Entries

| Document | Title | Date |
|---|---|---|
20080209535 | Configuration of mandatory access control security policies - Presented herein are systems and methods for configuring a mandatory access control security policy in a computer, and applications thereof. An embodiment provides a security configuration program. The security configuration program configures a security policy based on user input. For example, a user may provide input regarding ranges of values corresponding to a resource, such as ports and/or Internet protocol (IP) addresses, to which a process is to be granted access. The security configuration program configures the security policy to allow the process access to the specified ranges of values for the resource. In this way, a security configuration program in accordance with an embodiment of the present invention allows a user to configure and extend a security policy without special knowledge of the security policy language. | 08-28-2008 |
20080222715 | Enhanced Personal Firewall for Dynamic Computing Environments - An enhanced personal firewall system having an inter-firewall connection listener which binds to a specified communications port and listens for inbound and/or outbound connection requests; and an inter-firewall controller which establishes trusted communications through a local firewall and a remote firewall by exchanging public keys and a signed trusted computer firewall request, and using the keys to determine whether a local key storage indicates previous authorization of trusted communications. If not, then a user of the targeted resource is notified and prompted to authorize the access. If so, then the firewall rules protecting the targeted resource are modified, even if temporarily, to allow the requesting firewall to have trusted access. | 09-11-2008 |
20080222716 | COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATION DEVICE, AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED FOR THEM - A control unit of a connection destination device assigns a connection destination device address to a virtual line unit. In response to an instruction from the control unit, the virtual line unit sets a line as an active line to be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line, notifies a preceding-stage device that the line has the connection destination device address. Thereafter, the line is used to establish, communicate, or disconnect an IPsec tunnel from a connection source device to the connection destination device. | 09-11-2008 |
20080244723 | Firewall Restriction Using Manifest - Procedures of using manifest restrictions for use in configuring a firewall are described. In an example, an application including manifest defined restrictions for a firewall is executed. The firewall is configured to permit application access, in accordance with the defined restrictions while the application is executing. | 10-02-2008 |
20080250487 | Systems For Firewall Protection Of Mass Storage Devices - The present invention discloses a URD including: a non-volatile storage memory having program code, wherein said program code is configured to enable a network protocol for communicating with a host system; and a controller for controlling operations performed on said storage memory. Preferably, the storage memory includes flash memory. A URD including: a host system having a firewall; and a URD having a non-volatile storage memory, wherein said storage memory includes program code, and wherein said program code is configured to enable a network protocol, said URD operationally connected to said host system; wherein said firewall is configured to provide security measures related to said URD. Preferably, the firewall is a software firewall or a hardware firewall. | 10-09-2008 |
20080250488 | Methods For Firewall Protection Of Mass-Storage Devices - The present invention discloses methods for protecting a host system from information-security risks posed by a URD, the method including the steps of: operationally connecting the URD to the host system; communicating, between the URD and the host system, via a network protocol, through a firewall residing in the host system; and configuring said firewall to provide security measures related to the URD. Preferably, the firewall is a software firewall or a hardware firewall. A method for protecting a host system from information-security risks posed by a URD, the method including the steps of: operationally connecting the URD to the host system; communicating, between the URD and the host system, via a network protocol, through a firewall residing in the host system; and configuring said firewall to restrict access of at least one application to the URD. Preferably, the firewall is a software firewall or a hardware firewall. | 10-09-2008 |
20080250489 | Systems For Firewall Protection Of Mass Storage Devices - The present invention discloses a URD including: a non-volatile storage memory having program code, wherein said program code is configured to enable a network protocol for communicating with a host system; and a controller for controlling operations performed on said storage memory. Preferably, the storage memory includes flash memory. A URD including: a host system having a firewall; and a URD having a nonvolatile storage memory, wherein said storage memory includes program code, and wherein said program code is configured to enable a network protocol, said URD operationally connected to said host system; wherein said firewall is configured to provide security measures related to said URD. Preferably, the firewall is a software firewall or a hardware firewall. | 10-09-2008 |
20080256618 | METHOD TO APPLY NETWORK ENCRYPTION TO FIREWALL DECISIONS - A system and related methods for providing a handler for requests to access a wireless network, operable by or separate from an enhanced personal firewall system, which obtains connection-related information from the operating system, network interface drivers, or both, and then provides that information to a controller which determines to allow or deny access. By collecting certain connection-related information, new levels and granularities of control are allowed and enabled. The process is equally well suited for implementation by a wireless device which may be in range of multiple servers or networks, such that the device may allow different levels of access to the device by the different servers or networks according to the collected connection-related information. | 10-16-2008 |
20080256619 | Detection of adversaries through collection and correlation of assessments - An automated arrangement for detecting adversaries is provided in which assessments of detected adversaries are reported to a reputation service from security devices, such as unified threat management systems in deployed customer networks. By using actual deployed networks, the number of available sensors can be very large to increase the scope of the adversary detection, while still observing real attacks and threats including those that are targeted to small sets of customers. The reputation service performs a number of correlations and validations on the received assessments to then return a reputation back to the security device in the enterprise network that can be used for blocking adversaries, but only when multiple, distinct sources report the same adversary in their assessments to thus ensure that the reputation is accurate and reliable. | 10-16-2008 |
20080276311 | Method, Apparatus, and software for a multi-phase packet filter for internet access - A Time Gate Packet Filter (TGPF) for controlling data flow and Internet Access in a small environment. The TGPF is self-contained, simple to use, does not require IT expertise, and requires no software installation. The TGPF utilizes multi-phase filtering to control network access based on: types of sites, specific sites, types of services that can be accessed, source and destination, time of day, and day of week. | 11-06-2008 |
20080282335 | Software firewall control - A software firewall that may be simply configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be translated to firewall filters for network interfaces of that network type. The translation may be performed automatically and may be updated based on network location awareness information. | 11-13-2008 |
20080282336 | Firewall control with multiple profiles - A networked computer with a software firewall that may be configured for any of a number of network contexts may be quickly configured with an appropriate set of rules for a current network context. The computer has multiple profiles, each containing rules applicable to a different network context. When a change in network context is detected, a difference between the profile for the current context and the profile with which the firewall was previously configured is determined. These differences are applied to quickly reconfigure the firewall without blocking, even temporarily, communications that are allowed in the previously configured and current profiles. Additionally, when the networked computer is connected to multiple networks simultaneously, an appropriate profile may be selected. | 11-13-2008 |
20080289026 | Firewall installer - Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural process-oriented input facilitates administration of a firewall by allowing an administrator to specify desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online. | 11-20-2008 |
20080289027 | Incorporating network connection security levels into firewall rules - Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts. | 11-20-2008 |
20080289028 | FIREWALL FOR CONTROLLING CONNECTIONS BETWEEN A CLIENT MACHINE AND A NETWORK - A firewall system adapted for location outside the client machine, preferably in the same data processing device as the client machine but outside a virtual machine containing the client machine. Control logic of the firewall system receives incoming and outgoing connections from the network and client machine respectively. In response to a connection request initiating a connection between respective endpoints in the network and client machine, the control logic performs a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allows or inhibits the connection in dependence on the result of the security assessment. The security assessment may be performed in accordance with a security policy of the system, and different security assessments may be performed for different connection requests in accordance with the security policy. | 11-20-2008 |
20080301794 | METHOD AND SYSTEM FOR PROVIDING REMOTE ACCESS TO RESOURCES IN A SECURE DATA CENTER OVER A NETWORK - Methods, computer products, and systems are described for providing remote access to resources in a secure data center protected by at least one firewall. One method includes sending by an internal server within the secure data center a request to an external server outside of the secure data center to establish a secure data transport channel between the internal server and the external server. The request travels through at least one firewall protecting the secure data center and over a public network, a private network, and/or a second firewall. The internal server receives a reply to the request from the external server granting the request and confirming the establishment of the secure data transport channel. When a first message from the external server instructing the internal server to create a first data access point associated with a first session is received via the established secure data transport channel, the internal server instantiates the first data access point for the first session and visual data corresponding to the resources in the secure data center is sent from the first data access point to the external server via the secure data transport channel. The visual data is received by the external server and then sent to a first client associated with the first session so that the first client is provided visual access to the resources in the secure data center while the resources remain protected within the secure data center. | 12-04-2008 |
20080301795 | DISTRIBUTED AND SCALABLE INSTANT MULTIMEDIA COMMUNICATION SYSTEM - A scalable instant multimedia communication network includes at least one server that supports instant multimedia communication (IMC) sessions for a plurality of clients registered on the at least one server, and a multi-point switch unit coupled to the server(s) that sends data out of and receives data into the network, routes data between server(s), and performs a security check to enforce a security policy of the network on an invitation to establish a secure IMC session between at least two of the plurality of clients registered on the at least one server. The instant multimedia communication network can be expanded or contracted by coupling additional or fewer servers to the multi-point switch unit. | 12-04-2008 |
20080320580 | SYSTEMS, METHODS, AND MEDIA FOR FIREWALL CONTROL VIA REMOTE SYSTEM INFORMATION - Generally speaking, systems, methods and media for implementing a firewall control system responsive to remote system information are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program and determining whether a remote system condition exists for the associated program, where the remote system condition includes a condition to be satisfied based on information received from a particular remote system. Embodiments may also include, in response to determining that a remote system condition exists, determining whether the remote system condition is satisfied based on information received from the particular remote system. Embodiments may also include, in response to determining whether the remote system condition is satisfied, performing one or more firewall actions. | 12-25-2008 |
20080320581 | SYSTEMS, METHODS, AND MEDIA FOR FIREWALL CONTROL VIA PROCESS INTERROGATION - Generally speaking, systems, methods and media for implementing a firewall control system responsive to process interrogations are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program and determining whether a process rule exists for the associated program, where the process rule includes a condition to be satisfied for a process of the user computer system. Embodiments may also include, in response to determining that a process rule does exist, determining a method for evaluating a status of the process and determining a current status of the process. Embodiments may also include determining whether the process rule is satisfied based on the current status of the process and using the determined evaluation method. Embodiments may also include, in response to determining whether the condition of the process rule is satisfied, performing one or more firewall actions. | 12-25-2008 |
20090007251 | Host firewall integration with edge traversal technology - A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic. | 01-01-2009 |
20090013398 | Remote Testing Of Firewalled Networks - The present invention enables flexible deployment of testing agents within a firewalled network without the concern of needing to change security policies on routers and switches inside the firewalled network. Accordingly, remote diagnostic testing of networks and network devices can be conducted in which the firewalled network security is maintained and not compromised. The long-term diagnostic monitoring of networks is possible including an evolvable solution in which remote upgrades of the application agents are utilized. | 01-08-2009 |
20090025077 | MANAGING CONFIGURATIONS OF A FIREWALL - A method and system for managing multiple firewall configurations are disclosed. The method uses a pointer on a packet object representing a packet to reference a configuration object representing a configuration of the firewall which is assigned to the packet. By using a pointer to link each packet entering a computer system to the most recent configuration, the method can maintain multiple configurations and enable the firewall processing modules to process each packet according to its assigned configuration even if new configurations are released during the transition of the packet through the system. A reference count is also used as a variable by the configuration object to track the number of packets assigned to the configuration. A corresponding system is also provided. | 01-22-2009 |
20090031412 | GLOBAL NETWORK COMPUTERS - Embodiments useful for a network of computers are presented. In an embodiment, a microchip includes a plurality of dies. Each die is made by a separate fabrication process and assembled into a package with the separate die sections connected directly. | 01-29-2009 |
20090037998 | Systems and Methods for Authorizing a Client in an SSL VPN Session Failover Environment - The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session. | 02-05-2009 |
20090055919 | Unauthorized communication detection method - According to an aspect of an embodiment, a method for controlling an apparatus for transferring data from a plurality of first devices to a second device via a network, the data being transferred by using a packet, comprises the steps of: extracting type information identifying type of software conveyed by a packet and destination information identifying destination of the packet transmitted from one of the first devices; counting the number of kinds of the type information extracted from packets associated with the same destination information, respectively; and determining an unauthorized communication when the number of kinds of the type information is less than a predetermined value. | 02-26-2009 |
20090064304 | PORT ACCESS USING USER DATAGRAM PROTOCOL PACKETS - Communication through an intervening firewall can be achieved by transmitting an outbound datagram through a port of a firewall to open a circuit through the firewall, receiving an inbound datagram through the open circuit from an application, wherein the application is external to the firewall, and communicating with the application through the open circuit. Also, the application can comprise a client application and the firewall can comprise a server firewall. Further, the client application can transmit an outbound datagram through a port of an associated client firewall to open a circuit through the client firewall and can receive one or more datagrams through the open circuit of the client firewall. Additionally, the port of the server firewall and the port of the client firewall can correspond to the same port number. | 03-05-2009 |
20090064305 | System and method for secure service delivery - A secure service delivery network, including a service delivery compartment connected to deliver services to a plurality of client networks. The secure service delivery network includes a first firewall connecting the service delivery compartment to a first virtual local area network. The secure service delivery network includes a plurality of firewalls each connecting one of the plurality of client networks to the first virtual local area network, whereby no communications between the plurality of client networks can be made over the first virtual local area network. A related method is also described. | 03-05-2009 |
20090077647 | METHOD AND APPARATUS FOR FIREWALL TRAVERSAL - A method and apparatus for traversing a firewall are described. | 03-19-2009 |
20090083844 | Synchronizing between host and management co-processor for network access control - In network access controlled networks, it is desirable to prevent access to the network by any non-authenticated entities. Access control may be established through a trusted agent that, in some embodiments, may be implemented with a management co-processor. In some cases, active management technology may establish a connection while a host is inactive. Then, after the host becomes active, the host can attempt to use the management co-processor connection without obtaining the necessary authentications. This may be prevented, in some embodiments, by scanning for an active host and, if such an active host is found, blocking the host from using a layer 2 authentication channel unless the host is properly authenticated and has a proper Internet Protocol address. | 03-26-2009 |
20090083845 | NETWORK FIREWALL TEST METHODS AND APPARATUS - A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall. | 03-26-2009 |
20090089871 | Methods and apparatus for digital data processor instantiation - The invention provides, in one aspect, a digital data processing device that includes a firewall device and a computer, both housed within the same enclosure and sharing a common path to the Internet (or other external network), yet not sharing the same substantive processing logic. Thus, by way of example, the firewall device does not use the computer's central processing unit (CPU) to execute firewall logic. The digital data processing device can be arranged to limit connectivity and/or functionality of the computer and/or firewall device, e.g., absent authentication. Thus, for example, the computer and firewall can be coupled to the common path—e.g., a modem, network interface card or other communications port supporting access via wired (e.g., wired ethernet and coaxial), wireless (e.g., satellite, telephony, 802.11x), and/or optical (e.g., fiber) means—such that access by the computer to the Internet (or other external network) is mediated by the firewall device. | 04-02-2009 |
20090094691 | Intranet client protection service - A system and method for protecting intranet client devices in a virtual private network are disclosed. The method includes defining one or more groups of client devices to protect from traffic emanating from an external network (e.g., Internet, a Wide Area Network (WAN), a remote subnet of an intranet, and the like), while allowing the client devices to initiate TCP sessions with servers in the outside network. | 04-09-2009 |
20090094692 | SESSION CONTROL SERVER, COMMUNICATION DEVICE, COMMUNICATION SYSTEM AND COMMUNICATION METHOD, AND PROGRAM AND RECORDING MEDIUM FOR THE SAME - A communication device, connected via a network so as to be able to communicate with a session control server, and which establishes a session with another communication device by performing signal transmission to and reception from the session control server, includes: a unit which generates an asymmetric key pair; a request unit which requests certificate issuance for a public key in the asymmetric key pair; a receiving unit which receives notification of public key issuance completion from the session control server; a storage unit which stores a public key certificate which has been received; a sending unit which sends a location registration request of a communication device to the session control server; and a receiving unit which receives a location registration completed notification which includes a term of validity from the session control server; and which sends a location registration request and a certificate issuance request as a combined request. | 04-09-2009 |
20090100513 | Universal media firewall - A universal media firewall allows a parent to control filtering of multiple media providers via a single firewall policy. The firewall(s) may be a stand-alone device or may be implemented in software on a home computer or at a remote site. Parental controls are accessible by the media provider so that media is filtered according to the parental settings prior to entering the home media network. | 04-16-2009 |
20090113535 | Securely Virtualizing Network Services - Services in a network device are added through providing virtual environments. Virtualization allows services based on other platforms or architectures to be run with minimum modification and in a secure manner. Connecting services to the host through a stateful firewall allows dynamic integration, and passes only traffic of interest to the service. Virtualization allows services written for different instruction architectures to be supported. Multiple virtualized environments each supporting a service may be run. | 04-30-2009 |
20090133112 | USE OF DATA LINKS FOR AERONAUTICAL PURPOSES WITHOUT COMPROMISING SAFETY AND SECURITY - A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall. | 05-21-2009 |
20090138954 | SECURITY SYSTEM AND SECURING METHOD OF CALL SIGNALING MESSAGES FOR SESSION INITIATION PROTOCOL BASED VoIP SERVICE - Disclosed is a security system of a call signaling message. An object of the invention is to provide a security system and a securing method of a call signaling message, in which even when a call signaling message is leaked out and thus modified in a SIP (Session Initiation Protocol) based VoIP (Voice Over Internet Protocol) service, the modified message is blocked in advance to enable the VoIP service to be provided without an attack effect by the packets. When using the security system and the securing method of a call signaling message according to an embodiment of the invention, it is possible to prevent, in the SIP based VoIP service, a call signaling message from being modified to cause a call failure when requesting a call or during the call, and to block an attack on the call signaling message in advance. | 05-28-2009 |
20090144816 | Knowledge-Intensive Arrangement for Handling of Scattered Data - The invention relates to a knowledge-intensive arrangement ( | 06-04-2009 |
20090158415 | METHOD AND APPARATUS OF PROVIDING AN INTERFACE FOR MANAGING NETWORK SWITCHES - An approach is provided for presenting, via a graphical user interface, a plurality of selectable areas corresponding to a plurality of categories of switches and a plurality of options. One of the options includes a search function for finding a desired one of the switches. A communication session is automatically established with one of the switches as specified by a user through one of the selectable areas or the search function. Information from the one switch is received over the communication session, wherein the information is used for analyzing the one switch. | 06-18-2009 |
20090165113 | SYSTEMS, METHODS AND COMPUTER PROGRAM PRODUCTS FOR FIREWALL USE OF CERTIFIED BINARIES - Systems, methods and computer program products for firewall use of certified binaries. Exemplary embodiments include a method including reading a plaintext component from a digital signature, searching the plaintext component for an identifier, reading in a TotalTCPIPPorts field for a total number of sockets to be opened for an application, reading in ports and descriptions for each of the ports, displaying information from the plaintext component up to a block including the identifier, the port being opened and the port description, prompting an instruction, displaying on the screen information from the plaintext component up to a block including the identifier, displaying a warning that the application is opening additional ports beyond the default number specified, displaying a warning that opening the additional ports should be avoided, and prompting the instruction. | 06-25-2009 |
20090172799 | SECURITY-LEVEL ENFORCEMENT IN VIRTUAL-MACHINE FAIL-OVER - Methods, systems, and articles to receive, by a fail-over computing device, a request to instantiate a virtual-machine in response to a virtual-machine failure on a separate physical device. The request includes a minimum security rating. The fail-over computing device then compares the minimum security rating against an assigned security rating of the fail-over computing device and instantiates the virtual-machine if the assigned security rating meets or exceeds the minimum security rating. | 07-02-2009 |
20090172800 | REORDERING A FIREWALL RULE BASE ACCORDING TO USAGE STATISTICS - A computer implemented method of reducing central processing unit (CPU) usage of a firewall by safely reordering a current firewall's rule-base exhibiting N rules. The method comprises: receiving rule usage statistics exhibiting the usage frequency of each rule in the current firewall's rule-base; calculating a rules matched per packet (RMPP) parameter, being a summation of products of each rule identifier and the corresponding usage frequency for all the N rules; determining an alternative order of the rule base by repositioning rules, wherein the repositioned rules perform the same action on the firewall, or wherein the repositioned rules act on disjoint sets of network connections, and wherein the repositioning results in a reduction of the RMPP of the reordered rule base, thereby reducing the CPU usage of the firewall in implementing the alternative order of rules. | 07-02-2009 |
20090199288 | DISTRIBUTED AUTHENTICATION IN A PROTOCOL-BASED SPHERE OF TRUST IN WHICH A GIVEN EXTERNAL CONNECTION OUTSIDE THE SPHERE OF TRUST MAY CARRY COMMUNICATIONS FROM MULTIPLE SOURCES - A distributed authentication model that operates within a protocol-based sphere of trust. Rather than being able to communicate with any one of the computing systems internal to the sphere of trust, the amount of authentication is reduced by having the external computing systems initially communicate with a specific edge internal computing system. Many if not all of the internal computing systems then delegate the task of authentication to the edge computing system, and will rely on any authentication performed by the edge computing system. This allows the task of authentication to scale well for large protocol-based spheres of trust. | 08-06-2009 |
20090205038 | Enabling Wake on LAN Behind NATs and Firewalls - Exemplary methods, computer-readable media, and systems for maintaining an inbound network path to a host in a sleep or a hibernation mode behind a plurality of network address translators (NAT) or firewalls. A network interface card (NIC) of a host is configured to periodically send or receive keep-alive packets. These packets enable network mappings that would ordinarily expire while a host is in a sleep or a hibernation mode. Power is maintained on the NIC while the host is in such mode, and the NIC responds as programmed including waking a host upon a certain event, such as receiving a data packet matching a preconfigured signature. During such time, the host may be in a wake on LAN mode. | 08-13-2009 |
20090205039 | SECURITY MANAGEMENT SYSTEM FOR MONITORING FIREWALL OPERATION - A test method for Internet-Protocol packet networks is described that verifies the proper functioning of a dynamic pinhole filtering implementation and statistically quantifies network vulnerability as pinholes are opened and closed. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall. | 08-13-2009 |
20090222904 | NETWORK ACCESS NODE COMPUTER FOR A COMMUNICATION NETWORK, COMMUNICATION SYSTEM AND METHOD FOR OPERATING A COMMUNICATION SYSTEM - The invention relates to a network access remote front-end processor ( | 09-03-2009 |
20090222905 | METHOD, APPARATUS, AND SYSTEM FOR PRE-AUTHENTICATION AND PROCESSING OF DATA STREAMS - A method, apparatus and system for pre-authenticating ports is disclosed. In one embodiment, an active port facilitating communication of media content between a transmitting device and a receiving device is identified, where the active port is associated with a first High-Definition Content Protection (HDCP) engine. Then, inactive ports that are in idle mode serving as backup ports to the active port are identified, where the inactive ports are associated with a second HDCP engine. Pre-authentication of each of the inactive ports is performed so the pre-authenticated inactive ports can subsequently replace the active port if a port switch is performed. | 09-03-2009 |
20090249464 | FIREWALL FOR REMOVABLE MASS STORAGE DEVICES - A firewall device comprising a first connection device for connecting with a data device supporting data transfer with a removable mass storage device; a second connection device for connecting with the removable mass storage device; and a microprocessor, adapted to control and secure data transfer between the data device and the removable mass storage device. | 10-01-2009 |
20090249465 | System and Method for Implementing Content and Network Security Inside a Chip - Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router. | 10-01-2009 |
20090254984 | HARDWARE INTERFACE FOR ENABLING DIRECT ACCESS AND SECURITY ASSESSMENT SHARING - Native IPv6 capabilities are provided to an IPv4 network node, device, or endpoint using a hardware interface that supports network communication under a Direct Access model. The Direct Access model supports IPv6 communication with IPsec and enforces Network Access Protection (“NAP”) health requirement policies for endpoints that are network clients. A Direct Access-ready server is enabled using a hardware interface that implements IPv4 to IPv6 translation and optionally IPsec termination capability. A Direct Access-ready client is enabled using a hardware interface that implements IPv4 to IPv6 translation, IPsec termination capability, and which optionally provides NAP (Network Access Protection) capabilities for Direct Access-ready clients that are configured as mobile information appliances. The hardware interface may be implemented as a network interface card (“NIC”) or as a chipset. | 10-08-2009 |
20090254985 | Secure network interface device - An interface device for a protected workstation or host has a network interface for connection to a multi-level secure network, a first address corresponding to a guard control port, and a second address corresponding to a guard data port. A transport guard in the device has a control component coupled to the guard control port for processing configuration data sent to the first address and producing a desired security configuration, a guard component coupled to the output of the control component and to the guard data port of the network interface, and a host interface coupled to the guard component for exchanging data with the protected host. Only when permitted by the desired security configuration, the guard component passes network data addressed to the second address of the network interface to the host interface, and passes outbound data from the host interface to the network through the guard data port. | 10-08-2009 |
20090265777 | COLLABORATIVE AND PROACTIVE DEFENSE OF NETWORKS AND INFORMATION SYSTEMS - Collaborative and proactive defense of networks and information systems. The present examples of collaborative and proactive defense of networks and information systems provide a way of protecting computer networks from hackers by stopping them from entering a protected network. Protection may include processes that utilize communications between layers in a communications protocol stack, or its equivalent, to identify threats. Identified threats may be profiled and stored in a local and/or network database that may be shared among other subscribers. Once a threat is identified it may be blocked, redirected or otherwise processed to thwart, identify, or otherwise deal with the threat. Such protection may be termed the collaborative and proactive defense of networks and information systems. | 10-22-2009 |
20090271857 | METHOD AND APPARATUS FOR FILTERING PACKETS USING AN APPROXIMATE PACKET CLASSIFICATION - A method and apparatus that enables approximate packet classification by using both an exact packet classification method and an inexact packet classification method are disclosed. For example, the method filters a plurality of packets using an exact packet classification method when a processing load is below or equal to a threshold, and filters the plurality of packets by dynamically switching between the exact packet classification method and an inexact packet classification method when the processing load is above the threshold. | 10-29-2009 |
20090282469 | AIRCRAFT COMMUNICATIONS SYSTEM USING WHITELISTS TO CONTROL ACCESS AND ASSOCIATED METHODS - A communications system for an aircraft carrying personnel having personal electronic devices (PEDs) includes a wireless access device in the aircraft for the PEDs, and an aircraft server in the aircraft cooperating with the wireless access device for determining airborne validation of a ground server address entered via a corresponding PED. An air-to-ground transceiver in the aircraft cooperates with the aircraft server for communicating over an air-to-ground interface the airborne validated ground server address. A ground server on the ground receives the airborne validated ground server address over the air-to-ground interface, determines ground validation of the airborne validated ground server address, and provides ground access for the corresponding PED for which the entered ground server address has both airborne and ground validation. | 11-12-2009 |
20090288156 | SYSTEM AND METHOD FOR DETECTING AND ELIMINATING IP SPOOFING IN A DATA TRANSMISSION NETWORK - A traffic management system sniffs data arriving at any point in a system. The sniffer operates to extract certain data from each address. This data could be, for example, the IP address data and the physical address data. The extracted data is then used to access different data bases to determine if matches occur. Time stamps, sequencing and other parameters of each piece of data entering a system are used to control data access. | 11-19-2009 |
20090300748 | RULE COMBINATION IN A FIREWALL - A firewall system comprises a rule management tool that is operable to evaluate a rule set for rules that may be merged, present selected rules that can be merged to an administrator, along with an indication of any change in function of the resulting merged rule, and receive input from the administrator indicating whether to merge the selected rules. | 12-03-2009 |
20090328182 | ENABLING TWO-FACTOR AUTHENTICATION FOR TERMINAL SERVICES - Techniques for enabling two-factor authentication for terminal services are described. A client receives an authentication token from an authentication server. The authentication token is used as a factor for authenticating the client to a terminal services device. Native authentication of the client is also performed. | 12-31-2009 |
20090328183 | ONE WAY SECURE LINK - A method for secure communications between a transmitting computer ( | 12-31-2009 |
20100011432 | AUTOMATICALLY DISTRIBUTED NETWORK PROTECTION - A network protection solution is provided by which security capabilities of a client machine are communicated to a network security gateway so that a variety of processes can be automatically and dynamically distributed between the gateway and the client machine in a way that achieves a target level of security for the client while consuming the least possible amount of resources on the gateway. For example, for a client that is compliant with specified health and/or corporate governance policies and which is known to have A/V capabilities that are deployed and operational, the network security gateway will not need to perform additional A/V scanning on incoming network traffic to the client which can thus save resources at the gateway and lower operating costs. | 01-14-2010 |
20100017868 | METHOD AND SYSTEM FOR CONFIGURING A RULE FILE FOR FIREWALL OF WEB SERVER - A method, a system, and a computer program product embodying computer readable code for configuring a rule file for a Web application firewall. The method includes: blocking a response created by a Web application; modifying the response by adding capturing code for capturing a regular expression and an associated parameter value embedded in the response while being executed; sending the modified response to the browser; receiving a request submitted by the browser and at least one regular expression and an associated parameter value captured by the capturing code; determining a parameter name and a regular expression associated with the same parameter value, and configuring the rule file of the firewall by use of the determined parameter name and regular expression associated with one another as a filtering rule. | 01-21-2010 |
20100058455 | METHODS AND SYSTEMS FOR AUTOMATIC REMOVAL AND REPLACEMENT OF CONNECTIONS IN A POOL RENDERED STALE BY A FIREWALL - This disclosure describes, generally, methods and systems for managing connections within a connection pool. The method includes initializing a plurality of connections. The plurality of connections are configured to pierce a firewall. The method further includes placing the plurality of connections in a connection pool, and storing creation times for each of the plurality of connections. The method then determines the firewall's connection teardown time period and, based at least in part on the firewall's connection teardown time period, sets the connection pool's connection teardown time period to be at least less than the firewall's connection teardown time period. | 03-04-2010 |
20100058456 | IDS Sensor Placement Using Attack Graphs - Embodiments of the present invention identify locations to deploy IDS sensor(s) within a network infrastructure and prioritize IDS alerts using attack graph analysis. An attack graph that describes exploitable vulnerability(ies) within a network infrastructure is aggregated into protection domains. Edge(s) that have exploit(s) between two protection domains are identified. Sets that contain edge(s) serviced by a common network traffic device are defined. Set(s) that collectively contain all of the edge(s) are selected. The common network traffic device(s) that service the selected sets are identified as the location(s) to deploy IDS sensor(s) within the network infrastructure. | 03-04-2010 |
20100058457 | Methodology, Measurements and Analysis of Performance and Scalability of Stateful Border Gateways - Methods and apparatus for testing of Internet-Protocol packet network perimeter protection devices, e.g., Border Gateways such as Session Border Controllers, including dynamic pinhole capable firewalls are discussed. Analysis and testing of these network perimeter protection devices is performed to evaluate the ability of such devices to perform at carrier class levels. The efficiency of state look-up table functions as well as call signaling processing capacity, implemented in a particular perimeter protection device, are determined and evaluated. Proper performance and efficiency of such perimeter protection devices are evaluated as a function of incoming call rate and as a function of total pre-existing active calls. Various different network perimeter protection devices, e.g., of different types and/or from different manufacturers, can be benchmarked for suitability to carrier class environments and comparatively evaluated. Test equipment devices, e.g., enhanced Integrated Intelligent End Points (IIEPs), for fault testing, evaluating and stressing the network perimeter protection devices in a system environment are described. Typically these specialized test devices are used in pairs, one on each side of the firewall under test. These test equipment devices include a heavy duty traffic generator module, monitoring and analysis capability including a utilization analysis module, and a graphical output capability. | 03-04-2010 |
20100058458 | SYSTEM AND METHOD FOR PROVIDING A SECURE CONNECTION BETWEEN NETWORKED COMPUTERS - Embodiments disclosed herein provide a system, method, and computer program product for establishing a secure network connection between two computers, a client and a server. The client may send a connection request over a public network to the server. In response, the server may generate a set of credentials, select a controller to automatically run on the client, and send the controller and the set of credentials to the client. The controller automatically executes on the client and utilizes the set of credentials from the server to establish a secure network connection with the server without user intervention. The set of credentials is valid until the secure network connection between the client and the server is severed. | 03-04-2010 |
20100071050 | OPTIMIZING STATE SHARING BETWEEN FIREWALLS ON MULTI-HOMED NETWORKS - In one embodiment, a security device monitors for outgoing re-transmission messages indicating that an endpoint located in a multi-homed network transmitted an unanswered initial connection request. Responsive to identifying one of the outgoing re-transmission messages, the security device identifies destination address information included in the identified re-transmission message. The security device then causes another security device associated with a different link of the same multi-homed network to update its internal state table according to the identified destination address information. As a result, a response to the outgoing re-transmission can be forwarded to the multi-homed network regardless of which security device receives the response. | 03-18-2010 |
20100077470 | METHOD AND APPARATUS FOR SECURITY-RISK BASED ADMISSION CONTROL - A method and apparatus is disclosed herein for security risk-based admission control. In one embodiment, the method comprises: receiving a request from the user device to access the network; determining whether to admit the user device based on a security-based admission control policy that admits user devices based on a constraint optimization that attempts to maximize the sum utility of the currently admitted user devices in view of a security assessment of the user device and security risk imposed on the network and already admitted user devices if the user device is admitted to the network, wherein the constraint optimization is based on a utility associated with admitting the user device to the network, a reputation value associated with the user device, and a botnet damage estimation on the network associated with the user device; and admitting the user device to the network based on results of determining whether to admit the user device. | 03-25-2010 |
20100088755 | Access management for devices in communication networks - The invention relates to a terminal, a node and a method for terminating communication between a communication network ( | 04-08-2010 |
20100095365 | Self-setting security system and method for guarding against unauthorized access to data and preventing malicious attacks - A self-setting security guarding system and method for protecting against unauthorized access to data stored in a data processing apparatus, comprising setting various items used to guard data, wherein the items consist of protected areas with access control for data storage and access therein, authorized types of files with access controls, and access rules of safety regulations enabling the data processing apparatus to verify access to data contents stored therein or in the protected area thereof; and detecting access events of the protected area or types of files using the access control and generating a request for analysis when an access event is detected, and further analyzing whether the detected access event complies with the access rules and the analysis request to permit or deny execution of said access event depending on whether it complies or not with safety regulations. | 04-15-2010 |
20100095366 | Enabling Network Communication From Role Based Authentication - Network communications are secured on clients that do not have a user properly logged in and authenticated. The clients have transmit and/or receive functionality disabled. When a user logs into the client and is properly authenticated, the transmit and/or receive functionality is enabled. In some embodiments, the client can then download firewall policy information to prevent the client from communicating on certain ports or with certain clients. The firewall policy information may be specific to a role that a user logged into the client has. For example, administrators, executives and employee roles may each use different firewall policy information. | 04-15-2010 |
20100100954 | METHOD AND APPARATUS FOR REDUCING FIREWALL RULES - A method and apparatus for reducing obsolete firewall rules are disclosed. The present invention addresses the issue by using existing network routing information as well as firewall rule configuration information to help analyze firewall access logs to identify obsolete and unused firewall rules so that these obsolete firewall rules can be removed. In one embodiment, the present invention is capable of periodically identifying the unused rule set for each external partner network and removing these obsolete rules with no impact to the current operation. | 04-22-2010 |
20100115599 | METHOD AND SYSTEM FOR SECURING DATA FROM A POINT OF SALE DEVICE OVER AN EXTERNAL NETWORK - A data control system allows point of sale devices ( | 05-06-2010 |
20100115600 | METHOD AND SYSTEM FOR SECURING DATA FROM AN EXTERNAL NETWORK TO A POINT OF SALE DEVICE - A data control system allows point of sale devices ( | 05-06-2010 |
20100115601 | Method and an apparatus for assessing a security of a component and a corresponding system - In a method and an apparatus for assessing the security of components, in particular of components involved in safety-critical infrastructures, the assessment of the security of the safety-critical component comprises assessing the risks of the respective component and deriving security measures for the component. Further, the level of implementation of each standardized security measure, as defined by a standard and/or requirement document for the component, is assessed, and the resilience of the component against attacks directed to it is evaluated by performing test attacks against the component, the test attacks being arranged by use of test cases defined from the risk assessment results and from the implementation level assessment results for each standardized security measure. Thus, improved assessment of the security of components is enabled, which can be used, e.g., for insurance of the security of safety-critical components and infrastructures. | 05-06-2010 |
20100122334 | Internet based data, voice and video alert notification communications system - A real-time integrated information sharing and telecommunications collaboration system is disclosed. The system includes at least one central server to create, store, display, edit, distribute, share, control and archive voice, data, video and images with a plurality of simultaneous wireless and wireline remote display devices. The at least one central server monitors, controls and protects voice, data, video and image communications to, from and between display devices through encrypted token based security identifiers. The sharing of information and communication data packets between the display devices is contingent upon permissions assigned to individual human or machine end users. All data and communications, including the encrypted token based security identifiers, may be stored simultaneously or individually within the central server, display device, or a third-party remote storage device, whereby each or all may reside behind additional security systems and firewalls at a plurality of locations. All voice, data, video and images are seamlessly integrated through one or a combination of communications paths including, but not limited to, the Public Switched Telephone Network, World Wide Web, Internet, Wireless Wide Area Network (WWAN), Wide Area Network (WAN), Local Area Network (LAN), satellite, land mobile radio, WiFi, Worldwide Interoperability for Microwave Access (WiMAX), broadband over powerlines and other wireline and wireless networks. | 05-13-2010 |
20100122335 | System and Method for Filtering Unwanted Internet Protocol Traffic Based on Blacklists - A system and method for filtering unwanted Internet Protocol traffic based on blacklists receives a first blacklist containing a first plurality of Internet protocol addresses associated with unwanted Internet traffic. The system also operates a first plurality of access control lists adapted to block the unwanted Internet traffic from one of the first Internet protocol addresses listed in the first blacklist. The system also assigns a first weight to each of the first Internet protocol addresses based on a reliability of Internet traffic from each of the first Internet protocol addresses. Additionally, the system reduces a first number of the first access control lists to optimally trade off a number of desirable Internet protocol addresses blocked with a number of bad Internet protocol addresses blocked based on the first weight of each of the first Internet protocol addresses. | 05-13-2010 |
20100122336 | METHOD AND APPARATUS FOR TWO-WAY TRANSMISSION OF MEDICAL DATA - The present invention provides for a secure, two-way transmission of medical data over the Internet and through the hospital's firewall using push and pull mechanisms. More particularly, the present invention utilizes standard SSH technology and the rsync and scp protocols to enable secure, cost-effective data transmission over the Internet. The hospital firewall is traversed through the use of an agent located behind the hospital's firewall. The agent utilizes a push mechanism to push the raw scan data through the firewall and over the Internet to the outside third party; and the agent uses a pull mechanism to reach through the firewall and over the Internet to retrieve the data processed by the outside third party. In other words, the present invention transfers data from the hospital to the third party by initiating a data push mechanism from behind the hospital firewall; and transfers the processed data from the outside third party back into the hospital by initiating a data pull mechanism from behind the hospital firewall. The aforementioned agent acts as a broker for the foregoing data transmission and also encodes how the data should be handled once it is received on the hospital side. | 05-13-2010 |
20100132026 | Selective Web Content Controls for MFP Web Pages Across Firewalls - Devices, methods, and computer-readable media for tagging web page content according to a content access level for entry into a web page content database, and filtering in response to a dynamic web page construction request based on the access level of the requesting source. | 05-27-2010 |
20100132027 | Independent role based authorization in boundary interface elements - A boundary interface element for communications networks is disclosed. The boundary interface element is adapted for enabling a network administrator for a first network coupled to a first network interface of the boundary interface element to configure a policy for the first network interface independently of the other administrators of the other interfaces, while restricting access to a second network interface of the boundary interface element. Similarly, the boundary interface element enables a network administrator for a second network coupled to the second network interface of the boundary interface element to configure a policy for the second network interface while restricting access to the first network interface. The network administrator for the first network is permitted to view the policy configured for the second network interface, and the network administrator for the second network is permitted to view the policy configured for the first network interface. The boundary interface element may be employed in a variety of network deployment scenarios. | 05-27-2010 |
20100132028 | METHOD FOR IMPLEMENTING SECURITY-RELATED PROCESSING ON PACKET AND NETWORK SECURITY DEVICE - Embodiments of the present invention provide a method for implementing security-related processing on packets and a network security device. A relationship is established between the stream attribute information of an initial packet of a stream and the security-related processing information implemented on the initial packet; when a succeeding packet of the stream is received, the previously stored relationship is acquired according to the stream attribute information of the succeeding packet, and the security-related processing is implemented on the succeeding packet according to the security-related processing information in the relationship. Therefore, according to the method for implementing security-related processing on packets and the network security device provided by the present invention, the process of searching for security information entries for succeeding packets of a stream is not required, the security-related processing procedure of the packet is thus accelerated, and the packet processing efficiency is improved. | 05-27-2010 |
20100138908 | Access Control Method And Apparatus - A method of controlling access to computing resources, comprising providing a first computing device with access to a database containing data indicative of computing resources access to which is controlled by the first computing device and a minimum security capability that a second computing device must possess to access the respective resources, assigning the second computing device a security capability, providing the second computing device with data indicative of the security capability, configuring the first computing device to respond to data indicative of the security capability and data indicative of a desired access from the second computing device by ascertaining the minimum required security capability corresponding to the desired access and by comparing the minimum required security capability with the security capability of the second computing device, and providing the desired access if the security capability of the second computing device meets the minimum security capability for the desired access. | 06-03-2010 |
20100138909 | VPN AND FIREWALL INTEGRATED SYSTEM - The present disclosure provides an integrated VPN/Firewall system that uses both hardware (firmware) and software to optimize the efficiency of both VPN and firewall functions. The hardware portions of the VPN and firewall are designed in flexible and scalable layers to permit high-speed processing without sacrificing system security. The software portions are configured to provide interfacing with hardware components, report and rules management control. | 06-03-2010 |
20100146615 | Systems and Methods for Inhibiting Attacks on Applications - In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy. | 06-10-2010 |
20100146616 | COOPERATION FOR CONSUMER AND SERVICE PROVIDER MOCA NETWORKS - Embodiments may be disclosed herein that provide systems, devices, and methods of operating a Multimedia over Coax (MoCA) network. One such embodiment is a method comprising: designating a selected MoCA device as a network controller; and logically partitioning, into virtual MoCA networks, a predetermined bandwidth reserved for the MoCA network by sending, from the network controller one or more beacons containing virtual network information. | 06-10-2010 |
20100180331 | COMMUNICATION TERMINAL DEVICE, RULE DISTRIBUTION DEVICE, AND PROGRAM - A communication terminal device ( | 07-15-2010 |
20100192215 | Method for Multi-Core Processor Based Packet Classification on Multiple Fields - The present invention relates to a method for multi-core processor based packet classification on multiple fields. The first step involved in this invention involves constructing a data structure of classification, which includes selecting a certain dimension such that the sum of the rules that fall into two rule sub-sets of two subspaces is as small as possible after spatial partition through a certain partition point in which the method to determine the partition point on the selected dimension is to select the partition point on the dimension such that the number of rules that fall into the two sub-spaces after partition by the point is equal to each other as much as possible. The invention specifically proposes three methods to select partition points, two associated methods to select dimensions, then receiving packet information after the data structure of classification is constructed, and searching the data structure of classification according to packet information to get matched results. The present invention can be implemented on many types of multi-core processor based platforms which ensure favorable performance and adaptive capabilities for different network applications, and significantly reduce the product cost of high-end routers and firewalls. | 07-29-2010 |
20100199343 | CLASSIFICATION OF WIRED TRAFFIC BASED ON VLAN - Controlling access and capabilities on wired digital networks. According to the invention, rather than use port-centric controls, multiple virtual local area networks (VLANs) are supported by a wired controller, and these VLANs may be terminated on multiple physical ports. Capabilities are then assigned on a VLAN basis, with default capabilities assigned to the port when no VLAN is used. Capabilities are defined on a VLAN basis, for example no access, trusted access, or untrusted access. Trusted access VLANs are not subject to authentication or firewalling. Untrusted VLANs are subject to authentication and firewalling, which may be configured as required for the VLAN and its authorized users. | 08-05-2010 |
20100199344 | REDUNDANCY DETECTION AND RESOLUTION AND PARTIAL ORDER DEPENDENCY QUANTIFICATION IN ACCESS CONTROL LISTS - Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual entries that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting entries. An aspect of the invention converts an order-dependent control list into an order-free equivalent. Redundant entries are identified and removed without adversely affecting the access control list. Redundancy may be identified by evaluating the volume contraction ratio, which is the ratio of the volume of spin-off entries to a specific original entry in the access control list. This ratio reflects the extent of order-dependent impact on that entry in a given access control list. | 08-05-2010 |
20100199345 | Method and System for Providing Remote Protection of Web Servers - Techniques for preventing attacks of web servers are provided. In one embodiment, a secure web application firewall (“WAF”) service server is provided to protect one or more web servers from malicious activity. The secure WAF service server is located at a location that is remote from the one or more web servers. Incoming traffic to the web servers and outbound traffic from the web servers is directed through the secure WAF service server. A secure WAF associated with the secure WAF service server analyzes the incoming and outbound traffic and can perform various responsive actions if malicious activity is detected. | 08-05-2010 |
20100218246 | DETECTING THE TYPE OF NAT FIREWALL USING MESSAGES - A method, system, and computer program product for detecting the type of NAT firewall using messages provides the capability to determine the type of NAT in use without requiring special purpose hardware or software. A method for determining a type of a NAT firewall may comprise receiving a message from a device inside the NAT firewall, the message addressed to a first IP address and port of a device outside the NAT firewall, transmitting a plurality of messages to the device inside the NAT firewall, at least one of the plurality of messages addressed from the first IP address and port and at least one of the messages addressed from a second IP address and port, receiving responses to at least some of the plurality of messages transmitted to the device inside the NAT firewall and determining the type of the NAT firewall based on the received responses. | 08-26-2010 |
20100229234 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING DENIAL OF SERVICE ATTACKS IN AN IPTV SYSTEM - An intrusion protection system is disclosed for an Internet based television service (IPTV) that detects unexpected conditions, including rogue terminals sending unexpected messages. The system comprises one or more firewalls that may implement a mirrored state machine which is specific to an application level protocol. The state machine is typically maintained for each user, and each message from a user may be analyzed to determine if it is an expected message. The message may also be analyzed to determine if it represents an unusual volume of messages from the user or otherwise represents some other unusual aspect associated with a rogue terminal or terminals. Information regarding unusual events is reported from the firewall to an intrusion protection system which can further analyze the events and other data, and report possible attacks to a network operations center. | 09-09-2010 |
20100263039 | Accessing Method and Multimedia System Using Thereof - The access method includes the following steps. Firstly, multimedia data is accessed with a multimedia access device located on a local network, which is connected to a public network via a network address translation (NAT) or firewall device. Next, a first communication link between a portal server and the multimedia access device is established. Then a piece of punch-through information indicating whether the multimedia access device can punch through the NAT/firewall device is obtained in response to an inquiry command provided by a client device. Next, when the multimedia access device cannot punch through the NAT/firewall device, the multimedia data is pushed from the multimedia access device to the portal server, and the multimedia data pushed to the portal server is further pulled from the portal server to the client device, so that multimedia data transmission between the client device and the multimedia access device can be obtained. | 10-14-2010 |
20100269168 | System And Method For Developing A Risk Profile For An Internet Service - A method and system for controlling access to an Internet resource is disclosed herein. When a request for an Internet resource, such as a Web site, is transmitted by an end-user of a LAN, a security appliance for the LAN analyzes a reputation index for the Internet resource before transmitting the request over the Internet. The reputation index is based on a reputation vector which includes a plurality of factors for the Internet resource such as country of domain registration, country of service hosting, country of an internet protocol address block, age of a domain registration, popularity rank, internet protocol address, number of hosts, top-level domain, a plurality of run-time behaviors, JavaScript block count, picture count, immediate redirect and response latency. If the reputation index for the Internet resource is at or above a threshold value established for the LAN, then access to the Internet resource is permitted. If the reputation index for the Internet resource is below a threshold value established for the LAN, then access to the Internet resource is denied. | 10-21-2010 |
20100281531 | MOBILE SERVER WITH MULTIPLE SERVICE CONNECTIONS - A method of communicating between a mobile communications device and a plurality of services that are used by the mobile communications device. The method includes establishing, through a firewall and a wireless network, a first communications session between the mobile communications device and a mobile server located in an enterprise network with which the mobile communications device is associated; and establishing, concurrent with the first communications session, at least one further communications session between the mobile server and a service, the at least one further communications session being established by the mobile server as a session proxy for the mobile communications device. | 11-04-2010 |
20100281532 | FIREWALL INCLUDING LOCAL BUS - A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory, providing a second path for retrieving packets from memory when the memory bus is busy. | 11-04-2010 |
20100287608 | PROCESS CONTROL METHODS AND APPARATUS FOR INTRUSION DETECTION, PROTECTION AND NETWORK HARDENING - The invention provides an improved network and methods of operation thereof for use in or with process control systems, computer-based manufacturing or production control systems, environmental control systems, industrial control system, and the like (collectively, “control systems”). Those networks utilize a unique combination of firewalls, intrusion detection systems, intrusion protection devices and/or other devices for hardening (e.g., security against hacking, intrusion or other mischievous conduct) and/or intrusion detection. The networks and methods have application, by way of example, in plants, sites and other facilities in which networks that support control systems interface with corporate, business or other networks. | 11-11-2010 |
20100313260 | METHOD AND SYSTEM OF PROVIDING FIREWALL IN HANDSET - A method of providing a firewall in a handset is disclosed. The method includes receiving, by a handset, a request with a telephone number. The handset determines if the telephone number meets a refusing condition. The refusing condition includes a telephone number interval with at least one number and a symbolic variable. The handset refuses the request of the telephone number if the telephone number meets the refusing condition. | 12-09-2010 |
20100313261 | Communication method for device in network system and system for managing network devices - A communication method for a device in a network system and a system for managing network devices are disclosed. The communication method for a device in a network system includes connecting a management server that manages at least one device in an internal network, the at least one device, and a designated device with one another through a firewall, the internal network, and an external network; the designated device maintaining a connection with the management server; and if a message for requesting a connection with a target device among the at least one device is received by the designated device from the management server, the designated device forwarding the received message to the target device. According to this method, the management server can connect and communicate with managed devices, whenever necessary, by making the designated device connected to the network continuously maintain the connection with the management server. | 12-09-2010 |
20100325717 | System and Method for Managing Access to a Plurality of Servers in an Organization - A system for managing access to resources in a plurality of servers by a plurality of client computers by using an operating system independent Secure Shell (SSH) protocol running in each server and using a central policy database that centrally stores access rules which specify access to the servers for a plurality of users/accounts. Each time a target server receives a user request to establish an SSH session, it retrieves associated access rules from the central policy database to obtain the latest access rules. Based on the retrieved rules and the identity of the user and the identity of the client computer, the target server determines whether the user has permission to establish the SSH session with the target server. Using a centralized database and requiring the servers to always retrieve the latest access rules from a central database provides consistent application of the access rules across all servers and all client computers. | 12-23-2010 |
20110004930 | GLOBAL NETWORK COMPUTERS - A computer that is configured for connection to a network including the Internet, including, but not limited to the following. A microchip including a microprocessor, the microprocessor including a master control unit and at least two processing units and wherein the master control unit is configured to control the processing units. The computer also includes a Faraday Cage substantially surrounding the microchip. The microchip further includes a firewall being configured with hardware to make the master control unit inaccessible from the network including the Internet when the computer is connected to the network including the Internet. The firewall is further configured in a manner that permits access by another computer in the network including the Internet to at least one of the processing units of the microprocessor for an operation with another computer when the computer is connected to the network including the Internet. | 01-06-2011 |
20110004931 | GLOBAL NETWORK COMPUTERS FOR SHARED PROCESSING - A computer configured for a connection to a network of computers including the Internet, comprising: a microchip including a microprocessor including a master control unit configured using hardware and firmware, and two processing units; an internal hardware firewall that is located between a protected portion and an unprotected portion of the microchip; said protected portion including said master control unit and one of the processing units, said unprotected portion including one or more of the processing units that are separate from and located outside of the internal hardware firewall; said hardware firewall denying access to said protected portion by the network; and said hardware firewall permitting access by another computer in the network to one or more of the processing units included in the unprotected portion for an operation with said another computer in the network; and an active configuration of a circuit integrated into the microchip. | 01-06-2011 |
20110010767 | Server System, Communication Method, Computer, Program And Recording Medium - Establishment of communication between client apparatuses and an arithmetic function unit is performed based on communication information acquired by communication using HTTP between the client apparatuses and the arithmetic function unit through a firewall function unit, where the client apparatuses download encrypted contents data from the arithmetic function unit by P2P without passing a firewall. | 01-13-2011 |
20110010768 | Method and Apparatuses for End-to-Edge Media Protection in an IMS System - An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node. | 01-13-2011 |
20110023104 | SYSTEM FOR HOSTING CUSTOMIZED COMPUTING CLUSTERS - A computer system for hosting computing clusters for clients. The system includes clusters each including a set of computing resources and each implemented in custom or differing configurations. Each of the configurations provides a customized computing environment for performing particular client tasks. The configurations may differ due to configuration of the processing nodes, the data storage, or the private cluster network or its connections. The system includes a monitoring system that monitors the clusters for operational problems on a cluster level and also on a per-node basis, such as with monitors provided for each node. The system controls client access to the clusters via a public communications network by only allowing clients to access their assigned cluster or the cluster configured per their specifications and performing their computing task. Gateway mechanisms isolate each cluster such that communications within a cluster or on a private cluster communications network are maintained separate. | 01-27-2011 |
20110023105 | IPv6-over-IPv4 Architecture - Mobile clients can execute IPv6 applications in an IPv4 environment without the need for any specialized IPv6 hardware or upgrades to the network infrastructure. The architecture provides a seamless, disruption-free connectivity experience for mobile clients. Mobile clients are automatically connected to other mobile clients irrespective of their network connectivity, whether wireless, wire line, IPv4, IPv6, public or private. Mobile clients communicate with other mobile clients using a secure, end-to-end IPv6 tunnel. This creates a persistent VPN connection between two clients using software. | 01-27-2011 |
20110023106 | METHODS AND SYSTEMS FOR ACHIEVING HIGH ASSURANCE COMPUTING USING LOW ASSURANCE OPERATING SYSTEMS AND PROCESSES - A computing system contains and uses a partitioning microkernel (PMK) or equivalent means for imposing memory partitioning and isolation prior to exposing data to a target operating system or process, and conducts continuing memory management whereby data is validated by security checks before or between sequential processing steps. The PMK may be used in conjunction with an Object Request Broker. | 01-27-2011 |
20110030048 | SYSTEM, METHOD AND PROGRAM FOR MANAGING FIREWALLS - Computer system, method and program for managing a firewall. First program instructions identify a first rule of the firewall. The first rule specifies a permitted message flow through the firewall to or from an IP address of a computer. The computer resides on a network. Second program instructions identify a second rule of the firewall. The second rule specifies a permitted message flow through the firewall to or from an IP address corresponding to the network. Message flows through the firewall to all computers on the network are permitted pursuant to the second rule. Third program instructions delete the first rule from the firewall based on the identification of the second rule and the computer residing on the network. Other program instructions identify and delete stale rules which are not needed. Other program instructions automatically identify rules for a new server added to a cluster. | 02-03-2011 |
20110072504 | Policy-Based Virtualization Method Involving Adaptive Enforcement - A method is provided in which a permission for running a system software instance alongside another system software instance is issued on the basis of a first policy rule concerning the operation of a first software application and a second policy rule concerning the execution of a second software application. | 03-24-2011 |
20110072505 | Process for Installing Software Application and Platform Operating System - A process for installing a software application on a platform, the platform comprising several servers including one or more application servers and a control server on which a platform configuration database is installed. The process comprises the following steps after a predefined software application is selected by a user: reading out configuration data and solution data from the platform configuration database, wherein the registration data describes the platform configuration and the solution data describes a solution of the selected software application which is registered on the platform; determining the virtual server(s) needed to run the selected software application; creating the determined virtual server(s) on the platform; installing an instance of the selected software application in the created virtual server(s); and connecting the instance to an interface of the platform to provide access for listeners to the instance. | 03-24-2011 |
20110072506 | Integrated unified threat management for a process control system - A Unified Threat Management System (UTMS) for securing network traffic in a process control system may comprise network devices configured to receive network traffic related to the process control system and including a ruleset received from an external source. The ruleset may include one or more rules defining a condition to accept or deny the network traffic received at the network device. The state of the network device may be integrated into the process control system as a process control object or variable, thus allowing the state and other UTMS and component network device parameters and variables to be displayed to an operator at a workstation within a graphical process control system environment. The network devices may also communicate with a perpetual service that proactively supplies the devices with rulesets to meet the latest security threats, threat patterns, and control system vulnerabilities found or predicted to exist within the network. | 03-24-2011 |
20110078781 | Framework for Communicating Across a Firewall - A system for enabling communication between a first domain and a second domain is disclosed. At least the first domain is protected by a firewall. A first data-processing system is provided in the first domain and a second data-processing system is provided in the second domain. The second domain hosts an application that the first domain desires to access. To enable the communication between the two domains, a tunnel is established through the firewall. The tunnel runs from the first data-processing system to the second data-processing system. The second data-processing system provides a web-proxy interface to interface to the application and also acts as a tunnel gateway. | 03-31-2011 |
20110099619 | SYSTEM AND METHOD FOR CREATING A TRANSPARENT DATA TUNNEL - A method of transparently transferring data between a network application running on a first processor and a target service running on a second processor through a tunnel server running on a third processor, the method comprising: connecting a target program running on the second processor to the tunnel server; connecting a client program running on the first processor to the tunnel server; connecting the network application to the client program through a network adapter running on the first processor; sending data from the network application to the tunnel server through the client program; connecting the target program to the target service through a network adapter running on the second processor; and relaying data from the tunnel server to the target service through the target program. | 04-28-2011 |
20110107412 | APPARATUS FOR DETECTING AND FILTERING DDOS ATTACK BASED ON REQUEST URI TYPE - Provided is an apparatus for detecting and responding to a DDoS attack. The apparatus includes: a receiver unit configured to receive an HTTP request from a client terminal having a predetermined IP address; a data measuring unit configured to compute a number of a pre-defined URI in the received HTTP request by IP for a predetermined measuring time period; a DDoS discrimination unit configured to compare the computed number of the pre-defined URI with a pre-defined threshold and configured to detect an access of the client terminal with the IP address as the DDoS attack when the number of the pre-defined URI is greater than the threshold; and a blocking unit configured to block the access of the client terminal when the DDoS discrimination unit detects the DDoS attack. | 05-05-2011 |
20110131644 | NETWORK SECURITY SYSTEM HAVING A DEVICE PROFILER COMMUNICATIVELY COUPLED TO A TRAFFIC MONITOR - A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities. | 06-02-2011 |
20110138455 | FIREWALL FILTERING USING NETWORK CONTROLLER CIRCUITRY - An embodiment may include network controller circuitry to be comprised in a host computer that includes a host processor to execute an operating system environment. The circuitry may be coupled to the processor, receive at least one packet via a network, store at least one firewall filter parameter set, and execute, based at least in part upon the parameter set and packet, at least one firewall filter action involving, at least in part, the packet. The action may implement, at least in part, at least one firewall rule supplied by a firewall application to an interface of a driver associated with the circuitry. The application may be executed, at least in part, in the environment. The circuitry may generate and store the parameter set based at least in part upon at least one command from the driver. The command may be based at least in part upon the rule. | 06-09-2011 |
20110138456 | SECURITY MANAGEMENT SYSTEM FOR MONITORING FIREWALL OPERATION - A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall. | 06-09-2011 |
20110145909 | Interface Logic For A Multi-Core System-On-A-Chip (SoC) - In one embodiment, the present invention includes a system-on-a-chip (SoC) with first and second cores, interface logic coupled to the cores, chipset logic coupled to the interface logic, and a virtual firewall logic coupled between the chipset logic and the second core. The interface logic may include a firewall logic, a bus logic, and a test logic, and the chipset logic may include a memory controller to provide for communication with a memory coupled to the SoC. In some system implementations, both during test operations and functional operations, the second core can be disabled during normal operation to provide for a single core SoC, enabling greater flexibility of use of the SoC in many different implementations. Other embodiments are described and claimed. | 06-16-2011 |
20110154468 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR ACCESS CONTROL SERVICES USING A TRANSPARENT FIREWALL IN CONJUNCTION WITH AN AUTHENTICATION SERVER - Access control methods include receiving an access authorization message from an authentication server computer at a blocking device that connects a first network to a second network, modifying access criteria of a transparent firewall at the blocking device responsive to the received access authorization message and operating the transparent firewall according to the modified access criteria to control transfer of messages between the first and second networks. The invention may also be implemented as apparatus and computer readable media. | 06-23-2011 |
20110154469 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR ACCESS CONTROL SERVICES USING SOURCE PORT FILTERING - An authentication request message is received at an authentication server computer, the authentication request message identifying a requesting client device. The authentication request message is authenticated at the authentication server computer and, responsive to authentication of the authentication request message, a source port for a redirected communication between the requesting client device associated and the protected server is determined. An access authorization message identifying the determined source port is transmitted from the authentication server computer to a blocking device that controls access to the protected server. A redirect message may be transmitted from the authentication server to a browser resident at the client device responsive to authentication of the authentication request message. Embodiments include methods, apparatus and computer readable media. | 06-23-2011 |
20110154470 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MANAGING FIREWALL CHANGE REQUESTS IN A COMMUNICATION NETWORK - A method of managing firewall change requests for a communication network includes providing a change request interface comprising a plurality of change request form types, each request form including an interface for entering requestor identification information, Internet Protocol (IP) address information, change implementation schedule information, and submission information specifying any requestor instructions for implementing the change, receiving completed change request forms from at least one requestor, arranging the completed change request forms in a request queue, and presenting the request queue to at least one administrator responsible for implementing firewall changes in the communication network. | 06-23-2011 |
20110154471 | SYSTEMS AND METHODS FOR PROCESSING APPLICATION FIREWALL SESSION INFORMATION ON OWNER CORE IN MULTIPLE CORE SYSTEM - The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a first core of a multi-core intermediary device which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request to the first core. The second application firewall module receives and processes the security check results and instructions from the first core. | 06-23-2011 |
20110154472 | SYSTEMS AND METHODS FOR PREVENTION OF JSON ATTACKS - Described herein is a method and system for prevention of personal computing attacks, such as JavaScript Object Notation (JSON) attacks. An intermediary device is deployed between a plurality of clients and servers. An application firewall executes on the intermediary device. A client sends a request to the server and the server sends a response to the request. The intermediary device intercepts the response and identifies that the response may contain possibly harmful content. The application firewall parses the content of the response and determines whether it contains any harmful content. If it does, the application firewall blocks the response from being sent to its destination. Additionally, the method and system can provide other security checks, such as content hijacking protection and data validation. | 06-23-2011 |
20110154473 | SYSTEMS AND METHODS FOR CROSS SITE FORGERY PROTECTION - The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third party users from submitting a form on a user's behalf since they cannot guess the value of this unique identifier that was inserted. | 06-23-2011 |
20110162059 | APPARATUS AND METHOD FOR SECURE REMOTE PROCESSING - A method and apparatus for providing on-demand services to an organization. The services are provided by a hosting center. The apparatus comprises an on-premises connectivity agent at the organization, which receives requests or commands from computing platforms within the organization and concentrates all communication to and from the hosting center. The on-premises connectivity agent embeds or otherwise introduces organization metadata into the messages. The apparatus further comprises a hosted connectivity agent associated with the hosting center. The apparatus may further comprise a central connectivity component for routing communication between the on-premises connectivity agent and the hosted connectivity agent, in accordance with the metadata. Communication between the on-premises connectivity agent and the central connectivity component flows through a secure channel and comprises only communications related to the organization. Communication between the central connectivity component and the hosted connectivity agent may comprise communications related to multiple organizations. Such communications may be multiplexed. | 06-30-2011 |
20110202993 | DIGITAL MEDIA COMMUNICATION PROTOCOL - A digital media communication protocol structured to selectively transmit one or more digital media files between a media terminal and a media node via a communication link on an interactive computer network. The communication link is initiated by the media terminal, wherein the media terminal is disposed in an accessible relation to the interactive computer network. The digital media communication protocol, and in particular, the communication link, is further structured to bypass at least one security measure, such as, for example, a password, security key, and/or firewall. | 08-18-2011 |
20110219443 | SECURE CONNECTION INITIATION WITH HOSTS BEHIND FIREWALLS - The invention is directed to an inter-host signaling protocol, referred to herein as Knock-On Protocol (KOP), for establishing in a secure manner a connection with a host behind a firewall. Some embodiments of the invention are directed to a Knock-On Feature (KOF) used in intermediate firewalls or network address translators to enable connection establishment through the FW or NAT to hosts behind the FW or NAT. Advantageously, the KOF may include a prefix-based protection feature to protect against address spoofing used in a message flood attack. | 09-08-2011 |
20110225644 | BEHAVIOR-BASED SECURITY SYSTEM - Described herein are techniques for operating a security server to determine behavioral profiles for entities in a network and to detect attacks or unauthorized traffic in a network based on those behavioral profiles. In one technique, a behavioral profile may be generated based on requests for security operations to be performed that are received at a security server from an entity in a network. The behavioral profile may be generated using learning techniques, including artificial intelligence techniques such as neural networks. When the security server receives from an entity one or more requests for security operations to be performed, the security server may compare properties of the requests to the behavioral profile for the entity and to properties of requests commonly sent by the entity. The security server may determine a similarity score indicating how similar the requests are to the behavioral profile and to requests commonly received from the entity. | 09-15-2011 |
20110225645 | BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - Hardware or firmware-based firewalls or other access barriers are disclosed. The firewalls or access barriers establish one or more private units disconnected from a public unit that is connected to the Internet. One or more of the private units have a connection to one or more secure non-Internet connected private networks. | 09-15-2011 |
20110225646 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is redirected by a networking subsystem implemented within a kernel of an operating system of a firewall device to a proxy module within the firewall device that is configured to support a network service protocol associated with the network connection. The proxy module retrieves one or more content processing configuration schemes associated with a matching firewall policy for the network service protocol and the network connection. The content processing configuration schemes each include multiple content processing configuration settings for each of one or more network service protocols. Application-level content of a packet stream associated with the network connection is then processed by the proxy module reassembling the application-level content from multiple packets of the packet stream and scanning the application-level content based on the retrieved content processing configuration schemes. | 09-15-2011 |
20110231924 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR PROVIDING APPLICATION LAYER FIREWALL AND INTEGRATED DEEP PACKET INSPECTION FUNCTIONS FOR PROVIDING EARLY INTRUSION DETECTION AND INTRUSION PREVENTION AT AN EDGE NETWORKING DEVICE - Methods, systems, and computer readable media for an application layer firewall function including an integrated deep packet inspection function for providing early intrusion detection and intrusion prevention at an edge networking device are disclosed. According to one method, steps are performed at a session controller configured to operate at the border of a first network and a second network. The steps include receiving, at an intrusion protection system (IPS) module of the session controller interfacing with modules associated with layers 2 and above of a protocol stack of the session controller, information gathered by modules located at lower layers and associated with an intrusion attempt, vulnerability, or other security policy violation. In response to receiving the information, the IPS module provides at least one of a security policy and a rule to a module located at the most appropriate layer for securing the intrusion attempt, vulnerability, or other security policy violation. | 09-22-2011 |
20110231925 | FIREWALL NETWORK APPLICATION APPARATUS - A method and system for distributing flows between multiple processors. The flows can be received from an external source such as a network, by a front-end processor that recognizes the flow and the associated request, and identifies at least one internal applications processor to process the request/flow. The front-end processor utilizes a flow scheduling vector related to the identified applications processor(s), and the flow scheduling vector can be based on intrinsic data from the applications processor(s) that can include CPU utilization, memory utilization, packet loss, and queue length or buffer occupation. In some embodiments, applications processors can be understood to belong to a group, wherein applications processors within a group can be configured identically. A flow schedule vector can be computed for the different applications processor groups. | 09-22-2011 |
20110231926 | BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - A method or apparatus for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit having connection to the Internet, and one or more of the private units have a connection to one or more secure non-Internet-connected private networks for personal and/or local administration. The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch and/or both buses, each with a single on/off switch. The hardware-based access barriers can be positioned successively between an outer private unit, an intermediate more private unit, an inner most private unit, and the public unit, and each private unit can be configured for a separate connection to a separate network of computers that excludes the Internet. | 09-22-2011 |
20110239288 | EXECUTABLE CODE VALIDATION IN A WEB BROWSER - An active filter monitors a web browser session to identify executable code transmitted in the session. The executable code may be analyzed to determine if the code is digitally signed. When the code is digitally signed by the web server or by another trusted source, the code may be executed. When the code is not digitally signed or when the source is not trusted, the code may be rejected and not executed. The filter may be implemented as a web browser component or plugin, as well as a gateway device, proxy, or other service. The filter may also be implemented on the server side to reject incoming data that may include unauthenticated code. | 09-29-2011 |
20110252468 | METHOD AND SYSTEM FOR PROTECTING A COMPUTER AGAINST MALICIOUS SOFTWARE - A method of protecting a computer by having security software be set to a clean mode, where the clean mode treats files installed or modified before the clean date as safe and files installed or modified after the clean date as potentially harmful. | 10-13-2011 |
20110258691 | METHOD FOR IMPROVING SECURITY OF COMPUTER NETWORKS - A method of preventing unauthorized user access to a computer network has been developed. The method includes receiving a domain name server resolution request at the computer network from a requesting user. Next a reply to the requesting user is generated with a domain name server resolution and internet protocol address of a target device within the computer network. The reply is inspected with a network security device, where the network security device does not have an assigned internet protocol address so that it remains undetected by the requesting user. The network security device then monitors data traffic to the computer network to detect a reply from the requesting user. Once detected, the reply to the internet protocol address is intercepted with the network security device. Finally, the network security device verifies that the requesting user is authorized to access the computer network with the network security device. | 10-20-2011 |
20110258692 | PROTECTED APPLICATION STACK AND METHOD AND SYSTEM OF UTILIZING - A secure appliance for use within a multi-tenant cloud computing environment which comprises: a) a policy enforcement point (PEP); b) a hardened Operating System (OS) capable of deploying applications; and c) at least one application capable of hosting services and application program interfaces (APIs). | 10-20-2011 |
20110258693 | OPERATIONS AND MAINTENANCE ARCHITECTURE FOR MULTIPROTOCOL DISTRIBUTED SYSTEM - An architecture for providing operations and maintenance functionality in an open access wireless signal distribution system. The open access system makes use of a common, shared, distributed radio frequency distribution network and associated network entities that enable a system operator to offer access to wireless infrastructure that may be shared among multiple wireless service providers (WSPs). The WSPs, or tenants of the operators, may obtain access in a tenant lease-space model. The open access system provides the ability for multiple tenants in a given community to share wireless equipment such as remotely located antenna sites, regardless of their specific requirements for radio frequency (RF) air interface signal protocols and/or management messaging formats. The present invention is directed to an open access Network Management System (NMS) that provides multiple tenants with an appropriate level of access and control over the system elements that carry their signaling. For example, in addition to forwarding messages from tenant-controlled NMSs to the open access system elements, the open access NMS preferably acts as a caching firewall to ensure that the tenant NMSs are permitted privileges to access only those system elements to which they are properly assigned. A database function included with the open access NMS may be used to build and maintain a database of operations and maintenance information from autonomously initiated poll and status functions. This then permits queries from tenant NMSs to be answered without the need to duplicate open system network traffic. | 10-20-2011 |
20110277028 | ASSIGNING A NETWORK ADDRESS FOR A VIRTUAL DEVICE TO VIRTUALLY EXTEND THE FUNCTIONALITY OF A NETWORK DEVICE - Virtually extending the functionality of a network device to a server is provided. A virtual device which virtually represents functionality of the network device is created. An association is stored between the network device and a user or a group for the network device. A determination is made as to whether the network device and the user or the group for the network device correspond to a local network or to a disparate network, based on the stored association. A network address for the virtual device is assigned based on the determination. Functionality of the network device is accessed via the virtual device, using the assigned network address for the virtual device. | 11-10-2011 |
20110283348 | SYSTEM AND METHOD FOR DETERMINING FIREWALL EQUIVALENCE, UNION, INTERSECTION AND DIFFERENCE - Aspects of the invention pertain to integrated compliance analysis of multiple firewalls and access control lists for network segregation and partitioning. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists in different firewalls in different network segments within a given network may overlap or have inconsistent rules. Aspects of the invention generate differences between firewalls, analyze equivalency of firewalls, generate the intersection (if any) between a pair of firewalls, and generate the union (if any) between firewalls. Such information provides an integrated analysis of multiple interrelated firewalls, including inbound and outbound access control lists for such firewalls, and may be used to manage firewall operation within the network to ensure consistent operation and maintain network security. It also addresses a wide range of security questions that arise when dealing with multiple firewalls. | 11-17-2011 |
20110283349 | IMPLEMENT METHOD AND DEVICE OF TERMINAL CALL FIREWALL - The present invention discloses an implementation method and device for a terminal call firewall. The method comprises: adding a call number to a blacklist when it is determined that the call number is in neither the stored blacklist nor an address list, and it is determined that the call duration is less than a set call duration threshold. The device comprises: a storage module, which is connected with a judgment module and configured to store a blacklist and an address list; the judgment module, which is connected with the storage module and a timer, and configured to start the timer when a call number is determined to be in neither the blacklist nor the address list; the timer, which is connected with the judgment module and a processing module, and configured to time a period equal to the call duration threshold; and the processing module, which is connected with the timer and configured to add the call number to the blacklist when the duration of the call is determined to be less than the call duration threshold. Through the method and the device, the present invention enables the terminal to identify unknown harassing calls automatically during operation, can add the calling number directly to the blacklist, does not bother the user by ringing or prompting the user about the call, is simple and convenient to use, and has remarkable practical effect. | 11-17-2011 |
20110289578 | PIN-HOLE FIREWALL FOR COMMUNICATING DATA PACKETS ON A PACKET NETWORK - A pin-hole firewall network communications device that includes a first port configured to communicate data packets over a packet network and a first counter module in communication with the first port. A pin-hole firewall module may be in communication with the first counter module. A call control module may be in communication with the first counter module and the pin-hole firewall module. The call control module is configured to communicate with the pin-hole firewall module to alter the communication of data packets through a firewall pin-hole. A second counter module may be in communication with the pin-hole firewall module and the call control module. A second port may be in communication with the second counter module and the packet network and be configured to communicate data packets over a second node segment of the packet network. | 11-24-2011 |
20110296516 | INTEGRATED FIREWALL, IPS, AND VIRUS SCANNER SYSTEM AND METHOD - A system, method and computer program product are provided including a router and a security sub-system coupled to the router. Such security sub-system includes a plurality of virtual firewalls, a plurality of virtual intrusion prevention systems (IPSs), and a plurality of virtual virus scanners. Further, each of the virtual firewalls, IPSs, and virus scanners is assigned to at least one of a plurality of users and is configured in a user-specific manner. | 12-01-2011 |
20110302647 | AUTOMATING NETWORK RECONFIGURATION DURING MIGRATIONS - Automating network reconfiguration such as firewall reconfiguration in migrations may include determining network reconfiguration needs in one or more network functionalities of the target environment based on the discovering; and applying the network reconfiguration needs to the one or more network functionalities in the target environment. | 12-08-2011 |
20110314535 | NULL-PACKET TRANSMISSION FROM INSIDE A FIREWALL TO OPEN A COMMUNICATION WINDOW FOR AN OUTSIDE TRANSMITTER - A high-bandwidth direct communication path between two clients is used for voice or video calls over the Internet. An opening or a window in a firewall is made for the direct path by sending a null packet out from inside the firewall. The null packet can be a UDP packet directed to a UDP port of the other client. Initially, each client makes a TCP connection to port | 12-22-2011 |
20110321150 | Methods And Systems For Context-Based Application Firewalls - Context-based application firewall functionality. A user session is initiated with a client device. The user session allows access to a remote resource on a server device coupled with the client device over a network. The connection between the client device and the remote resource is through an application firewall. An application firewall context setup is performed with the application firewall in response to the user session. The application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall. A response is created to provide information from the remote resource to the client device. The response includes metadata to be used to update the firewall context information. The firewall context information is updated with the application firewall based on the metadata. The response is transmitted to the client device. | 12-29-2011 |
20110321151 | Methods And Systems For Providing Context-Based Outbound Processing Application Firewalls - Outbound processing with application firewalls. An outbound message is generated with an application. The outbound message includes at least a trustworthiness indicator and/or marking information for the one or more portions of the outbound message. The outbound message is received by an application firewall. The outbound message is analyzed based on the trustworthiness indicator and/or marking information, and context information. An action is performed on the outbound message based on the trustworthiness indicator and/or marking information, and the context information. | 12-29-2011 |
20120005741 | FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) are provided. According to one embodiment, a firewall prevents unauthorized network-layer access to internal hosts by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall facilitates concurrent management of multiple incoming VoIP calls by providing multiple VoIP ports and advertising multiple IP address/VoIP port pairs corresponding to internal hosts. When incoming VoIP packets are received, the packets are directed to an appropriate internal host by the firewall performing port forwarding, based on a port indication contained within the packets, to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts. | 01-05-2012 |
20120030746 | Devices and Methods for Using HTTP Encapsulation to Access Web Resources - Embodiments provide a method of a system accessing web resources using HTTP encapsulation, by for example, a method that may include the steps of: (a) receiving, by an HTTP-encapsulator server component, HTTP request data from a web client; (b) saving, by the HTTP-encapsulator server, the HTTP request data; (c) creating, by the HTTP-encapsulator server, a first web resource accessible through an endpoint Uniform Resource Locator (URL); (d) creating, by the HTTP-encapsulator server, a second web resource containing data, wherein the data comprises: a URL to access the first web resource; and an endpoint URL pointing to a file handler on the HTTP-encapsulator server; (e) fetching, by an HTTP-encapsulator client of a local computing device, command data of the HTTP-encapsulator server; (f) receiving, by the HTTP-encapsulator client, the command data of the HTTP-encapsulator server comprising a retrieval instruction for a data file stored at the local computing device as a destination page; (g) generating, by the HTTP-encapsulator client, a response to the request of the HTTP-encapsulator server, based on a protected network resource; and (h) sending the generated response to the URL endpoint of the HTTP-encapsulator server hosted at the source external to the HTTP-encapsulator client of the local computing device. | 02-02-2012 |
20120030747 | Computers and microchips with at least one internal hardware firewall and at least two microprocessors or processing units outside the at least one firewall - A computer, comprising: at least one internal hardware firewall; at least two microprocessors being located outside of the at least one internal hardware firewall; and the at least two microprocessors being separate from the at least one internal hardware firewall. | 02-02-2012 |
20120030748 | COMPUTERS AND MICROCHIPS WITH AN INTERNAL HARDWARE FIREWALL AND AT LEAST ONE MICROPROCESSOR PROCESSING UNIT OUTSIDE THE FIREWALL - This invention generally relates to one or more computer networks having computers like personal computers or network servers with microprocessors linked by broadband transmission means and having hardware, software, firmware, and other means such that at least one parallel processing operation occurs that involves at least two computers in the network. More particularly, this invention relates to one or more large networks composed of smaller networks and large numbers of computers connected, like the Internet, wherein more than one separate parallel processing operation involving more than one different set of computers occurs simultaneously and wherein ongoing processing linkages can be established between virtually any microprocessors of separate computers connected to the network. Still more particularly, this invention relates to business arrangements enabling the shared use of network microprocessors for parallel and other processing, wherein personal computer owners provide microprocessor processing power to a network, preferably for parallel processing, in exchange for network linkage to other personal and other computers supplied by network providers, including linkage to other microprocessors for parallel or other processing; the basis of the exchange between owners and providers being whatever terms to which the parties agree, subject to governing laws, regulations, or rules, including payment from either party to the other based on periodic measurement of net use or provision of processing power. | 02-02-2012 |
20120036570 | IMAGE FORMING APPARATUS, METHOD FOR CONTROLLING THE SAME, AND STORAGE MEDIUM - An image forming apparatus to communicate with a service provision system via a firewall may include an identification unit, a determination unit, and a communication unit. The identification unit identifies, out of services provided by the service provision system, a service which provides a substitute function corresponding to a function of the image forming apparatus limited by a failure. The determination unit determines, out of a plurality of communication methods to be used for communication with the service provision system via the firewall, a communication method to be used to perform data communication with the service identified by the identification unit. The communication unit performs data communication with the service identified by the identification unit by using the communication method determined by the determination unit. | 02-09-2012 |
20120042372 | GLOBAL NETWORK COMPUTERS - A microchip for a computer configured to connect to a network of computers, the microchip comprising: a first internal hardware-based firewall, the first internal hardware-based firewall configured to deny access to a portion of the microchip from the network; a general purpose microprocessor including at least two general purpose cores or general purpose processing units; a first core or processing unit located inside of the first internal hardware-based firewall; a second core or processing unit located outside of the first internal hardware-based firewall, the second core or processing unit being separate from the first internal hardware-based firewall; and a memory component located inside of a second internal hardware-based firewall that is located between said memory component and a core or processing unit with which said memory component is associated. The microchip can also include a plurality of dies. | 02-16-2012 |
20120042373 | MANAGING CONFIGURATIONS OF A FIREWALL - A method for processing packets in a computer undergoing transitioning from a first configuration of a firewall to a second configuration of the firewall is disclosed. Packets arriving in the computer are associated with the first configuration of the firewall existing in the computer, and after a second configuration of the firewall becomes available, the computer starts associating packets arriving in the computer with the second configuration of the firewall, and processing packets associated with the second configuration according to the second configuration of the firewall, while continuing processing the packets associated with the first configuration according to the first configuration of the firewall until all packets associated with the first configuration are processed. Packets are processed by a plurality of firewall processing modules asynchronously. First and second reference counts, counting numbers of packets processed according to respective firewall configuration are conveniently introduced. A corresponding system is also provided. | 02-16-2012 |
20120047569 | METHOD FOR PROVIDING TERMINALS OF IMS NETWORK WITH FIREWALL AND FIREWALL SYSTEM - A method for providing a firewall for terminals in the IMS network and a firewall system are provided. The method includes: arranging a firewall system in the IMS network; acquiring identification information of said terminal when the firewall system receives a request from a network element for providing the terminal with a firewall; sending identification information of the firewall system to the terminal and related network elements; and managing at least part of the communication activities between said terminal and other network elements by the firewall system, wherein said other network elements include network elements in the IMS network and/or network elements which communicate with said terminal via the IMS network. | 02-23-2012 |
20120047570 | FIREWALLS FOR SECURING CUSTOMER DATA IN A MULTI-TENANT ENVIRONMENT - Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response. | 02-23-2012 |
20120096536 | Data Security System - A method, computer system, and computer program product for validating data contained in a request sent by a requestor to a server application. A computer receives the request from the requestor before receipt of the request by the server application. The computer identifies a set of data validation rules to apply to the data in the request based on a data format specification contained in the request sent by the requestor. The computer determines whether the data is valid based on the identified set of data validation rules. The computer forwards the request to the server application in response to the computer determining that the data is valid based on the identified set of data validation rules. | 04-19-2012 |
20120096537 | BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - A method of securely controlling through a private network a computer protected by a hardware-based inner access barrier or firewall and optionally configured to operate as a general purpose computer connected to the Internet, comprising: two separate network connections separated by an inner hardware-based access barrier or inner hardware-based firewall protecting a private network connection configured for connection to a private network of computers but not protecting a public network connection configured for connection to a public network configured to include the Internet, the method including the step of controlling at least one operation of the computer, the control being provided through the private network and the operation involving data and/or code transmitted to the public network. Another method includes the step of controlling an operation of a second or third private protected unit of the computer, the control being provided through a second or third private network, respectively. | 04-19-2012 |
20120117640 | Integrated Computer Security Management System and Method - The present disclosure is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present disclosure can be designed to communicate process or status information and packets with one another. The present disclosure can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component. | 05-10-2012 |
20120131662 | Virtual local area networks in a virtual machine environment - In one embodiment, a method includes identifying virtual machines operating at a network device and virtual local area networks associated with the virtual machines, creating an allowed list of virtual local area networks at the network device based on the virtual machines operating at the network device, and updating the allowed list in response to changes in the virtual machines at the network device. The network device is configured to forward traffic received from the virtual local area networks on the allowed list to a virtual switch at the network device, and drop traffic received from a virtual local area network not on the allowed list. An apparatus and logic are also disclosed. | 05-24-2012 |
20120137356 | INTELLIGENT ELECTRIC DEVICE AND NETWORK SYSTEM INCLUDING THE DEVICE - A protection relay installed at a power system and a network system including the protection relay are disclosed, the protection relay storing a security level of a plurality of systems or a plurality of source addresses, instructing whether to short-circuit a power by checking a security level of a data-transmitting system based on a security level stored in a security level setting device, or instructing whether to short-circuit a power by comparing the source addresses included in the data with the plurality of source addresses. | 05-31-2012 |
20120144475 | SCALABLE NAT TRAVERSAL - A system and method for traversing a firewall for a voice-over-IP session or other communication session uses four main components: a relay agent, and NAT | 06-07-2012 |
20120144476 | SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing. | 06-07-2012 |
20120151571 | "Push" Keep-Alive Mechanism For SIP User Agents Located Behind NATS/Firewalls - A user equipment (UE) and method is provided having one or more components configured to receive a non-session initiation protocol (SIP) notification from a SIP entity and in response to send a ping request to the SIP entity, the one or more components further configured to receive a SIP request from the SIP entity. A network component and method is also provided that include one or more components configured to send a non-session initiation protocol (SIP) notification to a user equipment (UE) and to receive a ping request from the UE and further to send a SIP request to the UE. | 06-14-2012 |
20120174209 | Method and Device for Detecting Validation of Access Control List - A method for detecting validation of an Access Control List (ACL) is disclosed in the present invention. Each time the action part of an ACL rule is performed, a counter attached to the currently performed ACL rule is started in accordance with an attachment mode, wherein the counter counts in accordance with a preset counting mode; whether the ACL rule takes effect or not is judged according to whether there is a count value or not, by reading the count value stored in the counter. An apparatus for detecting validation of an ACL is also disclosed in the present invention. The apparatus can judge whether an ACL rule takes effect without increasing the network load and without impacting the safety of a Central Processing Unit (CPU) in a device. | 07-05-2012 |
20120180119 | Session Initiation Protocol (SIP) Firewall For IP Multimedia Subsystem (IMS) Core - A SIP firewall defends an IMS network against SIP registration-based DoS/DDoS attacks by issuing fake authentication challenges when suspiciously high registration traffic is present. The fake authentication challenges include a predictive nonce that is to be used in the challenge response, thus forcing users to be state-aware and to issue the SIP registration requests from a valid IP address in order to successfully respond to the fake authentication challenges. Upon confirming an association between the challenge response and the fake authentication challenges, the firewall opens a registration window to a protected node of the core network. In such manner, the firewall opens a registration window to (unauthenticated) legitimate users while stopping DDoS-mode registrations (or at least making them extremely difficult and costly) without impacting or involving the protected node. | 07-12-2012 |
20120180120 | SYSTEM FOR DATA LEAK PREVENTION FROM NETWORKS USING CONTEXT SENSITIVE FIREWALL - A method and system for preventing data leaks in a network that allows context-based access to network resources by network users is provided. The communication network can be an open network like the Internet or a closed network like a company's Local Area Network (LAN). The network resource may be any application, website, program, communication means, etc. available by accessing the network. A request is sent to a network firewall to access a web application, where the web application is identified. A context template is created for the web application and compared with the request to create a request context map. The request context map is compared to a request context rule on the network firewall. Access is provided to the web application when the request context map matches the request context rule. | 07-12-2012 |
20120185929 | INCORPORATING NETWORK CONNECTION SECURITY LEVELS INTO FIREWALL RULES - Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts. | 07-19-2012 |
20120192262 | NETWORK ADAPTER FIREWALL SYSTEM AND METHOD - A network adapter system and associated method are provided. Included is a network adapter having a plurality of designated trusted and untrusted ports. The network adapter includes a processor coupled to a computer. Such processor is further coupled to a network via the ports. In use, the processor is configured for conditionally preventing network traffic from accessing the computer from the network via the untrusted ports and/or preventing unauthorized software from accessing the network in an untrusted manner from the computer. | 07-26-2012 |
20120204251 | METHOD AND SYSTEM FOR PROVIDING CLOUD BASED NETWORK SECURITY SERVICES - An approach is provided for performing cloud based computer network security services. Data traffic from a plurality of networks corresponding to a plurality of subscribers are received. Data traffic is routed to a security platform over a communication path to one or more service aggregators to process the data traffic according to one or more security services performed by the security platform. The security services are provided as a managed service by a service provider. The processed data are received from the one or more service aggregators, and routed to the corresponding one of the networks. | 08-09-2012 |
20120210416 | LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION - Methods and systems for balancing load among firewall security devices are provided. According to one embodiment, a switch maintains a session table the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular firewall security device (FSD). Responsive to receiving a packet of a first traffic session on a first port, a determination is made whether there exists a matching session entry. Responsive to a negative determination, a load balancing function is performed to select an FSD with which to associate the first traffic session and a corresponding reverse second traffic session. After processing of the packet by the selected FSD and receipt of the packet at a second port, a session entry is installed within the session table for the second traffic session and which associates the selected FSD with the second traffic session. | 08-16-2012 |
20120216269 | Software licensing in a virtualization environment - Provided are a system and method for activating an unauthorized software program in a virtualization environment. A software program is installed on a computer. A valid license is obtained to activate the software program. A cloning operation is performed on the software program. At least one other instance of the software program is generated during the cloning operation. The valid license is obtained to activate the at least one other instance of the software program. Also provided are systems and methods for identifying and counteracting unauthorized licensing of instances of a software program. | 08-23-2012 |
20120216270 | Method and Apparatus for Graphical Presentation of Firewall Security Policy - A graphical representation of the firewall and a network coupled to the firewall is generated and displayed. A number of an inbound port of the network is displayed. An arrow adjacent to the port number pointing toward the network is displayed to indicate that a communication is permitted to the port. The port number and the arrow are located between an icon for the network and an icon for the firewall. A port number of a destination of a communication originating from the network is displayed. Also, another arrow adjacent to the destination port number pointing toward the firewall is displayed to indicate that a communication is permitted to the destination port number. The destination port number and the other arrow are located between an icon for the network and an icon for the firewall. | 08-23-2012 |
20120222106 | Automated Hybrid Connections Between Multiple Environments In A Data Center - A multi-tenant data center environment includes a dedicated domain having at least one dedicated server associated with a client and a cloud domain having at least one cloud server associated with the client. The cloud server may have a public interface to a public network and a private interface to a private network. In turn, a network device is coupled between the dedicated domain and the public network, and is further coupled to the cloud server via the private network. A controller of the data center may be used to determine the presence of the cloud server, and to configure the network device to allow certain traffic to pass directly to the dedicated domain, while preventing other traffic from this direct path, based on access controls of the network device. | 08-30-2012 |
20120227100 | APPARATUS, SYSTEM, AND METHOD FOR NETWORK AUTHENTICATION AND CONTENT DISTRIBUTION - An apparatus, system, and method are disclosed for network authentication and content distribution. The apparatus includes an authentication module configured to receive redirected network requests over a communications network from a firewall module and configured to present a user license agreement and not require user-identifiable information, and a content distribution module configured to synchronize over the communications network with a client module and transmit content to the client module. The system includes a firewall module connected with a global communications network, a network connected with the firewall module, a computing device configured to couple with the network, and the apparatus. The method includes receiving redirected network requests over a communications network from a firewall module, presenting a user license agreement and not requiring user-identifiable information, and synchronizing over the communications network with a client module and transmitting content to the client module. | 09-06-2012 |
20120233686 | NETWORK ACCESS FIREWALL - The communications management systems manage access to a local area network or network content by external users, applications, and devices. The systems and methods are implemented on a network appliance to manage content within the network and facilitate content transmission through a firewall that separates the network from a larger networking environment, such as the World Wide Web. | 09-13-2012 |
20120254973 | DATA PROTECTION DEVICE FOR COMPUTERS - A data protection device includes a storage unit, a hard disk drive (HDD) controller, a switch, a network card, and a main control unit. The main control unit prevents the network card from communicating with communication networks when the first switch connects the HDD controller to the storage unit, and directs the first switch to disconnect the HDD controller from the storage unit when the network card is allowed to communicate with the communication networks. | 10-04-2012 |
20120254974 | Local Data Appliance for Collecting and Storing Remote Sensor Data - A system for providing local access, by means of a local data appliance, to data collected from remote monitors and sensors is described. The system includes a plurality of remote monitors and sensors, the remote monitors and sensors reporting data over a wide area communications network, and a data collection center receiving the data from the remote monitors and sensors, the data collection center operable to process the data and generate customer-defined reports based on the data. A local data appliance placed in the customer's network operates to receive the data from the data collection center, to process the customer data, generate reports based on the data and send instructions to the remote monitors and sensors. The appliance resides behind the customer's firewall but is separate from the customer's network and data center equipment. | 10-04-2012 |
20120254975 | SYSTEM AND METHOD FOR AUTOMATICALLY REGULATING MESSAGES BETWEEN NETWORKS - A system, method, and profiler for regulating access between a remote network and a host network. The profiler includes a processor for executing a set of instructions and a memory for storing the set of instructions. The set of instructions are executed to determine one or more target devices for the host network, determine authorized content for messages from one or more remote networks to the one or more target devices, analyze the messages to determine whether the messages comply with message thresholds for the remote networks, and communicate the messages between the host network and the one or more remote networks in response to compliance with the message thresholds and the authorized content. | 10-04-2012 |
20120254976 | DIRECTORY SERVER FOR AUTOMATIC NETWORK INFORMATION ACCESS SYSTEMS - Systems, apparatus and methods are described for providing information access to network devices. A directory server registers identification information about a first network device coupled to a first network. The first network and the directory server may be coupled to a second network, which may include a wide area network, public network, or the Internet. The identification information may include a network address of the first network device on the first network, or a network address of the first network on the second network. The directory server may receive and process requests for identification information about registered network devices, and may selectively reply to the requests based on status information of the first network device. | 10-04-2012 |
20120260331 | Network Firewall Host Application Identification and Authentication - Systems for providing information on network firewall host application identification and authentication include an identifying and transmitting agent on a host computer, configured to identify each application in use, tag the application identity with a host identity, combine these and other information into a data packet, and securely transmit the data packet to the network based firewall. The embodiment also includes an application identity listener on the network based firewall, configured to receive the information data packet, decode the data packet and provide to the network based firewall the identity of the application. The network based firewall is provided with an application-awareness via an extension of firewall filtering or security policy rules via the addition of a new application identity parameter upon which filtering can be based. Other systems and methods are also provided. | 10-11-2012 |
20120266230 | METHOD AND APPARATUS FOR CYBER SECURITY - Aspects of the disclosure provide a network interface device for use in an electronic device. The network interface device includes multiple systems and can be configured to perform multiple levels of security functions. In an example, the network interface device includes a first system and a second system. The first system includes a first interface configured to couple the first system with a host system of the electronic device, a second interface configured to couple the first system with an external electronic device, and first integrated circuits configured to monitor and filter traffic flowing between the external electronic device and the host system of the electronic device. The second system includes second integrated circuits. The network interface device also includes a communication channel between the first system and the second system. The second system is configured to send control information to and receive status information from the first system via the communication channel. | 10-18-2012 |
20120272308 | MANAGEMENT SYSTEM, MANAGEMENT METHOD AND MANAGEMENT PROGRAM FOR MANAGING INDUSTRIAL CONTROL SYSTEM - A system and method of an appropriate countermeasure at the time of anomaly. The management system for an industrial control system includes a control apparatus, a control network connected to the control apparatus, and multiple devices controlled by the control apparatus via the control network, the management system includes multiple firewall modules provided for each of control zones each controlling one part of the industrial control system, the firewall modules relaying communication between devices in the control zones and the control network; an event analyzing module collecting events from each of the multiple firewall modules and analyzing the events to detect an anomaly of each of the control zones, and a communication managing module changing a communication operation performed via the firewall module provided for the control zone where an anomaly has been detected. | 10-25-2012 |
20120291115 | METHOD AND APPARATUS FOR DYNAMIC HOST OPERATING SYSTEM FIREWALL CONFIGURATION - A method and apparatus for dynamic host operating system firewall configuration provides plural monitoring processes to monitor the firewall configuration of a host operating system and guest operating systems. When any firewall configuration change is detected by a monitor in a monitored guest operating system, an appropriate corresponding firewall change is made by the monitor to the host operating system. | 11-15-2012 |
20120291116 | Network Security Device - The present invention provides for a security device for location within a network device and having first and second Medium Independent Interfaces (MII) for functional connection within the network device, whereby the MII interfaces can allow for location of the security device between a PHY chip and a MAC chip of the host network device. | 11-15-2012 |
20120297475 | METHODS, NETWORK SERVICES, AND COMPUTER PROGRAM PRODUCTS FOR RECOMMENDING SECURITY POLICIES TO FIREWALLS - Recommending a security policy to a firewall, includes receiving a request from a firewall for a recommendation as to whether the firewall should allow or block a detected present communication for which the firewall does not have an existing security policy. Information about past blocked and allowed communications at other firewalls on a network is searched to identify past communications that are similar to the present communication. The identified past communications are assigned a respective positive or negative vote. A positive vote indicates a past communication was allowed and a negative vote indicates a past communication was not allowed. A positive recommendation is sent to the requesting firewall to allow the present communication if the positive votes outnumber the negative votes, and a negative recommendation is sent to the requesting firewall to block the present communication if the negative votes outnumber the positive votes. | 11-22-2012 |
20120304274 | SYSTEM AND METHOD FOR INITIALIZING AND MAINTAINING A SERIES OF VIRTUAL LOCAL AREA NETWORKS CONTAINED IN A CLUSTERED COMPUTER SYSTEM - A system and method for sharing network resources; the system comprising at least one network switch, at least one computing device comprising at least one network connection and at least one storage device containing software capable of initializing and maintaining: (i) a management local area network (MLAN) comprising a virtual or physical firewall; and (ii) a plurality of client virtual local area networks (VLANs), wherein each client VLAN comprises a virtual firewall and a plurality of network resources. | 11-29-2012 |
20120304275 | HIERARCHICAL RULE DEVELOPMENT AND BINDING FOR WEB APPLICATION SERVER FIREWALL - At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model is identified. The HTTP message model includes a plurality of message model sections. Additional steps include parsing a representation of the at least one of an HTTP request message and an HTTP response message into message sections in accordance with the message model sections of the HTTP message model; and binding a plurality of security rules to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition. The given condition is based, at least in part, on a corresponding given one of the message sections. A further step includes processing the at least one of an HTTP request message and an HTTP response message in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided. | 11-29-2012 |
20120311690 | METHOD OF USING A SECURE PRIVATE NETWORK TO ACTIVELY CONFIGURE THE HARDWARE OF A COMPUTER MICROCHIP - A method for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit or units having connection to the public Internet and one or more of the private units have a connection to one or more non-Internet-connected private networks for private network control of the configuration of the computer or microchip using active hardware configuration, including field programmable gate arrays (FPGA). The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch. | 12-06-2012 |
20120317634 | Method of securely controlling a computer or microchip with a master or central controller connected by a secure control bus to networked microprocessors or cores - A method of securely controlling a computer or microchip through a private network. The computer or microchip includes a secure private unit protected by an inner hardware-based access barrier or firewall; an unprotected public unit including at least one network connection configured to connect to a network; a separate private network connection located in the secure private unit a microprocessor, core or processing unit configured for general purposes, in the unprotected public unit and separate from the access barrier or firewall; a master or central controlling device located in the secure private unit; and a secure control bus configured to connect the master or central controlling device with the microprocessor, core or processing unit. The secure control bus is isolated from input from both the network and components of the unprotected public unit. The method includes securely controlling an operation executed by the microprocessor, core or processing unit. | 12-13-2012 |
20120317635 | SYSTEM AND METHOD FOR MONITORING UNAUTHORIZED TRANSPORT OF DIGITAL CONTENT - A system for network content monitoring and control, comprising: a transport data monitor, connectable to a point in a network, for monitoring data being transported past said point, a signature extractor, associated with said transport data monitor, for extracting a derivation of said data, said derivation being indicative of content of said payload, a database of preobtained signatures of content whose movements it is desired to monitor, and a comparator for comparing said derivation with said preobtained signatures, thereby to determine whether said payload comprises any of said content whose movements it is desired to monitor. The monitoring result may be used in bandwidth control on the network to restrict transport of the content it is desired to control. | 12-13-2012 |
20120317636 | MANAGEMENT SYSTEM, MANAGEMENT METHOD AND MANAGEMENT PROGRAM FOR MANAGING INDUSTRIAL CONTROL SYSTEM - A system and method of an appropriate countermeasure at the time of anomaly. The management system for an industrial control system includes a control apparatus, a control network connected to the control apparatus, and multiple devices controlled by the control apparatus via the control network, the management system includes multiple firewall modules provided for each of control zones each controlling one part of the industrial control system, the firewall modules relaying communication between devices in the control zones and the control network; an event analyzing module collecting events from each of the multiple firewall modules and analyzing the events to detect an anomaly of each of the control zones, and a communication managing module changing a communication operation performed via the firewall module provided for the control zone where an anomaly has been detected. | 12-13-2012 |
20120324561 | ROAD BLOCK the next evolution of security software for network operations - Road Block, simply put, is a blockade against any and all hacker attempts. It is a security software program that resides on a server and the user machine, with specific coding interchanging between the two for a secure link and transference of information. Unlike VPN technology, Road Block establishes a binary code link specific to computer chips residing on a server and also on the user computer. This technology can be used by banks, medical offices, insurance companies, credit unions and facilities allowing employees to work remotely. In a nutshell, Road Block is the ultimate security software package to ensure safe and secure transmission of any information between a user and server. | 12-20-2012 |
20120324562 | Enhanced Personal Firewall for Dynamic Computing Environments - An enhanced personal firewall system having an inter-firewall connection listener which binds to a specified communications port and listens for inbound and/or outbound connection requests; and an inter-firewall controller which establishes a trusted communications through a local firewall and a remote firewall by exchanging public keys, a signed trusted computer firewall request, and using the keys to determine if a local key storage indicates previous authorization to trusted communications. If not, then a user of the targeted resource is notified and prompted to authorize the access. If so, then the firewall rules protecting the targeted resource are modified, even if temporarily, to allow the requesting firewall to have trusted access. | 12-20-2012 |
20120324563 | MICROCHIPS WITH MULTIPLE INTERNAL HARDWARE-BASED FIREWALLS AND DIES - Embodiments useful for a network of computers are presented. In an embodiment, a microchip includes a plurality of dies. Each die is made by a separate fabrication process and assembled into a package with the separate die sections connected directly. | 12-20-2012 |
20120324564 | Computers and microchips with a faraday cage, with a side protected by an internal hardware firewall and unprotected side connected to the internet for network operations, and with internal hardware compartments - A personal computer or microchip comprising at least one Faraday Cage, two or more microprocessors or processing units and an internal hardware firewall. The internal hardware firewall is configured to separate a protected side of the computer or microchip from an unprotected side of the computer or microchip. The unprotected side is configured to connect to a network including the Internet. The protected hardware side of the computer or microchip includes at least one microprocessor or processing unit. The unprotected network side of the computer or microchip is located between the internal hardware firewall and the network and includes the unprotected microprocessors or processing units. At least one of the unprotected microprocessors or processing units is not a network communications component and is a separate component from the internal hardware firewall. The computer or microchip can include two, four, or more internal hardware compartments. | 12-20-2012 |
20120331541 | SYSTEMS, METHODS, AND MEDIA FOR FIREWALL CONTROL VIA REMOTE SYSTEM INFORMATION - A method and system for controlling a firewall for a user computer system. One or more processors of the user computer system receive a control request to control a program of the user computer system by the firewall. The control request includes a condition pertaining to at least one process of a remote computer system. The at least one process is configured to be executed on the remote computer system. The firewall protects the user computer system from external threats. The processors store a remote system condition associated with the program of the user computer system. The remote system condition includes the condition pertaining to the at least one process. The processors ascertain whether the remote system condition is satisfied. The processors direct the firewall to block or allow the transmission of data if it is ascertained that the remote system condition is not satisfied or satisfied, respectively. | 12-27-2012 |
20130007870 | SYSTEMS FOR BI-DIRECTIONAL NETWORK TRAFFIC MALWARE DETECTION AND REMOVAL - An exemplary bi-directional network traffic malware detection and removal system may comprise a scrubbing center running one or more server computers communicatively coupled to a network configured to receive a request for website content, remove any server-directed malware from the content request, transmit the scrubbed content request to the website's hosting server, receive the responsive website content, remove any client-directed malware from the content, and transmit the scrubbed content to the requesting client. | 01-03-2013 |
20130019301 | SYSTEMS AND METHODS FOR INTEGRATION BETWEEN APPLICATION FIREWALL AND CACHING - The present invention is directed towards integrating cache managing and application firewall processing in a networked system. An integrated cache/firewall system comprises an application firewall operating in conjunction with a cache managing system in operation on an intermediary device. The application firewall processes a received HTTP response to a request by a networked entity serviced by the intermediary device. The application firewall generates metadata from the HTTP response and stores the metadata in cache with the HTTP response. When a subsequent request hits in the cache, the metadata is identified to a user session associated with the subsequent request. The application firewall can modify a cache-control header of the received HTTP response, and can alter the cookie-setting header of the cached HTTP response. | 01-17-2013 |
20130047248 | Apparatus and Method for Determining Subject Assurance Level - According to one embodiment, an apparatus may store a plurality of token-based rules. The apparatus may further store a plurality of subject tokens associated with at least one of a user and a device. The apparatus may receive a resource token indicating that access to a resource has been requested. The apparatus may determine the value of an access value associated with the at least one subject token. The apparatus may then determine that the value of the access value is insufficient to grant access to the resource. The apparatus may then determine that access by at least one of the user and the device to the resource should be denied. | 02-21-2013 |
20130067556 | APPLICATION STATE SHARING IN A FIREWALL CLUSTER - A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, monitor packets of the received connection and determine application state data associated with the connection from the monitored packets in the first node, and share application state data with at least another node in the firewall cluster. | 03-14-2013 |
20130067557 | AUTHENTICATION SHARING IN A FIREWALL CLUSTER - A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, determine user data associated with the connection, and share the user data with at least another node in the firewall cluster. | 03-14-2013 |
20130067558 | ASSURED PIPELINE THREAT DETECTION - Devices, methods, and systems for assured pipeline threat detection are described herein. One method for assured pipeline threat detection includes receiving a first set of data at a firewall from an unsecured network, moving the first set of data from the firewall to a number of virtual machines, performing a number of threat detection analyses on the first set of data in the number of virtual machines that are organized in a first assured pipeline, and sending the first set of data to a secured target network if no threat was detected. | 03-14-2013 |
20130067559 | INSTANT INTERNET BROWSER BASED VoIP SYSTEM - The present invention is an instant Internet browser based VoIP system with a VoIP client in the form of temporary VoIP applets that can start in a Web browser and can establish an instant peer-to-peer connection with another web-based or hardware embedded/installed VoIP client using session initiation protocol (SIP) and real-time transport protocol (RTP) audio streaming. The applet is a small file that is easily loaded onto a user's browser and uses application program interfaces (APIs) that require no additional libraries. The applet is written in JAVA, although other programming languages may also be used to write the applet. | 03-14-2013 |
20130074173 | Control of Security Application in a LAN from Outside the LAN - A method and a system are disclosed that enable an address at the edge router to be used to establish a multi-pipe virtual private network (MVPN) connecting controllers to multiple web enabled end user devices (EUDs) inside a security protected local area network (LAN). The EUDs connect to a central server (CS) outside the LAN during configuration establishing registration and identity (ID) for each EUD. Once the EUDs establish connection from inside the LAN, the CS is enabled to communicate with the EUDs using the address and ID provided during registration. The CS then acts as a facilitator establishing secure VPN connection between controllers in the cloud and the EUDs inside the LAN. CS further acts as a pass through for those LANs that do not allow direct connections to controllers outside the LAN. The CS continues to monitor the health of the overall system once connectivity is established. | 03-21-2013 |
20130081129 | Outbound Connection Detection and Blocking at a Client Computer - A method of detecting and blocking a malicious SSL connection at a client computer. The method includes identifying, at a network firewall level, an outbound SSL connection being set up at the client computer; detecting an SSL certificate associated with the SSL connection; sending a request to a central server for reputation information on the SSL certificate; at the central server, determining reputation information in dependence upon the SSL certificate; providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection. | 03-28-2013 |
20130081130 | METHODS, APPARATUS, AND ARTICLES OF MANUFACTURE TO PROVIDE FIREWALLS FOR PROCESS CONTROL SYSTEMS - Methods, apparatus, and articles of manufacture to provide firewalls for process control systems are disclosed. An example method includes analyzing a network communication to identify a first service, an address associated with the first service within a secured portion of a network, and a subset of ports used by the first service, the network communication originating from within the secured portion of the network and to be transmitted to a destination outside of the secured portion of the network, and storing an identifier of the first service, the address, and the subset of the ports when the network communication includes the identifier, the address, and the subset of the ports. | 03-28-2013 |
20130111576 | SECURE SERVER ARCHITECTURE FOR WEB BASED DATA MANAGEMENT | 05-02-2013 |
20130111577 | CONNECTION SERVER, COMMUNICATION SYSTEM, AND COMMUNICATION METHOD | 05-02-2013 |
20130139243 | DISTRIBUTED FIREWALLING IN A WIRELESS COMMUNICATION NETWORK - A method and system for distributed collaborative firewalling in a wireless wide area communication network including a plurality of controllers, comprises a binding table that is built by the controller in response to receiving identifiers of wireless clients being served by the controller, where the binding table lists the wireless clients associated with each access port under control of the controller. A processor of the controller is operable to apply stateless firewalling on wireless communication traffic from a wireless client using the binding table, and applying, by each access port, stateful firewalling on the wireless communication traffic from the wireless client. | 05-30-2013 |
20130139244 | ENHANCING NETWORK CONTROLS IN MANDATORY ACCESS CONTROL COMPUTING ENVIRONMENTS - A Mandatory Access Control (MAC) aware firewall includes an extended rule set for MAC attributes, such as a security label or path. Application labels may be used to identify processes and perform firewall rule-checking. The firewall rule set may include conventional firewall rules, such as address checking, in addition to an extension for MAC attributes. | 05-30-2013 |
20130152186 | FILTERING KERNEL-MODE NETWORK COMMUNICATIONS - Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system. | 06-13-2013 |
20130152187 | METHODS AND APPARATUS FOR MANAGING NETWORK TRAFFIC - Methods, apparatus, and computer readable storage media reduce or eliminate network traffic meeting criteria. In some aspects, network traffic transmitted by one or more source nodes to one or more destination nodes may comprise a denial of service attack against the destination node(s). At least a portion of the denial of service attack traffic may be reduced or eliminated with the disclosed methods and apparatus. In one aspect, a method of managing undesirable network traffic transmitted from a source node to a destination node over a communications network includes receiving a notification of a routing rule change, authenticating the notification, determining a network routing rule based on the notification, applying the network routing rule, determining a network path toward the source node, determining an entity based on the network path, and transmitting a notification of the routing rule change to the entity. | 06-13-2013 |
20130160106 | BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - A method of securely controlling through a private network a computer protected by a hardware-based inner access barrier or firewall and optionally configured to operate as a general purpose computer connected to the Internet, comprising: two separate network connections separated by an inner hardware-based access barrier or inner hardware-based firewall protecting a private network connection configured for connection to a private network of computers but not protecting a public network connection configured for connection to a public network configured to include the Internet, the method including the step of controlling at least one operation of the computer, the control being provided through the private network and the operation involving data and/or code transmitted to the public network. Another method includes the step of controlling an operation of a second or third private protected unit of the computer, the control being provided through a second or third private network, respectively. | 06-20-2013 |
20130174245 | METHOD OF SECURELY CONTROLLING A COMPUTER OR MICROCHIP WITH A MASTER OR CENTRAL CONTROLLER CONNECTED BY A SECURE CONTROL BUS TO NETWORKED MICROPROCESSORS OR CORES - A method of securely controlling a computer or microchip through a private network. The computer or microchip includes a secure private unit protected by an inner hardware-based access barrier or firewall; an unprotected public unit including at least one network connection configured to connect to a network; a separate private network connection located in the secure private unit; a microprocessor, core or processing unit configured for general purposes, in the unprotected public unit and separate from the access barrier or firewall; a master or central controlling device located in the secure private unit; and a secure control bus configured to connect the master or central controlling device with the microprocessor, core or processing unit. The secure control bus is isolated from input from both the network and components of the unprotected public unit. The method includes securely controlling an operation executed by the microprocessor, core or processing unit. The secure control is provided by the master or central controlling device through the separate private network to the separate private network connection via the secure control bus. | 07-04-2013 |
20130179963 | COMPUTERS AND MICROCHIPS WITH MULTIPLE INTERNAL HARDWARE FIREWALLS - An apparatus for a network of computers is presented. A plurality of inner firewalls operate within a personal computer. The personal computer operates in a network of computers and includes at least one microprocessor and at least two memory components. The plurality of inner firewalls deny access to a first memory component of the personal computer by another computer through a network connection with the personal computer during a shared operation. The plurality of inner firewalls also allow access to a second memory component of the personal computer by the other computer through the network connection with the personal computer during the shared operation. | 07-11-2013 |
20130185785 | SYSTEM AND METHOD FOR INITIALIZING AND MAINTAINING A SERIES OF VIRTUAL LOCAL AREA NETWORKS CONTAINED IN A CLUSTERED COMPUTER SYSTEM - A system and method for sharing network resources; the system comprising at least one network switch, at least one computing device comprising at least one network connection and at least one storage device containing software capable of initializing and maintaining: (i) a management local area network (MLAN) comprising a virtual or physical firewall; and (ii) a plurality of client virtual local area networks (VLANs), wherein each client VLAN comprises a virtual firewall and a plurality of network resources. | 07-18-2013 |
20130198829 | SYSTEM TO RETRIEVE AND DISTRIBUTE IMAGES IN REAL TIME - An image-data acquisition and display system coupled to a network provides a first specified data to an interactive control server system to be accessed by a user for acquiring a second specified data based on the first specified data, and receives third specified data from the ICSS, includes: identifying information associated with the system; a server for coupling to the network for transmitting the identifying information to the ICSS via the network; and a tunnel client coupled to the network to establish, based on the identifying information, a communications tunnel through a firewall to exchange data with the ICSS via the tunnel, to allow data/commands to be received by and transmitted from the system through the firewall to the ICSS over the network. The firewall allows the third specified data to be received by the system through the tunnel and prevents data/commands from being received by the system. | 08-01-2013 |
20130212668 | Suspension of Processes in Industrial Control System When an Anomaly Occurs - A method for suspension of processes in an industrial control system includes detecting at least one anomaly in an industrial control system; notifying a controller of the at least one anomaly; accessing a database comprising emergency suspend procedures; sending a stream comprising at least one emergency suspend command through at least one firewall/gateway to at least one downstream zone; and terminating or suspending a process in the at least one zone. | 08-15-2013 |
20130227670 | SERVICE AGGREGATION IN A CLOUD SERVICES CENTER - A cloud center infrastructure system may include a service aggregator connected directly to a provider network. The service aggregator may be configured to receive, via the provider network, a data unit from a customer device, associated with a customer; identify a first device, associated with a first traffic processing service, based on a sequence of traffic processing services associated with the customer; and send the data unit to the first device, wherein the first device is located in a cloud services center, and wherein the first device is connected to the service aggregator over a Layer 2 connection. | 08-29-2013 |
20130227671 | SECURE IN-BAND SIGNALING METHOD FOR MOBILITY MANAGEMENT CROSSING FIREWALLS - An in-band signaling method that enables secure updates of a care-of-IP address for a mobile host that roams between access networks. In the illustrative embodiment described herein, a mobile host includes an intelligent interface that handles IP networking functions and tunnels IP packets between the mobile host and the mobile host's home agent/remote access server (HA/RAS) transparently, as if the mobile host established a connection to a communicating or destination host (DST) from the home network (where the HA/RAS resides). In accordance with an aspect of the invention, there is provided an in-band signaling method that employs encrypted three-way handshake signaling messages that are embedded in encapsulated IP packets to enable care-of IP address updates. This method can effectively protect mobile hosts from denial-of-service attacks and is transparent to NAT/NAPT firewalls. The signaling messages are communicated between the home agent and the mobile host, in a manner transparent to any NAT/NAPT firewall in the network. | 08-29-2013 |
20130232564 | Method of using a secure private network to actively configure the hardware of a computer or microchip - A method for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit or units having connection to the public Internet and one or more of the private units have a connection to one or more non-Internet-connected private networks for private network control of the configuration of the computer or microchip using active hardware configuration, including field programmable gate arrays (FPGA). The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch. | 09-05-2013 |
20130247167 | SYSTEM, METHOD, AND COMPUTER PROGRAM FOR PREVENTING INFECTIONS FROM SPREADING IN A NETWORK ENVIRONMENT USING DYNAMIC APPLICATION OF A FIREWALL POLICY - A method for containing a threat in a network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node. | 09-19-2013 |
20130254868 | SYSTEM AND METHOD FOR MULTIMEDIA MULTI-PARTY PEERING (M2P2) - Embodiments of the present invention pertain to systems and methods for implementing a platform to support multimedia services peering with multiple independent competing parties, such as carriers or service providers. More particularly, certain embodiments of the invention pertain to deployment of the same physical platform or device by using soft- and hard-virtual separation of resources. Each party is allowed to retain full control over its logical resources space, even when a party is not using any of its resources. However, the multimedia multi-party peering provider maintains complete overview of the utilization of resources by each party via an active monitoring and enforcing method. | 09-26-2013 |
20130254869 | Electronic Device For Communication In A Data Network Including A Protective Circuit For Identifying Unwanted Data - An electronic device for communication in a data network including a communication circuit adapted for performing the network communication, which communication includes controlling a plurality of network layers, the layers including a physical layer, a link layer and at least one higher order layer, the communication circuit includes a protective circuit for identifying unwanted data. The electronic device is characterised in that the protective circuit is arranged to monitor data during transmission of data from the electronic device, and identify unwanted data, and the communication circuit is adapted to avoid transmission of the unwanted data identified by the protective circuit. In this way the network is protected against excessive traffic, for example during a Denial of Service attack. | 09-26-2013 |
20130254870 | Detecting and Thwarting Browser-Based Network Intrusion Attacks By a Virtual Machine Monitoring System, Apparatus, and Method - Detecting and thwarting attacks for intellectual property misappropriation is provided by directing retrieval of resources using uniform resource identifiers to a browser operating within a virtual machine whose IP address is within a range external to a trusted network sub-circuit. Such a virtual machine is constrained by a monitor application which terminates the virtual machine if characteristics of browser-based intrusion or network attack are observed within the virtual machine. | 09-26-2013 |
20130263243 | AGENT DEVICE, IMAGE-FORMING-DEVICE MANAGEMENT SYSTEM, IMAGE-FORMING-DEVICE MANAGEMENT METHOD, IMAGE-FORMING-DEVICE MANAGEMENT PROGRAM, AND STORAGE MEDIUM - An agent device is connected with one or more image-forming devices in a local network having a firewall provided therein. A management device carries out remote management of the image-forming devices in the local network through the Internet. The agent device includes a command receiving unit which starts connection with the management device and receives a management command from the management device via the firewall, the command being sent by the management device in response to the connection. An image-forming-device communication unit receives device-state information of a corresponding one of the image-forming devices according to the management command. A command response transmitting unit transmits the device-state information to the management device through the Internet. | 10-03-2013 |
20130263244 | REVERSE FIREWALL WITH SELF-PROVISIONING - An application provisioning device may be used to manage a profile of a host and provide data corresponding to a selected application for installation at a host. A reverse firewall may use the profile of the host to determine whether to allow or block particular network communication from an application running on the host. An indication of a selected application may be received at the application provisioning device. Configuration information may also be received at the application provisioning device. The application provisioning server may request an update to the profile of a host and transmit such a request. The profile may be updated to reflect the configuration information and/or information of the selected application. Data corresponding to the selected application may be updated and transmitted to a host computer, where it may be installed. Therefore, the installed application running on the host may operate without being prematurely blocked by the reverse firewall. | 10-03-2013 |
20130276090 | CLOUD-BASED WAN MANAGEMENT - A method, performed by a network device, may include generating a virtual Layer 3 device for a customer's network. The method may further include establishing a Layer 2 connection between the customer's network and the generated virtual Layer 3 device; establishing a Layer 3 connection between the generated virtual Layer 3 device and a Layer 3 network; and configuring the generated virtual Layer 3 device to function as an edge router for the customer's network. | 10-17-2013 |
20130276091 | METHOD AND APPARATUS TO TUNNEL MESSAGES TO STORAGE DEVICES BY OVERLOADING READ/WRITE COMMANDS - Embodiments of systems, apparatuses, and methods for securely transferring data between a storage system and an agent are described. In some embodiments, a system establishes a tunnel between the storage system and the agent. The system further securely transfers the data between the storage system and the agent using the tunnel. In one embodiment, the tunnel uses an action and results mailbox to transfer the data. In another embodiment, the tunnel is based on a trusted send facility. | 10-17-2013 |
20130291087 | SYSTEMS AND METHODS FOR INTEGRATING CLOUD SERVICES WITH INFORMATION MANAGEMENT SYSTEMS - A system includes an enterprise network including an internal management system communicatively coupled thereon, the enterprise network includes security and the internal management system is disposed behind the security; a cloud system external to the enterprise network and communicatively coupled to the enterprise network, at least one user associated with the enterprise network is configured to communicate through the cloud system for cloud-based services, and the cloud system is configured to log data associated with the at least one user for the cloud-based services; and an external service bridge located in the enterprise network behind the security, the external service bridge is configured to securely communicate with the cloud system to receive the log data and to communicate with the internal management system to provide the log data thereto. | 10-31-2013 |
20130291088 | COOPERATIVE NETWORK SECURITY INSPECTION - A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. The packet is routed to the destination node without forwarding the packet to the security device. | 10-31-2013 |
20130298218 | METHOD FOR SECURE SINGLE-PACKET AUTHORIZATION WITHIN CLOUD COMPUTING NETWORKS - A method for secure single-packet authorization and secure transparent access to software services residing on cloud-based servers other than the host system where the SPA server itself is running. A single packet authorization (SPA) server running on a host system passively monitors a network for a valid SPA packet while maintaining a default deny stance on a gateway packet filter. The SPA server stores the MD5 sum of every valid SPA packet that it monitors and flags any duplicate access attempts. This way, if any SPA packet has the same MD5 hash as a previously monitored packet the SPA server treats the packet as malicious. After a valid SPA packet is sent, the SPA host server provides a Network Address Translation (NAT) which essentially creates an “SPA gateway” within a Cloud network independent of any other border gateway devices that already exist within the Cloud. The client system may then request access via the SPA gateway to services that are on other Cloud systems besides the one where the SPA server is running. | 11-07-2013 |
20130305340 | INTEGRITY MONITORING TO DETECT CHANGES AT NETWORK DEVICE FOR USE IN SECURE NETWORK ACCESS - In one embodiment, a method includes initiating integrity monitoring at a network device, continuously monitoring the network device to detect changes at the network device over a period of time, and transmitting information collected during said integrity monitoring to a security device for use in determining if the network device is allowed access to a trusted network. An apparatus and logic are also disclosed. | 11-14-2013 |
20130305341 | AUTOMATICALLY CONFIGURING COMPUTER NETWORK AT HOSPITALITY ESTABLISHMENT WITH RESERVATION-SPECIFIC SETTINGS - A system includes a storage device for storing details of a plurality of reservations of a hospitality establishment. A particular reservation includes a registered device setting for affecting behavior of a computer network at the hospitality establishment toward a user device having a specified device identifier. The system further includes a clock unit for tracking time, and a system controller coupled to the computer network and having access to the storage device and the clock unit. The system controller automatically configures one or more network components of the computer network when a start time of the particular reservation is reached in order to activate the registered device setting, and automatically configures the one or more network components when an end time of the particular reservation is reached in order to deactivate the registered device setting. | 11-14-2013 |
20130305342 | HARDWARE ENFORCED OUTPUT SECURITY SETTINGS - Generally, aspects of this disclosure are directed to copy protection techniques. Areas in memory may be secured to establish a secure memory area in the memory that is not accessible by unauthorized clients. A request to decode video content stored in the secure memory area may be received. If the video content to be decoded is stored in the secure memory area, a first MMU associated with the hardware decoder may enforce a rule that the video content is to be decoded into one or more output buffers in the secure memory area. A request to display the decoded video content stored in the secure memory area may be received. If the decoded video content is stored in the secure memory area, a second MMU associated with a hardware display processor may enforce a rule that a secure link be established between the hardware display processor and an output device. | 11-14-2013 |
20130305343 | COMPUTERIZED SYSTEM AND METHOD FOR HANDLING NETWORK TRAFFIC - Methods and systems for processing network content associated with multiple virtual domains are provided. According to one embodiment, a service daemon process is instantiated within a firewall to handle content processing of network traffic of virtual domains by aggregating communication channels associated with the virtual domains and by applying an appropriate content processing policy for the corresponding virtual domain. A connection request is received by the firewall from a virtual domain. A child process is forked by the service daemon process to handle network traffic associated with the virtual domain. A communication channel is established between a kernel of the firewall and the service daemon process to transfer a portion of the network traffic between the service daemon process and the kernel. The child process is configured to perform content processing of the network traffic in accordance with a content processing policy associated with the virtual domain. | 11-14-2013 |
20130333018 | Portable Security Device and Methods for Secure Communication - Disclosed are a portable personal security device and methods for secure communication. In one example, the personal security device may wirelessly connect to a user device and collect information about the user device. The personal security device may then assess security characteristics of the user device based on the collected information. When the user device is determined to be unsecure, the personal security device may instruct the user to use a secure internet application of the personal security device instead of an unsecure internet application of the user device. In addition, the personal security device may instruct the user to use a secure data input device of the personal security device instead of an unsecure data input device of the user device. The personal security device then receives, via the secure data input device, user input data for the secure internet application and transmits it to the user device. | 12-12-2013 |
20130333019 | INTEGRATED SECURITY SWITCH - An integrated security switch and related method for managing connectivity and security among networks. The integrated security switch includes a security function connectable with a first network and at least one switching function connectable with a second network. A common management interface driven by both command line interface and graphic user interface protocols manages the switching function via a management path dedicated between the security function and the switching function. The common management interface enables secure switching of traffic to flow via a traffic path dedicated between the switching function and the security function. Typically, the traffic is a flow of data between the Internet and a group of networked users such as a wide area network. | 12-12-2013 |
20130347094 | IN-LINE FILTERING OF INSECURE OR UNWANTED MOBILE DEVICE SOFTWARE COMPONENTS OR COMMUNICATIONS - Techniques for in-line filtering of insecure or unwanted mobile components or communications (e.g., insecure or unwanted behaviors associated with applications for mobile devices (“apps”), updates for apps, communications to/from apps, operating system components/updates for mobile devices, etc.) for mobile devices are disclosed. In some embodiments, in-line filtering of apps for mobile devices includes intercepting a request for downloading an application to a mobile device; and modifying a response to the request for downloading the application to the mobile device. In some embodiments, the response includes a notification that the application cannot be downloaded due to an application risk policy violation. | 12-26-2013 |
20140013411 | SURGICALLY IMPLANTABLE DEVICES WITH A COMPUTER, A FARADAY CAGE AND AT LEAST ONE INTERNAL FLEXIBILITY SIPE - A surgically implantable device comprising at least a part of an electronic and/or electromechanical device, at least one outer chamber, compartment, or bladder, at least one inner chamber, compartment, or bladder inside said outer chamber, compartment, or bladder, at least one internal sipe separating at least a part of said outer chamber, compartment, or bladder and at least a part of said inner chamber, compartment, or bladder, at least one Faraday cage; and a computer configured to connect to at least one network of computers, said computer comprising at least a first internal hardware firewall configured to deny access to at least a first protected portion of said computer from said network. At least a portion of an outer surface of said outer chamber, compartment, or bladder is proximate to an outer surface of said surgically implantable device. | 01-09-2014 |
20140013412 | PROVIDING TELEPHONY SERVICES TO TERMINALS BEHIND A FIREWALL AND/OR A NETWORK ADDRESS TRANSLATOR - A method and apparatus for allowing telephony or other types of media communications and services to be provided for a device ( | 01-09-2014 |
20140020083 | Customizable Storage Controller With Integrated F+ Storage Firewall Protection - A Customizable Storage Controller (CSC) is a software-defined storage device controller, a replacement for the ASIC storage controller approach that has been used up to now. The differences from the current storage controllers are that the CSC software will need to be protected from unauthorized modification and provides an excellent place to add additional storage management functionality. The CSC type of storage controller is a good place to integrate the F+ Storage Firewall storage protection technology, fitting the needs of the CSC as well as protecting stored data from unauthorized access. This portion of the larger patent disclosure provides the design of a CSC both with a software version of an F+ Storage Firewall, as well as an improved (more secure) CSC designed with a security co-processor and locked firmware. These designs can be implemented with standard parts such as microprocessors and/or FPGAs (Field Programmable Gate Arrays), RAM (Random Access Memory), and some version of nonvolatile memory as a program store. | 01-16-2014 |
20140041012 | SYSTEM FOR THE MANAGEMENT OF ACCESS POINTS - A network management system for the management of remote networks located behind a firewall. A managed device establishes a connection with the firewall. The managed device then generates and transmits a data packet to the firewall. The firewall then redirects the data packet to a controller server. Based on the information contained in the data packet, the controller server will verify the authenticity of the managed device. Based on the outcome of the verification process, the controller server will then carry out the necessary actions. | 02-06-2014 |
20140068747 | Automatic Completeness Checks of Network Device Infrastructure Configurations During Enterprise Information Technology Transformation - Techniques for automatically determining configuration completeness during information technology (IT) transformation from a pre-transformation source environment to a post-transformation target environment. A method includes obtaining a record of each of multiple data flows in a source environment, transforming each data flow in the source environment to a transformed data flow that corresponds to a target environment, and automatically determining that each of the transformed data flows is covered by a firewall configuration of one or more interfaces in the target environment. | 03-06-2014 |
20140068748 | DIAMETER FIREWALL USING RECEPTION IP ADDRESS OR PEER IDENTITY - Various exemplary embodiments relate to a method performed by a DIAMETER network node, the method including: receiving a first DIAMETER message; determining that the first DIAMETER message is not trusted; and rejecting the first DIAMETER message. | 03-06-2014 |
20140075533 | ACCESSING RESOURCES THROUGH A FIREWALL - Systems, methods, and computer-readable storage media for providing access to a firewalled resource are provided. A system includes a controller configured to be positioned outside of the firewall and configured to communicate with the client device and a mediator configured to communicate with the controller via a communications network. The mediator is configured to communicate with the resource and is configured to be positioned behind the firewall such that communications between the mediator and the resource do not traverse the firewall and communications between the mediator and the controller traverse the firewall. The mediator is configured to open a bidirectional connection between the mediator and the controller through which communications between the client device and protected resource may be transmitted. Requests forwarded by the mediator to the resource may be formatted in a manner such that they appear to the resource to be received from the client device. | 03-13-2014 |
20140096225 | MESSAGING SYSTEM FOR HEALTHCARE COMMUNITY - A messaging system for a health care community includes a private network. Electronic medical records are accessible via the private network. A calendar system includes appointments of patients with medical providers. An encrypted firewall and subscriber directory limits access to the private network so that only subscribers to the private network have access to the private network. Subscribers are identified by mobile phone numbers or extensions. | 04-03-2014 |
20140096226 | SECURE COMPUTER ARCHITECTURES, SYSTEMS, AND APPLICATIONS - Secure computer architectures, systems, and applications are provided herein. An exemplary computing system may include a trusted environment having a trusted processor and memory that provides a trusted computing environment that performs computing functions that could expose the computing device to a security risk, and a legacy environment having a secondary processor and memory for providing a legacy computing environment that manages computing functions exposed to unsecure environments. | 04-03-2014 |
20140096227 | Extensible Framework for Communicating over a Firewall with a Software Application Regarding a User Account - An on-premise software application (“OPA”) is communicated with according to an action received from outside a firewall. The action concerns user account information maintained by the OPA. The OPA is installed on a device located inside the firewall. The action is received from a management server located outside the firewall. The action includes a portion that adheres to a standardized format. An OPA interface request is generated based on the action. The OPA interface request includes the standardized portion. The OPA interface request is sent to an agent/OPA interface. | 04-03-2014 |
20140115686 | Method for Managing Connections in Firewalls - The disclosure relates to a method for managing connections in a firewall. The method includes receiving packets from an external network; generating a connection table; determining the total number of currently established connections; determining a level of firewall load by comparing the number of established connections with a threshold; identifying new and established connections based on two-way exchange of packets between a client and server; identifying closed connections based on processing ICMP error messages or flags in a TCP header; and dynamically determining current timeout values for connections from the network protocol type, the connection state, and the firewall load level. The method also includes modifying the last packet processing timestamp if any packet is passed within a given connection or a group of connections; and removing the connection if the last packet processing timestamp differs from the current time by a value greater than the timeout of said connection. | 04-24-2014 |
20140137228 | Web application vulnerability scanning - Present example embodiments relate generally to scanning websites, wherein the devices, methods, and logic for the scanning comprises receiving interaction information between a user computing device and a web application of the website; dynamically determining an action to be performed to the web application that approximately simulates the user computing device interacting with the web application, wherein the action is dynamically determined based on the received interaction information; establishing a browsing session with the website; discovering the web application within the website; and identifying a vulnerability of the web application by interacting with the web application using the action. | 05-15-2014 |
20140137229 | PROVIDING NOTIFICATION OF SPAM AVATARS - Provided are approaches for monitoring activities, movements, and other behavior patterns necessary to determine whether an avatar is a spam advertisement. A storing mechanism stores a “black list” and a black list score consisting of a list of spam avatar identifications (UUIDs) matching avatars that have been flagged as confirmed or suspected spam advertisers. Another mechanism allows the owner to redraw or otherwise re-render a distinguishing mark when an avatar has been detected as being a spam advertiser. Yet another mechanism signals to the owner of an offending avatar that they have been added to the black list or had a report filed against them. Another mechanism allows for a black listed avatar to be removed from the black list, and scores to be decreased and for the virtual universe and users to utilize the black list and score. | 05-15-2014 |
20140143849 | Secure Master and Secure Guest Endpoint Security Firewall - This invention is a security firewall having a security hierarchy including: secure master (SM); secure guest (SG); and non-secure (NS). There is one secure master and n secure guests. The firewall includes one secure region for the secure master and one secure region for secure guests. The SM region only allows access from the secure master and the SG region allows accesses from any secure transaction. Finally, the non-secure region can be implemented two ways. In a first option, non-secure regions may be accessed only upon non-secure transactions. In a second option, non-secure regions may be accessed by any processing core. In this second option, the access is downgraded to a non-secure access if the security identity is secure master or secure guest. If the two security levels are not needed, the secure master can unlock the SM region to allow any secure guest access to the SM region. | 05-22-2014 |
20140150081 | SYSTEMS AND METHODS FOR ELIMINATING REDUNDANT SECURITY ANALYSES ON NETWORK DATA PACKETS - A computer-implemented method for eliminating redundant security analyses on network data packets may include (1) intercepting, at a networking device, at least one network data packet destined for a target computing device, (2) identifying a security system installed on the target computing device, (3) determining that the security system installed on the target computing device does not satisfy a predefined security standard, and then (4) performing a security analysis that satisfies the predefined security standard on the network data packet at the networking device based at least in part on determining that the security system installed on the target computing device does not satisfy the predefined security standard. Various other methods, systems, and computer-readable media are also disclosed. | 05-29-2014 |
20140165181 | NETWORK APPARATUS AND OPERATING METHOD THEREOF - Disclosed are a network apparatus and an operating method thereof. The network apparatus includes: a security authentication module that executes security authentication against a distributed denial of service (DDoS) attack when a predetermined packet requests access to a particular service server to which the security authentication is applied, at the time of inputting the predetermined packet; and a communication module that transmits the predetermined packet security-authenticated by the security authentication module through a transmission route of the particular service server, so as to easily defend against the DDoS attack by using a pseudo state of a service procedure. | 06-12-2014 |
20140173712 | NETWORK SECURITY SYSTEM WITH CUSTOMIZABLE RULE-BASED ANALYTICS ENGINE FOR IDENTIFYING APPLICATION LAYER VIOLATIONS - Methods, devices, and storage media storing instructions to obtain logs from a security device and one or multiple service-providing devices, wherein the logs include information pertaining to traffic flow activity at an application layer associated with a service; store rules that identify behavior ranging from unintentional through intentional for one or multiple communication layers including an application layer; interpret the logs based on the rules; determine whether a violation exists based on the interpreting; and generate a notification that indicates the violation exists in response to a determination that the violation exists. | 06-19-2014 |
20140181949 | METHODS AND SYSTEMS FOR A POWER FIREWALL - The present invention provides methods of and systems to create an infrastructure firewall for devices such as power systems that support personnel and systems. In accordance with an embodiment of the present invention, a system includes at least one infrastructure device, at least one data-gathering client, at least one server and at least one end-user client. The infrastructure device is secured by the data-gathering client having no ability to communicate with any device to which it does not initiate the communication. The data-gathering client makes use of a private network between itself and one or more infrastructure devices, on which no one may interrupt the communications. The data-gathering client then securely pushes data received with respect to the cyber security, physical security and operating parameters of the infrastructure devices. If an alert exists with an infrastructure device, upon receiving information from the data-gathering client, the server opens a push-communications connection between itself and, ultimately, the end-user client. The end-user client displays data received from the server, wherein the displayed data is derived from the data generated with respect to a task performed by the monitored device. | 06-26-2014 |
20140208412 | FIREWALL EVENT REDUCTION FOR RULE USE COUNTING - An illustrative embodiment of a method for firewall rule use counting receives log messages comprising one or more log data sets from each firewall rule in a particular network whose counts are to be tracked in a log collector, generates a network trie for each reference database in a set of databases and a device source trie and a device destination trie for each firewall device in a plurality of devices of the particular network, a source port and protocol list and a destination port and protocol list for each respective device, a unique object for each log data set received; a mapping database comprising an entry for each log data set received associated with the unique object; and feeds each entry in the mapping database through a topology model to also generate a reference to a unique firewall rule on a respective device in the plurality of devices. A count associated with the unique firewall rule is incremented using a count of logs stored associated with the respective unique object and a report is generated. | 07-24-2014 |
20140223536 | INFORMATION PROCESSING SYSTEM - An information processing system includes multiple network segments to which one or more information processors are connectable. The network segments include a first network segment to which at least one first information processor configured to store predetermined information is connected, a second network segment to which at least one second information processor is connected, and a third network segment to which at least one third information processor is connected. The second network segment includes multiple predefined application programming interfaces (APIs), and the at least one second information processor executes a process corresponding to a called one of the APIs using the predetermined information stored in the at least one first information processor. In response to receiving a request from outside the information processing system, the at least one third information processor controls a process corresponding to the request by calling one of the APIs which corresponds to the request. | 08-07-2014 |
20140237583 | Systems and Methods for A Self-Defending Wireless Computer Network - In one embodiment, the methods and apparatuses assign a routing address to a wireless computer that is in a different logical network from the routing addresses of other wireless computers within the same physical wireless network, and prevent a wireless computer from learning the routing address of another wireless computer within the same physical wireless network. | 08-21-2014 |
20140245421 | IP REFLECTION - IP reflection comprising double static NAT (network address translation) is disclosed. In some embodiments, a packet having a public IP address is received at a protecting network. The public IP address of the packet is translated to a corresponding protected IP address associated with a protected network, and the packet is forwarded to the protected network for servicing. The protected IP address of a response to the packet from the protected network is translated back to the public IP address at the protected network before sending. | 08-28-2014 |
20140245422 | SYSTEM AND METHOD FOR NETWORK VIRTUALIZATION AND SECURITY USING COMPUTER SYSTEMS AND SOFTWARE - Methods and systems are provided for network security. In one embodiment, the method involves receiving a data packet (e.g., from a firewall). The method also involves running an inspection of the received data packet within a virtual network, the virtual network duplicating at least a portion (e.g., servers(s) and/or application(s)) of a protected network. The method further involves sending the inspected data packet, or portion and/or modified version thereof, to the protected network, in response to the data packet passing the inspection within the virtual network. The method also involves blocking passage of the data packet to the protected network, in response to the data packet failing the inspection. | 08-28-2014 |
20140250519 | CLOUD COMPUTING METHOD AND SYSTEM - Methods and systems integrating sensitive or private data with cloud computing resources while mitigating security, privacy and confidentiality risks associated with cloud computing. In one embodiment, a computer network system includes a firewall separating a public portion of the computer network from an on-premises portion of the computer network, a database storing private data behind the firewall, and a user device connected with the computer network. The user device accesses an application hosted in the public portion of the computer network. In response, the application generates return information. The user device receives the return information and generates a request for private data based on at least a portion of the returned information. The request is transmitted to the database which generates a response including the requested private data. The response is transmitted in an encrypted form from the database via the computer network to the user device. | 09-04-2014 |
20140259140 | USING LEARNED FLOW REPUTATION AS A HEURISTIC TO CONTROL DEEP PACKET INSPECTION UNDER LOAD - A network appliance can adjust the amount of deep packet inspection performed by the network appliance as a function of load. In one example, the network appliance can be configured to utilize load (e.g., of its internal processors) and reputation of data flows to determine when selected trusted flows can bypass inspection performed using deep packet analysis. Reputation of data flows can be determined based on historical information regarding a particular flow in combination with a reputation service determining reputation scores based on properties of the data flow (e.g., source, type of data in flow, destination, Internet Protocol domains, etc.). In general, when the network appliance is under heavy load, the more trusted flows are allowed to pass through without in-depth inspection. | 09-11-2014 |
20140259141 | SYSTEMS AND METHODS FOR DETECTING UNDESIRABLE NETWORK TRAFFIC CONTENT - A method of detecting a content desired to be detected includes receiving electronic data at a first host, determining a checksum value using the received electronic data, sending the checksum value to a processing station, the processing station being a second host that is different from the first host, and receiving a result from the processing station, the result indicating whether the electronic data is associated with a content desired to be detected. A method of detecting a content desired to be detected includes receiving electronic data at a receiving station, and determining whether the received electronic data is associated with a content desired to be detected, wherein the receiving station does not include content detection data for identifying the content desired to be detected. | 09-11-2014 |
20140259142 | SYSTEMS AND METHODS FOR DETECTING UNDESIRABLE NETWORK TRAFFIC CONTENT - A method of detecting a content desired to be detected includes receiving electronic data at a first host, determining a checksum value using the received electronic data, sending the checksum value to a processing station, the processing station being a second host that is different from the first host, and receiving a result from the processing station, the result indicating whether the electronic data is associated with a content desired to be detected. A method of detecting a content desired to be detected includes receiving electronic data at a receiving station, and determining whether the received electronic data is associated with a content desired to be detected, wherein the receiving station does not include content detection data for identifying the content desired to be detected. | 09-11-2014 |
20140259143 | COMMUNICATION SYSTEM FOR A MOTOR VEHICLE - A communication system for a motor vehicle comprises a telemetry terminal with a plurality of interfaces, a motor vehicle control device terminal, a bus by means of which the telemetry terminal and the motor vehicle control device terminal are communicating with each other, and a firewall which monitors the communication between the telemetry terminal and the motor vehicle control device terminal. | 09-11-2014 |
20140282998 | METHOD OF USING A SECURE PRIVATE NETWORK TO ACTIVELY CONFIGURE THE HARDWARE OF A COMPUTER OR MICROCHIP - A microchip comprising one or more buffer zones each excluding integrated circuitry; two or more zones each including integrated circuitry; and the one or more buffer zones forming one or more boundaries separating the zones with integrated circuitry. The zones can include a public unit connected to the Internet and at least one protected private unit that is not connected to the Internet. Alternatively, a computer motherboard comprising one or more buffer zones each excluding circuitry; two or more zones each including circuitry; the one or more buffer zones forming one or more boundaries separating the zones with circuitry; and the zones include a public unit connected to the Internet and at least one private unit that is not connected to the Internet. | 09-18-2014 |
20140304798 | SYSTEMS AND METHODS FOR HTTP-BODY DOS ATTACK PREVENTION WITH ADAPTIVE TIMEOUT - The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold. | 10-09-2014 |
20140304799 | System and method for operating a safety-critical device over a non-secure communication network - In a system and method for operating, at a near location, a remote safety-critical device, the system includes a first operating input device operated at the near location, providing a first barrier control signal; and a second operating input device to be operated at the near location, providing a second barrier control signal. The first barrier control signal is communicatively connected to a near end of a first secure communication tunnel, and the second barrier control signal is communicatively connected to a near end of a second secure communication tunnel, both through the non-secure communication network. Far ends of the first and second secure communication tunnels are communicatively connected to activating inputs of first and second barrier circuits, respectively. The first and second barrier circuits enable operation of the safety-critical device when both are activated. | 10-09-2014 |
20140304800 | METHODS AND APPARATUS FOR AGENT-BASED MALWARE MANAGEMENT - Methods and apparatus for providing protection against malware are disclosed. An exemplary method includes executing an agent program on a remote computer connected to a network, the agent program being configured to communicate with a base computer via the network, the agent program including a firewall arranged to block communications between the remote computer and entities on the network in accordance with predetermined rules; and configuring the firewall in accordance with rules received from the base computer. | 10-09-2014 |
20140304801 | USE OF DATA LINKS FOR AERONAUTICAL PURPOSES WITHOUT COMPROMISING SAFETY AND SECURITY - A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall. | 10-09-2014 |
20140317717 | FIREWALL SETTINGS CONTROLLING METHOD - A management server includes a control module. The management server electronically connects with one or more firewalls, and each firewall connects one or more VMs which are installed in the same or different hosts. The control module sends a firewall setting command to a firewall agent module of each firewall, and controls the firewall agent module to set parameters of the firewall according to the firewall setting command. Furthermore, the control module sends a VM control command to a host agent module of each host, and controls the host agent module to perform one or more operations on one or more VMs in the host. | 10-23-2014 |
20140317718 | IPS Detection Processing Method, Network Security Device, and System - An IPS detection processing method, a network security device and a system are disclosed. The method includes: determining, by a network security device, whether an internal network device is a client or a server; if the internal network device is the client, simplifying an IPS signature rule base to obtain an IPS signature rule base corresponding to the client, or if the internal network device is the server, simplifying the IPS signature rule base to obtain an IPS signature rule base corresponding to the server; generating a state machine according to a signature rule in the IPS signature rule base obtained through simplifying processing; and performing IPS detection on flowing-through traffic by applying the state machine. In embodiments of the present invention, the network security device performs IPS detection by adopting the state machine with a redundant state removed, thereby improving IPS detection efficiency. | 10-23-2014 |
20140325633 | COMPUTER OR MICROCHIP WITH ITS SYSTEM BIOS PROTECTED BY ONE OR MORE INTERNAL HARDWARE FIREWALLS - A computer or microchip, comprising at least one protected portion, at least one network portion, a system BIOS located in a first protected portion, and at least one internal hardware firewall located between the first protected portion and a first said network portion. The first protected portion is protected by at least a first internal hardware firewall, and said first network portion has a connection for a network of computers including the World Wide Web and/or the Internet; the first internal hardware firewall denies access to at least said first protected portion of said computer or microchip from the network. The computer or microchip also includes hardware network communications components located in the first network portion and one or more microprocessors that are not hardware network communications components, located in the first network portion and separate from the at least one internal hardware firewall. The location of at least the first internal hardware firewall permits unrestricted access by the network to the first network portion so that processing operations other than network communications and firewall operations conducted by said computer or microchip with the network are executed by one or more of said microprocessors in said first network portion. | 10-30-2014 |
20140331304 | METHOD AND SYSTEM FOR MITIGATION OF DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS - A system and method for mitigating the effects of malicious internet traffic, including DDOS attacks, by utilizing a DNS Traffic Analyzer and Firewall to analyze network traffic intended for a DNS server and preventing some network traffic from accessing the DNS server. | 11-06-2014 |
20140331305 | A COMPUTER OR MICROCHIP WITH A SECURE SYSTEM BIOS AND A SECURE CONTROL BUS CONNECTING A CENTRAL CONTROLLER TO MANY NETWORK-CONNECTED MICROPROCESSORS AND VOLATILE RAM - A computer or microchip including a system BIOS located in flash memory which is located in a portion of the computer or microchip protected by an inner hardware-based access barrier or firewall, a central controller of the computer or microchip having a connection by a secure control bus with other parts of the computer or microchip, and a volatile random access memory located in a portion of the computer or microchip that has a connection for a network. The secure control bus is isolated from input from the network, and provides and ensures direct preemptive control by the central controller over the volatile random access memory, the control including transmission to or erasure of data and/or code in the volatile random access memory and control of a connection between the central controller, the volatile random access memory and at least one microprocessor having a connection for the network. | 11-06-2014 |
20140331306 | Anti-Virus Method and Apparatus and Firewall Device - An anti-virus method which includes receiving, by a first thread, data packets belonging to the same data stream, and sequentially buffering payload data of data packets bearing file content among the received data packets into a first queue, reading, by a second thread, payload data of at least one data packet from a start position of the first queue, and determining whether payload data in the first queue is file content of a compressed file. If yes, identifying a compressed format of the compressed file, querying a decompression algorithm from a mapping between a compressed format and a decompression algorithm, by using the queried decompression algorithm, reading payload data of data packets one by one from the first queue, and performing decompression processing separately on payload data that is read each time, and performing anti-virus detection separately on file content that is obtained. | 11-06-2014 |
20140331307 | METHOD OF USING A SECURE PRIVATE NETWORK TO ACTIVELY CONFIGURE THE HARDWARE OF A COMPUTER OR MICROCHIP - A computer or microchip including a network connection for connection to a public network of computers including the Internet, the network connection being located in a public unit; and an additional and separate network connection for connection to a separate, private network of computers, the additional network connection being located in a protected private unit. An inner hardware-based access barrier or firewall is located between and communicatively connects the protected private unit and the public unit; and the private and public units and the two separate network connections are separated by the inner barrier or firewall. The protected private unit includes at least a first microprocessor and a system BIOS located in flash memory. The public unit includes at least a second or many microprocessors separate from the inner barrier or firewall. The inner barrier or firewall comprises a bus with an on/off switch controlling communication input and output. | 11-06-2014 |
20140344912 | FIREWALL BASED BOTNET DETECTION - A computer detects malicious intrusions (or bots) into a computer. The computer receives firewall log data that includes communication records containing the source and destination of the communication, as well as the time of the communication. The source or destination of the communication may be on a list of suspicious servers known to contain malicious software. The computer identifies a sequence of communications between a common source address and a common destination address. The computer further identifies substantially fixed intervals between the communications, and generates an alert indicating a suspected bot intrusion. The computer also identifies, from the sequence of communications, patterns in the communication intervals, similarly generating an alert indicating a suspected bot intrusion. | 11-20-2014 |
20140344913 | DEVICE, SOFTWARE MODULE, SYSTEM OR BUSINESS METHOD FOR GLOBAL REAL-TIME - A telecommunication device for real-time communication at a border between a global transport network and a private domain of a communication network may include a proxy for a communication protocol, means for traffic using real-time communication protocols to traverse a firewall, means for real-time traffic initiated by the communication protocol to traverse a firewall, means for measuring and collecting value information about the real-time traffic over the global transport network, means for creating mutual trust between the telecommunication device and a second device with which it communicates; and means for authorizing usage of a feature for a mutually trusted communication participant. | 11-20-2014 |
20140344914 | AUTHENTICATION OF REMOTE HOST VIA CLOSED PORTS - A method, system and apparatus for authenticating a communication request sent from a client computing device. The communication request is initially blocked by a firewall preventing delivery to a server. A first logging event corresponding to the communication request is created. The communication request and the logging event are stored in a firewall. The server is notified of the first logging event. The communication request corresponding to the first logging event is authenticated. A port in the firewall is enabled if the communication request is authenticated. | 11-20-2014 |
20140351917 | PROVISIONING NETWORK ACCESS THROUGH A FIREWALL - A method may include determining one or more rules and communicating the one or more rules to a firewall, where the firewall receives a data unit and determines, based on the one or more rules, whether to forward the data unit to a destination address; receiving a redirection of a device from the firewall when the firewall determines not to forward the data unit to the destination address; receiving an indication that the firewall did not forward the data unit to the destination address; and determining a new rule to allow the firewall to forward the data unit to the destination address and communicating the new rule to the firewall; and redirecting the device to the destination address. | 11-27-2014 |
20140359749 | SYSTEMS AND METHODS FOR DYNAMIC NETWORK SECURITY CONTROL AND CONFIGURATION - A computer-implemented method according to one embodiment of the present disclosure includes identifying, by a computer system, an asset associated with a logical zone; detecting a change in an attribute of the asset; and in response to detecting the change in the attribute of the asset, modifying, by the computer system, a configuration setting for a firewall. Among other things, the embodiments of the present disclosure can dynamically configure and control security features in response to changes in the computing environment, including asset attribute changes, security events, operational events, user input and environmental changes. Embodiments of the present disclosure thereby help to quickly maintain or change the security posture of a system and maintain the level of compliance with a set of predefined security benchmarks or codified best practices. | 12-04-2014 |
20140366117 | METHOD AND SYSTEM OF MANAGING A CAPTIVE PORTAL WITH A ROUTER - In one exemplary embodiment a computer-implemented method of providing a captive portal with a router includes implementing a hotspot managed by a router. The hotspot comprises Internet access over a WLAN through a router communicatively coupled to an Internet service provider. The WLAN is identified with a service set identifier (SSID). A connection with a client device is initiated. An HTTP request to a web server from the client device is detected. Internet communication is restricted, with a firewall rule, to a Transmission Control Protocol (TCP) port used by HTTP or a TCP port used by an alternative HTTP Secure port. The HTTP request is transparently routed to an internal HTTP proxy server running on an alternative HTTP TCP port in the router. The internal HTTP proxy server determines a requested web site's uniform resource locator (URL) and determines whether the requested web site's URL is allowed into a walled garden maintained by the router. | 12-11-2014 |
20140380454 | WHITE-LIST FIREWALL BASED ON THE DOCUMENT OBJECT MODEL - Some embodiments provide firewalls and methods for guarding against attacks by leveraging the Document Object Model (DOM). The firewall renders the DOM tree to produce a white-list rendering of the data which presents the non-executable elements of the data and, potentially, outputs of the executable elements of the data without the executable elements that could be used to carry a security threat. Some embodiments provide control over which nodes of the DOM tree are included in producing the white-list rendering. Specifically, a configuration file is specified to white-list various nodes from the DOM tree and the white-list rendering is produced by including the DOM tree nodes that are specified in the white-list of the configuration file while excluding those nodes that are not in the white-list. Some embodiments provide a hybrid firewall that executes a set of black-list rules over white-listed nodes of the DOM tree. | 12-25-2014 |
20140380455 | System and Method for Making Application Requests into Private Firewalled Networks - A first agent process is provided in a first computing environment. The first agent process is in communication with a first application. A second agent process is provided in a second computing environment, and the second agent process is in communication with a second application. Both the second agent process and first application run behind a firewall. The first agent process and second agent process communicate with each other across the firewall to have tasks performed by the second application on behalf of the first application. | 12-25-2014 |
20140380456 | INTEGRATED DATA TRAFFIC MONITORING SYSTEM - The present invention includes an integrated data traffic monitoring system monitoring data traffic received from a communication network and destined for a protected network. The monitoring system includes a security appliance and one or more security and monitoring technologies such as hardware and open source and proprietary software products. The security appliance and the security and monitoring technologies may be implemented as separate and distinct modules or combined into a single security appliance. The security and monitoring technologies monitor network data traffic on, or directed to, the protected network. The monitoring system collects data from each of the technologies into an event database and, based on the data, automatically generates rules directing one or more of the technologies to prevent subsequent communications traffic from specific sources from entering the protected network. | 12-25-2014 |
20150020186 | Various Methods and Apparatuses for a Central Management Station for Automatic Distribution of Configuration Information to Remote Devices - A method, apparatus, and system are described for a central management system to configure remote devices. A device service manager server (DSM) may have an IP redirector module configured to cooperate with two or more device service controllers (DSCs) that are behind a firewall on a wide area network relative to a location of the DSM on the wide area network, where the DSM serves as a central management station for a distribution of configuration information to the DSCs, wherein an executable boot up file uploaded via a drive port in that DSC is scripted to gather configuration information for that DSC and network devices on the same network as that DSC and without a prompt by the DSM then sends an initial configuration file to the DSM which makes a master copy of the device configuration file in the DSM's registry for that DSC. | 01-15-2015 |
20150020187 | SYSTEM AND METHOD FOR DETECTING A COMPROMISED COMPUTING SYSTEM - A digital security threat management system is disclosed. The system detects the presence of a computing system, on a network, that has been compromised by an undetected and/or unknown digital security threat. The digital security threat management system recognizes characteristic emanations from a computer system that has been compromised. Because the characteristic emanations that result from a known threat can be the same as the characteristic emanations that result from an undetected and/or unknown threat, the digital security threat management system can learn to detect a computing system that has been compromised by an unknown threat if the security threat management system recognizes characteristic emanations from a previous attack, based on a known threat, of the computing system. In this way, the system can detect the presence of a compromised computing system, even if the cause of the compromise remains undetected and/or unknown. Appropriate remedial action may be taken upon detection. | 01-15-2015 |
20150026792 | SYSTEM FOR PROVIDING A SECURE VIDEO DISPLAY - A system for providing a secure video display using a one-way data link. An input interface receives a video stream signal. The one-way data link has an input node coupled to receive the input video stream signal and an output node. A processing system is coupled to the output node of the one-way data link and is configured to run a predetermined operating system. In an embodiment, a video display software program operates within the predetermined operating system to process the video stream signal received from the output node of the one-way data link and to provide an output signal for viewing on a display coupled to the processing system. Optionally, the video display program operates within a virtual operating system running within the predetermined operating system. In other embodiments, the video display program may process a video stream signal containing a plurality of different video programs. | 01-22-2015 |
20150033319 | SECURE COMMUNICATION NETWORK - The present invention is directed to a secure communication network that enables multi-point to multi-point proxy communication over the network. The network employs a smart server that establishes a secure communication link with each of a plurality of smart client devices deployed on local client networks. Each smart client device is in communication with a plurality of agent devices. A plurality of remote devices can access the smart server directly and communicate with an agent device via the secure communication link between the smart server and one of the smart client devices. | 01-29-2015 |
20150033320 | Safety Protection Method, Firewall, Terminal Device and Computer-Readable Storage Medium - Various examples provide a safety protection method, a firewall, a terminal device and a computer-readable storage medium. According to the method, a firewall injects a code module including a first function capable of modifying package safety information corresponding to an illegal application into a target process, and triggers the first function to modify the package safety information corresponding to the illegal application to make the illegal application fail to perform an operation due to the modified package safety information. | 01-29-2015 |
20150040206 | SYSTEMS FOR FINDING A LOST TRANSIENT STORAGE DEVICE - Processes for identifying and recovering a lost transient storage device are provided. In some processes, information regarding the owner of the device is obtained. The device ownership information may be stored on a remote service with which the device is registered and/or may be stored on the device itself. In one process, the remote service provides the device with customized device-executable code when the device is registered. The device may also contain information regarding trusted systems. The process includes obtaining status information indicating whether a device is lost when the device is connected to a host system. In some processes, the status is determined by a remote service. In other processes, the status is determined by the device. If the device is lost then a device recovery plan is executed. Portions of a device recovery plan may be executed on the remote service, the host system, and/or the device. | 02-05-2015 |
20150047008 | AUTOMATIC BLOCKING OF BAD ACTORS ACROSS A NETWORK - According to one aspect, embodiments of the invention provide a system for restricting access to a network, the system comprising a monitoring module configured to be coupled to a plurality of network access points and to monitor transmissions to the network via a plurality of network security appliances, and a blocking module, wherein the monitoring module is further configured to identify a potential bad actor based on a transmission from the potential bad actor to the network via a first one of the plurality of network access points and a first one of the plurality of network security appliances and provide information related to the potential bad actor to the blocking module, and wherein the blocking module is configured to confirm that the potential bad actor should be blocked and in response, to automatically configure each network security appliance to block the potential bad actor from accessing the network. | 02-12-2015 |
20150047009 | ACCESS CONTROL METHOD, ACCESS CONTROL SYSTEM AND ACCESS CONTROL DEVICE - A management terminal belonging to a first network periodically receives a registration request of information of a communication terminal belonging to a second network from a gateway device belonging to the second network. A control device belonging to the first network receives a communication request that a communication path be secured between the management terminal and the communication terminal from the management terminal. The control device includes the communication request in a latest response to a registration request received from the gateway device periodically and transmits the communication request to the gateway device. The gateway device permits an access to the communication terminal from the management terminal via a tunnel formed in response to the communication request. | 02-12-2015 |
20150047010 | PATH CONTROL SYSTEM, CONTROL DEVICE, AND PATH CONTROL METHOD - To provide a path control system, a control device and a path control method that can achieve reduction of the load on a gateway device, there are included a communication device, a communication device, a security device that provides a security feature to data transmitted and received between the communication device and the communication device, and a path control device that selects one of a first path through the security device and a second path not through the security device as a communication path of the data based on a path information table where an attribute of the data and a communication path between the communication device and the communication device are associated. | 02-12-2015 |
20150058966 | Method and Apparatus for Virtual Firewalling in a Wireless Communication Network - This disclosure provides example details for apparatuses and methods that manage virtual firewalls in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN. The virtual firewalls process traffic for respective wireless devices supported by the network. For example, the virtual firewall associated with a given wireless device is maintained in the RAN at the RAN node supporting the device, and is migrated from that RAN node in response to detecting a handover event involving the device. Advantageously, migration may be “horizontal,” where the associated virtual firewall is moved between nodes in the RAN, or may be “vertical,” where the associated virtual firewall is moved from the RAN to the CN. | 02-26-2015 |
20150058967 | Remote Access Manager for Virtual Computing Services - A series of NAT connection rules are revised in a dynamic manner such that a pool of ports is available to connect a plurality of remote users to local virtual compute resources over one or more public IP addresses. Once a connection is established, an entry is made in a firewall state table, associating IP addresses, ports and protocol types, such that the firewall state table allows uninterrupted use of the established connection. After an entry has been made in the state table, or the routing rule has timed out, the port associated with the original NAT routing rule is removed and the same port can be re-used to establish another connection without disrupting active connections. A connection between a virtual compute resource and a local compute resource can be associated with multiple ports and multiple protocol types. | 02-26-2015 |
20150067815 | CONFIGURATION OF ENERGY SAVINGS - According to one example embodiment, a modem or other network device includes an energy module configured to enter a low-power, low-bandwidth state when not in active use by a user. The low-power state may be maintained under certain conditions where network activity is not present, and/or when only non-bandwidth-critical traffic is present. The network device may include a user interface for configuring firewall rules, and the user may be able to concurrently designate particular types of traffic as important or unimportant. The energy module may also be integrated with a firewall, and power saving rules may be inferred from firewall rules. | 03-05-2015 |
20150067816 | AUTOMATED SECURITY GATEWAY - A security device may be configured to receive information regarding traffic that has been outputted by a particular user device; and compare the information regarding the traffic to security information. The security information may include device behavior information, traffic policy information, or device policy information. The security device may determine, based on the comparing, that a security threat exists with regard to the traffic; and take, based on determining that the security threat exists, remedial action with respect to the traffic. Taking the remedial action may include preventing the traffic from being forwarded to an intended destination associated with the traffic, providing an alert, regarding the security threat, to the particular user device, or providing an alert, regarding the security threat, to another device. | 03-05-2015 |
20150067817 | FIREWALL TRAVERSAL DRIVEN BY PROXIMITY - Disclosed is a system and method enabling a mobile device to establish a communication channel with a device residing in the corporate network and in close physical proximity, without the requirement for a direct high speed network connection between the mobile and corporate devices. The system and method allow the mobile device to maintain its existing network connection, with no special user/network credential access. The system and method enable improved security control over the traffic that is transferred between the devices, as these are filtered and controlled through a Firewall Traversal pairing server and not directly between devices. | 03-05-2015 |
20150067818 | BOOKMARKING SUPPORT OF TUNNELED ENDPOINTS - Methods and systems for managing tunneled endpoints are provided. One method includes preventing a user from accessing an endpoint that was previously accessed by the user via a first URL including an address with a first port designation, creating a constructive bookmark to the previously accessed endpoint, and establishing a tunnel to the previously accessed endpoint based on the constructive bookmark. Another method includes preventing a user from bookmarking a URL to an endpoint. A system includes a processor coupled to a memory and a module for managing tunneled endpoints that, when executed by the processor, causes the processor to perform one or more of the above methods. | 03-05-2015 |
20150074788 | Firewall Security Between Virtual Devices - When communication from a first virtual device to a second virtual device is received, a first virtual interface associated with the first virtual device and a second virtual interface associated with the second virtual device are determined. A first security domain associated with the first virtual interface and a second security domain associated with the second virtual interface are then determined, to implement a security policy between the first security domain and the second security domain. The communication between the virtual devices is allowed or blocked. | 03-12-2015 |
20150082412 | APPLICATION STATE SHARING IN A FIREWALL CLUSTER - A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, monitor packets of the received connection and determine application state data associated with the connection from the monitored packets in the first node, and share application state data with at least another node in the firewall cluster. | 03-19-2015 |
20150089625 | Access Control Manager - A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system. | 03-26-2015 |
20150096007 | Distributed Identity-Based Firewalls - Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information. | 04-02-2015 |
20150101035 | DUPLICATING PACKETS EFFICIENTLY WITHIN A NETWORK SECURITY APPLIANCE - A network security appliance uses a switch to switch packets between cores configured for fast path processing and slow path processing. The switch duplicates packets for delivery to the slow path processing cores, eliminating the need for the fast path processing cores to expend processor resources on packet duplication. The switch can use IEEE 802.1ad Q-in-Q VLAN tags in the packet to perform the switching and packet duplication. Slow path processing cores may also broadcast packets to other slow path processing cores via the switch. | 04-09-2015 |
20150128244 | Systems and Methods for Secure Remote Access - Embodiments of the disclosure can include systems and methods for secure remote transfers. The onsite monitoring system secure file transfer solution can allow for transferring operational data by an onsite system behind a firewall to a central monitoring and diagnostic infrastructure by sending asynchronous, concurrent, parallel files over a port using a previously opened connection. The asynchronous TLS tunneling based remote desktop protocol solution is uni-directional because the communication ports are typically open outbound only. | 05-07-2015 |
20150135300 | LITIGATION SUPPORT IN CLOUD-HOSTED FILE SHARING AND COLLABORATION - In embodiments, the disclosure provides a method for managing content, including providing an electronic discovery facility of a secure data exchange environment, wherein at least one of a plurality of users of a first entity utilizes a network-based content storage service of a second entity to store content, and wherein the storage and access of the content with the network-based content storage service is tracked by the electronic discovery facility. The method includes receiving, at the electronic discovery facility, a discovery request, the discovery request comprising a request for a legal counsel of a third entity to access content stored on the network-based content storage service, the discovery request being, for example, in association with a litigation discovery action in relation to the first entity. Further, the method includes identifying and securing, by the electronic discovery facility and as a result of the discovery request, at least one item of content on the network-based content storage service; and providing, by the electronic discovery facility of the secure data exchange environment, access to the identified and secured item of content stored on network-based content storage service to the legal counsel of the third entity. | 05-14-2015 |
20150143501 | PATH SELECTION IN A MULTI-SERVICE AND MULTI-TENANT SECURE CLOUD ENVIRONMENT - A device and method are provided to provide multi-exit firewall capabilities for cloud server or cloud service deployments without prior knowledge of reachability information of a client device where the client device may belong to one of several networks accessing the cloud server or cloud service. The reachability information may be derived based on flow of data to and from the client device in response to a data transfer initiation request. A firewall connection table may be updated to record routability to the client device comprising the derived reachability information. The recorded reachability information in the connection table may be used for the data transfer with the client device instead of a default route in a routing table. | 05-21-2015 |
20150143502 | SYSTEM AND METHOD FOR AUTOMATED CONFIGURATION OF APPLICATION FIREWALLS - In a system for configuring a web application firewall, one or more parameters of the firewall are adjusted such that a test configured for exposing a vulnerability of an application protected by the application firewall is blocked by the firewall and another test configured to invoke functionality of the application but that does not expose or exploit any security vulnerability is not blocked by the firewall. A notification is provided to a user if such a firewall configuration is not found after a specified number of attempts. | 05-21-2015 |
20150143503 | SYSTEMS AND METHODS FOR CONTENT MANAGEMENT IN AN ON-DEMAND ENVIRONMENT - The technology disclosed relates to hosting legacy data sources in a cloud environment. In particular, it relates to providing users with flyweight access to content stored in legacy content repositories from within cloud based applications. It uses full-duplex secure transport tunnels and repository-specific connectors to traverse security layers and access the content repositories. It also creates virtual objects representing the content in the content repositories and embeds them in the cloud based applications. | 05-21-2015 |
20150150112 | APPARATUS AND METHOD FOR CONNECTING COMPUTER NETWORKS - Apparatus ( | 05-28-2015 |
20150295889 | Compilation of Finite Automata Based on Memory Hierarchy - At least one per-pattern non-deterministic finite automaton (NFA) may be generated for a single regular expression pattern and may include a respective set of nodes. Nodes of the respective set of nodes of each per-pattern NFA generated may be distributed for storing in a plurality of memories based on hierarchical levels mapped to the plurality of memories and per-pattern NFA storage allocation settings configured for the hierarchical levels, optimizing run time performance for matching regular expression patterns in an input stream. | 10-15-2015 |
20150295890 | SYSTEM AND METHOD FOR SECURE NETWORK COMMUNICATIONS - A system and method for establishing secure communication between a first device and a second device, wherein the first device is behind a firewall. A Secure Shell (SSH) connection is established between the first device and the second device, wherein establishing a connection includes establishing a secured communications tunnel from the first device to the second device via an SSH protocol. The first device is registered with the second device, wherein registering includes sending an SSH protocol REGISTER DEVICE message from the first device to the second device. The REGISTER DEVICE message is acknowledged by the second device, wherein acknowledging includes receiving the REGISTER DEVICE message, determining the client applications to register, determining a separate socket port number to be used as a remote port on the second device for each of the registered client applications from the list of one or more client applications running on the first device, and transmitting a REGISTER DEVICE ACK message including the remote port number for each registered client application from the second device to the first device. A reverse port forwarding request is made based on the local port number and the remote port number received in the REGISTER DEVICE ACK message. | 10-15-2015 |
20150295891 | Processing of Finite Automata Based on a Node Cache - Nodes of a per-pattern NFA may be stored amongst one or more of a plurality of memories based on a node distribution determined as a function of hierarchical levels mapped to the plurality of memories and per-pattern NFA storage allocation settings configured for the hierarchical levels. At least one processor may be configured to cache one or more nodes of the per-pattern NFA in the node cache based on a cache miss of a given node of the one or more nodes and a hierarchical node transaction size associated with a given hierarchical level mapped to a given memory in which the given node is stored, optimizing run time performance of the walk. | 10-15-2015 |
20150304278 | SYSTEMS AND METHODS FOR SECURE NETWORK-BASED MONITORING OF ELECTRICAL POWER GENERATORS - A computer-based method for monitoring power generation uses a first computing device including a processor and a memory. The method includes receiving, at the first computing device, controller data from a controller associated with a power generator. The first computing device and the controller are coupled in two-way communication. The method also includes transmitting the controller data to a second computing device associated with monitoring the power generator. The first computing device transmits the controller data in one-way communication to the second computing device. | 10-22-2015 |
20150304280 | INTRUSION PREVENTION AND DETECTION IN A WIRELESS NETWORK - The invention provides an intrusion detection and prevention system and computer program which, when operated or executed by a security element ( | 10-22-2015 |
20150312215 | GENERATING OPTIMAL PATHWAYS IN SOFTWARE-DEFINED NETWORKING (SDN) - A method for optimizing delivery of digital information packets across a network of linked, packet switching nodes is disclosed. A suitably programmed computer translates business oriented requests into network technical requirements. The computer then uses knowledge including pre-stored or real-time discovered topographical maps of the network, and a database of the current attributes of the components of the network, to automatically determine settings for software addressable forwarding devices on the network to implement the network technical requirements. This may take the form of a security setting that may be delivered to a network security appliance such as a firewall. Each firewall may then configure all or part of the network via the software addressable switches at nodes under its control. | 10-29-2015 |
20150312216 | LEGACY DEVICE SECURITIZATION WITHIN A MICROGRID SYSTEM - Devices, methods, systems, and computer-readable media for legacy device securitization within a microgrid system are described herein. One or more embodiments include a system having a microgrid network with at least one remote network connection to a non-local network device and the network having at least one local legacy device in communication with the non-local network device and a bump-in-the-wire (BITW) security device between the local legacy device and the at least one remote connection. | 10-29-2015 |
20150312218 | TRAVERSING FIREWALLS - A remote administrator device is provided outside a firewall that prevents remote devices from accessing, but allows remote devices to send electronic mail messages to a plurality of local network devices. The remote administrator device can send an electronic mail message to a respective one of the plurality of local network devices behind the firewall. The electronic mail message can include instructions for the respective local network device to establish a connection with the remote administrator device through the firewall. Once the connection is established, the remote administrator device can monitor state data received over the connection for the respective local network device. | 10-29-2015 |
20150312219 | Asset Management Via Virtual Tunnels - An asset management system is presented. The management system includes monitoring devices able to provide asset data across firewalls without requiring reconfiguration of the firewalls. The asset data pass through a forwarding service that instantiates a virtual tunnel comprising a communication channel between the monitoring devices and remote asset management engines. The asset management engines can also be located behind firewalls. As the management engines aggregate asset data, the engines can present one or more alerts via a management interface. | 10-29-2015 |
20150319136 | MALWARE ANALYSIS SYSTEM - In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack. | 11-05-2015 |
20150319138 | FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES - Systems and methods for filtering unsafe content at a network security appliance are provided. According to one embodiment, a network security appliance captures network traffic and extracts a media file from the network traffic. The network security appliance then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security appliance performs one or more actions on the media file based on a predefined security policy. | 11-05-2015 |
20150319190 | PREVENTING NETWORK TOMOGRAPHY IN SOFTWARE DEFINED DATACENTER NETWORKS - Technologies are provided for preventing abuse of software-defined datacenter networks. In some examples, an SDN abuse prevention module within a control layer of an SDN may use graph analysis rules and monitor network paths over time to detect and prevent abusive network conformation change command series. Instance-generated network paths may be analyzed to determine if the paths attempt to repeatedly traverse one or more sensitive network paths. If so, the paths may be implemented or denied based on, among other things, the time scale within which they attempt to repeatedly traverse the sensitive network paths. | 11-05-2015 |
20150326530 | Firewall Security for Computers with Internet Access and Method - A firewall security platform is provided for enhancing security of a network. The firewall security platform includes at least one interface to communicate the identity and current status of one or more traffic requesters and at least one device for receiving instructions from a user. Communication data packets associated with the one or more traffic requesters are allowed for communication via the network or denied and blocked by the firewall security platform based on the current status of each of the one or more traffic requesters. The user's instructions include making a selection, with the selection including members that are at least one of the one or more traffic requesters. The current status of each member of the selection is altered in response to the making of the selection. | 11-12-2015 |
20150326533 | LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES - A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port. | 11-12-2015 |
20150326599 | Evaluating URLS For Malicious Content - A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Requests by a user system for a resource at a URL may be received by a firewall, and a honey client module may access the URL and permit installation of malicious code or other malicious activities. In response to detecting malicious activities, the honey client module characterizes the malicious activity to generate a descriptor used to detect malicious code in other systems. The URL may also be blacklisted by the firewall. | 11-12-2015 |
20150334124 | METHOD AND APPARATUS FOR PROCESSING PACKET ON TRILL NETWORK - The present invention provides a method for processing a packet on a TRILL network, relates to the field of communications, and can effectively defend against a network packet attack. The method includes: receiving a packet sent by a device on a network; if it is determined that the device is a trusted RB, giving up performing a security check on the packet coming from the device; and if it is determined that the device is not a trusted RB, performing a security check on the packet coming from the device. The present invention further provides a corresponding apparatus. | 11-19-2015 |
20150341311 | AUTOMATED CONFIGURATION OF ENDPOINT SECURITY MANAGEMENT - Systems and methods for managing configuration of a client security application based on a network environment in which the client device is operating are provided. According to one embodiment, a network connection state of a client device with respect to a private network is determined by a client security application running on the client device. The client security application then selects a configuration based on the determined network connection state. Finally, the client security application launches one or more functions of the client security application that are designated by the selected configuration. | 11-26-2015 |
20150341312 | FIREWALL TRAVERSAL FOR WEB REAL-TIME COMMUNICATIONS - The system and method monitor a secure Web Real Time Communication (WebRTC) session between browsers. To do so, a WebRTC application receives a first WebRTC offer with a fingerprint of a first browser to establish a secure communication session. The WebRTC application sends session information and the fingerprint of the first browser to a media relay. The WebRTC application receives a fingerprint of a media relay. A second WebRTC offer with a fingerprint of the media relay is sent to a second browser. An answer to the second WebRTC offer is received. Session information and the fingerprint of the second browser are sent to the media relay so the media relay can decrypt the secure communication session. The first WebRTC offer is answered. A secure communication session is established via the media relay using the fingerprints. The media relay, based on the fingerprints, can monitor the secure communication session. | 11-26-2015 |
20150341315 | Network Security Device - The present invention provides for a security device for location within a network device and having first and second Medium Independent Interfaces for functional connection within the network device, whereby the MII interfaces can allow for location of the security device between a PHY chip and a MAC chip of the host network device. | 11-26-2015 |
20150341318 | DISTRIBUTED FIREWALL SECURITY SYSTEM FOR CLOUD COMPUTING ENVIRONMENTS - An application profile specifies server groups, components, and computing flows among the server groups and components. Each computing flow may be identified as malicious or not malicious. Firewall rules are generated based on the computing flows. The firewall rules are distributed to a server group. According to the firewall rules distributed to the server group, data that is malicious is directed to another server for quarantine. | 11-26-2015 |
20150350236 | SYSTEM AND METHODS THEREOF FOR MONITORING AND PREVENTING SECURITY INCIDENTS IN A COMPUTERIZED ENVIRONMENT - A system detects and handles security incidents in a computerized environment. The system collects metadata respective of one or more user devices communicatively coupled in the computerized environment. Respective of the collected metadata, the system generates expected behavior patterns of the user devices within the computerized environment. The system continuously monitors the actual behavior of the user devices. Upon detection of deviations from the expected behavior patterns, the system sends a terminable agent to the user device in which the deviation was detected. The system then receives from the terminable agent metadata respective of the deviation. Upon determination that the deviation is a security incident respective of the metadata, the system configures the terminable agent to initiate actions respective thereto. The type of actions required is determined respective of the metadata received from the terminable agent. Upon removal of the security incident, the agent may be terminated. | 12-03-2015 |
20150350914 | GROUND AND AIR VEHICLE ELECTROMAGNETIC SIGNATURE DETECTION AND LOCALIZATION - Systems and methods can support identifying radio transmissions associated with autonomous or remote-controlled vehicles. Radio frequency signals may be received using one or more sensors, wherein the sensors comprise radio receivers. Radio frequency fingerprints may be identified within one or more of the radio frequency signals, wherein the radio frequency fingerprints comprise radio signal characteristics or radio hardware identifiers. A stored radio frequency fingerprint may be determined as matching the received radio frequency fingerprint. A motion characteristic may be computed. The received radio frequency fingerprint may be associated with an autonomous or remote-controlled vehicle based upon the stored radio frequency fingerprint or the motion characteristic. Information regarding the identified autonomous or remote-controlled vehicle may be presented to one or more operator interfaces. | 12-03-2015 |
20150358286 | ON-THE-FLY PATTERN RECOGNITION WITH CONFIGURABLE BOUNDS - Some embodiments of on-the-fly pattern recognition with configurable bounds have been presented. In one embodiment, a pattern matching engine is configured based on user input, which may include values of one or more user configurable bounds on searching. Then the configured pattern matching engine is used to search for a set of features in an incoming string. A set of scores is updated based on the presence of any of the features in the string while searching for the features. Each score may indicate a likelihood of the content of the string being in a category. The search is terminated if the end of the string is reached or if the user configurable bounds are met. After terminating the search, the scores are output. | 12-10-2015 |
20150358292 | NETWORK SECURITY MANAGEMENT - Methods and apparatus are disclosed for processing status messages for use in network security management in respect of a network of computing devices, the status messages comprising data relating to a plurality of attributes; the method comprising: filtering received status messages according to filtering rules in order to identify (i) status messages indicative of potential or actual network security events in respect of which a predetermined response is deemed applicable; (ii) status messages in respect of which a null response is deemed applicable; and (iii) residue messages not identified as (i) or (ii); processing messages identified as (i) such that a predetermined response may be initiated; performing analysis involving clustering in respect of messages identified as residue messages; and updating the filtering rules for use in subsequent filtering of received status messages in dependence on the result of the analysis. | 12-10-2015 |
20150370878 | Hybrid Business Process Application for Accessing Multiple Content Management Repositories - Hybrid, configurable business process applications can be used in conjunction with features of a content management system. For example, a first content management system installation executes a workflow instance based on a business process application whose definition is maintained by the first content management system installation and synchronizes a workflow state of the workflow instance to a second content management system installation using a mirrored workflow state in which both content of the workflow state and metadata characterizing parameters of the workflow state are mirrored from the first content management system repository to the second content management system repository such that a content item retained in the second content management system repository is accessed for use in the workflow instance via the mirrored workflow state at the second content management system repository. Methods, systems, and articles of manufacture are described. | 12-24-2015 |
20150372976 | NETWORK THREAT PREDICTION AND BLOCKING - A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats. | 12-24-2015 |
20160006694 | CONNECTION CONFIGURATION - A connection method is provided. The method includes retrieving by a data retrieval device, unique data comprising an identifier associated with a wireless device. The unique data is transmitted to a router transmitting an authorization request and a configuration request for a configuration change to an authorization service. The authorization request is presented to a user and in response the user transmits an authorization code to the authorization service. In response, the router generates a virtual SSID and preconfigured firewall rules based on the unique data and the wireless device is automatically connected to the router based on the virtual SSID and the preconfigured firewall rules. | 01-07-2016 |
20160006796 | INFORMATION PROCESSING SYSTEM - An information processing system includes multiple network segments to which one or more information processors are connectable. The network segments include a first network segment to which at least one first information processor configured to store predetermined information is connected, a second network segment to which at least one second information processor is connected, and a third network segment to which at least one third information processor is connected. The second network segment includes multiple predefined application programming interfaces (APIs), and the at least one second information processor executes a process corresponding to a called one of the APIs using the predetermined information stored in the at least one first information processor. In response to receiving a request from outside the information processing system, the at least one third information processor controls a process corresponding to the request by calling one of the APIs which corresponds to the request. | 01-07-2016 |
20160014076 | USING INDIVIDUALIZED APIS TO BLOCK AUTOMATED ATTACKS ON NATIVE APPS AND/OR PURPOSELY EXPOSED APIS | 01-14-2016 |
20160014077 | System, Method and Process for Mitigating Advanced and Targeted Attacks with Authentication Error Injection | 01-14-2016 |
20160014081 | SYSTEM, APPARATUS, AND METHOD FOR PROTECTING A NETWORK USING INTERNET PROTOCOL REPUTATION INFORMATION | 01-14-2016 |
20160014084 | Using Individualized APIs to Block Automated Attacks on Native Apps and/or Purposely Exposed APIs with Forced User Interaction | 01-14-2016 |
20160014085 | SYSTEMS AND METHODS OF DATA TRANSMISSION AND MANAGEMENT | 01-14-2016 |
20160021056 | CYBER-SECURITY SYSTEM AND METHODS THEREOF - A system and method for adaptively securing a protected entity against cyber-threats are presented. The method includes selecting at least one security application configured to handle a cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one security application; determining at least one workflow rule respective of the at least one security application; receiving a plurality of signals from the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat; generating at least one security event respective of the plurality of received signals; determining whether the at least one security event satisfies the at least one workflow rule; and upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat. | 01-21-2016 |
20160028687 | Internet Security Assembly - An internet security assembly includes a firewall computer. The firewall computer comprises a housing. A processor is coupled to the housing. An input is coupled to the housing, the processor and a modem. The input receives an internet signal from the modem. An electronic memory is coupled to the housing and the processor. The electronic memory contains a firewall protection program. The firewall protection program identifies and removes malware in the internet signal. An output is coupled to the housing and the processor. The output receives the internet signal after the malware is removed. The output is operationally coupled to a plurality of external computers. The plurality of external computers receives the internet signal. A transceiver is coupled to the housing and the processor. The transceiver receives the internet signal after the malware is removed from the internet signal. The transceiver is in communication with the plurality of external computers. | 01-28-2016 |
20160028689 | Methods and system for controlling access to content using prior access information - A device that intercepts requests to resources and information destined for the public Internet which uses a Uniform Resource Locator (URL) or resource address. As a result of this request, a transaction ensues to deliver content back to the requesting device. Within the response from the content resource, items like a referer (SIC) and other content can be used to make future decisions on the delivery of the content to the requesting device. This system specifically defines methods and processes to use a multitude of criteria delivered over the span of multiple requests to authorize, reject or modify the delivery of or the modification of the request for content thus changing the response delivered to the requesting devices. | 01-28-2016 |
20160028692 | METHODS AND SYSTEMS FOR CONTEXT-BASED APPLICATION FIREWALLS - Context-based application firewall functionality. A user session is initiated with a client device. The user session allows access to a remote resource on a server device coupled with the client device over a network. The connection between the client device and the remote resource is through an application firewall. An application firewall context setup is performed with the application firewall in response to the user session. The application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall. A response is created to provide information from the remote resource to the client device. The response includes metadata to be used to update the firewall context information. The firewall context information is updated with the application firewall based on the metadata. The response is transmitted to the client device. | 01-28-2016 |
20160057107 | APPLICATION PROGRAMMING INTERFACE WALL - Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network. | 02-25-2016 |
20160080321 | INTERFACE GROUPS FOR RULE-BASED NETWORK SECURITY - Systems and methods for designating interfaces of a network security appliance as source/destination interfaces in connection with defining a security rule are provided. According to one embodiment, a security rule configuration interface is displayed through which a network administrator can specify parameters of security rules to be applied to traffic attempting to traverse the network security appliance. Information defining a traffic flow to be controlled by a security rule is received via the security rule configuration interface. The information defining the traffic flow includes: (i) a set of source interfaces; and (ii) a set of destination interfaces, at least one of which includes multiple interfaces, such that the security rule permits the traffic flow to be defined in terms of multiple source interfaces and/or multiple destination interfaces. | 03-17-2016 |
20160087938 | LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION - Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, session data, including session entries representing previously established traffic sessions from a particular source to a particular destination and forming an association between the previously established session and a particular FSD, is maintained for each port of a session-aware switching device. When a TCP SYN packet is received, the switching device: (i) reduces its vulnerability to a DoS attack by foregoing installation of a forward session entry for the forward traffic session within the session data until a processed TCP SYN/ACK packet associated with the corresponding reverse traffic session is received; (ii) selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the TCP SYN packet; and (iii) causes the TCP SYN packet to be processed by the selected FSD. | 03-24-2016 |
20160087939 | HIERARCHICAL RULE DEVELOPMENT AND BINDING FOR WEB APPLICATION SERVER FIREWALL - At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model includes a plurality of message model sections. A representation of the at least one of an HTTP request message and an HTTP response message is parsed into message sections in accordance with the message model sections of the HTTP message model. A plurality of security rules are bound to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition, which is based, at least in part, on a corresponding given one of the message sections. The at least one of an HTTP request message and an HTTP response message is processed in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided. | 03-24-2016 |
20160105396 | DATA LEAK PROTECTION IN UPPER LAYER PROTOCOLS - Methods and systems for Data Leak Prevention (DLP) in a private network are provided. A data structure is maintained within a network security appliance identifying candidate upper layer protocols, corresponding commands of interest and a corresponding suspect field within each of the commands that is to be subjected to DLP scanning as a result of its potential for carrying sensitive information. A packet is received by the network security appliance. A protocol associated with the packet is identified. It is determined whether the identified protocol is among those of the candidate protocols. Responsive to an affirmative determination and when a command represented by the packet is among those of the corresponding commands of interest for the candidate protocol, then a DLP scan is performed on the packet. Otherwise, the packet is allowed to pass through the network security appliance without being subject to a DLP scan. | 04-14-2016 |
20160105397 | Firewall Packet Filtering - Mechanisms are provided for performing an operation on a received data packet. A data packet is received and a hash operation on a header field value of a header of the data packet is performed to generate a hash value. A lookup operation is performed in a hash table associated with a type of the header field value to identify a hash table entry. A bit string associated with the hash table entry is retrieved, where each bit in the bit string corresponds to a class of rules of a rule set of a firewall. A matching operation of the header field value to rules in classes of rules corresponding to bits set in the bit string is performed to select one or more search trees. Operations are performed based on rules in the classes of rules being matched by header field value of the data packet. | 04-14-2016 |
20160119286 | IDENTIFYING MALICIOUS DEVICES WITHIN A COMPUTER NETWORK - This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device. | 04-28-2016 |
20160134588 | REMEDIATING COMPUTER SECURITY THREATS USING DISTRIBUTED SENSOR COMPUTERS - A data processing system comprising: a sensor computer that is coupled to and co-located with a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers; a security control computer that is coupled to the sensor computer; one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform: obtaining, from the sensor computer, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages; using the detection data, identifying one or more security threats that are indicated by the network messages; determining a specified remediation measure to remediate one or more of the security threats; providing the specified remediation measure to one or more of the compromised computer, the sensor computer, the firewall, and an enterprise computer. | 05-12-2016 |
20160149862 | Systems and Methods For Implementing A Privacy Firewall - Systems and methods for protecting private data behind a privacy firewall are disclosed. A system for implementing a privacy firewall to determine and provide non-private information from private electronic data includes a data storage repository, a processing device, and a non-transitory, processor-readable storage medium. The storage medium includes programming instructions that, when executed, cause the processing device to analyze a corpus of private electronic data to identify a first one or more portions of the data having non-private information and a second one or more portions of the data having private information, tag the first one or more portions of the data as allowed for use, determine whether the second one or more portions of the data includes non-private elements, and if the second one or more portions of the data comprises non-private elements, extract the non-private elements and tag the non-private elements as information allowed for use. | 05-26-2016 |
20160164837 | CUSTOMIZABLE WEB APPLICATION FIREWALL FOR SOFTWARE AS A SERVICE PLATFORM - Disclosed herein are technologies for implementing a web application firewall specific to tenants, and providing different security rules that are particular to the tenants. In accordance with one implementation, authentication instructions as to one or more tenants may be received and the one or more tenants may be registered. Rules associated to and specific to each of the one or more tenants may further be identified and implemented. | 06-09-2016 |
20160173446 | PRESENTATION OF THREAT HISTORY ASSOCIATED WITH NETWORK ACTIVITY | 06-16-2016 |
20160173447 | User Interface For Security Protection And Remote Management Of Network Endpoints | 06-16-2016 |
20160182454 | Real-Time Reconfigurable Web Application Firewall For a Distributed Platform | 06-23-2016 |
20160191463 | SYSTEMS AND METHODS FOR AUTOMATICALLY APPLYING FIREWALL POLICIES WITHIN DATA CENTER APPLICATIONS - The disclosed method may include (1) identifying a data center application whose functionality is provided by a set of systems, (2) organizing, automatically by the computing device, the set of systems into one or more application model groups by, for each system in the set of systems, identifying an attribute of the system that is indicative of a security context under which the system should operate and assigning the system to an application model group for which the security context will be provided, and (3) for each application model group in the one or more application model groups, protecting the application model group by selecting a firewall configuration that will provide the security context for the application model group and by using the selected firewall configuration to protect the application model group. Various other methods, systems, and computer-readable media are also disclosed. | 06-30-2016 |
20160191564 | PLUGGABLE API FIREWALL FILTER - A web server includes a servlet and a pluggable API firewall filter coupled to the servlet. The pluggable filter protects the web server from content based attacks by rejecting messages received from a client device. The pluggable filter includes a .jar, and the .jar is placed into a class path of the web server or packaged into a target web application archive (WAR). | 06-30-2016 |
20160380969 | SYSTEMS AND METHODS FOR DETECTING UNDESIRABLE NETWORK TRAFFIC CONTENT - A method of detecting a content desired to be detected includes receiving electronic data at a first host, determining a checksum value using the received electronic data, sending the checksum value to a processing station, the processing station being a second host that is different from the first host, and receiving a result from the processing station, the result indicating whether the electronic data is associated with a content desired to be detected. A method of detecting a content desired to be detected includes receiving electronic data at a receiving station, and determining whether the received electronic data is associated with a content desired to be detected, wherein the receiving station does not include content detection data for identifying the content desired to be detected. | 12-29-2016 |
20160381028 | INSTALLING VIRTUAL MACHINES WITHIN DIFFERENT COMMUNICATION PATHWAYS TO ACCESS PROTECTED RESOURCES - One or more processors fractionate a computer application into disparate components, and assign two or more of the disparate components to different communication pathways, where the different communication pathways lead to requisite resources needed to execute the disparate components. The processor(s) create a virtual machine that controls access to a particular requisite resource by a particular disparate component, and install the virtual machine within at least one of the different communication pathways to control access to the particular requisite resource by the particular disparate component. The processor(s) transmit a resource retrieval instruction to retrieve the particular requisite resource via the virtual machine and at least one of the different communication pathways, and adjust a quantity of virtual machines between the computer application and the particular requisite resource according to a threat level for the particular disparate component. | 12-29-2016 |
20160381030 | Router Based Securing of Internet of Things Devices on Local Area Networks - IoT devices are secured on multiple local area networks. Each local network contains a router which monitors activities of IoT devices, and transmits corresponding information to a backend server. The backend amalgamates this information, calculates dynamic reputation scores, and determines expected authorized activities for specific IoT devices. Based thereon, the backend creates a constraint profile for each IoT device, and transmits the constraint profiles to the routers for enforcement. Enforcing a constraint profile can include creating multiple VLANs with varying levels of restricted privileges on a given local area network, and isolating various IoT devices in specific VLANs based on their reputation scores. Constraint profiles can specify to enforce specific firewall rules, and/or to limit an IoT device's communication to specific domains and ports, and/or to specific content. The backend continues to receive monitored information concerning IoT devices from multiple routers over time, and periodically updates constraint profiles. | 12-29-2016 |
20170235955 | Access Management and Credential Protection | 08-17-2017 |
20180026943 | Modifying Authentication for an Application Programming Interface | 01-25-2018 |
20180027006 | SYSTEM AND METHOD FOR SECURING AN ENTERPRISE COMPUTING ENVIRONMENT | 01-25-2018 |
20190149512 | THIRD-PARTY SERVICE CHAINING USING PACKET ENCAPSULATION IN A FLOW-BASED FORWARDING ELEMENT | 05-16-2019 |
20190149515 | METHOD FOR SECURING A DHCP SERVER FROM UNAUTHORIZED CLIENT ATTACKS IN A SOFTWARE DEFINED NETWORK | 05-16-2019 |
20190149517 | SYSTEM FOR DYNAMICALLY IMPLEMENTING FIREWALL EXCEPTIONS | 05-16-2019 |
20190149518 | PACKET INDUCED REVALIDATION OF CONNECTION TRACKER | 05-16-2019 |
20190149574 | TRACKING USAGE OF CORPORATE CREDENTIALS | 05-16-2019 |
20220141185 | COMMUNICATION TERMINAL DEVICE, COMMUNICATION CONTROL METHOD, AND COMMUNICATION CONTROL PROGRAM - A communication terminal apparatus includes processing circuitry configured to collect communication of an application and control the communication of the application based on a first control condition, analyze the communication collected to determine whether the application is a communication control target, and generate the first control condition based on a normal communication range of the application that is the communication control target, and transmit at least a part of first shared information including identification information about the application and the first control condition to a second communication terminal apparatus that is different from the communication terminal apparatus. | 05-05-2022 |