Entries

Document | Title | Date |
--- | --- | --- |
20080209541 | Computer Network Intrusion Detection System and Method - A method and system for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes a managed device and a security event log. The managed device detects an incoming TCP/IP connection by the attacker device to the network. TCP/IP information relating to the attacker device is extracted from a TCP/IP stack of the managed device. It is ascertained that a port number of the incoming TCP/IP connection is identical to a predefined port number. A performed process includes determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device. Event log information, which is associated with the detected incoming TCP/IP connection, is retrieved from the security event log. A generated report is generated and stored in a database of the network. The report includes the extracted TCP/IP information and the retrieved event log information. | 08-28-2008 |
20080209542 | Communications Systems Firewall - Methods, apparatus, programs and signals for providing communications network security. The approach is based on using established “standard” protocols, but packets (or cells or frames) are deliberately malformed by the sender, optionally according to a predetermined rule (for example by inverting a packet check digit). A filter forwards only packets identified as being invalid, optionally in accordance with the rule; packets which are valid with respect to the “standard” protocol are dropped. The filter is preferably implemented in hardware to mitigate the risk of its being compromised by a malicious attack. | 08-28-2008 |
20080222717 | Detecting Anomalous Network Application Behavior - System and Method for detecting anomalous network application behavior. Network traffic between at least one client and one or more servers may be monitored. The client and the one or more servers may communicate using one or more application protocols. The network traffic may be analyzed at the application-protocol level to determine anomalous network application behavior. Analyzing the network traffic may include determining, for one or more communications involving the client, if the client has previously stored or received an identifier corresponding to the one or more communications. If no such identifier has been observed in a previous communication, then the one or more communications involving the client may be determined to be anomalous. A network monitoring device may perform one or more of the network monitoring, the information extraction, or the information analysis. | 09-11-2008 |
20080235786 | Computer Maintenance Method and System - Provided is a method of remotely maintaining a computer system connected to a first private network of a first organization from a maintenance computer connected to a second private network of a second organization. The first and second private networks are connected to a public network and protected from the public network by respective first and second external firewalls. The first private network is separated from the computer system using a separation firewall configured to block network traffic that initiates at the computer system and is directed to the first private network. An isolation pipe is established that extends from the separation firewall over the first private network to the first external firewall, using virtual-private-network technology. A request to log into the computer system is transmitted from the maintenance computer through the isolation pipe to the computer system. | 09-25-2008 |
20080244727 | Privacy protection for mobile internet protocol sessions - A method of establishing communication protocols between a mobile node and a home agent in a mobile communications networks. The method uses the steps of: generating, at the mobile node plural care of addresses (CoAs) and a corresponding number of security parameter indices; sending the generated CoAs and security parameter indices to the home agent in an encrypted form; generating, at the home agent, on the basis of the received CoAs and security parameter indices, an equal number of home addresses (HoAs) and associated security parameter indices; sending the list of HoAs and associated security parameter indices generated at the home agent to the mobile node, and; using the generated CoAs, HoAs and associated security parameter indices as the basis for communication protocol addresses and encryption for communication between the home agent and the mobile node. A system employing the method is also provided. | 10-02-2008 |
20080244728 | RELAY APPARATUS, RELAY METHOD, A COMPUTER-READABLE RECORDING MEDIUM RECORDING A RELAY PROGRAM THEREIN AND INFORMATION PROCESSING APPARATUS - The present relay apparatus includes: a first security information obtaining unit which obtains security information from transmission data sent from the first apparatus during the specification-establishing communication performed prior to the encrypted communication; a first registering unit which registers the obtained security information and the address of the first apparatus, in association with each other, as first routing information; a second security information obtaining unit which obtains security information from the transmission data sent from the second apparatus; and a first distributing unit which distributes the transmission data to its destination first apparatus with reference to the first routing information, based on the security information obtained by the second security information obtaining unit. This construction makes it possible to perform specification-establishing communication normally from multiple first apparatuses, and to correctly distribute encrypted packets to the first apparatuses at the LAN end. | 10-02-2008 |
20080256621 | SYSTEM AND APPARATUS FOR TRANSFERRING DATA BETWEEN COMMUNICATION ELEMENTS - A system and apparatus for transferring data between communication elements is disclosed. A system that incorporates teachings of the present disclosure may include, for example, a communication device having a controller element to receive data from a web server to update one or more entries of an identity module coupled to the controller element. The data can be retrieved by the web server from a second communication device. Additional embodiments are disclosed. | 10-16-2008 |
20080256622 | Reduction of false positive reputations through collection of overrides from customer deployments - An automated arrangement for reducing the occurrence and/or minimizing the impact of false positives by a reputation service is provided in which overrides for a reputation of an adversary are reported to a reputation service from security devices, such as unified threat management systems, deployed in enterprise or consumer networks. An override is typically performed by an administrator at a customer network to allow the security device to accept traffic from, or send traffic to a given IP address or URL. Such connectivity is allowed—even if such objects have a blacklisted reputation provided by a reputation service—in cases where the administrator recognizes that the blacklisted reputation is a false positive. The reputation service uses the reported overrides to adjust the fidelity (i.e., a confidence level) of that object's reputation, and then provides an updated reputation, which reflects the fidelity adjustment, to all the security devices that use the reputation service. | 10-16-2008 |
20080256623 | Method and system for protecting a computer system from denial-of-service attacks and other deleterious resource-draining phenomena related to communications - Embodiments of the present invention include a variety of different integrated, multi-tiered methods and systems for preventing various types of attacks on computer systems, including denial-of-service attacks and SYN-flood attacks. Components of these integrated methods and systems include probabilistic packet droppers, packet-rate throttles, resource controls, automated firewalls, and efficient connection-state-information storage in memory resources and connection-state-information distribution in order to prevent draining of sufficient communications-related resources within a computer system to seriously degrade or disable electronics communications components within the computer system. | 10-16-2008 |
20080256624 | SYSTEMS AND METHOD FOR DISTRIBUTED NETWORK PROTECTION - Through the use of an intermediate party, a first party is given the ability to communicate with a second party, with the communication appearing as if it originated with the intermediate party. Specifically, in a protected network system, the protected network is capable of acting as a conduit through which an entity, such as law enforcement, can communicate with an entity attempting an unauthorized access attempt unbeknownst to the entity attempting the unauthorized access attempt. This allows, for example, the detection and identification of the entity attempting the unauthorized access attempt. | 10-16-2008 |
20080271135 | Remote network device with security policy failsafe - A remote network device having a network security policy, includes: a firewall component embedded within the network device to filter data flow with a network; a user-defined network security policy for the firewall component to define constraints on data flows permitted by the network device; and a failsafe protocol to enable remote control of the device independent of the user-defined network security policy and the firewall filter. | 10-30-2008 |
20080271136 | METHOD AND SYSTEM FOR CONTROLLING SOFTWARE LOADS ON A THIRD-PARTY MOBILE STATION - A system and method for allowing a licensee having mobile station hardware to support its own set of carriers and software demands of these carriers, the software including licensor software, the method comprising the steps of: assigning a unique third party identifier to the licensee; assigning a range of carrier identifiers for the licensee; allowing the licensee to create a unique identifier by combining the unique third party identifier with an identifier chosen from the range of carrier identifiers; and associating, in a gateway program, the unique identifier with one or more software versions acceptable by a carrier for download onto the mobile station hardware. | 10-30-2008 |
20080282340 | SAFE HASHING FOR NETWORK TRAFFIC - Secure network communications between a source computer and a destination computer utilizing a firewall. The firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the outbound request. The remote endpoint and the local physical memory address are hashed to generate an index value corresponding to an entry in an internal state table of the firewall. When an inbound request is received, the firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the inbound request. The remote endpoint and the local physical memory address of the inbound request are hashed to generate an index value corresponding to an entry in the internal state table of the firewall. The firewall forwards the inbound request to the local endpoint if a matching entry is found in the internal state table at the index value. | 11-13-2008 |
20080295164 | MASHUP COMPONENT ISOLATION VIA SERVER-SIDE ANALYSIS AND INSTRUMENTATION | 11-27-2008 |
20080301799 | Method and apparatus for reliable, high speed data transfers in a high assurance multiple level secure environment - A method and apparatus for passing data from a first application at a first security level to a second application at a second security level higher than the first security level is disclosed. A backchannel communications link is established between the first application and the second application, and the backchannel link is used to transmit information such as an acknowledgement message from the second application to the first application. | 12-04-2008 |
20090007254 | RESTRICTING COMMUNICATION SERVICE - In response to a command to start restrictions on a communication service of a computer, the communication service is restricted by a countermeasures apparatus which replaces the communication address of a second computer, which has been stored in a first computer, with the communication address of the countermeasures apparatus, and replaces a communication address of the first computer, which has been stored in the second computer, with the communication address of the countermeasures apparatus. Accordingly, the countermeasures apparatus acquires a packet from the first computer to the second computer and determines whether or not this acquired packet is to be transmitted to the second computer. | 01-01-2009 |
20090019539 | METHOD AND SYSTEM FOR WIRELESS COMMUNICATIONS CHARACTERIZED BY IEEE 802.11W AND RELATED PROTOCOLS - A method for protecting wireless communications from denial of service attacks is provided. The method comprises establishing a first wireless connection between an access point device and a client device. The method also comprises receiving at the access point device a request for establishing a second wireless connection between the access point device and the client device while the state of the first wireless connection is an established state at the access point device side endpoint. The method comprises verifying whether the first wireless connection is in the established state at the client device side endpoint. | 01-15-2009 |
20090025078 | SECURE SHARING OF TRANSPORT LAYER SECURITY SESSION KEYS WITH TRUSTED ENFORCEMENT POINTS - Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session. | 01-22-2009 |
20090025079 | COMMUNICATION SYSTEM FOR AUTHENTICATING OR RELAYING NETWORK ACCESS, RELAYING APPARATUS, AUTHENTICATION APPARATUS, AND COMMUNICATION METHOD - Switching equipment stores identification information of communication established with respect to an infrastructure network system in a storage unit, and when an access request is received from a terminal device, the switching equipment adds the stored identification information to the access request and transfers the access request to a 1× Radius server. When the terminal device having requested the access is authenticated, the 1× Radius server notifies a PANA PAA of address information of the terminal device associated with the identification information added to the access request. The PANA PAA approves the same network access as the switching equipment with respect to the terminal device at the received address information. | 01-22-2009 |
20090038000 | System and Method for Multiple Address of Record Registration Using a Single Explicit SIP Request - One embodiment of the present invention is a method for registering multiple addresses of record. The method comprises receiving a session initiation protocol register request. The session initiation protocol register request comprises a plurality of addresses of record and a contact address for a session initiation protocol endpoint. The method further comprises associating each of the plurality of addresses of record with the contact address for the session initiation protocol endpoint. | 02-05-2009 |
20090038001 | Correlation of Log Information In A Distributed Computing Environment Using Relative Timestamps - Methods and apparatus, including computer program products, are provided for using a relative timestamp to log activity in a distributed computing system. In one aspect, there is provided a computer-implemented method. The method may include receiving a message including a first timestamp representative of when the message is sent at a first processor. A second processor may generate an entry logging receipt of the received message. The second processor may determine a second timestamp representative of a time relative to the first timestamp. The second timestamp may be included as an entry at a log at the second processor. | 02-05-2009 |
20090044264 | SPAM REDUCTION IN REAL TIME COMMUNICATIONS BY HUMAN INTERACTION PROOF - The claimed subject matter provides a system and/or a method that facilitates authenticating a data communication. An interface component can receive data related to a real time data communication between two or more clients. A verification component can employ a human interaction proof (HIP) to a client participating within the real time data communication, wherein a human identity of the client is authenticated as a function of a response to the HIP. | 02-12-2009 |
20090044265 | Attack Resistant Continuous Network Service Trustworthiness Controller - An attack resistant continuous network service trustworthiness controller comprising: state estimation module(s), response selection module(s), actuation module(s), and client dispatcher communication module(s) for maintaining the availability and integrity of online server(s). The state estimation module(s) are configured to generate state estimate(s) for online server(s) using behavior data obtained using sensor module(s). The response selection module(s) are configured to determine corrective action(s) to maintain the availability and integrity of online server(s) when state estimate(s) indicate that the integrity of an online server(s) is compromised. The actuation module(s) are configured to activate actuator(s) based upon the corrective action(s). Client dispatcher communication module(s) are configured to communicate online server availability information to a client dispatcher. | 02-12-2009 |
20090044266 | SYSTEM AND METHOD FOR PROVIDING TRANSACTIONAL SECURITY FOR AN END-USER DEVICE - A network system comprises a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism (e.g., a start/stop trigger module, an application lockout module, a network/file I/O control module, a trusted driver manager, a keystrokes generator driver, a keystrokes deletion hook, and/or a transaction network VPN manager) for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to the end-user device to protect the end-user device during the transaction. | 02-12-2009 |
20090049539 | Generic Hub To Increase Security When Accessing Business Systems - In a method and system for increasing security when accessing a business system, a generic hub receives a request having a first transfer protocol from a user to access an application or application data maintained in an application server. In response to the user request, the generic hub verifies the authorization of the user to access the application server. If the user is authorized, a user interface to the application is presented to the user and input data is received from the user interface. The input data is checked for validity based on application-specific metadata and type checks bound to this metadata associated with fields in the user interface, and any extraneous or non-expected data is removed from the input data. The input data and user request of a first transfer protocol are tunneled to the application using a second transfer protocol. | 02-19-2009 |
20090049540 | METHOD AND SYSTEM FOR PROVIDING TARGETED WEB FEED SUBSCRIPTION RECOMMENDATIONS CALCULATED THROUGH KNOWLEDGE OF IP ADDRESSES - A system for providing targeted Web feed subscription suggestions calculated based on IP (“Internet Protocol”) addresses. Web feeds are automatically suggested to users based on the IP address of the user's computer system and previous feed subscriptions made from other computer systems having similar IP addresses. Feed suggestions may be weighted based on differing levels of IP address similarity, in order to reflect differing levels of geographic proximity between users. Users may be permitted to expressly indicate which of their feed subscriptions are to be made public through the feed reader user interface when they make subscriptions. In response to such user indications, the disclosed system passes the IP address of the user's computer system to the centralized server system together with a name or other identifier of the feed that was subscribed to. | 02-19-2009 |
20090055921 | FILE ACCESS IN MULTI-PROTOCOL ENVIRONMENT - Aspects of the subject matter described herein relate to providing file access in a multi-protocol environment. In aspects, a file server is operable to receive requests formatted according to two or more file access protocols. If a request is formatted according to a first file access protocol, the file server applies access rights associated with the file to an account associated with a requester to determine whether to grant access. If the request is formatted according to the second file access protocol, the file server may first attempt to find an account for the requester. If an account is not found, the file server may then grant access based on access rights associated with the file as applied to information in the request without consulting an account on the file server. | 02-26-2009 |
20090064311 | SECURE WEB INTERACTIONS USING A DESKTOP AGENT - An application server enables a secure network interaction. The application server receives a request for the secure network interaction from a third-party server. In response, the application server determines a security procedure, such as an authentication procedure, and a client corresponding to the secure network interaction. The client includes a secure desktop agent (SDA). The application server sends a message to the client that activates the SDA. The SDA establishes a secure connection with the application server. The SDA receives user credentials in a secure desktop environment and transmits them to the application server over the secure connection. The application verifies the user credentials and sends a digitally-signed authenticated response to the third-party server. | 03-05-2009 |
20090070866 | METHODS AND SYSTEMS FOR SECURE EMAIL TRANSMISSIONS - Systems and methods for email monitoring and providing sender notification of security levels for outbound email recipients prior to transmission or sending of emails. | 03-12-2009 |
20090077649 | Secure messaging system and method - A system and method for secure data communication between users when logged on to a central server through a network. The system permits subscribers to the system to create associations with non-subscribers which permits those non-subscribers to access the system to send and receive secure data communication to the subscriber that created the association with the non-subscriber. | 03-19-2009 |
20090077650 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, AND COMPUTER READABLE MEDIUM - An information processing apparatus includes: a connecting section; an information storage; a request accepting section; a searching section; a setting information storage; a determining section; and a process executing section. | 03-19-2009 |
20090113541 | Method and apparatus for coding identification information into a security transmission and method and apparatus for automatic learning of replacement security codes - A method for use in relation to a security system includes receiving one or more items of information that each identify things or users associated with the security system, and forming a fixed portion of a security code using the one or more items of information. The fixed portion of the security code is stored in an apparatus that is configured to transmit the security code. A method and apparatus involving the receipt of such a security code are also disclosed. A method for use in relation to a security system includes generating a fixed portion of a security code, and setting a value of the fixed portion of the security code to a value that has a relationship to a fixed portion of a previously learned security code. The relationship indicates that the fixed portion of the security code is a replacement for the fixed portion of the previously learned security code. The fixed portion of the security code is stored in an apparatus that is configured to transmit the security code. A method and apparatus involving the receipt of such a security code are also disclosed. | 04-30-2009 |
20090119770 | Firewall Control for Public Access Networks - An apparatus comprising a policy enforcement point (PEP) configured to enforce firewall policies in a network, and a policy decision point (PDP) coupled to the PEP and configured to manage the PEP based on at least one firewall policy option received from at least one node. Also disclosed is a network component comprising at least one processor configured to implement a method comprising receiving a request from a node regarding a firewall policy entry, authenticating the node, processing the request to manage a firewall using a firewall control protocol, and sending a reply to the node regarding processing the request. Also disclosed is a method comprising signaling a PDP to establish a session associated with a source address and a requested protocol, and receiving an indication when the session is allowed. | 05-07-2009 |
20090126005 | METHOD, APPARATUS AND SYSTEM FOR MANAGING MALICIOUS-CODE SPREADING SITES USING FIREWALL - A method for managing a website is provided in which a web page including malicious code is classified and registered in a network firewall, so that a network terminal is prevented from accessing the web page including the malicious code. | 05-14-2009 |
20090138960 | Control access rule conflict detection - Methods and systems for access control systems such as firewalls. The system detects conflicts between two access control rules by finding all common variables between the two rules and determining if there are values for all the common variables that simultaneously satisfy both rules. If there are such values, and if the end results of the two rules are different, then the two rules are in conflict with one another. | 05-28-2009 |
20090165116 | Methods And Systems For Providing A Trust Indicator Associated With Geospatial Information From A Network Entity - Methods and systems are described for providing a trust indicator associated with geospatial information from a network entity. In one embodiment, first geospatial information identifying a first geospatial region reported as associated with a first network entity is received. The first geospatial information is included in a message from the first network entity. Second geospatial information is received from a second network entity associated with the first network entity. The second geospatial information identifies a second geospatial region verified as associated with the second network entity. A geospatial relationship between the first geospatial region reported as associated with the first network entity and the second geospatial region verified as associated with the second network entity is determined. A trust indicator identifying a level of trust associated with the first geospatial region is generated based on the determined geospatial relationship. | 06-25-2009 |
20090165117 | Methods And Apparatus Supporting Access To Physical And Virtual Trusted Platform Modules - A data processing system features a hardware trusted platform module (TPM), and a virtual TPM (vTPM) manager. When executed, the vTPM manager detects a first request from a service virtual machine (VM) in the processing system, the first request to involve access to the hardware TPM (hTPM). In response, the vTPM manager automatically determines whether the first request should be allowed, based on filter rules identifying allowed or disallowed operations for the hTPM. The vTPM manager may also detect a second request to involve access to a software TPM (sTPM) in the processing system. In response, the vTPM manager may automatically determine whether the second request should be allowed, based on a second filter list identifying allowed or disallowed operations for the sTPM. Other embodiments are described and claimed. | 06-25-2009 |
20090165118 | Method and Arrangement for Position-Dependent Configuration of a Mobile Appliance - An access element and method for controlling access of a network element are provided. A plurality of network elements are connected to a connection of an access element, and at least one second network element is connected to the access element via a first network element. The first network element is authenticated at the access element. A further operation of authenticating the first network element at the access element is initiated by the first network element. An authentication request which is transmitted by the access element and received at the first network element is forwarded to the second network element. The second network element responds to the authentication request with a response message, and the response message is forwarded to the access element via the first network element. | 06-25-2009 |
20090172804 | IDENTITY-BASED-ENCRYPTION MESSAGE MANAGEMENT SYSTEM - Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient. | 07-02-2009 |
20090199291 | Communication apparatus, a firewall control method, and a firewall control program - A communication apparatus used in a plurality of networks is disclosed. The communication apparatus includes a firewall which allows communication with the outside of the communication apparatus when disabled, and prohibits communication with the outside of the communication apparatus when enabled. The communication apparatus further includes a firewall control unit which acquires a first MAC address of a first default gateway provided for a predetermined specific network and a second MAC address of a second default gateway provided for the network to which the communication apparatus is currently connected, and controls the firewall according to the result of comparing the first MAC address and the second MAC address. | 08-06-2009 |
20090205040 | COMPUTER DATA PRODUCT LICENSE INSTALLATION / UPDATE CONFIRMATION - An authenticated digital confirmation of an installation or an update of a licensed computer data product, for providing the licensor with a validation that the installation/update was carried out as intended, and conveying relevant details of the installation/update. The installation/updating facility (internal software, external hardware device, or combination thereof) examines and documents the pre-installation/update state of the target computer system, performs the installation/update, examines and documents the post-installation/update state, and generates the confirmation, which is a summary or digest of the process and the status thereof. The confirmation is securely authenticated and sent to the licensor for validation, to be used for order fulfillment, billing and accounting, and other purposes. | 08-13-2009 |
20090210936 | SYSTEM AND METHOD FOR PROVIDING REMOTE DATA ACCESS FOR A MOBILE COMMUNICATION DEVICE - In one exemplary embodiment, a system for providing data access between an information source and a mobile communication device includes a transcoding system and a first network device. The transcoding system includes a plurality of transcoders, and each transcoder is operable to transcode information content from a respective first content type into a respective second content type. The first network device is in communication with the transcoding system and includes a connection handler system. The connection handler system is operable to receive connection data for a connection between the information source and the mobile communication device and to select a corresponding connection handler. The connection handler is operable to select one or more transcoders from the plurality of transcoders to transcode the information content. | 08-20-2009 |
20090249472 | HIERARCHICAL FIREWALLS - A method of implementing a firewall that receives a layer of policies from each of multiple entities with different levels of authority. The method evaluates received packets based on the received layers of policies. A layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority. | 10-01-2009 |
20090320121 | SYSTEM AND METHODS FOR SECURE SERVICE ORIENTED ARCHITECTURES - Provided is a method for intercepting a message between a requesting web service and a source web service, validating the message, logging the result of the validations, and adding a security profile to the message. The method may also include examining the message to determine whether a security profile is embedded therein. If the message is valid, access to the message by the requesting web service is permitted. If the message is not valid, access to the message by the requesting web service is prevented. | 12-24-2009 |
20090328188 | CONTEXT-BASED SEMANTIC FIREWALL FOR THE PROTECTION OF INFORMATION - A method, information processing system, and network limit access to an electronically available information asset. A request ( | 12-31-2009 |
20090328189 | SECURE WIRELESS COMMUNICATION INITIALIZATION SYSTEM AND METHOD - A wireless communication system for use with a vehicle is disclosed. The communication system comprises a portable wireless device comprising a first manual interface device, the portable wireless device adapted to transmit an activation signal in response to manipulation of the first manual interface device, and an onboard wireless communication device for a vehicle. The onboard wireless communication device can be adapted to transmit Wi-Fi Protected Setup initiation signals in response to receiving the activation signal. | 12-31-2009 |
20090328190 | METHOD AND APPARATUS TO PERFORM SECURITY AND VULNERABILITY TESTING OF PROTOCOLS - Flaws in information security infest modern software, and pervasive computing has made network systems vulnerable. Information security is constantly endangered by errors in protocol implementations. Testing a protocol implementation for errors directly from a network where a device implementing the protocol resides limits the coverage of protocols tested. In contrast, testing protocols from an access network that internetworks a customer premises with one or more service networks greatly expands the coverage of protocols tested. Accordingly, a method and corresponding apparatus are provided to test from the access network, testing both service network devices and customer premises devices, and the protocols implemented on those devices. | 12-31-2009 |
20090328191 | APPARATUS AND METHOD FOR SYNCHRONIZING SECURITY ASSOCIATION STATE IN MOBILE COMMUNICATION TERMINAL - An apparatus and a method for synchronizing a Security Association (SA) state as SA information of a mobile communication terminal is lost are provided. In the method, an IPSec tunnel is established by performing an SA procedure with a server, and a secure port is obtained. A service request message is transmitted to the server via the obtained secure port, and an unsecure port is opened. When a service response message is received from the server, it is determined whether the service response message is received via the unsecure port. When the service response message is received via the unsecure port, the SA procedure is re-performed. Therefore, the terminal may use a service through a secure network without interruption, and reduce a waste of resources by avoiding unnecessary retransmission of a message for requesting a service. | 12-31-2009 |
20100011434 | APPARATUS AND METHOD FOR ASSOCIATING CATEGORIZATION INFORMATION WITH NETWORK TRAFFIC TO FACILITATE APPLICATION LEVEL PROCESSING - An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier. This embodiment further includes a first circuit that appends the hash identifier to the input data to produce modified input data based on the modification instructions, and that routes the modified input data in accordance with an output routing strategy. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis. | 01-14-2010 |
20100017870 | MULTI-AGENT, DISTRIBUTED, PRIVACY-PRESERVING DATA MANAGEMENT AND DATA MINING TECHNIQUES TO DETECT CROSS-DOMAIN NETWORK ATTACKS - The present invention is a method and a system that uses privacy-preserving distributed data stream mining algorithms for mining continuously generated data from different network sensors used to monitor data communication in a computer network. The system is designed to compute global network-threat statistics by combining the output of the network sensors using privacy-preserving distributed data stream mining algorithms. | 01-21-2010 |
20100017871 | Security In Networks - Embodiments related to security in networks are described and depicted. | 01-21-2010 |
20100071055 | Two Parallel Engines for High Speed Transmit IPSEC Processing - The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing. | 03-18-2010 |
20100115603 | METHOD AND SYSTEM FOR SECURING DATA FROM A NON-POINT OF SALE DEVICE OVER AN EXTERNAL NETWORK - A data control system prevents non-point of sale devices ( | 05-06-2010 |
20100138910 | METHODS FOR ENCRYPTED-TRAFFIC URL FILTERING USING ADDRESS-MAPPING INTERCEPTION - The present invention discloses methods, media, and perimeter gateways for encrypted-traffic URL filtering using address-mapping interception, methods including the steps of: providing a client system having a client application for accessing websites from web servers; upon the client application attempting to access an encrypted website, performing a name-to-address query to resolve a name of the encrypted website; intercepting address-mapping responses; creating a mapping between the name and at least one network address of the encrypted website; intercepting incoming encrypted traffic; extracting a server's network address from the incoming encrypted traffic; establishing a resolved name being accessed using the mapping; and filtering the resolved name. Preferably, the step of filtering includes redirecting the encrypted traffic. Preferably, the method further includes the step of: blocking all encrypted traffic for unresolved names. | 06-03-2010 |
20100162384 | Method and system to detect breaks in a border of a computer network - A method for detecting breaks in a border of a network is disclosed. The method may include monitoring network regulation and shaping traffic passing through the border. The method may also include providing, by a first confederate server on a first side of the border, a first connection request to a second confederate server on a second side of the border. Further, the method may include providing, by the second confederate server on the second side of the border, a second connection request to the first confederate server on the first side of the border. The method may also include executing a network diagnostic command if one or more of the first or second connection request is granted. Further, the method may also include copying any outputs of the network diagnostic command to a file. | 06-24-2010 |
20100186079 | REMOTE ACCESS TO PRIVATE NETWORK RESOURCES FROM OUTSIDE THE NETWORK - In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource. | 07-22-2010 |
20100212006 | PEER-TO-PEER TRAFFIC MANAGEMENT BASED ON KEY PRESENCE IN PEER-TO-PEER DATA TRANSFERS - Various exemplary embodiments relate to a method and related network element including one or more of the following: receiving a plurality of packets belonging to an IP flow, the packets received in a network element in the telecommunications network; performing deep packet inspection (DPI) to identify an application protocol associated with the flow; when the application protocol is a peer-to-peer (P2P) protocol, performing DPI to extract a key from one or more of the packets in the flow, the key uniquely identifying a P2P content item; querying a P2P content database using the key, the P2P content database maintaining a mapping between keys and corresponding traffic management actions; and when the key is located in the P2P content database, performing the traffic management action associated with the key in the P2P content database. | 08-19-2010 |
20100263041 | SUSPICIOUS AUTONOMOUS SYSTEM PATH DETECTION - A system includes a memory to store instructions and an autonomous system path (AS-path) and a processor. The processor executes instructions in the memory to determine an origin degree for each autonomous system in the AS-path, compare the origin degree of a first adjacent autonomous system in the AS-path with each subsequent autonomous system in the AS-path, and sum percentage increase values determined by comparing the origin degree of the first adjacent autonomous system in the AS-path with each subsequent autonomous system in the AS-path to determine a suspicion score for the AS-path. | 10-14-2010 |
20100269172 | FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Session Initiation Protocol (SIP) server within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts. | 10-21-2010 |
20100287609 | CONTENT PROTECTION MANAGEMENT SYSTEM - A content protection management system that enables interoperability with other Content Protection and DRM technologies. A managed security domain provides a simple, consistent and reliable experience to whole-home network subscribers. The architectural concept for the whole-home network includes an underlying control plane with an overlaying content security control plane running a particular DRM technology. | 11-11-2010 |
20100299743 | SESSION INITIATION AND MAINTENANCE WHILE ROAMING - The technology disclosed addresses initiation of peer-to-peer media exchange sessions, with traversal of NAT and firewall devices, in a manner adapted to roaming. In particular, involves preliminary determination of NAT/firewall topology, which reduces latency at initiation, and hole punching technologies to select a routing and traversal strategy that reduce reliance on external media relay devices. | 11-25-2010 |
20100319065 | Firewall Configuration In A Base Station - The invention is directed towards methods of configuring a firewall in a first base station ( | 12-16-2010 |
20110035796 | Providing Differentiated Network Services and Priorities to VPN Routers/Clients - In one embodiment, a first network device receives a priority message from a second network device, wherein the priority message conforms to a connection establishment protocol and indicates a priority associated with the second network device. The first network device obtains the priority from the priority message and stores the priority. The first network device allocates resources for at least one of control or data plane processing to the second network device in accordance with the priority. | 02-10-2011 |
20110067096 | SYSTEM AND METHOD FOR PROVIDING SECURE CONFIGURATION FILE PROVISIONING - A system and method for providing secure configuration file exchange is disclosed. The system may comprise a Voice over Internet Protocol (VoIP) device comprising a receiver and a processor, wherein the VoIP device is configured to: receive, at the receiver, an encrypted first configuration file from a server using a default Uniform Resource Locator (URL) stored in the VoIP device; decrypt, at the processor, the first configuration file using a default key stored in the VoIP device; apply, at the processor, a first set of profile parameters stored in the first configuration file, wherein applying further comprises updating the default URL and the default key in the VoIP device with a new URL and a new key stored in the first configuration file; receive, at the receiver, an encrypted second configuration file from the server using the new URL; decrypt, at the processor, the second configuration file using the new key; and apply, at the processor, a second set of profile parameters stored in the second configuration file in order to provide network service from the server to a customer premise equipment (CPE) communicatively coupled to the VoIP device. | 03-17-2011 |
20110099623 | SYSTEM AND METHOD FOR PROVIDING UNIFIED TRANSPORT AND SECURITY PROTOCOLS - The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device. | 04-28-2011 |
20110138457 | Securing Communications Between Different Network Zones - In an embodiment, a method is provided for communicating a protocol request at a network zone. In this method, the protocol request is received from a computing device and this protocol request is encapsulated in a different protocol. The protocol request is then transmitted to a different network zone by way of the different protocol. A message is then accessed from the different network zone by way of the different protocol, and this message includes a protocol response to the protocol request. The protocol response is extracted from the message and transmitted to the computing device. | 06-09-2011 |
20110154476 | SYSTEM AND METHOD FOR COLLECTING AND VALIDATING INTELLECTUAL PROPERTY ASSET DATA - A comprehensive platform for merchandising intellectual property (IP) and conducting IP transactions is disclosed. A standardized data collection method enables IP assets to be characterized, rated and valuated in a consistent manner. Project management, workflow and data security functionality enable consistent, efficient and secure interactions between the IP Marketplace participants throughout the IP transaction process. Business rules, workflows, valuation models and rating methods may be user defined or based upon marketplace, industry or technology standards. | 06-23-2011 |
20110179480 | System and method to protect web forms against spam messages using Tokens instead of using CAPTCHAs - The problem we solve with this system is the spam on website forms. Until now this problem has been solved with CAPTCHAs that help to distinguish between the human users and spambots [ | 07-21-2011 |
20110179481 | NETWORK AWARE FIREWALL - Among other things, one or more systems and/or methods for a network aware firewall are disclosed. A method comprises accessing a first network connection from a client computer system and determining whether the first network connection is a first network type or a second network type. The method further comprises dynamically modifying security parameters associated with a firewall local to the client computer system in response to determining whether the network connection is the first network type or the second network type. | 07-21-2011 |
20110214175 | METHOD FOR MITIGATING ON-PATH ATTACKS IN MOBILE IP NETWORK - In one aspect of the invention, a mobile node (MN) participates in a first return routability procedure with a home agent (HA) and a correspondent node (CN), including generating a first binding management key (Kbm). A first proof of knowledge (PoK) is generated by hashing the first Kbm. The MN participates in a second return routability procedure, including generating a second Kbm. A first binding update and binding acknowledgement (BU/BA) key is generated by hashing the second Kbm and the first PoK. A first binding update (BU) message is transmitted to the CN, where the second BU message is transmitted with the first BU/BA key. In response to a first binding acknowledgement (BA) message received from the CN, the MN authenticates the first BA message using the first BU/BA key. | 09-01-2011 |
20110225647 | Cloud Based Firewall System And Service - A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN. | 09-15-2011 |
20110239291 | Detecting and Thwarting Browser-Based Network Intrusion Attacks For Intellectual Property Misappropriation System and Method - Detecting and thwarting browser-based network intrusion attacks for intellectual property misappropriation is provided by enabling a local machine to direct retrieval of resources using uniform resource identifiers to a browser operating within a virtual machine whose internet protocol address is within a range external to a trusted network sub-circuit. Such a virtual machine is constrained by not having access to the Active Directory Server of the trusted network. Such a virtual machine is constrained by not having access to other resources of the trusted network. Such a virtual machine is constrained by a monitor application which terminates the virtual machine if characteristics of intrusion or network attack are observed within the virtual machine. | 09-29-2011 |
20110252470 | SYSTEM FOR REGULATING HOST SECURITY CONFIGURATION - A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period. | 10-13-2011 |
20110258696 | System and Method for Centralized Station Management - In one embodiment of the invention, a wireless network is adapted with a wireless network switch in communication with a plurality of access points, which are in communication with one or more stations. Coupled to the access points over an interconnect, the wireless network switch is adapted to receive a DEAUTHENTICATION message sent by one of the plurality of access points in the same coverage area of the station so as to detect the DEAUTHENTICATION message and to block communications between the plurality of access points and the station in response to determining that the DEAUTHENTICATION message is invalid. | 10-20-2011 |
20110283351 | How to stop external and most internal network "Hacking" attacks by utilizing a dual appliance/server arrangement that allows for the use of peering servers and/or client software running on said peering servers or on proxy servers, web servers, or other legacy equipment - Method and system that allows for the input of secure data through a non-secure means and prevents the accessing of the secure data through electronic subterfuge (i.e. Hacking). When this patent is utilized with the current state-of-the-art network security systems, it will be possible to prevent external and most internal accessing of secure computer systems, aka "Hacking." The method and system can allow access to approved users and either prevent the access of secure information by users that do not have access and/or "kill" the processes of said users. The method and system are capable of detecting unauthorized access to systems and, should an attack reach certain thresholds, can allow the system to recover and prevent access beyond the specific boundary set. The method and system are also capable of apportioning data to users who may not have the necessary privileges for all of the information but who do need a portion of it. The system is also capable of identifying the individuals who removed the data from secure storage and can track the chain of possession of the electronic document. This is not a traditional network-centric approach to network data access and as a result is much more effective in handling security issues. This system does not address DoS (Denial of Service) attacks. | 11-17-2011 |
20110289581 | TRUSTED E-MAIL COMMUNICATION IN A MULTI-TENANT ENVIRONMENT - Trusted e-mail communication may be provided. A message source organization may be validated. When a message is received from the validated message source organization for a recipient organization, a determination may be made as to whether the recipient organization supports an attribution data extension. If so, the message may be transmitted to the recipient organization with an attribution element associated with the message source organization. | 11-24-2011 |
20110296520 | FIREWALL PROXY SYSTEMS AND METHODS IN A BACKUP ENVIRONMENT - According to certain aspects, a method for performing remote backup operations is provided that includes receiving a first unidirectional connection request from a media agent module to a proxy device within an enterprise network, through a firewall. The method also includes receiving a second unidirectional connection request from a remote device coupled to an untrusted network, such as through a second firewall. Secure connections are established from the media agent module to the proxy and from the remote device to the proxy. Additionally, the method can include routing with the proxy device backup data from the remote computing device to the media agent over the secured connections. The method also may include storing the backup data on a storage device within the enterprise network. In certain embodiments, during establishment of the secure connections, identification of the media agent or the storage device is not exposed to the untrusted network. | 12-01-2011 |
20120005744 | COMMUNICATING APPARATUS FOR PERFORMING COMMUNICATION OVER IP NETWORK BY USING SIP, CONTROLLING METHOD THEREFOR, AND PROGRAM - A communicating apparatus that is able to perform IP-FAX communication without making the user aware of the attack and without any difficulty, even if the device recognizes a DoS attack or the like. Communication that uses a SIP server on a network is performed by a communicating unit. Unauthorized communication from the communication performed by the communicating unit is detected. A port number of a receiving port of the communicating unit is changed when the unauthorized communication is detected. It is determined whether or not the detected unauthorized communication has passed through the SIP server. The communicating apparatus is controlled to request the SIP server to delete the port number of the receiving port that has not been changed yet if it is determined that the unauthorized communication has passed through the SIP server and to re-register on the SIP server a port number of a receiving port that has been changed if it is determined that the unauthorized communication has bypassed the SIP server. | 01-05-2012 |
20120060212 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, AND COMPUTER-READABLE STORAGE MEDIUM - An information processing apparatus is connectable via a network to service providing devices and a collecting apparatus. The information processing apparatus acquires a selection policy for selecting the devices that lay open to public types of providable services and service level information, and acquires service type information and the service level information from the collecting apparatus which detects the devices and collects the service type information including the types of providable services of the devices and the service level information. The devices capable of providing the accepted type of service are selected according to the selection policy. | 03-08-2012 |
20120222108 | SYSTEM AND METHOD FOR AUTOMATICALLY INITIATING AND DYNAMICALLY ESTABLISHING SECURE INTERNET CONNECTIONS BETWEEN A FIRE-WALLED SERVER AND A FIRE-WALLED CLIENT - A system and method for automatically and dynamically initiating and establishing secure connections between a Server and a Client using a session control server (SCS). Both the Server and the Client are connected to an untrusted network (such as the Internet) through a Network Address Translator or Translation (NAT) router or a firewall. The SCS, independently trusted by both the Server and the Client, brokers the required connection parameters to establish a secure connection between the Server and the Client. The system and method does not require any user configuration on the Client and eliminates the need for the Server to accept explicit connection requests or packets from the Client, thereby allowing the Server firewall to always remain closed to all inbound traffic. | 08-30-2012 |
20120240216 | Method for Lawfully Intercepting Communication IP Packets Exchanged Between Terminals - A method for lawfully intercepting communication IP packets exchanged between terminals is provided. The method involves assigning an IP address associated with a telecommunication service provider to, for example, a sending terminal for use as its IP address in communications with a receiving terminal, the telecommunication service provider providing SIP proxy services for establishing communication between the sending and receiving terminals. The communication IP packets are intercepted in such a way that the terminals are unaware of the interception. | 09-20-2012 |
20120246712 | FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Media Gateway Control Protocol (MGCP) media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts. | 09-27-2012 |
20120304279 | System for Isolating a Secured Data Communication Network - A system for isolating a data communication network has been developed. The system includes an internal computer system with an internal computer that is in data communication with the internal computer system, and an external computer system with an external computer that is in data communication with the external computer system. The internal and external computers are connected with an ethernet adapter that only allows transmission of data from the internal computer system and prohibits the receipt of data by the internal computer system. | 11-29-2012 |
20120311693 | UPDATING FIREWALL RULES - A host rule mapping module in a firewall server may receive an update notification from a name server. The update notification may indicate a change to an address associated with a host name of a host machine. In response to receiving the update notification, the host rule mapping module may request a record corresponding to the host name identified in the update notification. The host rule mapping module may receive a contents of the record in response to the request from the name server, and update a firewall rule corresponding to the address identified in the update notification to include the contents of the record. | 12-06-2012 |
20120324569 | RULE COMPILATION IN A FIREWALL - A firewall system comprises a rule compiler operable to use florets and factoring to produce a rule data structure that enables a rules engine to apply a rule from a rule set in phases, including rules applicable during a first scan with second factors not available and rules applicable during a second scan such that only the second factors need be applied. | 12-20-2012 |
20130067562 | SYSTEM, METHOD AND PROGRAM TO LIMIT RATE OF TRANSFERRING MESSAGES FROM SUSPECTED SPAMMERS - A system, method and program product for managing e-mails from a source suspected of sending spam. The e-mails are received at a firewall or router en route to a mail server. A determination is made whether a source has sent an e-mail which exhibits characteristics of spam. In response, subsequent e-mails from the source destined for the mail server are rate-limited at the firewall or router such that the firewall or router limits a rate at which the subsequent e-mails are forwarded from the firewall or router to the mail server. The rate is predetermined and less than a maximum rate at which the firewall or router can physically forward e-mails to the mail server absent the rate limit. A determination is made whether another source has sent another e-mail which exhibits more characteristics of spam than the first said e-mail. In response, subsequent e-mails from this other source are blocked at the firewall or router. The rate limit can be a limit on a number of e-mails per unit of time from the source that will be forwarded from the firewall or router to the mail server. | 03-14-2013 |
20130097692 | SYSTEM AND METHOD FOR HOST-INITIATED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes intercepting a network flow to a destination node having a network address and sending a discovery query based on a discovery action associated with the network address in a firewall cache. A discovery result may be received and metadata associated with the flow may be sent to a firewall before releasing the network flow. In other embodiments, a discovery query may be received from a source node and a discovery result sent to the source node, wherein the discovery result identifies a firewall for managing a route to a destination node. Metadata may be received from the source node over a metadata channel. A network flow from the source node to the destination node may be intercepted, and the metadata may be correlated with the network flow to apply a network policy to the network flow. | 04-18-2013 |
20130117837 | FAST UPDATE FILTER - A method may include defining a filter for a network device, the filter including a rule and a particular number of prioritized fields, where at least one of the prioritized fields is formatted to accept input as a range of values. The method may also include receiving a rule modification for the filter, the rule modification including at least one input as a range of values, and performing a check for conflicts of the rule modification with the rule in the filter. The method may further include expanding the input range of values to form multiple rules equivalent to the rule modification with the input range of values, establishing backtracking links to integrate the multiple rules with the existing rule, and adding the multiple rules to the filter. | 05-09-2013 |
20130139247 | FIREWALL APPARATUS, SYSTEMS, AND METHODS EMPLOYING DETECTION OF APPLICATION ANOMALIES - In one embodiment, a processor-implemented method for monitoring network traffic between a first device executing a software application and a second device coupled to the first device. The method includes: (a) the processor analyzing application-level data contained within traffic originating from and/or received by the first device, the application-level data including data provided to and/or provided by the software application; (b) based on the results of the analysis in step (a), the processor creating one or more access rules; (c) the processor receiving a request from the second device to access the first device, the request including application-level data; and (d) the processor determining whether the request received in step (c) complies with one or more of the access rules. | 05-30-2013 |
20130152191 | TIMING MANAGEMENT IN A LARGE FIREWALL CLUSTER - A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out. | 06-13-2013 |
20130174246 | SYSTEM AND METHOD FOR CLOUD BASED SCANNING FOR COMPUTER VULNERABILITIES IN A NETWORK ENVIRONMENT - A method in one embodiment includes establishing a first secure tunnel between a scanner and a configuration manager, and a second secure tunnel between the scanner and a scan controller, where the scanner is located in a public network and the configuration manager and the scan controller are located in a private network, communicating scanner configuration information between the scanner and the configuration manager over the first secure tunnel, and communicating scan information between the scanner and the scan controller over the second secure tunnel. The secure tunnels may be established from within the private network, by forwarding a first origination port and a second origination port to a first destination port and a second destination port, respectively. The first and second origination ports may be located in the public network, and the first and second destination ports may be located in the private network. | 07-04-2013 |
20130219485 | SYSTEM AND METHOD FOR PROVIDING UNIFIED TRANSPORT AND SECURITY PROTOCOLS - The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device. | 08-22-2013 |
20130247170 | HOST TRUST REPORT BASED FILTERING MECHANISM IN A REVERSE FIREWALL - Disclosed is a computer implemented method to report a bad host. A receiver host receives a packet from a sender host. The receiver host detects that the packet contains suspect hostile content. The receiver host transmits a negative trust report. | 09-19-2013 |
20130263249 | Enhancing IPSEC Performance and Security Against Eavesdropping - A network element (NE) comprising a memory device configured to store instructions, and a processor configured to execute the instructions by dividing a first plurality of data packets of a data flow into a first plurality of sub-flows, and causing the first plurality of sub-flows to be transmitted to a second NE via a network, wherein the first plurality of sub-flows are transmitted using a first Internet Protocol Security (IPsec) security association (SA) cluster comprising a plurality of parallel sub-SAs. The disclosure also includes a NE comprising a processor configured to create an IPsec SA cluster comprising a first plurality of sub-SAs between the NE and a second NE using an internet key exchange (IKE) or an IKEv2, wherein the first sub-SAs are unidirectional, and wherein the first sub-SAs are configured to transport a first plurality of data packets in a common direction. | 10-03-2013 |
20130269023 | Cloud Based Firewall System And Service - A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN. | 10-10-2013 |
20130291089 | DATA COMMUNICATION METHOD AND DEVICE AND DATA INTERACTION SYSTEM BASED ON BROWSER - The present invention, relating to the field of network technologies, discloses a data communication method and device and data interaction system based on browser. The method includes: receiving request data input by a user by using a browser; generating a request data packet using the request data according to a preset private protocol; and sending the request data packet to a server. The client includes: a receiving unit, a generating unit, and a sending unit. The data interaction system includes a client and a server. According to the present invention, a request data packet is generated for request data according to a preset private protocol, and then sent to a server. In addition, during the data communication process, other protocol-specific fields in HTTP are not carried, thereby reducing data transmission amount, saving bandwidths, and improving data transmission efficiency. | 10-31-2013 |
20140007219 | METHOD AND ARRANGEMENT FOR PROVIDING SECURITY THROUGH NETWORK ADDRESS TRANSLATIONS USING TUNNELING AND COMPENSATIONS | 01-02-2014 |
20140033296 | METHOD AND ARRANGEMENT FOR PROVIDING SECURITY THROUGH NETWORK ADDRESS TRANSLATIONS USING TUNNELING AND COMPENSATIONS - This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments. | 01-30-2014 |
20140041013 | METHOD AND SYSTEM FOR MESSAGING SECURITY - An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively. | 02-06-2014 |
20140075541 | SYSTEMS AND METHODS FOR ACCESSING RESOURCES THROUGH A FIREWALL - Systems, methods, and computer-readable storage media for providing access to a firewalled resource are provided. A system includes a controller configured to be positioned outside of the firewall and configured to receive connection information from the resource through the firewall. The controller is configured to generate instructions for establishing a connection between the client device and the resource through the firewall based on the connection information received from the resource. The controller is configured to transmit the instructions to the client device. The client device is configured to open a connection between the client device and the resource through the firewall based on the instructions transmitted to the client device from the controller. | 03-13-2014 |
20140123267 | METHOD AND SYSTEM FOR TCP TURN OPERATION BEHIND A RESTRICTIVE FIREWALL - A method at a computing client located behind a NAT and restrictive-access firewall, including establishing a control connection with a TCP TURN server utilizing a port capable of traversing the restrictive-access firewall; requesting an allocation of a client service identity from the TCP TURN server; and receiving, from the TCP TURN server, a response containing the client service identity, the client service identity being independent of any port used to communicate with the TCP TURN server. Further, a method at a TCP TURN server, including listening on a first port for communications from a computing client, the computing client being behind a restrictive-access firewall and the first port capable of traversing the restrictive-access firewall; establishing a control connection with the client on the first port; receiving a request for an allocation of a client service identity from the computing client; and sending a response containing the client service identity. | 05-01-2014 |
20140143853 | NETWORK QUARANTINE SYSTEM, NETWORK QUARANTINE METHOD AND PROGRAM THEREFOR - To isolate a terminal from a network immediately after a quarantine agent is uninstalled therefrom, a policy readout unit reads out a policy from a policy database and a policy check unit determines whether or not a terminal satisfies the policy that was read out. If it is determined that the terminal satisfies the read out policy, a quarantine server control unit instructs a bridge to destroy a packet with no VLAN tag among the packets sent from the terminal while controlling a quarantine agent to send a packet with a VLAN tag when sending the packet from the terminal. | 05-22-2014 |
20140143854 | LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES - A method for balancing load among firewall security devices in a network is disclosed. Firewall security devices are arranged in multiple clusters. A switching device is configured with the firewall security devices by communicating control messages and heartbeat signals. Information regarding the configured firewall security devices is then included in a load balancing table. A load balancing function is configured for enabling the distribution of data traffic received by the switching device. A received data packet by the switching device is forwarded to one of the firewall security devices in a cluster based on the load balancing function, the load balancing table and the address contained in the data packet. | 05-22-2014 |
20140143855 | Methods, devices and systems for establishing end-to-end secure connections and for securely communicating data packets - The invention provides methods, devices ( | 05-22-2014 |
20140189846 | COST-EFFECTIVE MOBILE CONNECTIVITY PROTOCOLS - Structures and protocols are presented for signaling a status or decision concerning a wireless service or device within a region to a network participant or other communication device (smartphone or motor vehicle, e.g.). | 07-03-2014 |
20140196141 | HIERARCHICAL RULE DEVELOPMENT AND BINDING FOR WEB APPLICATION SERVER FIREWALL - At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model includes a plurality of message model sections. A representation of the at least one of an HTTP request message and an HTTP response message is parsed into message sections in accordance with the message model sections of the HTTP message model. A plurality of security rules are bound to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition, which is based, at least in part, on a corresponding given one of the message sections. The at least one of an HTTP request message and an HTTP response message is processed in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided. | 07-10-2014 |
20140201829 | FILE-BASED APPLICATION PROGRAMMING INTERFACE PROVIDING SELECTABLE SECURITY FEATURES - A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules. | 07-17-2014 |
20140208413 | SYSTEM AND METHOD FOR AN ENDPOINT HARDWARE ASSISTED NETWORK FIREWALL IN A SECURITY ENVIRONMENT - A method is provided in one example embodiment and includes receiving a traffic flow at a tamper resistant environment from an application, where the tamper resistant environment is separated from a host operating system. The method also includes applying a security token to the traffic flow and sending the traffic flow to a server. In specific embodiments, a security module may add information about the application to traffic flow. A trapping module may monitor for a memory condition and identify the memory condition. The trapping module may also, responsive to identifying the memory condition, initiate a virtual environment for the application, and check the integrity of the traffic flow. | 07-24-2014 |
20140237584 | SYSTEM AND METHOD FOR REDIRECTED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow. | 08-21-2014 |
20140245425 | CONFIGURABLE-QUALITY RANDOM DATA SERVICE - Methods and apparatus for a configurable-quality random data service are disclosed. A method includes implementing programmatic interfaces enabling a determination of respective characteristics of random data to be delivered to one or more clients of a random data service of a provider network. The method includes implementing security protocols for transmission of random data to the clients, including a protocol for transmission of random data to trusted clients at devices within the provider network. The method further includes obtaining, on behalf of a particular client and in accordance with the determined characteristics, random data from one or more servers of the provider network, and initiating a transmission of the random data directed to a destination associated with the particular client. | 08-28-2014 |
20140259147 | SMART ROUTER - An example router device disclosed herein functions as a transport level proxy and application level proxy, is able to host both authenticated user and device sessions with stored session state and access control to resources for enhanced performance and ease of use. The device is able to function as a protocol proxy for improved performance and security. The device may be configured to implement a captive portal login mechanism, and may programmatically force unsecure LAN-side client requests to secure WAN-side connections. The device may execute an API for remote applications to utilize. The router device may pre-fetch content for client devices, and may communicate with other servers and peer routers to ascertain congestion on the WAN, and perform intelligent routing of WAN traffic based on the detected congestion. The device may also employ techniques to enhance privacy, virtualized address spaces, cookie filters, and traffic modification. | 09-11-2014 |
20140310797 | METHOD AND APPARATUS TO SCALE AUTHENTICATED FIREWALL TRAVERSAL USING TRUSTED ROUTING POINT - A Trusted Routing Point (TROP) generates a signaling message that includes an authorization token used to authorize a firewall to open a pinhole. The signaling message contains a first indicator that indicates whether a data field in the signaling message represents a source address of a media flow. The signaling message also includes a second indicator that indicates whether the firewall should derive the source address of the media flow from the data field. The authorization token is generated using a one-way hash function over information that may be included in the signaling message, including the first indicator and the second indicator. | 10-16-2014 |
20140317720 | NEGOTIATION OF SECURITY PROTOCOLS AND PROTOCOL ATTRIBUTES IN SECURE COMMUNICATIONS ENVIRONMENT - Methods of communicatively connecting first and second endpoints are disclosed. One method includes transmitting from a first endpoint to a second endpoint a connection request, the connection request including an IP address of the second endpoint. The method further includes, based at least in part on the IP address of the second endpoint, selecting IPsec from among a plurality of available security protocols to first attempt to use in forming a tunnel between the first and second endpoints, and forming the tunnel between the first and second endpoints based on the connection request. | 10-23-2014 |
20140325636 | LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION - Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, a switch maintains session data the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular FSD. A data packet of a traffic session from a client device directed to a target device is received at the switch. When none of the session entries are determined to correspond to the data packet, an FSD is selected to associate with the first traffic session by performing a load balancing function on at least a portion of the data packet. When a matching session entry exists, an FSD identified by the matching session entry is selected to process the data packet. The data packet is then caused to be processed by the selected firewall security device. | 10-30-2014 |
20140351920 | Method and Apparatus for Dynamic Tunneling - Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private. | 11-27-2014 |
20140351921 | Method and Apparatus for Remotely Manageable, Declaratively Configurable Data Stream Aggregator with Guaranteed Delivery for Private Cloud Compute Infrastructure - Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private. | 11-27-2014 |
20140351922 | Method and Apparatus for Remotely Manageable, Declaratively Configurable Data Stream Aggregator with Guaranteed Delivery for Private Cloud Compute Infrastructure - Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private. | 11-27-2014 |
20140351923 | Method and Apparatus for Remotely Manageable, Declaratively Configurable Data Stream Aggregator with Guaranteed Delivery for Private Cloud Compute Infrastructure - Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private. | 11-27-2014 |
20140373130 | Integrating Web Protocols With Applications and Services - Techniques for integrating a security protocol in an application include receiving a web protocol request generated by the application at an interceptor, the interceptor configured to read and write the web protocol request; receiving a selection of a role comprising one or more validation aspects and a plurality of extended application components; based on reading the web protocol request, retrieving configuration data associated with the web protocol request; adding the plurality of extended application components using the configuration data; and executing the web protocol in the application using the selected role. | 12-18-2014 |
20140380460 | Dynamic Communication Between Secure Endpoints - In one implementation, a hub and spoke network is made up of hub network devices and spoke network devices. A security protocol channel is established between the hub and at least a first spoke. The hub receives a resolution request from the first spoke via the security protocol channel. The resolution request includes data indicative of a second endpoint. The hub queries a next hop client database for a WAN address of the second endpoint. The first endpoint and the second endpoint are geographically separated nodes of the same enterprise network. The hub sends a resolution reply to the first endpoint including the WAN address for the second endpoint. The hub also sends a message to the second endpoint including a WAN address of the first endpoint and a summary of the data packet received at the first endpoint. | 12-25-2014 |
20150128248 | SYSTEM, METHOD, AND COMPUTER PROGRAM FOR PREVENTING INFECTIONS FROM SPREADING IN A NETWORK ENVIRONMENT USING DYNAMIC APPLICATION OF A FIREWALL POLICY - A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node. | 05-07-2015 |
20150150114 | Method and System for Providing Secure Remote External Client Access to Device or Service on a Remote Network - In order to provide secure user access to a device or service on a remote network, upon receipt of a request to access the device or service on a portal on a central server, a request is sent to a probe application installed on the remote network to establish a secure link to the central server. A message is then sent to the user directing the user to initiate a specific session request to the central server. The session request is cross connected to the probe application installed on the remote network over the secure link to establish a secure tunnel to the probe application. A secure user session is set up through the secure tunnel to the device or service via the probe application. | 05-28-2015 |
20150150115 | METHOD FOR THE TRANSMISSION OF A MESSAGE BY A SERVER OF AN IMS MULTIMEDIA IP CORE NETWORK, AND SERVER - A method for the transmission of a message by a server of a multimedia IP core network is disclosed. In one aspect, following the reception, by the server, of a request from a terminal to register with the core network, the registration request proposing an authentication method for the establishment of a secure tunnel between the terminal and an entity for the connection of the terminal to the core network, the transmission method may comprise identifying an access network used by the terminal for registering with the multimedia IP core network, drawing up, according to the identified access network, a recommendation concerning the establishment or otherwise of the secure tunnel between the terminal and the connection entity for the authentication method, and inserting said recommendation into the message transmitted by the server. | 05-28-2015 |
20150350160 | METHOD AND APPARATUS FOR DYNAMIC DETECTION OF GEO-LOCATION OBFUSCATION IN CLIENT-SERVER CONNECTIONS THROUGH AN IP TUNNEL - Methods and systems are disclosed for dynamic detection of fraudulent client connections to a server, in which, for example, the connection is made using an internet protocol (IP) tunneling technology, such as networking on a virtual private network (VPN), and is routed via a VPN tunnel in order to obfuscate the client IP address; a user of a client device may thereby spoof IP geo-location mechanisms and IP classification on the server side. Such a user may have various motivations for obfuscating the client device's geo-location by using an IP tunnel when connecting to a server, such as gaining access to services that are not allowed in certain locations (e.g., certain movie and television content providers); browsing server data while maintaining a higher level of anonymity; and performing fraudulent actions on the server. | 12-03-2015 |
20150350246 | DYNAMIC SECURE PACKET BLOCK SIZING - Disclosed herein are methods, systems, and software for handling secure transport of data between end users and content serving devices. In one example, a method of operating a content server includes identifying a content request from an end user device. The method further includes, responsive to the user request, determining a transmission control protocol window size and a secure layer protocol block size. The method also provides scaling the secure layer protocol block size to match the transmission control protocol window size, and transferring secure layer protocol packets to the end user device using the scaled secure layer protocol block size. | 12-03-2015 |
20150365379 | SYSTEM AND METHOD FOR MANAGING, CONTROLLING AND CONFIGURING AN INTELLIGENT PARENTAL CONTROL FILTER - A system and a method for intelligently learning a list of allowed IP content at one or more internet connected devices by implementing an intelligent parental control means is provided. The means includes a router and a filter. The router monitors and records web based operations done at the internet connected devices during a learning mode to create a list of allowed IP content at the internet connected devices. The filter implements the list and accordingly allows and blocks the content. Further, a remote device communicating with the router via a central server remotely controls and configures the router and the filter. The remote device permits the router to approve or disapprove blocked IP content when the blocked content is accessed at the internet connected devices. | 12-17-2015 |
20160014149 | Network Security System and Method | 01-14-2016 |
20160028725 | INTEGRATED CIRCUIT FOR DETERMINING WHETHER DATA STORED IN EXTERNAL NONVOLATILE MEMORY IS VALID - An integrated circuit may comprise a secure volatile memory configured to store first data-validity information associated with first data stored in an external nonvolatile memory; and a secure processor configured to: retrieve the first data-validity information from a secure remote server over a secure communication channel, wherein the secure processor uses mutual authentication with the secure remote server to secure the secure communication channel; store the first data-validity information in the secure volatile memory; retrieve the first data from the external nonvolatile memory; obtain second data-validity information associated with the first data; compare the first data-validity information stored in the secure volatile memory with the second data-validity information to generate a comparison value; and determine, based on the comparison value, whether the first data is valid. | 01-28-2016 |
20160119311 | CARRIER NETWORK SECURITY INTERFACE FOR FIELDED DEVICES - Carrier-side security services for fielded devices are disclosed. In contrast to conventional authentication systems for fielded devices, wherein an end-to-end communications pathway is typically established for authentication of a fielded device by a back-end service provider, authentication and security services can be moved into devices associated with a carrier network. A device associated with the carrier network can authenticate field components to service components without first establishing a communications pathway to a back-end service provider. Further, the device can provide for secured communications with an authenticated field component that are not readable by carrier devices. In an aspect, this can allow for centralization of security elements from the periphery of back-end service providers into a device associated with the carrier network. In a further aspect, the device can host a security services platform for back-end service providers. | 04-28-2016 |
20160119378 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR SECURITY PROTOCOL SELECTION IN INTERNET PROTOCOL MULTIMEDIA SUBSYSTEM NETWORKS - A method includes receiving a first secured registration request message from user equipment at a registration server in an Internet Protocol multimedia subsystem network, the first secured registration request message being secured using a first security protocol, determining at the registration server that the first secured registration request message cannot be decoded using the first security protocol, sending a message from the registration server to the user equipment proposing a second security protocol, and receiving a second secured registration request message from the user equipment at the registration server, the second secured registration request message being secured using the second security protocol. | 04-28-2016 |
20160127317 | METHOD AND APPARATUS FOR DISPLAYING HTTPS BLOCK PAGE WITHOUT SSL INSPECTION - The present disclosure describes a method and system for displaying an HTTPS block page without SSL inspection. Specifically, a network device snoops a first message transmitted between a client device and a network resource. The first message is transmitted as part of an SSL handshake between the client device and the network resource to establish an SSL session. Moreover, the network device determines whether the client device is authorized to access the network resource. If not, the network device blocks the establishment of an SSL session between the client device and the network resource, and spoofs the network resource so that the SSL session is established between the client device and the network device instead of between the client device and the network resource. Otherwise, the network device refrains from blocking the establishment of the SSL session between the client device and the network resource. | 05-05-2016 |
20160134606 | CHANGING GROUP MEMBER REACHABILITY INFORMATION - In an embodiment, a method comprises obtaining a second network address at a computer node, which has already been associated with a first network address and provided with first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; and using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group. | 05-12-2016 |
20160164910 | Processing Method and Apparatus for Preventing Packet Attack - A processing method and apparatus for preventing a packet attack are provided. A network protocol negotiation status of a port of a network device is monitored; a port that succeeds in network protocol negotiation is set to a trusted port, a protocol packet is selected, according to a first access control list (ACL), from packets received by the trusted port, and a rate at which the protocol packet is sent to a central processing unit (CPU) is limited to a first committed access rate (CAR); a port that fails in network protocol negotiation is set to an untrusted port, a protocol packet is selected, according to a second ACL, from packets received by the untrusted port, and a rate at which the protocol packet is sent to the CPU is limited to a second CAR. Configuration accuracy of the trusted port and the untrusted port is improved, and a packet attack is prevented. | 06-09-2016 |
20160173450 | Systems And Methods For Automatic Device Detection, Device Management, And Remote Assistance | 06-16-2016 |
20160182448 | SCANNER ENABLED WITH A SECURE INPUT/OUTPUT (I/O) MODULE (SIOM) | 06-23-2016 |