
Security protocols

Subclass of:

726 - Information security

726002000 - ACCESS CONTROL OR AUTHENTICATION

726003000 - Network

726011000 - Firewall

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class | Description | Number of patent applications
726015000 | Virtual Private Network or Virtual Terminal Protocol (i.e., VPN or VTP) | 108
Entries
DocumentTitleDate
20110179480System and method to protect web forms against spam messages using Tokens instead of using CAPTCHAs - The problem we solve with this system is the spam on website's forms. Until now this problem has been solved with CAPTHCHAs that help to distinguish between the human users and spambots [07-21-2011
20100017870MULTI-AGENT, DISTRIBUTED, PRIVACY-PRESERVING DATA MANAGEMENT AND DATA MINING TECHNIQUES TO DETECT CROSS-DOMAIN NETWORK ATTACKS - The present invention is a method and a system that uses privacy-preserving distributed data stream mining algorithms for mining continuously generated data from different network sensors used to monitor data communication in a computer network. The system is designed to compute global network-threat statistics by combining the output of the network sensors using privacy-preserving distributed data stream mining algorithms.01-21-2010
20080256624SYSTEMS AND METHOD FOR DISTRIBUTED NETWORK PROTECTION - Through the use of an intermediate party, a first party is given the ability to communicate with a second party, with the communication appearing as if it originated with the intermediate party. Specifically, in a protected network system, the protected network is capable of acting as a conduit through which an entity, such as law enforcement, can communicate with an entity attempting an unauthorized access attempt unbeknownst to the entity attempting the unauthorized access attempt. This allows, for example, the detection and identification of the entity attempting the unauthorized access attempt.10-16-2008
20080256623Method and system for protecting a computer system from denial-of-service attacks and other deleterious resource-draining phenomena related to communications - Embodiments of the present invention include a variety of different integrated, multi-tiered methods and systems for preventing various types of attacks on computer systems, including denial-of-service attacks and SYN-flood attacks. Components of these integrated methods and systems include probabilistic packet droppers, packet-rate throttles, resource controls, automated firewalls, and efficient connection-state-information storage in memory resources and connection-state-information distribution in order to prevent draining of sufficient communications-related resources within a computer system to seriously degrade or disable electronics communications components within the computer system.10-16-2008
20080256622Reduction of false positive reputations through collection of overrides from customer deployments - An automated arrangement for reducing the occurrence and/or minimizing the impact of false positives by a reputation service is provided in which overrides for a reputation of an adversary are reported to a reputation service from security devices, such as unified threat management systems, deployed in enterprise or consumer networks. An override is typically performed by an administrator at a customer network to allow the security device to accept traffic from, or send traffic to a given IP address or URL. Such connectivity is allowed—even if such objects have a blacklisted reputation provided by a reputation service—in cases where the administrator recognizes that the blacklisted reputation is a false positive. The reputation service uses the reported overrides to adjust the fidelity (i.e., a confidence level) of that object's reputation, and then provides an updated reputation, which reflects the fidelity adjustment, to all the security devices that use the reputation service.10-16-2008
20100115603METHOD AND SYSTEM FOR SECURING DATA FROM A NON-POINT OF SALE DEVICE OVER AN EXTERNAL NETWORK - A data control system prevents non-point of sale devices (05-06-2010
20090138960Control access rule conflict detection - Methods and systems for access control systems such as firewalls. The system detects conflicts between two access control rules by finding all common variables between the two rules and determining if there are values for all the common variables that simultaneously satisfy both rules. If there are such values, and if the end result of the two rules are different, then the two rules are in conflict with one another.05-28-2009
20090044264SPAM REDUCTION IN REAL TIME COMMUNICATIONS BY HUMAN INTERACTION PROOF - The claimed subject matter provides a system and/or a method that facilitates authenticating a data communication. An interface component can receive data related to a real time data communication between two or more clients. A verification component can employ a human interaction proof (HIP) to a client participating within the real time data communication, wherein a human identity of the client is authenticated as a function of a response to the HIP.02-12-2009
20120311693UPDATING FIREWALL RULES - A host rule mapping module in a firewall server may receive an update notification from a name server. The update notification may indicate a change to an address associated with a host name of a host machine. In response to receiving the update notification, the host rule mapping module may request a record corresponding to the host name identified in the update notification. The host rule mapping module may receive a contents of the record in response to the request from the name server, and update a firewall rule corresponding to the address identified in the update notification to include the contents of the record.12-06-2012
20130067562SYSTEM, METHOD AND PROGRAM TO LIMIT RATE OF TRANSFERRING MESSAGES FROM SUSPECTED SPAMMERS - A system, method and program product for managing e-mails from a source suspected of sending spam. The e-mails are received at a firewall or router en route to a mail server. A determination is made whether a source has sent an e-mail which exhibits characteristics of spam. In response, subsequent e-mails from the source destined for the mail server are rate-limiting at the firewall or router such that the firewall or router limits a rate at which the subsequent e-mails are forwarded from the firewall or router to the mail server. The rate is predetermined and less than a maximum rate at which the firewall or router can physically forward e-mails to the mail server absent the rate limit. A determination is made whether another source has sent another e-mail which exhibits more characteristics of spam than the first said e-mail. In response, subsequent e-mails from this other source are blocked at the firewall or router. The rate limit can be a limit on a number of e-mails per unit of time from the source that will be forwarded from the firewall or router to the mail server.03-14-2013
20090007254RESTRICTING COMMUNICATION SERVICE - In response to a command to start restrictions on a communication service of a computer, the communication service is restricted by a countermeasures apparatus which replaces the communication address of a second computer, which has been stored in a first computer, with the communication address of the countermeasures apparatus, and replaces a communication address of the first computer, which has been stored in the second computer, with the communication address of the countermeasures apparatus. Accordingly, the countermeasures apparatus acquires a packet from the first computer to the second computer and determines whether or not this acquired packet is to be transmitted to the second computer.01-01-2009
20080295164MASHUP COMPONENT ISOLATION VIA SERVER-SIDE ANALYSIS AND INSTRUMENTATION11-27-2008
20080271135Remote network device with security policy failsafe - A remote network device having a network security policy, includes: a firewall component embedded within the network device to filter data flow with a network; a user-defined network security policy for the firewall component to define constraints on data flows permitted by the network device; and a failsafe protocol to enable remote control of the device independent of the user-defined network security policy and the firewall filter.10-30-2008
20110283351How to stop external and most internal network "Hacking"attacks by utilizing a dual appliance/server arrangement that allows for the use of peering servers and/or client software running on said peering servers or on proxy servers, web servers, or other legacy equipment - Method and system that allows for the input of secure data through a non-secure means and preventing the accessing of the secure data through electronic subterfuge (i.e. Hacking). When this patent is utilized with the current state-of-the-art network security systems, it will be possible to preventing external and most internal accessing of secure computer systems, aka “Hacking.” The method and system can allow access to approved users and either prevents the access of secure information from users that do not have access and/or “kill” the processes of said users. The method and system is capable of detecting unauthorized access to systems and should an attack reach certain thresholds can allow the system to recover and prevent access beyond the specific boundary set. The method and system is also capable of apportioning data to users who may not have the necessary privileges for all of the information but who do need a portion of it. The system is also capable of identifying the individuals who removed the data from secure storage and can track the chain of possession of the electronic document. This is a not a traditional network-centric approach to network data access and as a result is much more effective in handling security issues. This system does not address DoS (Denial of Service) attacks.11-17-2011
20110289581TRUSTED E-MAIL COMMUNICATION IN A MULTI-TENANT ENVIRONMENT - Trusted e-mail communication may be provided. A message source organization may be validated. When a message is received from the validated message source organization for a recipient organization, a determination may be made as to whether the recipient organization supports an attribution data extension. If so, the message may be transmitted to the recipient organization with an attribution element associated with the message source organization.11-24-2011
20110296520FIREWALL PROXY SYSTEMS AND METHODS IN A BACKUP ENVIRONMENT - According to certain aspects, a method for performing remote backup operations is provided that includes receiving a first unidirectional connection request from a media agent module to a proxy device within an enterprise network, through a firewall. The method also includes receiving a second unidirectional connection request from a remote device coupled to an untrusted network, such as through a second firewall. Secure connections are established from the media agent module to the proxy and from the remote device to the proxy. Additionally, the method can include routing with the proxy device backup data from the remote computing device to the media agent over the secured connections. The method also may include storing the backup data on a storage device within the enterprise network. In certain embodiments, during establishment of the secure connections, identification of the media agent or the storage device is not exposed to the untrusted network.12-01-2011
20130219485SYSTEM AND METHOD FOR PROVIDING UNIFIED TRANSPORT AND SECURITY PROTOCOLS - The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device.08-22-2013
20090165116Methods And Systems For Providing A Trust Indicator Associated With Geospatial Information From A Network Entity - Methods and systems are described for providing a trust indicator associated with geospatial information from a network entity. In one embodiment, first geospatial information identifying a first geospatial region reported as associated with a first network entity is received. The first geospatial information is included in a message from the first network entity. Second geospatial information is received from a second network entity associated with the first network entity. The second geospatial information identifies a second geospatial region verified as associated with the second network entity. A geospatial relationship between the first geospatial region reported as associated with the first network entity and the second geospatial region verified as associated with the second network entity is determined. A trust indicator identifying a level of trust associated with the first geospatial region is generated based on the determined geospatial relationship.06-25-2009
20100071055Two Parallel Engines for High Speed Transmit IPSEC Processing - The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.03-18-2010
20080244728RELAY APPARATUS, RELAY METHOD, A COMPUTER-READABLE RECORDING MEDIUM RECORDING A RELAY PROGRAM THEREIN AND INFORMATION PROCESSING APPARATUS - The present relay apparatus includes: a first security information obtaining unit which obtains security information from transmission data sent from the first apparatus during specification establishing communication previously performed to encryption communication; a first registering unit which registers the obtained security information and the address of the first apparatus, as first routing information, in association with each other; a second security information obtaining unit which obtains security information from the transmission data sent from the second apparatus; and a first distributing unit which distributes the transmission data to its destination first apparatus with reference to the first routing information based on the security information obtained by the second security information obtaining unit. This construction makes it possible to perform specification establishing communication normally from multiple first apparatuses, and to correctly distribute encrypted packets to the LAN end first apparatuses.10-02-2008
20080209541Computer Network Intrusion Detection System and Method - A method and system for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes a managed device and a security event log. The managed device detects an incoming TCP/IP connection by the attacker device to the network. TCP/IP information relating to the attacker device is extracted from a TCP/IP stack of the managed device. It is ascertained that a port number of the incoming TCP/IP connection is identical to a predefined port number. A performed process includes determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device. Event log information, which is associated with the detected incoming TCP/IP connection, is retrieved from the security event log. A generated report is generated and stored in a database of the network. The report includes the extracted TCP/IP information and the retrieved event log information.08-28-2008
20100138910METHODS FOR ENCRYPTED-TRAFFIC URL FILTERING USING ADDRESS-MAPPING INTERCEPTION - The present invention discloses methods, media, and perimeter gateways for encrypted-traffic URL filtering using address-mapping interception, methods including the steps of: providing a client system having a client application for accessing websites from web servers; upon the client application attempting to access an encrypted website, performing a name-to-address query to resolve a name of the encrypted website; intercepting address-mapping responses; creating a mapping between the name and at least one network address of the encrypted website; intercepting incoming encrypted traffic; extracting a server's network address from the incoming encrypted traffic; establishing a resolved name being accessed using the mapping; and filtering the resolved name. Preferably, the step of filtering includes redirecting the encrypted traffic. Preferably, the method further includes the step of: blocking all encrypted traffic for unresolved names.06-03-2010
20090119770Firewall Control for Public Access Networks - An apparatus comprising a policy enforcement point (PEP) configured to enforce firewall policies in a network, and a policy decision point (PDP) coupled to the PEP and configured to manage the PEP based on at least one firewall policy option received from at least one node. Also disclosed is a network component comprising at least one processor configured to implement a method comprising receiving a request from a node regarding a firewall policy entry, authenticating the node, processing the request to manage a firewall using a firewall control protocol, and sending a reply to the node regarding processing the request. Also disclosed is a method comprising signaling a PDP to establish a session associated with a source address and a requested protocol, and receiving an indication when the session is allowed.05-07-2009
20100287609CONTENT PROTECTION MANAGEMENT SYSTEM - A content protection management system that enables interoperability with other Content Protection and DRM technologies. A managed security domain provides a simple, consistent and reliable experience to whole-home network subscribers. The architectural concept for the whole-home network includes an underlying control plane with an overlaying content security control plane running a particular DRM technology.11-11-2010
20080282340SAFE HASHING FOR NETWORK TRAFFIC - Secure network communications between a source computer and a destination computer utilizing a firewall. The firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the outbound request. The remote endpoint and the local physical memory address are hashed to generate an index value corresponding to an entry in an internal state table of the firewall. When an inbound request is received, the firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the inbound request. The remote endpoint and the local physical memory address of the inbound request are hashed to generate an index value corresponding to an entry in the internal state table of the firewall. The firewall forwards the inbound request to the local endpoint if a matching entry is found in the internal state table at the index value.11-13-2008
20080209542Communications Systems Firewall - Methods, apparatus, programs and signals for providing communications network security. The approach is based on using established “standard” protocols, but packets (or cells or frames) are deliberately malformed by the sender, optionally according to a predetermined rule (for example by inverting a packet check digit). A filter forwards only packets identified as being invalid, optionally in accordance with the rule; packets which are valid with respect to the “standard” protocol are dropped. The filter is preferably implemented in hardware to mitigate the risk of its being compromised by a malicious attack.08-28-2008
20080271136METHOD AND SYSTEM FOR CONTROLLING SOFTWARE LOADS ON A THIRD-PARTY MOBILE STATION - A system and method for allowing a licensee having mobile station hardware to support its own set of carriers and software demands of these carriers, the software including licensor software, the method comprising the steps of: assigning a unique third party identifier to the licensee; assigning a range of carrier identifiers for the licensee; allowing the licensee to create a unique identifier by combining the unique third party identifier with an identifier chosen from the range of carrier identifiers; and associating, in a gateway program, the unique identifier with one or more software versions acceptable by a carrier for download onto the mobile station hardware.10-30-2008
20090165118Method and Arrangement for Position-Dependent Configuration of a Mobile Appliance - An access element and method for controlling access of a network element are provided. A plurality of network elements which are connected to a connection of an access element and at least one second network element is connected to the access element via a first network element. The first network element is authenticated at the access element. Another operation of authenticating the first network element at the access element is initiated by the first network element. An authentication request which is transmitted by the access element and is received at the first network element is forwarded to the second network element. The second network element responds to the authentication request with a response message and the response message is forwarded to the access element via the first network element.06-25-2009
20090165117Methods And Apparatus Supporting Access To Physical And Virtual Trusted Platform Modules - A data processing system features a hardware trusted platform module (TPM), and a virtual TPM (vTPM) manager. When executed, the vTPM manager detects a first request from a service virtual machine (VM) in the processing system, the first request to involve access to the hardware TPM (hTPM). In response, the vTPM manager automatically determines whether the first request should be allowed, based on filter rules identifying allowed or disallowed operations for the hTPM. The vTPM manager may also detect a second request to involve access to a software TPM (sTPM) in the processing system. In response, the vTPM manager may automatically determine whether the second request should be allowed, based on a second filter list identifying allowed or disallowed operations for the sTPM. Other embodiments are described and claimed.06-25-2009
20080256621SYSTEM AND APPARATUS FOR TRANSFERRING DATA BETWEEN COMMUNICATION ELEMENTS - A system and apparatus for transferring data between communication elements is disclosed. A system that incorporates teachings of the present disclosure may include, for example, a communication device having a controller element to receive data from a web server to update one or more entries of an identity module coupled to the controller element. The data can be retrieved by the web server from a second communication device. Additional embodiments are disclosed.10-16-2008
20090049540METHOD AND SYSTEM FOR PROVIDING TARGETED WEB FEED SUBSCRIPTION RECOMENDATIONS CALCULATED THROUGH KNOWLEDGE OF IP ADDRESSES - A system for providing targeted Web feed subscription suggestions calculated based on IP (“Internet Protocol”) addresses. Web feeds are automatically suggested to users based on the IP (Internet Protocol) address of the user's computer system and previous feed subscriptions made from other computer systems having similar IP addresses. Feed suggestions may be weighted based on differing levels of IP address similarity, in order to reflect differing levels of geographic proximity between users. Users may be permitted to expressly indicate which of their feed subscriptions are to be made public through the feed reader user interface when they make subscriptions. In response to such user indications, the disclosed system passes the IP address of the user's computer system to the centralized server system together with a name or other identifier of the feed that was subscribed to.02-19-2009
20090025079COMMUNICATION SYSTEM FOR AUTHENTICATING OR RELAYING NETWORK ACCESS, RELAYING APPARATUS, AUTHENTICATION APPARATUS, AND COMMUNICATION METHOD - A switching equipment stores identification information of communication established with respect to an infrastructure network system in a storage unit, and when an access request is received from a terminal device, the switching equipment adds the stored identification information to the access request and transfers the access request to a 1× Radius server. When the terminal device having requested the access is authenticated, the 1× Radius server notifies a PANA PAA of address information of the terminal device associated with the identification information added to the access request. The PANA PAA approves the same network access as the switching equipment with respect to the terminal device in the received address information.01-22-2009
20110225647Cloud Based Firewall System And Service - A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN.09-15-2011
20090199291Communication apparatus, a firewall control method, and a firewall control program - A communication apparatus used in a plurality of networks is disclosed. The communication apparatus includes a firewall which allows communication with outside of the communication apparatus when disabled, and prohibits communication with outside of the communication apparatus when enabled. Then, the communication apparatus includes a firewall control unit which acquires a first MAC address of a first default gateway provided for a predetermined specific network and a second MAC address of a second default gateway provided for a network in which the communication apparatus is being connected, and controls the firewall according to a result of comparison of the first MAC address and the second MAC address.08-06-2009
20090049539Generic Hub To Increase Security When Accessing Business Systems - In a method and system for increasing security when accessing a business system, a generic hub receives a request having a first transfer protocol from a user to access an application or application data maintained in an application server. In response to the user request, the generic hub verifies the authorization of the user to access the application server. If the user is authorized, a user interface to the application is presented to the user and input data is received from the user interface. The input data is checked for validity based on application-specific metadata and type checks bound to this metadata associated with fields in the user interface, and any extraneous or non-expected data is removed from the input data. The input data and user request of a first transfer protocol are tunneled to the application using a second transfer protocol.02-19-2009
20090210936SYSTEM AND METHOD FOR PROVIDING REMOTE DATA ACCESS FOR A MOBILE COMMUNICATION DEVICE - In one exemplary embodiment, a system for providing data access between an information source and a mobile communication device includes a transcoding system and a first network device. The transcoding system includes a plurality of transcoders, and each transcoder is operable to transcode information content from a respective first content type into a respective second content type. The first network device is in communication with the transcoding system and includes a connection handler system. The connection handler system is operable to receive connection data for a connection between the information source and the mobile communication device and to select a corresponding connection handler. The connection handler is operable to select one or more transcoders from the plurality of transcoders to transcode the information content.08-20-2009
20090205040COMPUTER DATA PRODUCT LICENSE INSTALLATION / UPDATE CONFIRMATION - An authenticated digital confirmation of an installation or an update of a licensed computer data product, for providing the licensor with a validation that the installation/update was carried out as intended, and conveying relevant details of the installation/update. The installation/updating facility (internal software, external hardware device, or combination thereof) examines and documents the pre-installation/update state of the target computer system, performs the installation/update, examines and documents the post-installation/update state, and generates the confirmation, which is a summary or digest of the process and the status thereof. The confirmation is securely authenticated and sent to the licensor for validation, to be used for order fulfillment, billing and accounting, and other purposes.08-13-2009
20090249472HIERARCHICAL FIREWALLS - A method of implementing a firewall that receives a layer of policies from each of multiple entities with different levels of authority. The method evaluates received packets based on the received layers of policies. A layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.10-01-2009
20100263041SUSPICIOUS AUTONOMOUS SYSTEM PATH DETECTION - A system includes a memory to store instructions and an autonomous system path (AS-path) and a processor. The processor executes instructions in the memory to determine an origin degree for each autonomous system in the AS-path, compare the origin degree of a first adjacent autonomous system in the AS-path with each subsequent autonomous system in the AS-path, and sum percentage increase values determined by comparing the origin degree of the first adjacent autonomous system in the AS-path with each subsequent autonomous system in the AS-path to determine a suspicion score for the AS-path.10-14-2010
20100162384Method and system to detect breaks in a border of a computer network - A method for detecting breaks in a border of a network is disclosed. The method may include monitoring network regulation and shaping traffic passing through the border. The method may also include providing, by a first confederate server on a first side of the border, a first connection request to a second confederate server on a second side of the border. Further, the method may include providing, by the second confederate server on the second side of the border, a second connection request to the first confederate server on the first side of the border. The method may also include executing a network diagnostic command if one or more of the first or second connection request is granted. Further, the method may also include copying any outputs of the network diagnostic command to a file.06-24-2010
20100186079REMOTE ACCESS TO PRIVATE NETWORK RESOURCES FROM OUTSIDE THE NETWORK - In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource.07-22-2010
20090044266SYSTEM AND METHOD FOR PROVIDING TRANSACTIONAL SECURITY FOR AN END-USER DEVICE - A network system comprises a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism (e.g., a start/stop trigger module, an application lockout module, a network/file I/O control module, a trusted driver manager, a keystrokes generator driver, a keystrokes deletion hook, and/or a transaction network VPN manager) for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to the end-user device to protect the end-user device during the transaction.02-12-2009
20090077650INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, AND COMPUTER READABLE MEDIUM - An information processing apparatus includes: a connecting section; an information storage; a request accepting section; a searching section; a setting information storage; a determining section; and a process executing section.03-19-2009
20090077649Secure messaging system and method - A system and method for secure data communication between users when logged on to a central server through a network. The system permits subscribers to the system to create associations with non-subscribers which permits those non-subscribers to access the system to send and receive secure data communication to the subscriber that created the association with the non-subscriber.03-19-2009
20090328191APPARATUS AND METHOD FOR SYNCHRONIZING SECURITY ASSOCIATION STATE IN MOBILE COMMUNICATION TERMINAL - An apparatus and a method for synchronizing a Security Association (SA) state when SA information of a mobile communication terminal is lost are provided. In the method, an IPSec tunnel is established by performing an SA procedure with a server, and a secure port is obtained. A service request message is transmitted to the server via the obtained secure port, and an unsecure port is opened. When a service response message is received from the server, it is determined whether the service response message was received via the unsecure port. When the service response message was received via the unsecure port, the SA procedure is performed again. Therefore, the terminal may use a service through a secure network without interruption, and reduce wasted resources by avoiding unnecessary retransmission of the message requesting the service.12-31-2009
20090328190METHOD AND APPARATUS TO PERFORM SECURITY AND VULNERABILITY TESTING OF PROTOCOLS - Flaws in information security infest modern software, and pervasive computing has made network systems vulnerable. Information security is constantly endangered by errors in protocol implementations. Testing a protocol implementation for errors directly from a network where a device implementing the protocol resides limits the coverage of protocols tested. In contrast, testing protocols from an access network that internetworks a customer premises with one or more service networks greatly expands the coverage of protocols tested. Accordingly, a method and corresponding apparatus are provided to test from the access network, testing both service network devices and customer premises devices, and the protocols implemented on those devices.12-31-2009
20090328189SECURE WIRELESS COMMUNICATION INITIALIZATION SYSTEM AND METHOD - A wireless communication system for use with a vehicle is disclosed. The communication system comprises a portable wireless device comprising a first manual interface device, the portable wireless device adapted to transmit an activation signal in response to manipulation of the first manual interface device, and an onboard wireless communication device for a vehicle. The onboard wireless communication device can be adapted to transmit Wi-Fi Protected Setup initiation signals in response to receiving the activation signal.12-31-2009
20090328188CONTEXT-BASED SEMANTIC FIREWALL FOR THE PROTECTION OF INFORMATION - A method, information processing system, and network limit access to an electronically available information asset. A request (12-31-2009
20110067096SYSTEM AND METHOD FOR PROVIDING SECURE CONFIGURATION FILE PROVISIONING - A system and method for providing secure configuration file exchange is disclosed. The system may comprise a Voice over Internet Protocol (VoIP) device comprising a receiver and a processor, wherein the VoIP device is configured to: receive, at the receiver, an encrypted first configuration file from a server using a default Uniform Resource Locator (URL) stored in the VoIP device; decrypt, at the processor, the first configuration file using a default key stored in the VoIP device; apply, at the processor, a first set of profile parameters stored in the first configuration file, wherein applying further comprises updating the default URL and the default key in the VoIP device with a new URL and a new key stored in the first configuration file; receive, at the receiver, an encrypted second configuration file from the server using the new URL; decrypt, at the processor, the second configuration file using the new key; and apply, at the processor, a second set of profile parameters stored in the second configuration file in order to provide network service from the server to customer premises equipment (CPE) communicatively coupled to the VoIP device.03-17-2011
20100269172FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Session Initiation Protocol (SIP) server within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.10-21-2010
20090320121SYSTEM AND METHODS FOR SECURE SERVICE ORIENTED ARCHITECTURES - Provided is a method for intercepting a message between a requesting web service and a source web service, validating the message, logging the result of the validations, and adding a security profile to the message. The method may also include examining the message to determine whether a security profile is embedded therein. If the message is valid, access to the message by the requesting web service is permitted. If the message is not valid, access to the message by the requesting web service is prevented.12-24-2009
20120246712FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Media Gateway Control Protocol (MGCP) media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.09-27-2012
20090113541Method and apparatus for coding identification information into a security transmission and method and apparatus for automatic learning of replacement security codes - A method for use in relation to a security system includes receiving one or more items of information that each identify things or users associated with the security system, and forming a fixed portion of a security code using the one or more items of information. The fixed portion of the security code is stored in an apparatus that is configured to transmit the security code. A method and apparatus involving the receipt of such a security code are also disclosed. A method for use in relation to a security system includes generating a fixed portion of a security code, and setting a value of the fixed portion of the security code to a value that has a relationship to a fixed portion of a previously learned security code. The relationship indicates that the fixed portion of the security code is a replacement for the fixed portion of the previously learned security code. The fixed portion of the security code is stored in an apparatus that is configured to transmit the security code. A method and apparatus involving the receipt of such a security code are also disclosed.04-30-2009
20090038001Correlation of Log Information In A Distributed Computing Environment Using Relative Timestamps - Methods and apparatus, including computer program products, are provided for using a relative timestamp to log activity in a distributed computing system. In one aspect, there is provided a computer-implemented method. The method may include receiving a message including a first timestamp representative of when the message is sent at a first processor. A second processor may generate an entry logging receipt of the received message. The second processor may determine a second timestamp representative of a time relative to the first timestamp. The second timestamp may be included as an entry at a log at the second processor.02-05-2009
20090038000System and Method for Multiple Address of Record Registration Using a Single Explicit SIP Request - One embodiment of the present invention is a method for registering multiple addresses of record. The method comprises receiving a session initiation protocol register request. The session initiation protocol register request comprises a plurality of addresses of record and a contact address for a session initiation protocol endpoint. The method further comprises associating each of the plurality of addresses of record with the contact address for the session initiation protocol endpoint.02-05-2009
20090070866METHODS AND SYSTEMS FOR SECURE EMAIL TRANSMISSIONS - Systems and methods for email monitoring and providing sender notification of security levels for outbound email recipients prior to transmission or sending of emails.03-12-2009
20110035796Providing Differentiated Network Services and Priorities to VPN Routers/Clients - In one embodiment, a first network device receives a priority message from a second network device, wherein the priority message conforms to a connection establishment protocol and indicates a priority associated with the second network device. The first network device obtains the priority from the priority message and stores the priority. The first network device allocates resources for at least one of control or data plane processing to the second network device in accordance with the priority.02-10-2011
20090064311SECURE WEB INTERACTIONS USING A DESKTOP AGENT - An application server enables a secure network interaction. The application server receives a request for the secure network interaction from a third-party server. In response, the application server determines a security procedure, such as an authentication procedure, and a client corresponding to the secure network interaction. The client includes a secure desktop agent (SDA). The application server sends a message to the client that activates the SDA. The SDA establishes a secure connection with the application server. The SDA receives user credentials in a secure desktop environment and transmits them to the application server over the secure connection. The application server verifies the user credentials and sends a digitally-signed authenticated response to the third-party server.03-05-2009
20110214175METHOD FOR MITIGATING ON-PATH ATTACKS IN MOBILE IP NETWORK - In one aspect of the invention, a mobile node (MN) participates in a first return routability procedure with a home agent (HA) and a correspondent node (CN), including generating a first binding management key (Kbm). A first proof of knowledge (PoK) is generated by hashing the first Kbm. The MN participates in a second return routability procedure, including generating a second Kbm. A first binding update and binding acknowledgement (BU/BA) key is generated by hashing the second Kbm and the first PoK. A first binding update (BU) message is transmitted to the CN, where the second BU message is transmitted with the first BU/BA key. In response to a first binding acknowledgement (BA) message received from the CN, the MN authenticates the first BA message using the first BU/BA key.09-01-2011
20100212006PEER-TO-PEER TRAFFIC MANAGEMENT BASED ON KEY PRESENCE IN PEER-TO-PEER DATA TRANSFERS - Various exemplary embodiments relate to a method and related network element including one or more of the following: receiving a plurality of packets belonging to an IP flow, the packets received in a network element in the telecommunications network; performing deep packet inspection (DPI) to identify an application protocol associated with the flow; when the application protocol is a peer-to-peer (P2P) protocol, performing DPI to extract a key from one or more of the packets in the flow, the key uniquely identifying a P2P content item; querying a P2P content database using the key, the P2P content database maintaining a mapping between keys and corresponding traffic management actions; and when the key is located in the P2P content database, performing the traffic management action associated with the key in the P2P content database.08-19-2010
20110179481NETWORK AWARE FIREWALL - Among other things, one or more systems and/or methods for a network aware firewall are disclosed. A method comprises accessing a first network connection from a client computer system and determining whether the first network connection is a first network type or a second network type. The method further comprises dynamically modifying security parameters associated with a firewall local to the client computer system in response to determining whether the network connection is the first network type or the second network type.07-21-2011
20110252470SYSTEM FOR REGULATING HOST SECURITY CONFIGURATION - A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to: determine a current host-protection configuration for a target host; detect a discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host-reconfiguration period being the difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; and determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods. The recommendation engine also includes a scheduler for activating said intrusion-protection instructions according to said monitoring period.10-13-2011
20110099623SYSTEM AND METHOD FOR PROVIDING UNIFIED TRANSPORT AND SECURITY PROTOCOLS - The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device.04-28-2011
20120304279System for Isolating a Secured Data Communication Network - A system for isolating a data communication network has been developed. The system includes an internal computer system with an internal computer that is in data communication with the internal computer system, and an external computer system with an external computer that is in data communication with the external computer system. The internal and external computers are connected with an Ethernet adapter that only allows transmission of data from the internal computer system and prohibits the receipt of data by the internal computer system.11-29-2012
20090025078SECURE SHARING OF TRANSPORT LAYER SECURITY SESSION KEYS WITH TRUSTED ENFORCEMENT POINTS - Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.01-22-2009
20110154476SYSTEM AND METHOD FOR COLLECTING AND VALIDATING INTELLECTUAL PROPERTY ASSET DATA - A comprehensive platform for merchandising intellectual property (IP) and conducting IP transactions is disclosed. A standardized data collection method enables IP assets to be characterized, rated and valuated in a consistent manner. Project management, workflow and data security functionality enable consistent, efficient and secure interactions between the IP Marketplace participants throughout the IP transaction process. Business rules, workflows, valuation models and rating methods may be user defined or based upon marketplace, industry or technology standards.06-23-2011
20110258696System and Method for Centralized Station Management - In one embodiment of the invention, a wireless network is adapted with a wireless network switch in communication with a plurality of access points, which are in communication with one or more stations. Coupled to the access points over an interconnect, the wireless network switch is adapted to receive a DEAUTHENTICATION message sent by one of the plurality of access points in the same coverage area of the station so as to detect the DEAUTHENTICATION message and to block communications between the plurality of access points and the station in response to determining that the DEAUTHENTICATION message is invalid.10-20-2011
20090126005METHOD, APPARATUS AND SYSTEM FOR MANAGING MALICIOUS-CODE SPREADING SITES USING FIREWALL - A method for managing a website is provided in which a web page including malicious code is classified and registered in a network firewall, so that a network terminal is prevented from accessing the web page including the malicious code.05-14-2009
20110138457Securing Communications Between Different Network Zones - In an embodiment, a method is provided for communicating a protocol request at a network zone. In this method, the protocol request is received from a computing device and this protocol request is encapsulated in a different protocol. The protocol request is then transmitted to a different network zone by way of the different protocol. A message is then accessed from the different network zone by way of the different protocol, and this message includes a protocol response to the protocol request. The protocol response is extracted from the message and transmitted to the computing device.06-09-2011
20100017871Security In Networks - Embodiments related to security in networks are described and depicted.01-21-2010
20090172804IDENTITY-BASED-ENCRYPTION MESSAGE MANAGEMENT SYSTEM - Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient.07-02-2009
20120060212INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, AND COMPUTER-READABLE STORAGE MEDIUM - An information processing apparatus is connectable via a network to service providing devices and a collecting apparatus. The information processing apparatus acquires a selection policy for selecting among the devices that publicly disclose their types of providable services and service level information, and acquires service type information and service level information from the collecting apparatus, which detects the devices and collects the service type information (including the types of providable services of the devices) and the service level information. The devices capable of providing the accepted type of service are selected according to the selection policy.03-08-2012
20120005744COMMUNICATING APPARATUS FOR PERFORMING COMMUNICATION OVER IP NETWORK BY USING SIP, CONTROLLING METHOD THEREFOR, AND PROGRAM - A communicating apparatus that is able to perform IP-FAX communication without making the user aware of the attack and without any difficulty, even if the device recognizes a DoS attack or the like. Communication that uses a SIP server on a network is performed by a communicating unit. Unauthorized communication among the communication performed by the communicating unit is detected. A port number of a receiving port of the communicating unit is changed when the unauthorized communication is detected. It is determined whether or not the detected unauthorized communication has passed through the SIP server. The communicating apparatus is controlled to request the SIP server to delete the port number of the receiving port that has not been changed yet if it is determined that the unauthorized communication has passed through the SIP server, and to re-register on the SIP server the port number of the receiving port that has been changed if it is determined that the unauthorized communication has bypassed the SIP server.01-05-2012
20120222108SYSTEM AND METHOD FOR AUTOMATICALLY INITIATING AND DYNAMICALLY ESTABLISHING SECURE INTERNET CONNECTIONS BETWEEN A FIRE-WALLED SERVER AND A FIRE-WALLED CLIENT - A system and method for automatically and dynamically initiating and establishing secure connections between a Server and a Client using a session control server (SCS). Both the Server and the Client are connected to an untrusted network (such as the Internet) through a Network Address Translator or Translation (NAT) router or a firewall. The SCS, independently trusted by both the Server and the Client, brokers the required connection parameters to establish a secure connection between the Server and the Client. The system and method do not require any user configuration on the Client and eliminate the need for the Server to accept explicit connection requests or packets from the Client, thereby allowing the Server firewall to always remain closed to all inbound traffic.08-30-2012
20100299743SESSION INITIATION AND MAINTENANCE WHILE ROAMING - The technology disclosed addresses initiation of peer-to-peer media exchange sessions, with traversal of NAT and firewall devices, in a manner adapted to roaming. In particular, it involves preliminary determination of NAT/firewall topology, which reduces latency at initiation, and hole punching technologies to select a routing and traversal strategy that reduces reliance on external media relay devices.11-25-2010
20130174246SYSTEM AND METHOD FOR CLOUD BASED SCANNING FOR COMPUTER VULNERABILITIES IN A NETWORK ENVIRONMENT - A method in one embodiment includes establishing a first secure tunnel between a scanner and a configuration manager, and a second secure tunnel between the scanner and a scan controller, where the scanner is located in a public network and the configuration manager and the scan controller are located in a private network, communicating scanner configuration information between the scanner and the configuration manager over the first secure tunnel, and communicating scan information between the scanner and the scan controller over the second secure tunnel. The secure tunnels may be established from within the private network, by forwarding a first origination port and a second origination port to a first destination port and a second destination port, respectively. The first and second origination ports may be located in the public network, and the first and second destination ports may be located in the private network.07-04-2013
20100011434APPARATUS AND METHOD FOR ASSOCIATING CATEGORIZATION INFORMATION WITH NETWORK TRAFFIC TO FACILITATE APPLICATION LEVEL PROCESSING - An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier. This embodiment further includes a first circuit that appends the hash identifier to the input data to produce modified input data based on the modification instructions, and that routes the modified input data in accordance with an output routing strategy. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.01-14-2010
20090055921FILE ACCESS IN MULTI-PROTOCOL ENVIRONMENT - Aspects of the subject matter described herein relate to providing file access in a multi-protocol environment. In aspects, a file server is operable to receive requests formatted according to two or more file access protocols. If a request is formatted according to a first file access protocol, the file server applies access rights associated with the file to an account associated with a requester to determine whether to grant access. If the request is formatted according to the second file access protocol, the file server may first attempt to find an account for the requester. If an account is not found, the file server may then grant access based on access rights associated with the file as applied to information in the request without consulting an account on the file server.02-26-2009
20080301799Method and apparatus for reliable, high speed data transfers in a high assurance multiple level secure environment - A method and apparatus for passing data from a first application at a first security level to a second application at a second security level higher than the first security level is disclosed. A backchannel communications link is established between the first application and the second application, and the backchannel link is used to transmit information such as an acknowledgement message from the second application to the first application.12-04-2008
20120240216Method for Lawfully Intercepting Communication IP Packets Exchanged Between Terminals - A method for lawfully intercepting communication IP packets exchanged between terminals is provided. The method involves assigning an IP address associated with a telecommunication service provider to, for example, a sending terminal for use as its IP address in communications with a receiving terminal, the telecommunication service provider providing SIP proxy services for establishing communication between the sending and receiving terminals. The communication IP packets are intercepted in such a way that the terminals are unaware of the interception.09-20-2012
20120324569RULE COMPILATION IN A FIREWALL - A firewall system comprises a rule compiler operable to use florets and factoring to produce a rule data structure that enables a rules engine to apply a rule from a rule set in phases, including rules applicable during a first scan with second factors not available and rules applicable during a second scan such that only the second factors need be applied.12-20-2012
20110239291Detecting and Thwarting Browser-Based Network Intrusion Attacks For Intellectual Property Misappropriation System and Method - Detecting and thwarting browser-based network intrusion attacks for intellectual property misappropriation is provided by enabling a local machine to direct retrieval of resources using uniform resource identifiers to a browser operating within a virtual machine whose internet protocol address is within a range external to a trusted network sub-circuit. Such a virtual machine is constrained by not having access to the Active Directory Server of the trusted network. Such a virtual machine is constrained by not having access to other resources of the trusted network. Such a virtual machine is constrained by a monitor application which terminates the virtual machine if characteristics of intrusion or network attack are observed within the virtual machine.09-29-2011
20080244727Privacy protection for mobile internet protocol sessions - A method of establishing communication protocols between a mobile node and a home agent in a mobile communications networks. The method uses the steps of: generating, at the mobile node plural care of addresses (CoAs) and a corresponding number of security parameter indices; sending the generated CoAs and security parameter indices to the home agent in an encrypted form; generating, at the home agent, on the basis of the received CoAs and security parameter indices, an equal number of home addresses (HoAs) and associated security parameter indices; sending the list of HoAs and associated security parameter indices generated at the home agent to the mobile node, and; using the generated CoAs, HoAs and associated security parameter indices as the basis for communication protocol addresses and encryption for communication between the home agent and the mobile node. A system employing the method is also provided.10-02-2008
20080235786Computer Maintenance Method and System - Provided is a method of remotely maintaining a computer system connected to a first private network of a first organization from a maintenance computer connected to a second private network of a second organization. The first and second private networks are connected to a public network and protected from the public network by respective first and second external firewalls. The first private network is separated from the computer system using a separation firewall configured to block network traffic that initiates at the computer system and is directed to the first private network. An isolation pipe is established that extends from the separation firewall over the first private network to the first external firewall, using virtual-private-network technology. A request to log into the computer system is transmitted from the maintenance computer through the isolation pipe to the computer system.09-25-2008
20080222717Detecting Anomalous Network Application Behavior - System and Method for detecting anomalous network application behavior. Network traffic between at least one client and one or more servers may be monitored. The client and the one or more servers may communicate using one or more application protocols. The network traffic may be analyzed at the application-protocol level to determine anomalous network application behavior. Analyzing the network traffic may include determining, for one or more communications involving the client, if the client has previously stored or received an identifier corresponding to the one or more communications. If no such identifier has been observed in a previous communication, then the one or more communications involving the client may be determined to be anomalous. A network monitoring device may perform one or more of the network monitoring, the information extraction, or the information analysis.09-11-2008
20130139247FIREWALL APPARATUS, SYSTEMS, AND METHODS EMPLOYING DETECTION OF APPLICATION ANOMALIES - In one embodiment, a processor-implemented method for monitoring network traffic between a first device executing a software application and a second device coupled to the first device. The method includes: (a) the processor analyzing application-level data contained within traffic originating from and/or received by the first device, the application-level data including data provided to and/or provided by the software application; (b) based on the results of the analysis in step (a), the processor creating one or more access rules; (c) the processor receiving a request from the second device to access the first device, the request including application-level data; and (d) the processor determining whether the request received in step (c) complies with one or more of the access rules.05-30-2013
20130097692SYSTEM AND METHOD FOR HOST-INITIATED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes intercepting a network flow to a destination node having a network address and sending a discovery query based on a discovery action associated with the network address in a firewall cache. A discovery result may be received and metadata associated with the flow may be sent to a firewall before releasing the network flow. In other embodiments, a discovery query may be received from a source node and a discovery result sent to the source node, wherein the discovery result identifies a firewall for managing a route to a destination node. Metadata may be received from the source node over a metadata channel. A network flow from the source node to the destination node may be intercepted, and the metadata may be correlated with the network flow to apply a network policy to the network flow.04-18-2013
20090019539METHOD AND SYSTEM FOR WIRELESS COMMUNICATIONS CHARACTERIZED BY IEEE 802.11W AND RELATED PROTOCOLS - A method for protecting wireless communications from denial of service attacks is provided. The method comprises establishing a first wireless connection between an access point device and a client device. The method also comprises receiving at the access point device a request for establishing a second wireless connection between the access point device and the client device while a state of the first wireless connection being an established state at an access point device side endpoint. The method comprises verifying whether the first wireless connection is in the established state at the client device side endpoint.01-15-2009
20130152191TIMING MANAGEMENT IN A LARGE FIREWALL CLUSTER - A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node status comprising reporting primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out06-13-2013
20100319065Firewall Configuration In A Base Station - The invention is directed towards methods of configuring a firewall in a first base station (12-16-2010
20090044265Attack Resistant Continuous Network Service Trustworthiness Controller - An attack resistant continuous network service trustworthiness controller comprising: state estimation module(s), response selection module(s), actuation module(s), and client dispatcher communication module(s) for maintaining the availability and integrity of online server(s). The state estimation module(s) are configured to generate state estimate(s) for online server(s) using behavior data obtained using sensor module(s). The response selection module(s) are configured to determine corrective action(s) to maintain the availability and integrity of online server(s) when state estimate(s) indicate that the integrity of an online server(s) is compromised. The actuation module(s) are configured to activate actuator(s) based upon the corrective action(s). Client dispatcher communication module(s) are configured to communicate online server availability information to a client dispatcher.02-12-2009