公开(公告)号：WO2005094034A1

公开(公告)日：2005-10-06

申请号：PCT/EP2005/051321

申请日：2005-03-22

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MURILLO, Jessica, Kelley ,  MULLEN, Shawn, Patrick ,  SHIEH, Johnny, Meng-Han

Inventor： KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MURILLO, Jessica, Kelley ,  MULLEN, Shawn, Patrick ,  SHIEH, Johnny, Meng-Han

IPC: H04L29/06

CPC classification number: H04L63/0869 ,  H04L9/3263 ,  H04L9/3273 ,  H04L63/0823 ,  H04L2209/76

Abstract: A mechanism for mutual authorization of a secondary resource in a grid of resource computers is provided. When a primary resource attempts to offload a grid computing job to a secondary resource, the primary resource sends a proxy certificate request to the user machine. Responsive to a proxy certificate request, the user machine performs authorization with the secondary resource. If authorization with the secondary resource is successful, the user machine generates and returns a valid proxy certificate. The primary resource then performs mutual au­thentication with the secondary resource. If the authorization with the secondary resource fails, the user machine generates and returns an invalid proxy certificate. Mutual authentication between the primary resource and the secondary resource will fail due to the invalid proxy certificate. The primary resource then selects another secondary resource and repeats the process until a resource is found that passes the mutual authorization with the user machine.

Abstract translation: 提供了一种用于资源计算机网格中的辅助资源的相互授权的机制。 当主资源尝试将网格计算作业卸载到辅助资源时，主资源会向用户计算机发送代理证书请求。 响应于代理证书请求，用户机器使用辅助资源执行授权。 如果辅助资源的授权成功，用户计算机将生成并返回有效的代理证书。 然后，主资源与辅助资源执行相互验证。 如果辅助资源的授权失败，则用户计算机生成并返回无效的代理证书。 由于无效的代理证书，主资源和辅助资源之间的相互验证将失败。 然后，主资源选择另一个辅助资源，并重复该过程，直到找到通过用户机器的相互授权的资源。

公开(公告)号：WO2008148659A1

公开(公告)日：2008-12-11

申请号：PCT/EP2008/056438

申请日：2008-05-27

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn ,  MURILLO, Jessica, Carol ,  SHIEH, Johnny, Meng-Han

Inventor： KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn ,  MURILLO, Jessica, Carol ,  SHIEH, Johnny, Meng-Han

IPC: G06F21/20

CPC classification number: G06F21/46

Abstract: A method, system and computer program product for automatically displaying the potential risk associated with cracking a password. While creating or modifying a password, feedback is provided describing the risk associated with cracking the password. Risk assessment may be presented as a percentage, accompanied by an explanation of why the value was ascertained. Risk feedback during password creation provides an opportunity to improve computer, document, and file security.

Abstract translation: 一种用于自动显示与破解密码相关的潜在风险的方法，系统和计算机程序产品。 在创建或修改密码时，会提供反馈意见，说明与破解密码相关的风险。 风险评估可以以百分比表示，同时解释为什么确定价值。 密码创建期间的风险反馈提供了改进计算机，文档和文件安全性的机会。

公开(公告)号：WO2004079482A2

公开(公告)日：2004-09-16

申请号：PCT/GB2004000919

申请日：2004-03-04

Applicant: IBM ,  IBM UK ,  KEOHANE SUSANN MARIE ,  MCBREARTY GERALD FRANCIS ,  MULLEN SHAWN PATRICK ,  MURILLO JESSICA KELLEY ,  SHIEH JOHNNY MENG-HAN

Inventor： KEOHANE SUSANN MARIE ,  MCBREARTY GERALD FRANCIS ,  MULLEN SHAWN PATRICK ,  MURILLO JESSICA KELLEY ,  SHIEH JOHNNY MENG-HAN

IPC: H04L12/18 ,  H04L29/06 ,  H04L29/08 ,  G06F

CPC classification number: H04L67/1008 ,  H04L67/1002 ,  H04L67/101

Abstract: A method, apparatus, and computer instructions for obtaining a logical unit. A request is sent for the logical unit. In the depicted examples, the request is sent to a multicast IP address. Responses to the request for the logical unit are received from a number of responders. A responder is identified from the set of responders to form a selected responder. The selected responder is identified based on at least one connection metric between the data processing system and the set of responders. The logical unit is retrieved from the selected responder.

Abstract translation: 一种用于获得逻辑单元的方法，装置和计算机指令。 发送逻辑单元的请求。 在所示的示例中，请求被发送到多播IP地址。 从多个响应者接收到对逻辑单元的请求的响应。 从响应者集合中识别响应者以形成选择的响应者。 基于数据处理系统和响应者集合之间的至少一个连接度量来识别所选择的响应者。 从所选择的响应者检索逻辑单元。

公开(公告)号：WO2011076567A1

公开(公告)日：2011-06-30

申请号：PCT/EP2010/069149

申请日：2010-12-08

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  MULLEN, Shawn Patrick ,  SHIEH, Johnny Meng-Han ,  MURILLO, Jessica Carol ,  McBREARTY, Gerald Francis ,  KEOHANE, Susann Marie

Inventor： MULLEN, Shawn Patrick ,  SHIEH, Johnny Meng-Han ,  MURILLO, Jessica Carol ,  McBREARTY, Gerald Francis ,  KEOHANE, Susann Marie

IPC: H04L29/06 ,  H04L12/22

CPC classification number: H04L63/1466 ,  H04L43/10 ,  H04L63/0428 ,  H04L63/1475 ,  H04L63/1483

Abstract: Provided are techniques for to enable a virtual input/output server (VIOS) to establish cryptographically secure signals with target LPARs to detect an imposter or spoofing LPAR. The secure signal, or "heartbeat," may be configured as an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) connection or tunnel. Within the tunnel, the VIOS pings each target LPAR and, if a heartbeat is interrupted, the VIOS makes a determination as to whether the tunnel is broken, the corresponding LPAR is down or a media access control (MAC) spoofing attack is occurring. The determination is made by sending a heartbeat that is designed to fail unless the heartbeat is received by a spoofing device.

Abstract translation: 提供的是用于使虚拟输入/输出服务器（VIOS）能够使用目标LPAR建立加密安全信号以检测冒牌者或欺骗性LPAR的技术。 安全信号或“心跳”可以配置为Internet密钥交换/互联网协议安全（IKE / IPSec）封装数据包（ESP）连接或隧道。 在隧道内，VIOS对每个目标LPAR进行ping，如果心跳中断，VIOS就判断隧道是否断开，相应的LPAR是否关闭，或是发生媒体访问控制（MAC）欺骗攻击。 通过发送设计为失败的心跳来进行确定，除非由欺骗设备接收到心跳。

公开(公告)号：WO2004079483A3

公开(公告)日：2004-12-09

申请号：PCT/GB2004000926

申请日：2004-03-04

Applicant: IBM ,  IBM UK ,  KEOHANE SUSANN MARIE ,  MCBREARTY GERALD FRANCIS ,  MULLEN SHAWN PATRICK ,  MURILLO JESSICA KELLEY ,  SHIEH JOHNNY MENG-HAN

Inventor： KEOHANE SUSANN MARIE ,  MCBREARTY GERALD FRANCIS ,  MULLEN SHAWN PATRICK ,  MURILLO JESSICA KELLEY ,  SHIEH JOHNNY MENG-HAN

IPC: G06F21/00 ,  G06F1/00

CPC classification number: G06F21/51 ,  G06F21/33

Abstract: A method, apparatus, and computer instructions for authorizing execution of an application on the data processing system. A request is received to execute the application, wherein the request originates from a remote data processing system and wherein the request includes a digital certificate and the application. The digital certificate is verified in response to receiving the request. Responsive to verifying the digital certificate, a digital digest is calculated for the application to form a calculated digital digest. The calculated digital digest is compared with a set of digital digests from a trusted source. The application is executed if a match between the calculated digital digest and set of digital digests occurs.

Abstract translation: 一种用于授权在数据处理系统上执行应用程序的方法，装置和计算机指令。 接收到执行应用程序的请求，其中该请求源自远程数据处理系统，并且其中该请求包括数字证书和应用程序。 数字证书在接收到请求后进行验证。 响应于验证数字证书，为应用计算数字摘要以形成计算的数字摘要。 将计算出的数字摘要与来自可信来源的一组数字摘要进行比较。 如果计算出的数字摘要和一组数字摘要发生匹配，则执行该应用程序。

公开(公告)号：WO2004104902A1

公开(公告)日：2004-12-02

申请号：PCT/GB2004/001629

申请日：2004-04-15

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Kelley ,  SHIEH, Johnny, Meng-Han

Inventor： KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Kelley ,  SHIEH, Johnny, Meng-Han

IPC: G06F21/00

CPC classification number: G06F17/30067 ,  G06F21/606 ,  G06F21/6218 ,  G06F2221/2141 ,  H04L63/102 ,  H04L67/10 ,  H04L69/329

Abstract: A security protocol that dynamically implements enhanced mount security of a filesystem when access to sensitive files on a networked filesystem is requested. When the user of a client system attempts to access a specially-tagged sensitive file, the server hosting the filesystem executes a software code that terminates the current mount and reconfigures the server ports to accept a re-mount from the client via a more secure port. The server reconfigured server port is provided the IP address of the client and matches the IP address during the re-mount operation. The switch to a secure mount is completed in a seamless manner so that authorized users are allowed to access sensitive files without bogging down the server with costly encryption and other resource-intensive security features. No significant delay is experienced by the user, while the sensitive file is shielded from unauthorized capture during transmission to the client system.

Abstract translation: 请求访问联网文件系统上的敏感文件时，动态实现文件系统增强的安装安全性的安全协议。 当客户端系统的用户尝试访问特别标记的敏感文件时，托管文件系统的服务器将执行终止当前安装的软件代码，并重新配置服务器端口，以通过更安全的端口从客户端接受重新安装 。 服务器重新配置的服务器端口提供了客户端的IP地址，并在重新安装操作期间匹配IP地址。 以无缝的方式完成对安全安装的切换，从而允许授权用户访问敏感文件，而不会使用昂贵的加密和其他资源密集型安全功能来阻止服务器。 用户不会发生显着的延迟，而敏感文件在传输到客户端系统时被屏蔽，防止未经授权的捕获。

公开(公告)号：WO2008055772A3

公开(公告)日：2008-05-15

申请号：PCT/EP2007/061277

申请日：2007-10-22

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Carol ,  SHIEH, Johnny, Meng-Han

Inventor： KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Carol ,  SHIEH, Johnny, Meng-Han

IPC: G06Q20/00

Abstract: A financial transaction system detects an identifier for a user requesting a transaction at an interface of the financial transaction system. The financial transaction system accesses from the electronic message service provider for the user using the identifier, at least one electronic message addressed to the user and sent to the user over a network for delivery to the user by the electronic message service provider at at least one system accessible via the network and logged into using the identifier. The accessed electronic message is delivered to the user at the interface for the financial transaction system.

公开(公告)号：WO2005034465A1

公开(公告)日：2005-04-14

申请号：PCT/EP2004/052255

申请日：2004-09-21

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica ,  SHIEH, Johnny, Meng-Han

Inventor： KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica ,  SHIEH, Johnny, Meng-Han

IPC: H04L29/06

CPC classification number: H04W12/08 ,  H04L63/0428 ,  H04L63/105 ,  H04L67/32 ,  H04W28/14

Abstract: Providing a necessary level of security for a computer capable of connecting to different computing environments, including monitoring (402) a type of connection between the computer and a network in a computing environment; determining (406) a security level of data (408) before sending the data across the network; storing (416) the data in a buffer instead of sending the data across the network if the connection to the network lacks a security control (4 10) required for t e determined security level of the data; and sending (420) the data from the buffer when the computer is connected to a changed computing environment having a new type of connection that has (412) the security control required for the data.

Abstract translation: 为能够连接到不同计算环境的计算机提供必要的安全级别，包括在计算环境中监视（402）计算机与网络之间的连接类型; 在通过网络发送数据之前确定（406）数据的安全级别（408）; 如果与网络的连接缺少所确定的数据的安全级别所需的安全控制（410），则将数据存储（416）到缓冲器中而不是通过网络发送数据; 以及当所述计算机连接到具有（412）所述数据所需的安全控制的新型连接的改变的计算环境时，从所述缓冲器发送（420）所述数据。

公开(公告)号：WO2004079483A2

公开(公告)日：2004-09-16

申请号：PCT/GB2004/000926

申请日：2004-03-04

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Kelley ,  SHIEH, Johnny, Meng-Han

Inventor： KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Kelley ,  SHIEH, Johnny, Meng-Han

IPC: G06F

CPC classification number: G06F21/51 ,  G06F21/33

Abstract: A method, apparatus, and computer instructions for authorizing execution of an application on the data processing system. A request is received to execute the application, wherein the request originates from a remote data processing system and wherein the request includes a digital certificate and the application. The digital certificate is verified in response to receiving the request. Responsive to verifying the digital certificate, a digital digest is calculated for the application to form a calculated digital digest. The calculated digital digest is compared with a set of digital digests from a trusted source. The application is executed if a match between the calculated digital digest and set of digital digests occurs.

Abstract translation: 一种用于授权在数据处理系统上执行应用的方法，装置和计算机指令。 接收到执行应用的请求，其中所述请求源自远程数据处理系统，并且其中所述请求包括数字证书和所述应用。 响应于接收到请求，验证数字证书。 为了验证数字证书，计算应用程序的数字摘要以形成计算的数字摘要。 将计算的数字摘要与来自可信来源的一组数字摘要进行比较。 如果发生计算的数字摘要和数字摘要集之间的匹配，则执行应用程序。

公开(公告)号：WO2009043745A1

公开(公告)日：2009-04-09

申请号：PCT/EP2008/062593

申请日：2008-09-22

Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION ,  IBM UNITED KINGDOM LIMITED ,  KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Carol ,  SHIEH, Johnny, Meng-Han

Inventor： KEOHANE, Susann, Marie ,  MCBREARTY, Gerald, Francis ,  MULLEN, Shawn, Patrick ,  MURILLO, Jessica, Carol ,  SHIEH, Johnny, Meng-Han

IPC: H04L29/06 ,  H04L12/56 ,  H04L12/26

CPC classification number: H04L41/12 ,  H04L45/00 ,  H04L45/20 ,  H04L63/1441

Abstract: A computer implemented method, data processing system, and computer program product for discovering an unauthorized router in a network. The process in the illustrative embodiments first obtains a physical address of a suspected router or destination device. A data packet is created which comprises at least a destination media access control field, a destination internet protocol field, and a time-to-live field, wherein the destination media access control field comprises the physical address of the destination device, wherein the destination internet protocol field comprises a bogus internet protocol address, and wherein the time-to-live field comprises a value indicating the data packet has exceeded a time limit. The data packet is sent to the destination device using the physical address in the destination media access control field. If a time exceeded message is received from the destination device, the destination device is determined to be enabled for routing.

Abstract translation: 一种计算机实现的方法，数据处理系统和用于发现网络中的未经授权的路由器的计算机程序产品。 说明性实施例中的过程首先获得可疑路由器或目的地设备的物理地址。 创建包括至少目的地媒体访问控制字段，目的地互联网协议字段和生存时间字段的数据分组，其中目的地媒体访问控制字段包括目的地设备的物理地址，其中目的地 互联网协议字段包括虚假的因特网协议地址，并且其中所述生存时间字段包括指示所述数据分组已超过时间限制的值。 使用目标介质访问控制字段中的物理地址将数据包发送到目标设备。 如果从目的地设备接收到超时消息，则确定目的地设备被启用以进行路由。