Abstract: Static buffer overflow exploits belong to the most feared and frequently launched attacks on todays Internet. These exploits target vulnerabilities in daemon processes which provide important network services. Ever since the buffer overflow hacking technique has reached a broader audience due to the Morris Internet worm [21] in 1988 and the infamous paper by AlephOne in the phrack magazine [1], new weaknesses in many programs have been discovered and abused. Current intrusion detection systems (IDS) address this problem in different ways. Misuse based network IDS attempt to detect the signature of known exploits in the payload of the network packets. This can be easily evaded by a skilled intruder as the attack code can be changed, reordered or even partially encrypted. Anomaly based network sensors neglect the packet payload and only analyze bursts of traffic thus missing buffer overflows altogether. Host based anomaly detectors that monitor process behavior can notice a successful exploit but only a-posteriori when it has already been successful. In addition, both anomaly variants suffer from high false positive rates. In this paper we present an approach that accurately detects buffer overflow code in the request's payload by concentrating on the sledge of the attack. The sledge is used to increase the chances of a successful intrusion by providing a long code segment that simply moves the program counter towards the immediately following exploit code. Although the intruder has some freedom in shaping the sledge it has to be executable by the processor. We perform abstract execution of the payload to identify such sequences of executable code with virtually no false positives. A prototype implementation of our sensor has been integrated into the Apache web server. We have evaluated the effectivity of our system on several exploits as well as the performance impact on services.

Abstract: A method improves mobility and service recovery for a user in a wireless communication network. Service information concerning the user is stored in a registrar. A subscription message is sent from a user terminal to the registrar. A header in the subscription message contains a unique indication. In response to the subscription message containing a unique indication in a header, the registrar returns a notification message to the user terminal. The payload of the notification message includes service information for the user to be used by the user terminal for communication services.

Abstract: A network device for enforcing service level agreements is described that is able to scan the contents of entire data packets including header and payload information The network device includes memory for storing subscriber information, policies and statistics The traffic flow scanning processor scans the header and payload information from each data packet, which is used to associate each data packet with a particular subscriber, classify the type of network traffic in the data packet and to enforce the particular policies associated with the subscriber The traffic flow scanning processor produces a treatment for the data packet based on the scanning The scanned data packets and the associated treatments are then passed to a quality of service processor, which modifies the data packets if necessary and enforces resource allocation according to the preprogrammed policies

Abstract: This document specifies a real-time transport protocol (RTP) payload format to be used for Adaptive Multi-Rate (AMR) and Adaptive Multi- Rate Wideband (AMR-WB) encoded speech signals. The payload format is designed to be able to interoperate with existing AMR and AMR-WB transport formats on non-IP networks. In addition, a file format is specified for transport of AMR and AMR-WB speech data in storage mode applications such as email. Two separate MIME type registrations are included, one for AMR and one for AMR-WB, specifying use of both the RTP payload format and the storage format.

Abstract: This paper shows three approaches for detecting steganograms with low change density. MP3Stego is a steganographic algorithm with a very low embedding rate. The attack presented here is a statistical analysis of block sizes. It is able to detect 0.001 % of steganographic payload in MP3 files. The second approach is the use of hash functions to combine sample categories for the chi-square attack. One of these hash functions enables us to detect about 0.2 bits per pixel in true colour images. Another algorithm (Hide) was presented at the last workshop and constructed to be secure against visual and statistical chi-square attacks. The detection method for Hide combines the three colour components of each pixel to recognise an increased number of "neighbour colours".

Abstract: Different bits in a payload of data to be transmitted from a sending application receive different classes of treatment. The payload data is divided into a first group of bits associated with a first treatment class and a second group of bits associated with a second treatment class. A first packet is created which includes the first group of bits and a first header that identifies the first packet with the first treatment class. Similarly, a second packet is created that includes the second group of bits and second header that identifies the second packet with the second treatment class. Using the first header, the first packet is mapped to a first communications bearer, (e.g., a radio bearer), that is configured to support the first treatment class. Using the second header, the second packet is mapped to a second communications bearer which is configured to support the second treatment class.

Abstract: A method for securely streaming real-time content from a caching server to an authorized client. The method includes the steps of encrypting an RTSP (real-time streaming protocol) message having a header and a payload, the RTSP message being encrypted in its entirety; and providing a first clear header for the encrypted RTSP message. Further, the method includes the steps of encrypting an RTCP (real-time control protocol) message having a header and a payload, the RTCP message being encrypted in its entirety; and providing a second clear header for the encrypted RTCP message. Thereafter, the encrypted RTSP message and the first clear header are transmitted, and the encrypted RTCP message and the second clear header are transmitted in order to securely stream the real-time content from the caching server to the authorized client.

Abstract: An all-optical address and data separation scheme is presented for short 10-Gb/s packets. The technique uses a novel packet clock recovery circuit that consists of a Fabry-Perot filter and a ultrafast nonlinear interferometer (UNI) gate to generate a local packet clock. A second cascaded UNI gate is used to separate the header and the payload, performing a simple AND operation between the packet and its self-derived clock. The proposed technique requires a small number of bits as guard band and this number is independent of the line rate.

Abstract: A secure and scalable broadcast system (1) and method of creating the same, having a plurality of nodes (12) connected to a network with pre-positioned public/private encryption keys, relaying the published digital messages, and a plurality of leaf nodes for receiving the published and relayed messages. Each digital message includes an encrypted payload, and a symmetric key for decrypting the payload. The root and interior nodes publish and relay the message by encrypting the public key of each node that will receive the published/relayed message from the node. Each interior and leaf node decrypts the symmetric key using its private key. Only the leaf nodes decrypt the message payload using the symmetric key. A back channel sends messages from the leaf nodes to the root nodes in the same manner.

Abstract: Network intrusion detection systems often rely on matching patterns that are gleaned from known attacks. While this method is reliable and rarely produces false alarms, it has the obvious disadvantage that it cannot detect novel attacks. An alternative approach is to learn a model of normal traffic and report deviations, but these anomaly models are typically restricted to modeling IP addresses and ports, and do not include the application payload where many attacks occur. We describe a novel approach to anomaly detection. We extract a set of attributes from each event (IP packet or TCP connection), including strings in the payload, and induce a set of conditional rules which have a very low probability of being violated in a nonstationary model of the normal network traffic in the training data. In the 1999 DARPA intrusion detection evaluation data set, we detect about 60% of 190 attacks at a false alarm rate of 10 per day (100 total). We believe that anomaly detection can work because most attacks exploit software or configuration errors that escaped field testing, so are only exposed under unusual conditions.

Abstract: Disclosed is a method of loading data, such as software, into a mobile terminal, where the data is loaded from a loading station, and the data comprises payload data and header data. The mobile terminal accepts the data conditioned on a verification process based on the header data. The step of receiving the data further comprises the steps of receiving a header message including the header data from the loading station by the mobile terminal, verifying the received header data by the mobile terminal, and receiving at least a first payload message including the payload data, if the header data is verified successfully.

Abstract: The present invention relates to a link control automatic repeat request (ARQ) operation in a wireless communication environment. When a terminal sends an original request for communication resources, the request includes not only payload size, but preferably quality of service parameters associated with the data to be transmitted. During uplink communications, the base station performs the link control based ARQ for lost or corrupt packets. When lost or corrupt packets are identified, a link control entity at the base station determines the appropriate retransmission parameters and contacts the uplink scheduler, if necessary, to obtain the corresponding communication resources for retransmission. The additional communication resources for retransmission are provided in a message, such as a negative acknowledgement message, which is sent to the mobile terminal to trigger retransmission of the lost or corrupted data.

Abstract: This document describes a Real-time Transport Protocol (RTP) payload format for transporting comfort noise (CN). The CN payload type is primarily for use with audio codecs that do not support comfort noise as part of the codec itself such as ITU-T Recommendations G.711, G.726, G.727, G.728, and G.722.

Abstract: A transport protocol receiver for receiving a packet from a network, the packet having a header, payload, and connection context. The receiver includes an analysis engine, coupled to receive the packet from the network and adapted to parse and validate the header, locate the connection context, and generate a classification of the header. The receiver further includes a context processing engine, coupled to the analysis engine, and adapted to evaluate and update the connection context, responsive to the classification; and a data dispatch engine, coupled to the analysis engine and the context processing engine, and adapted to convey the payload to a destination, responsive to the connection context, such that the analysis engine, the context processing engine, and the data dispatch engine operate substantially asynchronously.

Abstract: A bit-stream converter (104) capable of converting a first synchronous compressed bit-stream of data at a first sampling rate to second synchronous compressed bit-stream frame of data at a second sampling rate is disclosed. The bit-stream converter architecture may include a payload length detector (304) and a zero stuffing unit in signal communication with the payload length detector. The zero stuffing unit (306) is capable of zero stuffing section responsive to the payload length detector detecting the payload length.

Abstract: An apparatus, system and method maintain synchronization of an encryption key stream at the transmitter to a decryption key stream at a receiver. The transmitter applies a portion of a fixed segment of the continuous encryption key stream to data to form an encrypted payload. At least a portion of a session count is combined with the encrypted payload to form an encrypted data packet. The receiver decrypts the encrypted data packet by applying a portion of a current fixed segment of a continuous decryption key stream to the encrypted payload if the difference between a received session count and locally generated session count is less than a threshold. Otherwise, the packet is discarded and the system is reset. Since fixed length segments of the encryption key streams are dedicated to each packet, synchronization of the key streams is maintained even if synchronization for a particular packet is lost.

Abstract: The invention may be broadly conceptualized as an approach in which a wireless device is able to receive broadcast data over a payload channel established in another network and establishing payload channels directly with the wireless device when high bandwidth data exchanges are need, and in times of emergency enabling barge-in functionality controlled by the management network.

Abstract: The sites join respective location area multicast addresses to receive messages from other sites in their location area. Communication units desiring to participate in talkgroup calls need only to register affiliation with a first site of the location area. Upon the first site receiving an affiliation message, it joins a payload multicast group address to receive payload for the talkgroup. In alternative embodiments, the first site sends, via the location area multicast address, either control message(s) or tunneled payload associated with the talkgroup call to secondary site(s) of the location area. The sites initiate paging sequences to determine whether communication units at their sites desire to participate in the call and, based on the responses, the sites may deliver stored payload and/or join the payload multicast group address to receive payload for the call.

Abstract: The present invention provides various techniques for encoding hidden information in checks and other security documents. The hidden information provides an authentication tool. In one implementation, we provide a method for encoding a security document with information. The security document includes a substrate having printing thereon. The information is hidden in the printing and corresponds to text or numbers conveyed by at least a portion of the printing. The method includes dividing the information into a plurality of payload sets, wherein each payload set includes a sub-set of the information, and encoding the payload sets across the substrate. The plurality of payload sets is concatenated in order to retrieve the information.

Abstract: A session establishment method is disclosed. A first data processing unit starts an application to apply for a session to a second data processing unit by using an SIP (Session Initiation Protocol). The second data processing unit permits the session to the first data processing unit by using the SIP. The second data processing unit starts application, and a step, in which the session is established between the applications started by the first and second data processing units. In the session application or permission by using the SIP, application parameters are provided in the payload.

Abstract: A mixed waveform configuration for wireless communications including a first portion that is modulated according to a single-carrier modulation scheme and a second portion that is modulated according to a multi-carrier modulation scheme. The waveform is specified so that a channel impulse response (CIR) estimate obtainable from the first portion is reusable for acquisition of the second portion. The first portion includes a preamble and header and the second portion typically incorporates the payload.

Abstract: A data structure, method and apparatus providing efficient retrieval of data from a segmented information stream. The invention utilizes a segmented data stream having an initial directory payload portion and a following payload portion including one or more object tables. The directory includes table descriptors associated with each object table including various field indicative of parameters of the respective object table. One of the fields comprises a bit array having at least one bit corresponding to each of the segments in the respective object table. By changing a state of a corresponding bit upon receiving a table segment, the memory and processing resources required to read the segments associated with a table are decreased.

Abstract: A method of transmitting data from a sender to a number of recipients in a system with a multilayer protocol architecture, in which the data are divided for organizational purposes into data packets having header data and payload data, a transmitting and/or receiving unit and a communication system. The transmission of data in the form of a point-to-multipoint transmission over a general channel, in particular in a mobile radio system, is carried out by adding to packet data which are being sent to multicast groups control data for the identification of a specific multicast group.

Abstract: At present, "capacity" is the prevailing paradigm for covert channels. With respect to steganography, however, capacity is at best insufficient, and at worst, is incorrect. In this paper, we propose a new paradigm called "capability" which gauges the effectiveness of a steganographic method. It includes payload carrying ability, detectability, and robustness components. We also discuss the use of zero-error capacity for channel analysis and demonstrate that a JPEG compressed image always has the potential to carry hidden information.

Abstract: To achieve coordination during generation of a plurality of mixed media streams, there is suggested a method of generating a mixed media stream (62-64) from input media streams (40-50) having payload data elements and related identifiers. The method comprises the step (S12) of aligning the input media streams (40-50) according to a pre-specified relation between identifiers in different input media streams (40-50) before generating the mixed media stream.

Abstract: A method of generating cryptographically protected digital data encoding content and arranged intomessages each message being decodable by a decoder application on a client terminal having a service interface to assemble each message for the decoder application, includes:retrieving a message from a machine-readable medium; encrypting at least part of the message; andproviding the encrypted messages as output in a format enabling a server service interface to arrange the message into at least one packet including at least one header and a payload, each payload including at least part of the message, at least one header including information enablingthe service interface on the client to assemble each message for the decoder application from thepayload of the packets The method comprises separating each message into a first and at least one further message section At least one of the message sections is encrypted in such a way asto be decryptable independently of the other message sections The encrypted message is assembled by adding a resynchronisation marker, separating a message section from an adjacentmessage section and including explicit synchronisation information, to at least the further messagesections

Abstract: A method and apparatus for virtual application of features to electronic messages is disclosed. When a device applies a set of features to an electronic message, one or more of the features may be virtually applied instead of actually applied. For example, instead of encrypting a payload portion of a packet and adding an encryption header, the packet may not be encrypted. However, an appropriate encryption header may still be included in the packet such that the packet appears to have been encrypted when other features are applied. Prior to sending the packet, the payload portion is actually encrypted, such as by using a hardware accelerator. Some implementations may use a dual processor router, in which the input/output processor controls the hardware accelerator, the routing processor performs the virtual application of a feature, and prior to sending the packet the input/output processor actually applies the virtually applied feature.

Abstract: A method and apparatus for converting packetized data received from a broadband network to a multi-channel payload network having a narrower bandwidth is disclosed The method includes converting a packet received from the broadband network to a serial stream having first and second pluralities of bytes, the second plurality of bytes being idle; removing the idle bytes from the serial stream thereby providing a reduced data; demultiplexing sequentially occurring reduced data across plural channels of a narrower bandwidth payload network and converting each channels reduced data to corresponding second packets of the payload network The method also includes receiving the respective second packets from the respective channels of the payload network; converting the packets to corresponding serial data streams and multiplexing the streams to restore an original sequence; inserting substitute idle bytes in substitution of the idle bytes removed from the first serial stream thereby providing a restored data; and converting the multiplexed and restored data to a third packet of the broadband network

Abstract: This invention relates to a method of embedding a watermark pattern with a payload in a time dependent information signal, comprising the steps of determining a number of robust signatures in the information signal, creating the payload being dependent of at least one of the number of robust signatures and a predefined message, embedding the watermark pattern according to the payload in the information signal. The invention also relates to a corresponding method and arrangement for detecting a watermark pattern in an information signal.