Patents Examined by Carolyn B Kosowski
  • Patent number: 8615658
    Abstract: Utilizing the AAA infrastructure to dynamically allocate the various parameters needed to establish the security association between the Foreign Agent and the Home Agent. The present invention uses the AAA server as a central entity to dynamically generate and distribute the chosen security association parameters needed to support the Foreign Agent and Home Agent security association based on a request from the Foreign Agent. The AAA server can also dynamically assign a unique SPI value to the Foreign Agent and Home Agent pairs. The various parameters that can be allocated in the present invention include a FA-HA shared secret key or a public/private key pair, an authentication algorithm and mode, a FA-HA secret key lifetime, and security parameter index or security index values. The present invention also can assist in making sure that the Foreign Agent and the Home Agent stay synchronized with respect to their security association.
    Type: Grant
    Filed: January 17, 2013
    Date of Patent: December 24, 2013
    Assignee: Apple Inc.
    Inventors: Ahmad Muhanna, Mohamed Khalil
  • Patent number: 8615651
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for offline shared security key calculation. In one aspect, a method includes entering a first secure communication session with a remote device. A plurality of nonces are provided to the remote device during the first secure communication session. The first secure communication session is exited. A communication is received from the remote device after exiting the first communication session. The communication includes an indication of one of the plurality of nonces. A session key is generated using the indicated one of the plurality of nonces. A second secure communication session is entered with the remote device using the generated session key. Other embodiments of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.
    Type: Grant
    Filed: May 17, 2010
    Date of Patent: December 24, 2013
    Assignee: Google Inc.
    Inventors: Nagendra Modadugu, Bennet Yee
  • Patent number: 8613108
    Abstract: A method and apparatus for location-based access control applies a location-based identifier to a document, wherein the location-based identifier indicates an original storage location of the document. The original storage location is an authorized node having access privileges specific to the document. In response to the document being moved or copied, an access control engine compares a current location of the document to the original storage location and denies access when there is a discrepancy. When the document is moved consistent with an access control policy, such as when an administrator moves the document, an original storage location identifier is changed consistent with a new location. The document is only accessible when accessed from an authorized location. The locations may be referred to as access nodes, wherein each access node corresponds to a folder.
    Type: Grant
    Filed: March 26, 2009
    Date of Patent: December 17, 2013
    Assignee: Adobe Systems Incorporated
    Inventor: Neerav Aggarwal
  • Patent number: 8612750
    Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.
    Type: Grant
    Filed: August 15, 2012
    Date of Patent: December 17, 2013
    Assignee: International Business Machines Corporation
    Inventors: Kelley K. Garcia, Rick A. Hamilton, II, Richard J. Newhook, Martin S. Ramsey, Raull Rangel, James W. Seaman
  • Patent number: 8595826
    Abstract: A portable electronic device includes a storage unit in which information indicating correct process contents is stored. A reception unit of the portable electronic device receives a command for requesting a process from an external device, and the portable electronic device determines whether or not process contents to be executed according to the received command are matched with process contents stored in the storage unit. When it is determined that process contents according to the received command are matched with process contents stored in the storage unit, the portable electronic device executes a process according to the command received by the reception unit.
    Type: Grant
    Filed: December 11, 2008
    Date of Patent: November 26, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Satoshi Sekiya
  • Patent number: 8595789
    Abstract: The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards a system for receiving an indication relating to a plurality of controls, identification information associated with a responsible account, and instructions from a responsible account associated with the monitoring of thresholds of controls being monitored. The plurality of user accounts may be organized into groups based upon information relating to the user accounts, and instructions may be applied to the groups to create a dynamic security policy.
    Type: Grant
    Filed: April 27, 2010
    Date of Patent: November 26, 2013
    Assignee: Bank of America Corporation
    Inventors: Carmen Michael Warn, Sireesh Kumar Nuthi, Praneeth Chandra Bhattaram
  • Patent number: 8582756
    Abstract: A cryptography device which reduces side channel information including a first computing block adapted to either encrypt or decrypt received first input data and to output the encrypted or decrypted first input data as first output data at a first data output, a second computing block adapted to either encrypt or decrypt received second input data and to output the encrypted or decrypted second input data as second output data at a second data output, and a control unit connected to the first and second computing blocks and adapted in a first operating condition on the one hand to partially or completely assign the first output data to the first computing block as the first input data and on the other hand to completely or partially assign the first output data to the second computing block as part of the second input data.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: November 12, 2013
    Assignee: IHP GmbH—Innovations for High Performance, Microelectronics
    Inventors: Steffen Peter, Michael Methfessel, Peter Langendorfer, Frank Vater
  • Patent number: 8577973
    Abstract: A computer implemented method correlates a digital resource with an electronic message. A processor detects a focus on a targeted item that identifies a digital resource. The targeted item is in a user history that presents a history of a user's access to multiple digital resources. The processor then auto-populates a draft of an electronic message with the targeted item that was focused in the user history.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: November 5, 2013
    Assignee: International Business Machines Corporation
    Inventors: Li Chen, John R. Hind, Yongcheng Li, Lun Xiao
  • Patent number: 8578491
    Abstract: An apparatus, system and method are described for use in detecting the presence of malware on subscribers' computers. The apparatus, system and method are network based and may be deployed within an Internet Service Provider (ISP) network. The system may include a plurality of network sensors for receiving and analyzing network traffic to determine the presence of malware. An aggregating apparatus receives alerts of the presence of malware and translates a network identifier of the alert to a subscriber identifier. The aggregating apparatus aggregates alert information and forwards it to a reporting infrastructure that can generate notifications in order to notify a subscriber that malware has been detected on a computer associated with the subscriber.
    Type: Grant
    Filed: December 11, 2009
    Date of Patent: November 5, 2013
    Assignee: Alcatel Lucent
    Inventors: Kevin McNamee, Denny Lung Sun Lee, Robert Gaudet, Arvavind K. Mistry, Paul Edwards
  • Patent number: 8578456
    Abstract: A method and telecommunication node for authenticating with an IP Multimedia Subsystem (IMS) network, a nomadic user in an access network. The node receives from the access network, an access identifier defining a mobile terminal's physical location. In response, the node retrieves from a database, a registered access identifier associated with the user and determines whether the received identifier matches the registered identifier. If the identifiers match, the node authenticates the user in the IMS network. If the identifiers do not match, the node performs an alternate authentication method.
    Type: Grant
    Filed: November 24, 2006
    Date of Patent: November 5, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Fredrik Lindholm, David Castellanos, John Michael Walker
  • Patent number: 8572709
    Abstract: This disclosure describes a method of and system for provisioning of shared account credentials to provide authorized access to shared or delegated accounts. Preferably, an enterprise single sign-on (E-SSO) system is used to manage the shared account or control delegation of account access, and preferably the shared or delegated account credential is not exposed to the end user. The described technique enables temporary delegation of account privileges to a member of a shared role. Using the described approach, an information technology (IT) account may be shared so that a user who needs to perform a shared duty can do so in the context of a shared role and without having control over the account itself. The approach facilitates delegating the use of a single account to one of a member of the shared role.
    Type: Grant
    Filed: May 5, 2010
    Date of Patent: October 29, 2013
    Assignee: International Business Machines Corporation
    Inventors: Christopher John Hockings, Trevor Scott Norvill, Zoran Radenkovic
  • Patent number: 8561131
    Abstract: A computing device configured for allocating products to licenses is described. The computing device includes a processor and instructions stored in memory that is in electronic communication with the processor. The computing device obtains license data that identifies a plurality of licenses. The computing device also obtains product data that identifies a plurality of products. The computing device determines a degree of constraint for each of the plurality of products. The computing device also allocates at least one of the plurality of products to at least one of the plurality of licenses based on the degree of constraint. The computing device further performs an operation based on the allocation.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: October 15, 2013
    Assignee: Crimson Corporation
    Inventors: Jerome Broekhuijsen, Peter E. Johnson
  • Patent number: 8560833
    Abstract: Providing secure network access in a networked client device. A client device is provided with a secure connection adapter. In operation, the secure connection adapter detects the network environment of the client device and determines if the network environment is trusted or untrusted. If the client device is operating in an untrusted network environment, the secure connection adapter establishes a secure connection to an enterprise host using a secure tunnel such as IPSec, SSL, or other secure connection. Programs executing on the client device now operate in the secure network environment, with all network activity routed through the secure connection to the enterprise. Optionally, a split tunnel mechanism may be used to direct some network traffic directly to the Internet from the client device.
    Type: Grant
    Filed: October 29, 2010
    Date of Patent: October 15, 2013
    Assignee: Aruba Networks, Inc.
    Inventors: Chetan R. Kumar, Charumathy Venkatraman, Suman Maradani
  • Patent number: 8549580
    Abstract: A method and apparatus for providing software security is provided. In the software security method, an installation file of software that includes at least one execution file and at least one data file which are stored in a user terminal is executed. Accordingly, at least one virtual execution file corresponding to the at least one execution file and at least one virtual data file corresponding to the at least one data file are installed in a user area of the user terminal, and the at least one execution file, the at least one data file, and a controller for controlling the at least one virtual execution file and the at least one execution file are installed in a security area of the user terminal.
    Type: Grant
    Filed: June 25, 2008
    Date of Patent: October 1, 2013
    Assignee: Teruten, Inc.
    Inventors: Dong hyeok Hwang, Seok gu Yun
  • Patent number: 8549588
    Abstract: Exemplary systems and methods for providing a network credential in order to access a communication network are provided. In exemplary embodiments, a digital device attempting to access the communication network receives an authentication request from the network device. An authentication record based on the authentication request is retrieved from a credential server. The network credential is then provided within the authentication record and transmitted as an authentication response to the network device. Upon authentication by the network device, the digital device is provided access to the communication network.
    Type: Grant
    Filed: September 6, 2007
    Date of Patent: October 1, 2013
    Assignee: Devicescape Software, Inc.
    Inventors: Simon Wynn, John Gordon
  • Patent number: 8544103
    Abstract: Systems and methods for controlling accuracy of transmitted information are described. A package is assembled based on a numerical value, such as a measurement, and one or more policies associated with the sender. When the package is received by a receiver, it is unpacked to yield a second value representing the numerical value and having a reduced accuracy with respect to the first value. The accuracy reduction depends on policies associated with the receiver and/or the sender. Examples of numerical values in different applications include geo-location data, medical data, and financial data.
    Type: Grant
    Filed: May 4, 2010
    Date of Patent: September 24, 2013
    Assignee: Intertrust Technologies Corporation
    Inventor: Jarl A. Nilsson
  • Patent number: 8543831
    Abstract: A system and method is disclosed, including establishing of data connections between electronic devices. One embodiment provides a method for establishing a data connection between a first and a second electronic device, wherein establishing the data connection is authorized by executing at least one action with at least one physical tool.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: September 24, 2013
    Assignee: Qimonda AG
    Inventors: Christoph Bilger, Rex Kho, Achim Schramm, Martin Maier, Yann Zinzius, Armin Kohlhase
  • Patent number: 8539588
    Abstract: A measure selecting apparatus determines whether a vulnerability of a resource employed in a predetermined task has been addressed or not based on information stored in a memory. When the vulnerability of the resource is determined not to have been addressed and when a recovery time defined in the memory corresponding to the resource is longer than a predetermined time, the measure selecting apparatus evaluates measures defined in the memory corresponding to the vulnerability determined not to have been addressed, and calculates an evaluation value of each measure. The measure selecting apparatus selects a measure with a high evaluation value.
    Type: Grant
    Filed: September 20, 2010
    Date of Patent: September 17, 2013
    Assignee: Fujitsu Limited
    Inventors: Takashi Tada, Hiroshi Nikaido
  • Patent number: 8528059
    Abstract: The APPARATUSES, METHODS AND SYSTEMS FOR A SECURE RESOURCE ACCESS AND PLACEMENT PLATFORM (“SRAP PLATFORM”) provides a secure supporting infrastructure within a corporate network framework and applications based thereon for use and placement of corporate resources. A non-trusted device may be authorized to access and use corporate resources, and the corporate network server may manage the placement of resources via the SRAP PLATFORM.
    Type: Grant
    Filed: October 6, 2009
    Date of Patent: September 3, 2013
    Assignee: Goldman, Sachs & Co.
    Inventors: Harpreet Singh Labana, Yair Israel Kronenberg, Brian J. Saluzzo
  • Patent number: 8527759
    Abstract: An IMS User Equipment (UE) is provided. The IMS UE comprises: searching means for searching, based on UPnP technology, a UPnP network for a host device that has IMS subscription information, establishing means for establishing a session with the host device discovered by the searching means, subscription retrieving means for retrieving, from the host device via the session, the IMS subscription information, registering means for registering with the IMS network using the IMS subscription information, key retrieving means for retrieving, from the host device via the session, a first encryption key shared with an IMS application server (AS) in an IMS network by sending identity of the IMS AS to the host device via the session, and communicating means for performing encrypted communication with the IMS AS using the first encryption key.
    Type: Grant
    Filed: May 23, 2008
    Date of Patent: September 3, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Shingo Murakami, Toshikane Oda, Luis Barriga