Patents Examined by Jing Sims
  • Patent number: 8448231
    Abstract: A cleared sites list includes one or more hostname descriptors. A firewall includes rules associated with a cleared IP list including cleared IP addresses, and permits transfer of a cleared HTTP request from a user device to a cleared destination IP address that matches one of the cleared IP addresses. A controller examines a non-cleared HTTP request from the user device to a non-cleared destination IP address that does not match one of the cleared IP addresses, and acts as a transparent proxy between the user device and the non-cleared destination IP address when a destination host header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list. The controller further acts as a transparent proxy between the user device and the non-cleared destination IP address when a referrer header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: May 21, 2013
    Assignee: Guest Tek Interactive Entertainment Ltd.
    Inventor: David Ong
  • Patent number: 8443422
    Abstract: Various methods and apparatuses of protection mechanism are described. A target intellectual property block may field and service requests from an initiator intellectual property block in a system-on-chip network. The target intellectual property block has an associated protection mechanism with logic configured to restrict access for the requests to the target intellectual property block. The request's access is restricted based on access permissions associated with a region within the target intellectual property block and attributes of the request trying to access that region.
    Type: Grant
    Filed: September 1, 2010
    Date of Patent: May 14, 2013
    Assignee: Sonics, Inc.
    Inventors: Wolf-Dietrich Weber, Drew A Wingard, Stephen W Hamilton, Frank Seigneret
  • Patent number: 8429739
    Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: April 23, 2013
    Assignee: Amazon Technologies, Inc.
    Inventor: Daniel T. Cohn
  • Patent number: 8429741
    Abstract: Embodiments of the present invention relate generally to application security. In an embodiment, a method for altered token sandboxing includes creating a process based on a naked token and suspending the process. The method further includes obtaining an impersonation token and resuming the process with the impersonation token. The method further includes acquiring resources needed for the process with the impersonation token. The method also includes replacing the impersonation token with the naked token. In a further embodiment, the method further includes executing the suspended process with the naked token and the acquired resources. In another embodiment, a system for user-mode, altered token sandboxing includes a security module, an acquisition module and a replacement module. In a further embodiment, the system may include an execution module. In another embodiment, the system may include a request module.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: April 23, 2013
    Assignee: Google, Inc.
    Inventors: Carlos E. Pizano, Nicolas Sylvain, Jose Ricardo Vargas Puentes, Finnur Breki Thorarinsson, Mark Alan Larson
  • Patent number: 8428136
    Abstract: A dynamic image encoding technique provides high image quality encoding while eliminating the formation of a subjectively undesirable vector field. A dynamic image encoding device includes: an inter-frame predictor, a motion vector calculator, a prediction motion vector calculator, a skip mode motion vector calculator, and a skip mode validity judger. The skip mode validity judger calculates a code amount of a differential motion vector of the motion vector estimated by considering the motion vector of the skip mode and the subjective image quality, and uses a value of the code amount of the differential motion vector weighted by a block quantization parameter for the skip mode validity judgment.
    Type: Grant
    Filed: March 8, 2007
    Date of Patent: April 23, 2013
    Assignee: NEC Corporation
    Inventor: Keiichi Chono
  • Patent number: 8422685
    Abstract: The method for elliptic curve scalar multiplication may provide several countermeasures to protect scalar multiplication of a private key k by a point P to produce the product kP from power analysis attacks. First, the private key, k, is partitioned into a plurality of key partitions, which are processed in a random order, the resulting points being accumulated to produce the scalar product kP. Second, in each partition, the encoding is randomly selected to occur in binary form or in Non-Adjacent Form (NAF), with the direction of bit inspection being randomly assigned between most-to-least and least-to-most. Third, in each partition, each zero in the key may randomly perform a dummy point addition operation in addition to the doubling operation. The method may be implemented in software, smart cards, circuits, processors, or application specific integrated circuits (ASICs) designed to carry out the method.
    Type: Grant
    Filed: August 22, 2011
    Date of Patent: April 16, 2013
    Assignee: King Fahd University of Petroleum and Minerals
    Inventors: Turki F. Al-Somani, Alaaeldin Amin
  • Patent number: 8416857
    Abstract: A video processing system. In a specific embodiment, the system implements a system for processing macroblocks that includes a first module for processing a macroblock. A controller provides a first macroblock to the first module and provides a second macroblock to the first module, without waiting for the first module to complete processing of the first macroblock, when information is available to the first module to process the second macroblock. The first module may implement a pipelined processor that is adapted to process macroblocks simultaneously. Alternatively, the first module includes a first engine and a second engine, which may run in parallel as parallel engines. In a more specific embodiment, an entire image frame is treated as a single slice and processed by the system via pipelined engines or parallel engines.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: April 9, 2013
    Inventors: James Au, Kenn Heinrich
  • Patent number: 8407765
    Abstract: A system and method for restricting access to network performance information associated with communications over a packet network. A request may be received from a user to access network performance information associated with communications of data packets over a packet network. A determination as to whether the user has permission to access the network performance information may be made. In response to determining that the user has permission to access the network performance information, the user may be enabled to access the network performance information; otherwise, the user may be prevented from accessing the network performance information. The network performance information may include information associated with communications of data packets including real-time content and non-real-time content.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: March 26, 2013
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: William L. Wiley, Michael K. Bugenhagen
  • Patent number: 8402507
    Abstract: In one embodiment, a network device generates a protection policy responsive to identifying undesired voice data traffic. The network device then distributes the generated protection policy along a call path used for transferring the undesired voice data traffic. The proxy may distribute the protection policy by inserting the protection policy in a call response or other message that traces the call path back to a calling endpoint.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: March 19, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Feng Cao, Daniel G. Wing
  • Patent number: 8402278
    Abstract: The present invention is directed to a method and system for protecting data. In accordance with a particular embodiment of the present invention, a new file is created. Key information is retrieved for the file from a keyserver. The key information includes a key, a key identifier, and encryption algorithm information. The file is encrypted using the encryption algorithm. The key identifier is stored in a data repository. The data repository relates the key identifier to the encrypted file.
    Type: Grant
    Filed: April 13, 2007
    Date of Patent: March 19, 2013
    Assignee: CA, Inc.
    Inventor: Paul A. Gassoway
  • Patent number: 8396117
    Abstract: An apparatus, arrangement, method and computer program product for digital video processing encodes a video stream while dynamically adjusting the complexity level of the encoder. One apparatus includes a processor providing processing resources, a video encoder utilizing the resources to encode a digital video that includes a plurality of complexity levels used to encode video frames forming the video, a usage meter to measure repeatedly a usage level of the resources during running of the encoder, and an optimizer to direct repeatedly the encoder to utilize the resources adaptively by calculating a usage level of the resources for a plurality of the frames encoded before a current frame using the measured usage levels, comparing the calculated usage level to a predetermined level of the resources, and selecting one of the complexity levels to encode the current frame based on a comparison of the calculated usage level to the predetermined level.
    Type: Grant
    Filed: May 30, 2006
    Date of Patent: March 12, 2013
    Assignee: Google Inc.
    Inventor: Tero Rintaluoma
  • Patent number: 8356344
    Abstract: This invention is to provide a method applied to a network system comprising Internet and at least two private networks each having at least one NAT router and at least one network terminal device. Each network terminal device can link to Internet through an ICE proxy and the NAT router in the corresponding private network. The method allows an ICE proxy in a private network to hijack connection signals sent from a network terminal device, to write a plurality of candidate access points provided by an ICE protocol standard into a SDP packet containing the connection signals, and to transmit the SDP packet to a remote ICE proxy in another private network via Internet. As a result, the ICE proxies of two private networks can selectively use the candidate access points provided by the ICE protocol standard in order to pass through the respective NAT routers and firewalls thereof.
    Type: Grant
    Filed: February 27, 2008
    Date of Patent: January 15, 2013
    Assignee: D-Link Corporation
    Inventors: Yi-Hsiang Lin, You-Hsin Yen, Chuan-Hung Lin
  • Patent number: 8332636
    Abstract: A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a “key ring” containing keys corresponding to trusted software vendors. The secure kernel uses vendor keys to verify that a given application was signed by an approved vendor. To make it possible for users to execute software from independent software developers, an administrative user may disable the above-described vendor key-checking as an option.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: December 11, 2012
    Assignee: International Business Machines Corporation
    Inventors: Masana Murase, Masaharu Sakamoto, Kanna Shimizu, Vladimir Zbarsky
  • Patent number: 8332957
    Abstract: A storage device has a data erasing function. A controller of a storage device, such as a USB, has a lost timer section and an emergency timer section. Both timer sections halt clocking operation as a result of initiation of use of the storage device by an authorized user. The lost timer section commences clocking operation as a result of completion of use of the storage device by the authorized user. The emergency timer section commences clocking operation as a result of unauthorized removal of the storage device. When either the lost timer section or the emergency timer section outputs a count-up signal, data in flash ROM are erased.
    Type: Grant
    Filed: March 21, 2008
    Date of Patent: December 11, 2012
    Assignee: TEAC Corporation
    Inventor: Kaname Hayasaka
  • Patent number: 8327137
    Abstract: A virtualized computer system includes at least one guest environment (guest), a service guest environment (SG) and trusted software. The at least one guest includes at least one driver having a first private message interface. The SG includes a first USB host controller (HC) driver, which is in communication with a USB HC. The first USB HC driver includes a second private message interface. The trusted software is in communication with the guest and the SG. The trusted software includes a data intercept/routing mechanism that facilitates secure communication between at least one USB device coupled to the USB HC and the guest using the first and second private message interfaces.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: December 4, 2012
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Paul Erb, Geoffrey Strongin
  • Patent number: 8320562
    Abstract: A method and system for generating one or more keys includes obtaining at two or more devices data based on movement of at least one of the devices with respect to the other device. At least one key is generated based on the obtained data at each of the devices for use in securing communications between the devices. The key at each of the devices is substantially the same.
    Type: Grant
    Filed: April 10, 2007
    Date of Patent: November 27, 2012
    Assignee: Digital Lobe, LLC
    Inventors: Peter M. Hammond, James F. Munro, Steven C. Kapp
  • Patent number: 8321943
    Abstract: A distress signal sender and a distress signal receiver receive beacon-name generation parameters and generate a beacon name based at least in part on the received parameters, the beacon name representing a network location. Responsive to detecting an unexpected lack of access to network communications, the distress signal sender sends a beacon message to the generated beacon name, the beacon message describing a security state of the client. The distress signal receiver detects the beacon message sent by the distress signal sender, and responsive to receiving the beacon message, performs a remedial action.
    Type: Grant
    Filed: July 30, 2009
    Date of Patent: November 27, 2012
    Assignee: Symantec Corporation
    Inventors: Robert Walters, Adam Schepis, Javier Santoyo
  • Patent number: 8316422
    Abstract: A system may include a sender computing system, an intermediary component, and a receiver computing system. The sender computing system may transmit first authentication data and second authentication data, and the intermediary component may receive the first authentication data and second authentication data from the sender computing system, perform an authentication action based on the second authentication data, and transmit the first authentication data. The receiver computing system may receive the first authentication data.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: November 20, 2012
    Assignee: SAP AG
    Inventors: Christoph H. Hofmann, Martijn De Boer
  • Patent number: 8312518
    Abstract: The present invention is directed to establishing an island of trust using credentials issued by a manufacturer or service provider and protecting the credentials by embedding them in application code.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: November 13, 2012
    Assignee: Avaya Inc.
    Inventors: Joel M. Ezell, Manish Gaur, Richard J. Pennenga, Andrew Zmolek
  • Patent number: 8302160
    Abstract: A system may include a sender computing system, an intermediary service component, and a receiver computing system. The sender computing system may transmit a message and authentication data, and the intermediary service component may receive the message and the authentication data from the sender computing system, process the message, and transmit the authentication data and the processed message. The receiver computing system may receive the authentication data and the processed message.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: October 30, 2012
    Assignee: SAP AG
    Inventors: Christoph H. Hofmann, Martijn De Boer