Patents Examined by Mohammad L Rahman
  • Patent number: 8826374
    Abstract: A method and apparatus for processing an electronic document in a secure manner is provided. A scanner may verify that the configuration state of a file server has not changed since a prior configuration state by issuing a request to a security server. The security server may process the request to determine whether the configuration state of the file server has changed since the file server was registered with the security server. The security server may also verify that the scanner issued a request to store an electronic document using a file server or that the file server received the request. A storage medium of a file server may be protected against unauthorized removal of the storage medium by storing, separate from the storage medium, a password required to access the storage medium, and when the file server is powered on, the password is provided to the storage medium.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: September 2, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Brian Smithson
  • Patent number: 8819844
    Abstract: A delivery of application data within a predetermined attribute type of protocol message across a communication network is disclosed. The non-specific application data is deployed within one or more attribute types for extraction and use by a protocol's server after establishing authentication of the user device. In one or more preferred implementations, the protocol reflects the principles of an Authentication, Authorization and Accounting (AAA) framework type.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: August 26, 2014
    Assignee: Aeris Communications, Inc.
    Inventors: Saraswathi Balasubramaniam, Syed Zaeem Hosain
  • Patent number: 8813185
    Abstract: A mechanism that allows a user to easily configure a rules engine to apply rules to decide which requests for access to a user's computer resources are to be granted and which are denied. A trusted token, such as a certificate of identity issued by a trusted third party authority that verifies identities of computer users, is included in a calling card object provided by the requesting user to the (server) computer that controls the resources desired by the requester. Additional conditions for access may be specified as desired by the user of the server computer.
    Type: Grant
    Filed: June 11, 2012
    Date of Patent: August 19, 2014
    Assignee: Apple Inc.
    Inventors: Leland A. Wallace, David M. O'Rourke
  • Patent number: 8813194
    Abstract: A particular method includes receiving a request to access a secured wireless local network at a security device of the secured wireless local network from a wireless-enabled device that is not authorized to access the secured wireless local network when the request is received. The method includes receiving identification information from the wireless-enabled device at the security device. The method also includes automatically sending an access request message from the security device to at least one messaging address. The access request message provides a recipient of the access request message with at least a portion of the identification information and a selectable option to allow the wireless-enabled device access to the secured wireless local network without requiring user input of a network password associated with the secured wireless local network via the wireless-enabled device.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: August 19, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Stephen Sposato, Kevin Meng, Cheng-Hong Hu
  • Patent number: 8806222
    Abstract: To provide for cryptographic separation, embodiments of the invention employ containment mechanisms provided by trusted operating systems to ensure that plaintext data which must be encrypted in accordance with a security policy (or, in reverse, ciphertext data which is to be decrypted) is processed by a suitable encryption routine before being sent onwards for transmission, storage, or the like. Such containment mechanisms usually include mandatory system access control rules which specify to which system resources the output of a system resource (such as an application) may be supplied. By specifying a suitable set of such rules, mandatory encryption can be enforced at the operating system kernel level.
    Type: Grant
    Filed: January 20, 2006
    Date of Patent: August 12, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Robert Thomas Owen Rees
  • Patent number: 8806572
    Abstract: Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision.
    Type: Grant
    Filed: May 30, 2009
    Date of Patent: August 12, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: David A. McGrew, Sandeep Rao
  • Patent number: 8800048
    Abstract: Methods and a tool or instrument for performing the methods of protecting a computer program with a parameter cloud are disclosed. A parameter cloud comprising a plurality of elements may be created. Called functions of a computer program may have defined expected parameter cloud states so that proper behavior of the called function is achieved when the parameter cloud state is the expected parameter cloud state. An expected parameter cloud state may include a selected set of elements of the parameter cloud having assigned values. Static portions of the called functions may depend on a current parameter cloud state, and calling functions may transform the parameter cloud state prior to calling their respective called functions. The methods and instrument may operate on original source code or post-binary targets of the computer program. A fingerprint may be used to identify a specific computer program from a sequence of state transitions.
    Type: Grant
    Filed: May 20, 2008
    Date of Patent: August 5, 2014
    Assignee: Microsoft Corporation
    Inventors: Matthias Wollnik, Nathan Ide, Andrey Lelikov, John Richard McDowell, Aaron Payne Goldsmid, Karan Singh Dhillon
  • Patent number: 8799983
    Abstract: The present invention relates to using authorization information provided by an asserting agent to control insight-related interactions between a receiving agent and an insight agent. The insight may be information that relates to an entity with whom or a device with which the asserting agent is associated. Such insight is generally referred to as insight of the asserting agent. An insight source maintains the insight of the asserting agent, and the insight agent provides controlled access to the insight by the receiving agent through the insight-related interactions. For others to gain access to at least certain of the asserting agent's insight, the asserting agent must authorize the insight agent to provide the asserting agent's insight to the receiving agent. Upon obtaining the proper authorization, the insight agent will interact with the receiving agent and distribute the asserting agent's insight to the receiving agent.
    Type: Grant
    Filed: May 22, 2008
    Date of Patent: August 5, 2014
    Assignee: Avaya Inc.
    Inventor: John H. Yoakum
  • Patent number: 8799986
    Abstract: A system controls policy distribution with partial evaluation to permit/deny access to protected alternatives. The system includes a database to store access control policy functions for protected alternatives, a guard to guard access to a protected alternative and construct an access control request including attributes regarding the protected alternative, a policy decider to receive the access control request from the guard, a policy distributor connected to the database and policy decider, to collect the static attributes of the protected alternative, and send them to the policy distributor, which constructs a partial access control request from the static attributes, performs partial evaluation against the stored access control policy function, resulting in a simplified access control policy function, and sends the simplified function to the policy decider, to evaluate access control requests regarding the protected alternative, and return a permit or deny response to the guard.
    Type: Grant
    Filed: May 6, 2010
    Date of Patent: August 5, 2014
    Assignee: Axiomatics AB
    Inventor: Erik Rissanen
  • Patent number: 8789136
    Abstract: A system and method for securing the mobile device applies the rules to determine if an event associated with an application is a secure event. If the event is a secure event, the system applies the rules to determine if the event is authenticated. If the event is authenticated, the event is authorized and the system updates rule data associated with the event and/or other associated events. Updating the rule data allows other associated events to be authenticated. If the event is not authenticated, the system requests authentication from a user. If the authentication is valid, the event is authorized and the system updates the rule data associated with the event and/or other associated events. If the authentication is not valid, the system secures the mobile device. Authorizing the event enables a user to access the application and/or data associated with the application.
    Type: Grant
    Filed: September 2, 2008
    Date of Patent: July 22, 2014
    Assignee: Avaya Inc.
    Inventors: George Erhart, Valentine Matula, David Skiba
  • Patent number: 8789176
    Abstract: In certain embodiments, detecting scans may include receiving packets, where each packet has a target. The number of distinct targets of the packets may be counted using one or more Bloom counters. The number of distinct targets may satisfy a scan threshold for detecting a scan. If the scan threshold is satisfied, it is determined a scan is present.
    Type: Grant
    Filed: March 7, 2011
    Date of Patent: July 22, 2014
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Patent number: 8776210
    Abstract: A system and method are disclosed for improving a statistical message classifier. A message may be tested with a machine classifier, wherein the machine classifier is capable of making a classification on the message. In the event the message is classifiable by the machine classifier, the statistical message classifier is updated according to the reliable classification made by the machine classifier. The message may also be tested with a first classifier. In the event that the message is not classifiable by the first classifier, it is tested with a second classifier, wherein the second classifier is capable of making a second classification. In the event that the message is classifiable by the second classifier, the statistical message classifier is updated according to the second classification.
    Type: Grant
    Filed: December 29, 2011
    Date of Patent: July 8, 2014
    Assignee: SonicWALL, Inc.
    Inventors: Jonathan J Oliver, Scott Roy, Scott D. Eikenberry, Bryan Kim, David A. Koblas, Brian K. Wilson
  • Patent number: 8763103
    Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
    Type: Grant
    Filed: April 21, 2006
    Date of Patent: June 24, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis, Ke Wang
  • Patent number: 8756673
    Abstract: Techniques for sharing data between users in a manner that maintains anonymity of the users. Tokens are generated and provided to users for sharing data. A token comprises information encoding an identifier and an encryption key. A user may use a token to upload data that is to be shared. The data to be shared is encrypted using the encryption key associated with the token and the encrypted data is stored such that it can be accessed using the identifier associated with the token. A user may then use a token to access the shared data. The identifier associated with the token being used to access the shared data is used to access the data and the encryption key associated with the token is used to decrypt the data. Data is shared anonymously without revealing the identity of the users using the tokens.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: June 17, 2014
    Assignee: Ricoh Company, Ltd.
    Inventors: John W. Barrus, Tomohiko Sasaki, Jamey Graham, Sharon Kojima
  • Patent number: 8755521
    Abstract: A Digital Rights Management (DRM) system for distribution of digital content such as audio or video uses a method to enhance security of the content from unauthorized access and use, including access by unauthorized players. The method does not necessarily require a token exchange and thereby minimizes storage demands on the server which distributes the digital content. The system generates and distributes keys for decryption of the digital content whereby the keys are unique to a specific player and user account.
    Type: Grant
    Filed: May 9, 2008
    Date of Patent: June 17, 2014
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Mathieu Ciet, Pierre Betouin
  • Patent number: 8756674
    Abstract: A method of authenticating a network client to a relying party computer via a computer server comprises the computer server receiving a transaction code from a token manager via a first communications channel. The network client is configured to communicate with a token manager which is configured to communicate with a hardware token interfaced therewith. The network client is also configured to communicate with the relying party computer and the computer server. The computer server also receives a transaction pointer from the relying party computer via a second communications channel that is distinct from the first communications channel. Preferably, the transaction pointer is unpredictable by the computer server. The computer server transmits an authorization signal to the relying party computer in accordance with a correlation between the transaction code and the transaction pointer. The authorization signal facilitates authentication of the network client to the relying party computer.
    Type: Grant
    Filed: February 19, 2010
    Date of Patent: June 17, 2014
    Assignee: SecureKey Technologies Inc.
    Inventors: Troy Jacob Ronda, Pierre Antoine Roberge, Patrick Hans Engel, Rene McIver, Gregory Howard Wolfond, Andre Michel Boysen
  • Patent number: 8752154
    Abstract: According to one embodiment, a system including a memory and a processor is provided. The memory may be operable to store a plurality of accounts. Each account may be associated with a user and with a mobile device. The processor may be coupled to the memory and operable to receive user credentials, sent by a requesting user and originating from a requesting device, in conjunction with a request for authentication. The user credentials may include an account identifier. The processor may be further operable to retrieve, from the plurality of accounts, the account associated with the account identifier that matches the account identifier included in the user credentials. The processor may compare information included within the user credentials with information associated with the account. If the information included within the user credentials matches the information associated with the account, the processor may send an authentication-confirmation message to a second device.
    Type: Grant
    Filed: August 11, 2011
    Date of Patent: June 10, 2014
    Assignee: Bank of America Corporation
    Inventor: William E. Kelley
  • Patent number: 8752129
    Abstract: In one embodiment, the methods and apparatuses assign a routing address to a wireless computer that is in a different logical network from the routing addresses of other wireless computers within the same physical wireless network, and prevent a wireless computer from learning the routing address of another wireless computer within the same physical wireless network.
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: June 10, 2014
    Inventor: Alex I. Alten
  • Patent number: 8752164
    Abstract: The present invention prevents illegitimate access to a user computing machine. A method in accordance with an embodiment includes: setting an authentication routine in the user computing machine; generating a virtual keyboard on the user computing machine; entering a user identification through the virtual keyboard, the user identification being entered according to a virtual keyboard form factor; comparing the entered user identification with a secure user identification previously stored in the user computing machine; and validating the user access to the user computing machine if a match occurs, otherwise denying access.
    Type: Grant
    Filed: May 25, 2008
    Date of Patent: June 10, 2014
    Assignee: International Business Machines Corporation
    Inventors: Oded Dubovsky, Itzhack Goldberg, Ido Levy, Ilan Shimony, Grant D. Williamson
  • Patent number: 8752131
    Abstract: According to one embodiment, maintenance points of a maintenance entity group are identified. The maintenance points comprise end points and intermediate points. A secure connectivity association set is established for the maintenance points. The following is performed for each frame of a number of frames: determining security data of the secure connectivity association set; placing the security data into a frame; and communicating the frame to a maintenance point. The maintenance point is configured to determine whether a frame is acceptable from the security data of the frame.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: June 10, 2014
    Assignee: Fujitsu Limited
    Inventor: Donald C. O'Connor