Patents by Inventor Xinwen Zhang

Xinwen Zhang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20140281505
    Abstract: An apparatus comprising a memory, a processor coupled to the memory, wherein the memory contains instructions that when executed by the processor cause the apparatus to receive an information centric network (ICN) name prefix announcement message comprising a message prefix specific to a publisher, a public key certificate specific to the content publisher, and a signature specific to the content publisher, verify the signature with a name registration service (NRS), and update internal data indicating that the content publisher is a trusted publisher, wherein the internal data comprises the prefix, the public key, and the signature.
    Type: Application
    Filed: August 20, 2013
    Publication date: September 18, 2014
    Applicant: Futurewei Technologies, Inc.
    Inventors: Xinwen Zhang, Haiyong Xie, Ravishankar Ravindran, Guo Qiang Wang
  • Patent number: 8837511
    Abstract: A content-centric-network (CCN)/named-data networking (NDN) system to support seamless mobility for a mobile node (MN) comprising a first point of attachment (PoA) configured to indicate to the MN that attaches to the first PoA one or more neighbor PoAs and to multicast an interest for content from the MN to the neighbor PoAs in a CCN or NDN when the MN starts a handoff procedure, and a second PoA from the one or more neighbor PoAs of the first PoA configured to receive the multicast interest from the first PoA, forward the interest to the CCN or NDN, receive content data from the CCN or NDN, and forward the content data to the MN.
    Type: Grant
    Filed: June 22, 2012
    Date of Patent: September 16, 2014
    Assignee: Futurewei Technologies, Inc.
    Inventors: Ravishankar Ravindran, Sau Man Lo, Guo Qiang Wang, Xinwen Zhang
  • Patent number: 8788841
    Abstract: Techniques for representation and verification of data are disclosed. The techniques are especially useful for representation and verification of the integrity of data (integrity verification) in safe computing environments and/or systems (e.g., Trusted Computing (TC) systems and/or environments). Multiple independent representative values can be determined independently and possibly in parallel for respective portions of the data. The independent representative values can, for example, be hash values determined at the same time for respective distinct portions of the data. The integrity of the data can be determined based on the multiple hash values by, for example, processing them to determine a single hash value that can serve as an integrity value.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: July 22, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Onur Aciicmez, Jean-Pierre Seifert, Xinwen Zhang, Afshin Latifi
  • Patent number: 8782801
    Abstract: Techniques for protecting content to ensure its use in a trusted environment are disclosed. A trusted security component provided for a device can verify the internal integrity of the stored content and the host before it allows the content to come in contact with the host. As a counterpart, a trusted security component provided for the host can verify and attest to the integrity of the host and/or specific host computing environment that can be provided for the content stored in the device. The trusted security component provided for a device effectively verifies the host integrity based on the information attested to by the trusted security component provided for the host. If the trusted security component trusts the host, it allows the trusted host to provide a trusted host computing environment trusted to be safe for the content stored in the device.
    Type: Grant
    Filed: August 15, 2007
    Date of Patent: July 15, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Xinwen Zhang, Onur Aciicmez, Jean-Pierre Seifert, Qingwei Ma
  • Patent number: 8775630
    Abstract: Techniques for assessing the cost of allocation of execution and affecting the allocation of execution are disclosed. The cost of allocation of execution between a first computing device (e.g., mobile device) and one or more computing resource providers (e.g., Clouds) can be determined during runtime of the code. A computing system can operate independently of the first computing device and a computing resource provider and provide execution allocation cost assessment. Execution allocation cost can be assessed based on execution allocation data pertaining to the first computing device and computing resource providers. Power consumption of a mobile device can be used as a factor in determining how to allocate individual components of an application program between a mobile phone and a Cloud. In an Elastic computing environment, external computing resources can be used to extend the computing capabilities beyond that which can be provided by internal computing resources.
    Type: Grant
    Filed: June 8, 2012
    Date of Patent: July 8, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Xinwen Zhang, Onur Aciicmez, Simon J. Gibbs, Anugeetha Kunjithapatham, Sangoh Jeong, Doreen Cheng
  • Publication number: 20140185801
    Abstract: An apparatus comprising a processor configured to perform at least one transcoding operation on a first encrypted video frame to generate a second encrypted video frame. Also, a method comprising performing at least one transcoding operation on a first encrypted video frame to generate a second encrypted video frame. Also, an apparatus comprising a processor configured to retrieve a first encrypted video frame, wherein the first encrypted video frame is generated by encrypting an original video frame using an encryption key, and perform a transcoding operation on the encrypted video frame without revealing content of the original video frame.
    Type: Application
    Filed: December 31, 2012
    Publication date: July 3, 2014
    Inventors: Xin Wang, Xingze He, Xinwen Zhang
  • Patent number: 8769705
    Abstract: A networking system comprising an application service that runs on a cloud infrastructure and is configured to receive dual encrypted content from a content provider and re-encrypt the dual encrypted content to enable dynamic user group control for group-based user authorization, and a cloud storage service coupled to the application service and configured to store the dual encrypted content from the content provider and the re-encrypted dual encrypted content from the application service, wherein the application service and the storage service are configured to communicate and operate with a content delivery service that uses a content delivery network (CDN) to deliver the re-encrypted content to one or more users in a group authorized by the content provider.
    Type: Grant
    Filed: February 13, 2012
    Date of Patent: July 1, 2014
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xinwen Zhang, Huijun Xiong, Guoqiang Wang
  • Patent number: 8769669
    Abstract: A user device comprising a processor configured to enable a mnemonic based digital signature scheme for user authentication that is based on a combination of one or more secrets and one or more actions implemented on the user device and associated with the secrets, and a device input system coupled to the processor and configured to detect the actions implemented on the user device. Also disclosed is an apparatus comprising a processor configured to implement a mnemonic based digital signature for authenticating a user, a device input system configured to enable the mnemonic based digital signature, and a memory unit configured to store input data that is used to recognize the mnemonic based digital signature, wherein the mnemonic based digital signature comprises a secret, an action associated with the secret and implemented using the device input system, and a cue associated with the action.
    Type: Grant
    Filed: February 3, 2012
    Date of Patent: July 1, 2014
    Assignee: Futurewei Technologies, Inc.
    Inventors: Zhengyi Le, Xinwen Zhang, John Waclawsky, Jiwei Wei
  • Publication number: 20140173076
    Abstract: A network node, comprising a receiver configured to receive a request for a service, wherein the request comprises a hierarchically structured name comprising a root and a suffix, a data storage component comprising a network synchronized policy rule associated with a service name root, wherein the network synchronized policy rule is applied to any request for a service whose name comprises a root matching the service name root, and a processor coupled to the receiver and to the data storage component, wherein the processor is configured to apply the network synchronized policy rule to the request, wherein the processor is configured to synchronize service definitions and service policies with other nodes in a network based on the name of the service, and wherein the network synchronized policy rule is synchronized with the other nodes in the network using name-based routing.
    Type: Application
    Filed: December 31, 2012
    Publication date: June 19, 2014
    Applicant: Futurewei Technologies, Inc.
    Inventors: Ravishankar Ravindran, Guo-Qiang Wang, Xinwen Zhang, Asit Chakraborti, Trisha Biswas
  • Patent number: 8752130
    Abstract: In one embodiment, a multi-stakeholder environment is controlled by first assigning a first domain to a first stakeholder and a second domain to a second stakeholder. Then a first access policy is defined for the first domain and access is restricted to the first domain for the second stakeholder according to the first access policy. In another embodiment, an access request is handled in a multi-stakeholder environment by first receiving parameters forwarded by hooks in system call functions in a kernel of the multi-stakeholder environment, wherein the parameters contain information about a first stakeholder requesting access to a domain corresponding to a second stakeholder. Then it is determined whether to allow the first stakeholder to access the domain based at least partially upon security settings corresponding to the domain.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: June 10, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Xinwen Zhang, Jean-Pierre Seifert, Wookhee Min, Onur Aciicmez
  • Publication number: 20140098960
    Abstract: Embodiments of the present invention disclose a ciphertext processing method, apparatus, and system. The method includes: selecting a random secret value; calculating a private key according to a partial private key acquired by the local end and the random secret value; calculating a proxy key according to the private key of the local end and a public key publicized by an opposite end, where the public key is calculated by the opposite end according to a random secret value selected by itself and a system public parameter; and sending the proxy key, so that the opposite end acquires a ciphertext obtained after a re-encryption operation is performed, according to the proxy key, on a ciphertext sent by the local end, and performs decryption. Therefore, information security is ensured better and the Public Key Infrastructure (PKI) is avoided, thereby having better extensibility.
    Type: Application
    Filed: December 12, 2013
    Publication date: April 10, 2014
    Applicant: Huawei Technologies Co., Ltd.
    Inventors: Lei Xu, Xiaoxin Wu, Xinwen Zhang
  • Patent number: 8694675
    Abstract: A networking system comprising a content router for an information-centric network (ICN) comprising a content store (CS), a pending interest table (PIT), a forwarding information base (FIB), and a plurality of interfaces, and configured to receive and forward interest from one or more users and data from one or more applications via the interfaces using a dual-mode data forwarding plane, and a plurality of next hop nodes of the ICN coupled to the content router and configured to forward the interest and data to the content router via the interfaces, wherein the dual-mode forwarding plane forwards the interest and data using the FIB without the CS and PIT for conversational traffic and using the CS, PIT, and FIB for content dissemination traffic.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: April 8, 2014
    Assignee: Futurewei Technologies, Inc.
    Inventors: Guo Qiang Wang, Ravishankar Ravindran, Xinwen Zhang
  • Publication number: 20140074763
    Abstract: Techniques for allocating individually executable portions of executable code for execution in an Elastic computing environment are disclosed. In an Elastic computing environment, scalable and dynamic external computing resources can be used in order to effectively extend the computing capabilities beyond that which can be provided by internal computing resources of a computing system or environment. Machine learning can be used to automatically determine whether to allocate each individual portion of executable code (e.g., a Weblet) for execution to either internal computing resources of a computing system (e.g., a computing device) or external resources of a dynamically scalable computing resource (e.g., a Cloud). By way of example, status and preference data can be used to train a supervised learning mechanism to allow a computing device to automatically allocate executable code to internal and external computing resources of an Elastic computing environment.
    Type: Application
    Filed: September 6, 2013
    Publication date: March 13, 2014
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Sangoh Jeong, Simon J. Gibbs, Xinwen Zhang, Anugeetha Kunjithapatham
  • Publication number: 20140041027
    Abstract: Techniques for execution of commands securely within a storage device are disclosed. Integrity of a command interpreter is verified before allowing it to execute commands within the storage device. The integrity of the commands can also be checked to safeguard against various threats including, for example, malicious attacks, unintentional errors and defects that can adversely affect stored content and execution. Error recovery techniques can be used to reconstruct the command interpreter and/or commands that are found to be defective. In addition, secure techniques can be used to obtain trusted versions of the command interpreter and/or commands from an authenticated external source.
    Type: Application
    Filed: October 3, 2013
    Publication date: February 6, 2014
    Applicant: Samsung Electronics Company, Ltd.
    Inventors: Onur Aciicmez, Xinwen Zhang
  • Patent number: 8645702
    Abstract: A content router comprising storage configured to cache, in a content oriented network (CON), a content object with a signature signed by a publisher based on a known identity to a subscriber; and a transmitter coupled to the storage and configured to forward the content object with the signature upon request to the subscriber, wherein the subscriber uses the signature to verify one of the content object's integrity and the content object's authenticity based on the known identity without verifying a trust of a publisher key for the publisher, and wherein the known identity is trusted by the publisher and does not require verifying trust from the publisher.
    Type: Grant
    Filed: July 27, 2011
    Date of Patent: February 4, 2014
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xinwen Zhang, Guangyu Shi
  • Patent number: 8631468
    Abstract: Techniques for controlling access are disclosed. The techniques can be used for reference monitoring in various computing systems (e.g., computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones). Allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. After permission to access a component has been allowed, one or more disallow access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed. Access can be disallowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours.
    Type: Grant
    Filed: November 10, 2008
    Date of Patent: January 14, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Xinwen Zhang, Jean-Pierre Seifert, Onur Aciicmez, Afshin Latifi
  • Patent number: 8621551
    Abstract: Techniques for managing and protecting computing environments are disclosed. A safe computing environment can be provided for ensuring the safety and/or management of a device. The safe computing environment can be secured by a safe component that isolates and protects it from unsafe computing environments which may also be operating. As a result, various security and management activities can be securely performed from a safe computing environment. A safe computing environment can, for example, be provided on a device as a safe virtual computing environment (e.g., a safe virtual machine) protected by a safe virtual computing monitor (e.g., a safe virtual machine monitor) from one or more other virtual computing environments that are not known or not believed to be safe for the device. It will also be appreciated that the safe components can, for example, be provided as trusted components for a device.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: December 31, 2013
    Assignee: Samsung Electronics Company, Ltd.
    Inventors: Xinwen Zhang, Liang Xie, Jean-Pierre Seifert, Onur Aciicmez, Afshin Latifi
  • Patent number: 8601534
    Abstract: Access permission can be assigned to a particular individually executable portion of computer executable code (“component-specific access permission”) and enforced in connection with accessing the services of a service provider by the individually executable portion (or component). It should be noted that at least one of the individually executable portions can request the services when executed by a dynamically scalable computing resource provider. In addition, general and component-specific access permissions respectively associated with executable computer code as a whole or one of its specific portions (or components) can be cancelled or rendered inoperable in response to an explicit request for cancelation.
    Type: Grant
    Filed: April 22, 2010
    Date of Patent: December 3, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Joshua Schiffman, Xinwen Zhang, Simon J. Gibbs, Anugeetha Kunjithapatham, Sangoh Jeong
  • Patent number: 8595834
    Abstract: Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.
    Type: Grant
    Filed: February 4, 2008
    Date of Patent: November 26, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Liang Xie, Xinwen Zhang, Jean-Pierre Seifert, Onur Aciicmez, Afshin Latifi
  • Patent number: 8578179
    Abstract: Techniques for execution of commands securely within a storage device are disclosed. Integrity of a command interpreter is verified before allowing it to execute commands within the storage device. The integrity of the commands can also be checked to safeguard against various threats including, for example, malicious attacks, unintentional errors and defects that can adversely affect stored content and execution. Error recovery techniques can be used to reconstruct the command interpreter and/or commands that are found to be defective. In addition, secure techniques can be used to obtain trusted versions of the command interpreter and/or commands from an authenticated external source.
    Type: Grant
    Filed: October 19, 2007
    Date of Patent: November 5, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Onur Aciicmez, Xinwen Zhang