Multiple Computer Communication Using Cryptography Patents (Class 713/150)
  • Patent number: 9823862
    Abstract: According to one embodiment, a storage system includes a plurality of memory nodes that are connected to each other in a plurality of different directions. Each memory node stores a count value. Each memory node, when receiving an update command of which destination is not own memory node, transmits the update command to other memory nodes connected thereto. Each memory node, when receiving an update command of which destination is own memory node, executes the update command, increases the stored count value, and issues a notice indicating the increased count value.
    Type: Grant
    Filed: June 25, 2014
    Date of Patent: November 21, 2017
    Assignee: TOSHIBA MEMORY CORPORATION
    Inventors: Atsuhiro Kinoshita, Junichi Hoshino, Takahiro Kurita
  • Patent number: 9826023
    Abstract: Systems and methods for injecting sensitive data into outgoing traffic on behalf of a user of a private network are provided. According to one embodiment, a network security appliance maintains a database of sensitive data. Secure submission of sensitive data of a user is facilitated by the security appliance in connection with interactions between a client and a server by: (i) intercepting outgoing traffic from the client to the server; (ii) determining whether the outgoing traffic matches a policy configured by an administrator of the private network that causes the sensitive data to be injected into the outgoing traffic by the network security device on behalf of the user; and (iii) when the determining is affirmative: (a) retrieving the sensitive data from the database; (b) modifying the outgoing traffic by injecting the sensitive data into the outgoing traffic; and (c) sending the modified outgoing traffic to the server.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: November 21, 2017
    Assignee: Fortinet, Inc.
    Inventor: Qianyong Yu
  • Patent number: 9820251
    Abstract: An enhanced Session Initiation Protocol (“SIP”) registration message having extended header information that is used by an Internet Protocol Multimedia Subsystem (“IMS”) core to determine the registration status of a mobile device and the physical location of the mobile device. The extended header information includes hardware and subscriber identifiers, such as an International Mobile Equipment Identity (“IMEI”) and International Mobile Subscriber Identity (“IMSI”). The IMS core queries an equipment identity register to validate IMEI/IMSI identifiers in the header to determine whether to deny registration to a mobile device. The IMS core also queries a capability database using an IMEI to determine which location determination techniques are supported by or suitable for the associated mobile device.
    Type: Grant
    Filed: February 22, 2016
    Date of Patent: November 14, 2017
    Assignee: T-Mobile USA, Inc.
    Inventors: Vishal Narkar, Nilesh Ranjan
  • Patent number: 9811562
    Abstract: A processing device receives a plurality of discrete log entries from a first data store and generates an event for each discrete log entry that satisfies a criterion. To generate an event the processing device determines a source type associated with a discrete log entry, parses the discrete log entry based on the source type, determines a plurality of fields of the discrete log entry, identifies a subset of the plurality of fields, wherein one or more fields in the subset are to be used as keys for indexing events, and assigns a field type to each field in the subset of the plurality of fields. The processing device additionally writes a plurality of event entries for the event into a second data store. A separate event entry is written for each field of the subset of the plurality of fields having an assigned field type.
    Type: Grant
    Filed: February 24, 2016
    Date of Patent: November 7, 2017
    Assignee: FactorChain Inc.
    Inventors: Kenny Tidwell, David Frampton, Brendan O'Connell
  • Patent number: 9807122
    Abstract: A method includes determining a topic and a media type of a communication to be sent from a sending communication device to a designated receiving communication device, assigning one or more security requirements to the communication based on the topic and the media type, identifying a security state of the receiving communication device for receiving the communication via the media type, and transmitting the communication from the sending communication device to the receiving communication device only in response to the security state of the receiving communication device satisfying the one or more security requirements.
    Type: Grant
    Filed: September 16, 2015
    Date of Patent: October 31, 2017
    Assignee: Lenovo Enterprise Solutions (Singapore) Pte. Ltd.
    Inventors: Gary D. Cudak, Joseph F. Herman, J. Mark Weber, Christine Marie Stamm-Nettleship, Zendre Necole Simmons
  • Patent number: 9805210
    Abstract: Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.
    Type: Grant
    Filed: February 26, 2015
    Date of Patent: October 31, 2017
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Joseph Nord, Benjamin Elliot Tucker, Timothy Gaylor
  • Patent number: 9806943
    Abstract: Exemplary embodiments for enabling planned network changes such as an upgrade or downgrade of a network device are disclosed. The systems and methods provide for planned upgrades and downgrades for network devices without impacting existing network sessions, by utilizing two network devices simultaneously, and creating a redirect network session for a predetermined period of time. In so doing, all network traffic may be gradually transferred to the second network device, until the sessions processed by the first network device time out. The first network device can then be taken offline for upgrade or downgrade, without any disruption to the network service or loss of network traffic.
    Type: Grant
    Filed: April 24, 2014
    Date of Patent: October 31, 2017
    Assignee: A10 NETWORKS, INC.
    Inventors: Ali Golshan, Swaminathan Sankar, Venky Natham
  • Patent number: 9798290
    Abstract: Cryptographic techniques for encrypting images, and decrypting and reconstructing images, are provided to facilitate preventing unauthorized access to images. A holographic cryptographic component (HCC) generates complex holograms of multi-dimensional source images of a multi-dimensional object scene. The HCC generates phase holograms, based on the complex holograms, using a stochastic hologram generation process, and encrypts the phase holograms to generate encrypted holograms based on a random phase mask, which can be the private encryption key. At the decoding end, an HCC overlays a conjugate phase mask on the encrypted holograms to decrypt them, wherein the decrypted holograms are illuminated with a coherent light source to generate holographic images that reconstruct the source images. The source images are only reconstructed properly if the correct phase mask is used. If HCC applies the encryption process repetitively to the same source image, HCC can generate a different encrypted hologram in each run.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: October 24, 2017
    Assignee: CITY UNIVERSITY OF HONG KONG
    Inventor: Peter Wai Ming Tsang
  • Patent number: 9801222
    Abstract: The present disclosure relates to a system and methods for exchanging information between a plurality of mobile devices by pairing the two mobile devices based on proximity of the two mobile devices. In some implementations, the method includes determining a geographic position and angular orientation of the devices. In other implementations, the method includes determining that at least one mobile device heard a unique sound produced by the other mobile device. Once paired, the server can send information to one or both of the mobile devices and, in some cases, can revoke the exchanged information, e.g., in response to a revocation request.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: October 24, 2017
    Assignee: MM Mobile, LLC
    Inventor: Masa Pezdirc
  • Patent number: 9800556
    Abstract: Embodiments described herein provide enhanced computer- and network-based systems and methods for providing data security with respect to computing services, such as a digital transaction service (DTS). Example embodiments further provide a discovery service that enables nodes that are included in, or otherwise communicatively coupled to, the DTS to actively or passively “discover” roles and keys associated with the nodes. These node roles are associated with the various services provided by the DTS. A security module provides at least a portion of the security services.
    Type: Grant
    Filed: January 30, 2015
    Date of Patent: October 24, 2017
    Assignee: DocuSign, Inc.
    Inventors: David Steeves, Eric Fleischman
  • Patent number: 9794109
    Abstract: A client device and method for maintaining NAT mapping. In one embodiment the client device includes: (1) a network interface circuit operable to transmit a keepalive message on an interval to a NAT gateway and (2) an interval adjust circuit configured to: (2a) increment the interval upon an acknowledgment of the keepalive message and (2b) decrement the interval upon a failure to receive the acknowledgment.
    Type: Grant
    Filed: February 22, 2013
    Date of Patent: October 17, 2017
    Assignee: Alcatel Lucent
    Inventors: Gordon E. McKinney, Frank Quatro
  • Patent number: 9781451
    Abstract: A method and apparatus for decoding a compressed video is disclosed. The method comprises scrambling the compressed video, to produce a scrambled compressed video; delivering the scrambled compressed video to a decoder, for decoding the scrambled compressed video to produce a scrambled decompressed video; receiving from the decoder the scrambled decompressed video; and descrambling the scrambled decompressed video, to produce a descrambled decompressed video.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: October 3, 2017
    Assignee: Squadeo S.A.S.
    Inventors: Francois Martin, Xiaobo Liu
  • Patent number: 9781076
    Abstract: A communications system (40) comprises a first entity (42), a first encryption device (48) and a network (46). The first encryption device (48) is adapted to decrypt, using a first decryption algorithm, data sent from a first destination to said first entity via said network (46). The first encryption device (48) is adapted to pass network metric data concerning at least one route between said first entity and said first destination to said first entity without subjecting said network metric data to said first decryption algorithm.
    Type: Grant
    Filed: January 19, 2009
    Date of Patent: October 3, 2017
    Assignee: CASSIDIAN LIMITED
    Inventor: Mark Bentall
  • Patent number: 9775120
    Abstract: Provided are a beacon service method, apparatus, and system for providing a plurality of services using one beacon device by allowing the beacon device to broadcast a plurality of beacon signals for providing the plurality of services to a certain user terminal. The beacon device includes a first communication module configured to broadcast a beacon signal, a storage module configured to store transmission information for a plurality of beacon signals, and a control module configured to use the transmission information for the plurality of beacon signals stored in the storage module to control the first communication module to alternately broadcast the plurality of beacon signals.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: September 26, 2017
    Assignee: SK Planet Co., Ltd.
    Inventor: SeungHoon Moon
  • Patent number: 9767023
    Abstract: A second computer transmits, to a first computer, confirmation data including identification information and a version number of copy data updated in a cache. Based on the confirmation data received from the second computer and information stored in the persistent storage device, the first computer extracts the identification information and the version number corresponding to the copy data to be written to the persistent storage device, from the confirmation data, and transmits response data including the extracted identification information and the version number to the second computer. Based on the response data received from the first computer and information stored in the cache, the second computer determines the copy data in the cache to be transmitted to the first computer so as to be written to the persistent storage device.
    Type: Grant
    Filed: May 19, 2014
    Date of Patent: September 19, 2017
    Assignee: NEC CORPORATION
    Inventor: Teruki Sukenari
  • Patent number: 9767840
    Abstract: The disclosed embodiments provide a system that drives a display from a computer system. During operation, the system writes graphical output to protected memory and drives the display from the protected memory. If the graphical output lacks protection, the system discontinues the driving of the display from the protected memory. In particular, upon detecting a lack of protection in the graphical output, the system continues to drive the display from the protected memory during a grace period associated with the lack of protection in the graphical output. The system then discontinues driving of the display from the protected memory if protection of the graphical output does not resume during the grace period.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: September 19, 2017
    Assignee: APPLE INC.
    Inventor: Ian C. Hendry
  • Patent number: 9760709
    Abstract: A method of authenticating a target device using a reader and a data store comprising: sending a selected challenge data value from the reader to the target device multiple times; receiving at the reader the respective response data value generated by the target device in response to each instance of the challenge data value sent by the reader; determining a representative response data value from the response data values received by the reader; comparing the representative response data value against the response data values in the respective challenge-response data set; and determining that the target device is authentic if the representative data value matches any one of the response data values from a respective challenge-response data set.
    Type: Grant
    Filed: November 13, 2013
    Date of Patent: September 12, 2017
    Assignee: The Queen's University of Belfast
    Inventors: Liang Lu, Jiang Wu, Maire O'Neill
  • Patent number: 9749333
    Abstract: A shared access user appliance having a client component; a server component; interactive user components providing functions to a first user; an interactive access management component allowing the first user to select second users, and select whether to grant or deny access to the user components for the second users; and a control component generating access control data and granting or denying access to the user components for the second users. The server component generates an appliance graphical user interface representing an interactive user environment including independently selectable graphical objects. Selecting each graphical object causes the server to modify the appliance graphical user interface to include the graphical user interface of the interactive user component. The server component receives requests from other users and sends a graphical user interface of the interactive user component for display only if the access data indicates the first user has allowed the second user access.
    Type: Grant
    Filed: May 5, 2015
    Date of Patent: August 29, 2017
    Assignee: Oliver Lloyd Pty Ltd
    Inventors: Alan Charles Lloyd, Susan Mary Oliver
  • Patent number: 9733852
    Abstract: A request to store a file to be protected is received. It is detected whether the file to be protected is a file to be synchronized. The encryption key is selected based on the detection of whether the file is a file to be synchronized. The file to be protected is encrypted using the selected encryption key.
    Type: Grant
    Filed: December 23, 2015
    Date of Patent: August 15, 2017
    Assignee: ThinAir Labs, Inc.
    Inventor: Anthony Gauda
  • Patent number: 9736128
    Abstract: Disclosed are systems and methods for delegating computations of resource-constrained mobile clients, in which multiple servers interact to construct an encrypted program representing a garbled circuit. Implementing the garbled circuit, garbled outputs are returned. Such implementations ensure privacy of each mobile client's data, even if an executing server has been colluded. The garbled circuit provides secure cloud computing for mobile systems by incorporating cryptographically secure pseudo random number generation that enables a mobile client to efficiently retrieve a result of a computation, as well as verify that an evaluator actually performed the computation. Cloud computation and communication complexity are analyzed to demonstrate the feasibility of the proposed system for mobile systems.
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: August 15, 2017
    Assignees: The Board of Regents, The University of Texas System, Center for Technology Licensing at Cornell University
    Inventors: Sriram Nandha Premnath, Zygmunt J. Haas
  • Patent number: 9734348
    Abstract: A method for automatically encrypting files is disclosed. In some cases, the method may be performed by computer hardware comprising one or more processors. The method can include detecting access to a first file, which may be stored in a primary storage system. Further, the method can include determining whether the access comprises a write access. In response to determining that the access comprises a write access, the method can include accessing file metadata associated with the first file and accessing a set of encryption rules. In addition, the method can include determining whether the file metadata satisfies the set of encryption rules. In response to determining that the file metadata satisfies the set of encryption rules, the method can include encrypting the first file to obtain a first encrypted file and modifying an extension of the first encrypted file to include an encryption extension.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: August 15, 2017
    Assignee: Commvault Systems, Inc.
    Inventors: Andrei Erofeev, Rahul S. Pawar
  • Patent number: 9730059
    Abstract: Apparatus and associated methods relate to securely transmitting, directly between two mobile devices, AES-256 encrypted file attachments which are decrypted within an application program (APP) using a decryption key that is available only to the APP. In an illustrative embodiment, the encrypted file may be attached to an e-mail. The e-mail may be transmitted directly to another mobile device via direct Wi-Fi, for example. The e-mail may be transmitted directly to another mobile device using Bluetooth, for example. An encrypted attachment may be deciphered only within the APP running on the receiving mobile device using a private key accessible to only the APP.
    Type: Grant
    Filed: May 4, 2016
    Date of Patent: August 8, 2017
    Assignee: SecureWiFi Technologies, LLC
    Inventor: Douglas Denny
  • Patent number: 9729312
    Abstract: A key value storage (KVS) system comprising: a client-side agent configured to encrypt data; three nodes hosted respectively in three cloud service providers, wherein each node comprises: a management node configured to receive encrypted data from the client-side agent, a homomorphic encryption (HE) key manager configured to fetch a public key of a given object in the KVS system, a homomorphic encryption and processing engine configured to execute commands over the encrypted data without decrypting it, a homomorphic memory store, a hypervisor configured to monitor performance of the management node in order to assess the quality of service of the management node; and wherein each node serves on a rotating basis in a master node role, a secondary node role, or a back-up node role, wherein the nodes rotate their roles when the master node's hypervisor detects a reduced quality of service of the master node's management node.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: August 8, 2017
    Assignee: The United States of America as represented by the Secretary of the Navy
    Inventor: Luis Angel D. Bathen
  • Patent number: 9729556
    Abstract: A tool for administering virtual recognition of a group of users is provided. The group of users may be specifically identified or dynamically generated based on criteria selected by an administrative entity submitting a request to administer virtual recognition. The tool may be configured for generating user and badge recommendations based at least in part on the group of users identified to receive the virtual recognition.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: August 8, 2017
    Assignee: salesforce.com, inc.
    Inventor: John Arlan Brock
  • Patent number: 9729902
    Abstract: A system includes a session and resource manager and a video pump. The session and resource manager negotiates encryption keys from a headend controller and provides the encryption keys to a video pump. The video pump uses the encryption keys from the session and resource manager to encrypt content. Thus, the video pump uses encryption keys to encrypt the content so that it is encrypted right from the video pump prior to transmission over the entire transport system. A generic modulation device may thus be used to modulate the encrypted content over the delivery network.
    Type: Grant
    Filed: January 6, 2011
    Date of Patent: August 8, 2017
    Assignee: Cox Communications, Inc.
    Inventors: Keith Alan Rothschild, Robert Lee Ames, Jr., Julius Bert Bagley
  • Patent number: 9720963
    Abstract: Managing confidence data in a question-answering environment is disclosed. Managing confidence data can include sorting, based on a set of answer categories for a subject matter, a first set of a plurality of answers into a first answer category. The first set can correspond to at least one of a third set of a plurality of confidence scores and the second set can correspond to at least one of a fourth set of the plurality of confidence scores. Managing confidence data can include classifying confidence scores of the third set into one of a plurality of confidence buckets using a first threshold and determining a fifth set of a plurality of thresholds using the plurality of confidence scores. Managing confidence data can include classifying unclassified confidence scores of the third set into one of the plurality of confidence buckets using the fifth set of the plurality of thresholds.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: August 1, 2017
    Assignee: International Business Machines Corporation
    Inventors: Kevin S. Barker, Roberto DeLima, Thomas J. Eggebraaten, Mark G. Megerian, Marie L. Setnes
  • Patent number: 9723009
    Abstract: A security solution provides secure communication in a multi-tenant environment which includes a connection-based fabric, storage cells holding data associated with different tenants, database servers which provide a plurality of database services using said data, application servers hosting database service consumers. The fabric is configured into partitions isolating the storage cells from the database service consumers. The application servers securely associate unique database service consumer identities with each database service consumer and all communications with the database servers. The database servers reject all communications from the application servers which do not include an identity and use an access control list to control access from the database service consumers to the database services using address resolution access control, connection establishment access control, and data exchange access control based on said access control list.
    Type: Grant
    Filed: September 8, 2015
    Date of Patent: August 1, 2017
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Vadim Makhervaks, Richard Mousseau, Bjørn Dag Johnsen, Sumanta Chatterjee, Avneesh Pant, Jean De Lavarene, Kant C. Patel, Bhaskar Mathur, Feroz Alam Khan, Sudeep Vatsanath Reguna
  • Patent number: 9723008
    Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.
    Type: Grant
    Filed: September 8, 2015
    Date of Patent: August 1, 2017
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Vadim Makhervaks, Richard Mousseau, Bjørn Dag Johnsen, Sumanta Chatterjee, Avneesh Pant, Jean De Lavarene, Kant C. Patel, Bhaskar Mathur, Feroz Alam Khan, Sudeep Vatsanath Reguna
  • Patent number: 9710659
    Abstract: A method of providing a restricted set of application programming interfaces includes decrypting, by a secure object information reader executing on a computing device, an encrypted data object using information associated with the encrypted data object to generate a decrypted data object, the information received from an access control management system. The method includes intercepting, by a kernel driver executing on the computing device, from a process executing on the computing device, a request to access the decrypted data object. The method includes identifying, by the kernel driver, using the information associated with the encrypted data object, a usage requirement restricting a set of operations available to the process in accessing the decrypted data object. The method includes providing, by the kernel driver, to the process, a restricted set of application programming interfaces with which to interact with the decrypted data object, as permitted by the restricted set of operations.
    Type: Grant
    Filed: August 25, 2015
    Date of Patent: July 18, 2017
    Assignee: Virtru Corporation
    Inventor: William R. Ackerly
  • Patent number: 9703954
    Abstract: The invention relates to a method for providing a computerized system which is protected from malicious programs coming from an external source, the method comprises the steps of (a) secretly, and in a manner unknown to authors of external programs, modifying one or more essential elements at the protected system in a manner which causes all running programs to fail, unless they are subjected to a compatible modification which enables them to run properly; and (b) modifying each program at the computerized system which is known to be benign in order to comply with said modification of one or more essential elements, thereby to enable it to be executed properly.
    Type: Grant
    Filed: January 15, 2014
    Date of Patent: July 11, 2017
    Assignee: MORPHISEC INFORMATION SECURITY 2014 LTD.
    Inventors: Mordehai Guri, Yuval Elovici, Gabi Kedma
  • Patent number: 9703943
    Abstract: Architecture for providing pre-authenticated information from an endpoint for subsequently authenticating a device and/or user associated with the previously-authenticated information. A pre-authentication module of the architecture can be a trust component as part of an application that facilitates the utilization of user information and/or endpoint information in a media session protocol message to replace information that would otherwise be gathered via a dialog. In the context of IP-based voice communications, a call can be made from a client that is pre-authenticable, and no longer requires that an IP-based telephone interact with the phone user to facilitate sign-on.
    Type: Grant
    Filed: November 9, 2013
    Date of Patent: July 11, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tal Saraf, Gurdeep Singh Pall, Anand Ramakrishna
  • Patent number: 9686249
    Abstract: For multi-node encryption, a method communicates communication data from a first upstream node to a first downstream node in response to the first upstream node initiating secure communication with the first downstream node. The method further generates a downstream node nonce from communication data exchanged with the first downstream node. The method generates a first downstream message transformation as a function of the downstream node nonce. The method receives a request encrypted with the first downstream message transformation through the first downstream node. The method communicates the upstream message transformation encrypted with the first downstream message transformation through the first downstream node to the destination node in response to the request. In addition, the method generates a tunnel transformation at the destination node as a function of one or more upstream message transformations and the first downstream message transformation.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: June 20, 2017
    Assignee: Utah State University
    Inventors: Robert F. Houghton, Jeffrey J. Johnson
  • Patent number: 9679117
    Abstract: A system and method for obtaining an authorization key to use a product utilizes a secured product identification code, which includes a serial number and at least one code that is generated based on a cryptographic algorithm.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: June 13, 2017
    Assignee: NXP B.V.
    Inventors: Ralf Malzahn, Hauke Meyn
  • Patent number: 9667688
    Abstract: The invention relates to a method and system for watermarking in a content providing system having multiple parties. A first party system selects a first party watermark by selecting a watermarked copy of at least one first content element of the content elements. A second party system selects a second party watermark by selecting a watermarked copy of at least one second content element, different from the at least one first content element, of the content elements. Watermarked content is delivered to an end user device, the watermarked content containing the watermarked copy for the first content element selected by the first party system and the watermarked copy for the second content element selected by the second party system such that the watermarked content contains the first party watermark and the second party watermark.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: May 30, 2017
    Assignee: Irdeto BV
    Inventors: Andrew Augustine Wajs, Dmitri Jarnikov
  • Patent number: 9668132
    Abstract: According to an embodiment, a communication control device includes an acquisition unit, first and second authentication units, an output unit, and a connection permission unit. The acquisition unit acquires first authentication information for authenticating a communication device during initialization, via a first communication unit, from a terminal device that acquires and decodes encoded first authentication information. During initialization, the first authentication unit executes a connection authentication of the communication device via a second communication unit, based on the first authentication information. When the authentication is successful, the output unit encrypts second authentication information different from the first authentication information, and outputs the encrypted second authentication information to the communication device.
    Type: Grant
    Filed: March 12, 2015
    Date of Patent: May 30, 2017
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshihiro Oba, Ren Sakata, Hiroki Kudo
  • Patent number: 9660804
    Abstract: Methods and apparatus are provided for securing device-to-device communications. A method can comprise: at an access network apparatus, obtaining from a core network apparatus and storing a first key shared between a first user equipment and the core network apparatus for device-to-device communications of the first user equipment; receiving from a second user equipment, a request for generating a second key for a device-to-device communication between the first user equipment and the second user equipment; in response to the request, generating the second key based on the first key and security parameters; and sending the second key to the second user equipment.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: May 23, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Yang Liu, Da Jiang Zhang
  • Patent number: 9659020
    Abstract: Data can be serialized in such a manner as to facilitate later delta encoding, even when the serialization is performed using a lossy compression algorithm or an algorithm in which portions of the serialized data are encoded relative to other portions which may be modified. This can be achieved by approaches including preserving keyframe information across modified versions of a file, duplicating information from a previously created compressed file when serializing a later version, or adding change information showing differences between versions of a file during the serialization process.
    Type: Grant
    Filed: October 23, 2013
    Date of Patent: May 23, 2017
    Assignee: Autodesk, Inc.
    Inventors: Christopher S. McLennan, Joseph T. Kramer, James P. Taylor, Mike Venerable
  • Patent number: 9654585
    Abstract: Improved methods and systems for granular opportunistic locking mechanisms (oplocks) are provided for increasing file caching efficiency. Oplocks can be specified with a combination of three possible granular caching intentions: read, write, and/or handle. An oplock can be specified with an identifier that indicates a client/specific caller to avoid breaking the original oplock due to an incompatibility from other requests of the same client. An atomic oplock flag is added to create operations that allow callers to request an atomic open with an oplock with a given file.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: May 16, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Senthil Rajaram, Neal R. Christiansen, Christian G. Allred, David M. Kruse, Mathew George, Nandagopal Kirubanandan, Sarosh C. Havewala
  • Patent number: 9654486
    Abstract: Disclosed are systems and methods for generating a set of antivirus records to be used for detection of malicious files on a user's devices. An exemplary method includes maintaining, by a server, a database of malicious files; generating, by the server, at least one antivirus record for each malicious file; calculating an effectiveness of each antivirus record by determining how many different malicious files were detected using each antivirus record; generating a set of most effective antivirus records; and transmitting, by the server, the set of most effective antivirus records to a client device.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: May 16, 2017
    Assignee: AO Kaspersky Lab
    Inventor: Sergey V. Prokudin
  • Patent number: 9646166
    Abstract: A method for encrypting a database includes the following steps. Keywords in the database are encrypted to obtain encrypted search tags for the keywords. A table of reverse indices is generated for the encrypted search tags. A table of cross keyword indices is generated. A method for searching in an encrypted database includes the following steps. A search is formulated as a conjunct of two or more atomic search queries. One of the conjuncts is selected as a primary atomic search query. Search capabilities are generated for a secondary atomic search query using the primary atomic search query and the secondary atomic search query. Such methods mask query data and the actual composition of the database to reduce computation complexity and privacy leakage.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: May 9, 2017
    Assignee: International Business Machines Corporation
    Inventors: Charles D. Cash, Stanislaw Jarecki, Charanjit S. Jutla, Hugo M. Krawczyk, Marcel C. Rosu, Michael Steiner
  • Patent number: 9641676
    Abstract: The redaction process/system operates on a temporarily captured/saved audio file during an agent-customer-call center (CC) call. Voice-based audio data is captured and processed by monitoring data input from the CC-agent into a defined data field (a field in a CC-agent-presented form). The redact process generates a start-record time based upon initial data input into the field and further generates an end-of-recording (“EOR”) time for the field. The audio file is filtered and segments are permanently saved as audio data (A-data) bounded by the start-record and EOR times. Thereafter, all stored audio data is deleted (preferably crypto-shredded) except the saved A-data to substantially eliminate retrieval of initially stored audio data. An IVR process can be used to trigger record ON/OFF instructions. Audio file segments can be trimmed with precursive and successive time periods to move the start and end times of the audio segments. The system operator sets time-trim periods.
    Type: Grant
    Filed: August 17, 2016
    Date of Patent: May 2, 2017
    Assignee: Authority Software LLC
    Inventors: Louis Mandic, Natalie Perez
  • Patent number: 9628444
    Abstract: Systems and methods provide for scaling and management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and after establishing the network tunnel, starting a separate firewall service with a separate set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: April 18, 2017
    Assignee: CRYPTZONE NORTH AMERICA, INC.
    Inventors: Kurt Glazemakers, Per Johan Allansson, Thomas Bruno Emmanuel Cellerier, Kosmas Valianos, Tom Viljo Weber
  • Patent number: 9621526
    Abstract: A method of sharing secure content in a group may include receiving a one-time pad (OTP) key. The method may include encrypting content using the OTP key. The encrypting may include generating intermediate codes from the content and the OTP key. The encrypting may also include adding a first common constant to each of the intermediate codes to generate a corresponding encrypted code that includes a predetermined number of digits. The method may include sending encrypted content that includes encrypted codes corresponding to the intermediate codes.
    Type: Grant
    Filed: April 10, 2015
    Date of Patent: April 11, 2017
    Assignee: OTP TECHNOLOGIES, INC.
    Inventor: John Carter Abrahamson
  • Patent number: 9621527
    Abstract: The invention is a method for loading data into a portable secure token comprising a plurality of security domains. A first security domain comprises a first administration agent and a second security domain comprises a second administration agent. A remote application server comprises a first data to be provided to the second administration agent. A syndication server, which is distinct from the remote application server, contains a list which comprises a reference to the first data. The list is sent in response to a polling request that is sent by the first administration agent. This list is comprised in a polling response which is sent by the syndication server.
    Type: Grant
    Filed: October 28, 2011
    Date of Patent: April 11, 2017
    Assignee: GEMALTO SA
    Inventors: Patrice Amiel, Xavier Berard, Eric Preulier, Frederic Gallas
  • Patent number: 9621573
    Abstract: Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.
    Type: Grant
    Filed: April 21, 2016
    Date of Patent: April 11, 2017
    Assignee: AT&T INTELLECTUAL PROPERTY II, LP.
    Inventors: Edward Amoroso, Albert Greenberg, Balachander Krishnamurthy
  • Patent number: 9615249
    Abstract: A method in a User Equipment (UE) of an Evolved Packet System (EPS) establishes a security key (K_eNB) for protecting Radio Resource Control/User Plane (RRC/UP) traffic exchanged with a serving eNodeB. The method comprises sending a Non-Access Stratum (NAS) Service Request to a Mobility Management Entity (MME), the request indicating a NAS uplink sequence number (NAS_U_SEQ). The method further comprises receiving an indication of the NAS_U_SEQ of the NAS Service Request sent to the MME, back from the MME via the eNodeB. The method further comprises deriving the K_eNB from at least the received indication of the NAS_U_SEQ and from a stored Access Security Management Entity-key (K_ASME) shared with said MME.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: April 4, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Rolf Blom, Gunnar Mildh, Karl Norrman
  • Patent number: 9614852
    Abstract: A mechanism is provided for sensor sharing control dynamically. One or more sensor use permissions are received from one or more sensor provider terminals. For each sensor use permission, a sensor use permission is recorded in an authorization policy thereby forming a set of authorization policies. A use request is recorded for sensor use request information received from a sensor user terminal in a request policy. A search is performed for any authorization policy in the set of authorization policies that matches the request policy. Responsive to identifying the authorization policy that matches the request policy, a list of sensors included in the sensor use permissions of an authorization policy that matches the request policy is created. The list of sensors is transmitted to the sensor user terminal, where the search is performed again dynamically when the request policy or one of the set of authorization policies is changed.
    Type: Grant
    Filed: July 19, 2013
    Date of Patent: April 4, 2017
    Assignee: International Business Machines Corporation
    Inventors: Hayato Kiriyama, Tomohiro Shioya, Tadashi Tsumura
  • Patent number: 9602277
    Abstract: A convenient, easy to use ubiquitous secure communications capability can automatically encrypt and decrypt messages without requiring any special intermediating security component such as gateways, proxy servers or the like. Trusted/secure applications for the mobile workforce can significantly improve productivity and effectiveness while enhancing personal and organizational security and safety.
    Type: Grant
    Filed: November 5, 2010
    Date of Patent: March 21, 2017
    Assignee: PROTECTED MOBILTY, LLC
    Inventors: William J. Marlow, Robert Cichielo, Emil Sturniolo, Paul Benware
  • Patent number: 9602280
    Abstract: System and method embodiments are provided for content encryption in a key/value store. The embodiments include encrypting both the key and value of client data blocks for storage so that the data can be retrieved reliably without compromising the key. An embodiment method includes obtaining a key from a data block comprising the key and a value, encrypting the key using a deterministic encryption algorithm with an encryption key to map the key to a cypher text in a one-to-one mapping, and encrypting the value using a second encryption algorithm to randomly map the value to a second cypher text. Encrypting both the key and the value provides more protection to the client data instead of encrypting only the value and leaving the key vulnerable without encryption. The encrypted key can also be protected from unauthorized access and from the owner of the database or the storage system.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: March 21, 2017
    Assignee: Futurewei Technologies, Inc.
    Inventors: Anthony Scarpino, James Hughes
  • Patent number: 9591024
    Abstract: A data selection method for reducing the decoding computational complexity of a vehicle-to-X communication system. The communication unit is used to transmit and receive vehicle-to-X messages, wherein the vehicle-to-X messages each include at least one useful data portion and at least one header data portion, wherein the at least one header data portion in each case is transmitted in uncoded form, and wherein the at least one useful data portion in each case is transmitted in coded form. The received vehicle-to-X messages are weighted into at least two categories on the basis of the at least one header data portion in each case, wherein the at least one useful data portion in each case is decoded on the basis of the weighting.
    Type: Grant
    Filed: July 4, 2012
    Date of Patent: March 7, 2017
    Assignee: CONTINENTAL TEVES AG & CO. OHG
    Inventors: Ulrich Stählin, Richard Scherping