Data Authentication Patents (Class 713/161)
  • Patent number: 9917699
    Abstract: A physical unclonable function (PUF) imaged through two faces is disclosed. The PUF is difficult to counterfeit because the view through both faces must be duplicated for a successful counterfeit. PUF may be incorporated into a user-replaceable supply item for an imaging device. A PUF reader may be incorporated into an imaging device to read the PUF. Other systems and methods are disclosed.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: March 13, 2018
    Assignee: Lexmark International, Inc.
    Inventors: James Ronald Booth, Roger Steven Cannon, Gary Allen Denton, James Paul Drummond, Kelly Ann Killeen
  • Patent number: 9916438
    Abstract: A system for detecting user credentials comprising an interface and a processor. The interface is configured to receive a plurality of data chunks. The processor is configured to determine a number of continuous bytes in the plurality of data chunks having appropriate values and, in the event that the number of the continuous bytes is greater than or equal to a threshold number of bytes, determine whether continuous byte data of the continuous bytes comprises a credential.
    Type: Grant
    Filed: February 28, 2017
    Date of Patent: March 13, 2018
    Assignee: GitHub, Inc.
    Inventor: Vicent Marti
  • Patent number: 9917858
    Abstract: Systems and methods of managing the security of a networked environment based on activity associated with deployed pseudo-accounts are presented. In one embodiment, a plurality of pseudo-accounts are deployed in one or more networks, domains, or virtual machines and activity associated with the pseudo-accounts is collected to identify security risks to facilitate remediation and mitigation.
    Type: Grant
    Filed: April 1, 2015
    Date of Patent: March 13, 2018
    Assignee: Rapid7, Inc.
    Inventors: Matthew Robert Hathaway, Samuel Adams, Jonathan Kelly
  • Patent number: 9876879
    Abstract: Disclosed are various embodiments for distributed generation of network pages from portions of network pages. A first request for a network page is obtained. A second request for a network page portion is sent to a server application. The second request includes a protocol header that specifies a base uniform resource locator (URL). The network page portion is obtained from the server application. The network page portion is based at least in part on the base URL. The network page is generated from the network page portion and other data.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: January 23, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: William Haywood Warner, Jeremy Boynes, Shaun M. Vickers, Wisam Z. Yasen
  • Patent number: 9870116
    Abstract: A method for controlling actions for browser extensions includes registering, at a browser process module, a list of one or more rules from a browser extension, where the rules define one or more conditions and one or more corresponding actions to take when the conditions are satisfied. A renderer process module that is in communication with the browser process module applies the conditions to content of web pages rendered in the browser application. The renderer process module determines whether any of the conditions are satisfied by the content of the web pages rendered in the browser application using the renderer process module. The browser process module or the renderer process module performs the actions defined in the rules in response to at least one of the conditions defined in the rules being satisfied.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: January 16, 2018
    Assignee: GOOGLE LLC
    Inventor: Jeffrey Yasskin
  • Patent number: 9832123
    Abstract: One embodiment provides a system that facilitates efficient and secure transportation of content. An intermediate node receives a packet that corresponds to a fragment of a content object message that is fragmented into a plurality of fragments. One or more fragments of the plurality of fragments indicate a unique name that is a hierarchically structured variable-length identifier that comprises contiguous name components ordered from a most general level to a most specific level. The received fragment indicates an intermediate state which is based on a hash function performed on an intermediate state from a previous fragment and data included in the received fragment. In response to determining that the received fragment is a first fragment, the system identifies a first entry in a pending interest table for an interest with a name that is based on a hash of a content object and that corresponds to the first fragment.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: November 28, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Marc E. Mosko, Christopher A. Wood
  • Patent number: 9805201
    Abstract: Systems and techniques are provided for trust agents. Trust agents may be enabled. A state determination may be received from each of the enabled trust agents. The state determination may indicate either a trusted state or an untrusted state. The received state determinations may be combined to determine a security state. A security measure may be enabled or disabled based on the determined security state.
    Type: Grant
    Filed: June 23, 2014
    Date of Patent: October 31, 2017
    Assignee: Google Inc.
    Inventors: James Brooks Miller, Michael Andrew Cleron
  • Patent number: 9804745
    Abstract: Stacked tab views are described. A computing device can display multiple content panes in a web browser window. Each content pane can correspond to a different web site. The content panes can be arranged in a visual stack, where content panes are positioned one in front of another in a three-dimensional view. In the three-dimensional view, a distance between content panes can appear to separate the content panes. Each content pane can display a snapshot image of content of a web site. The content panes can be used in place of tabs for navigating between web pages.
    Type: Grant
    Filed: March 5, 2014
    Date of Patent: October 31, 2017
    Assignee: Apple Inc.
    Inventors: Chanaka G. Karunamuni, Ian M. Henderson, Paul Russell Knight, Anthony D'Auria
  • Patent number: 9785772
    Abstract: Features are disclosed for facilitating remote management of browser add-ons on multiple user computing devices from a centralized add-on management system. A browser application on the user computing devices may include an integrated application programming interface that can be remotely accessed by the add-on management system. In some embodiments, a management add-on or some other object that is separate from or otherwise not integrated with the browsing application may be used to facilitate the remote management of add-ons. Management of add-ons may include permitting and/or blocking installation and/or execution of particular add-ons on a case-by-case basis. The determination may be based on user permissions, add-on characteristics, observed execution of add-ons, and the like.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: October 10, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Jesper Mikael Johansson, Leon Robert Warman
  • Patent number: 9787677
    Abstract: A method and apparatus for authenticating packets in a controller area network (CAN) are disclosed. The method includes transmitting messages using a mixture of message authentication codes (MACs) in a controller area network (CAN). In addition, a first MAC is generated using a first message and the first MAC is divided into a first MAC part and a second MAC part. A second MAC is generated using a second message and the second MAC is divided into a third MAC part and a fourth MAC part. A linear operation is performed between the second MAC part and the third MAC part to generate a first authentication MAC. The first message is transmitted with the first MAC part and the second message is transmitted with the first authentication MAC.
    Type: Grant
    Filed: February 26, 2015
    Date of Patent: October 10, 2017
    Assignees: Hyundai Motor Company, Kia Motors Corporation, SNU R&DB Foundation, Industry-Academic Cooperation Foundation, Chosun University
    Inventors: Ho Jin Jung, Chung Hi Lee, Ho Yoo, Byoung Wook Lee, Hyun Soo Ahn, Ho Youn Kim, Young Sik Moon, Jun Young Woo, Young Sik Kim, Kang Seok Lee, Jong Seon No
  • Patent number: 9768613
    Abstract: In one embodiment, a layered/distributed grid-specific network services system comprises grid sensors in the utility grid configured to generate grid data values such as raw grid data values, processed grid data values, and/or any combination thereof, and to communicate the grid data values using a communication network. Distributed grid devices in the utility grid may be configured to receive the grid data values, and one or more of the grid devices may be configured to convert raw grid data values into processed grid data values. Application devices in the utility grid may be configured to access the grid data values from the distributed grid devices, and to further process the grid data values according to a particular grid application operating at the corresponding application device into application data values.
    Type: Grant
    Filed: May 30, 2012
    Date of Patent: September 19, 2017
    Assignee: Cisco Technology, Inc.
    Inventor: Jeffrey D. Taft
  • Patent number: 9769131
    Abstract: An example method includes receiving an indication of a selection of a first application environment that includes a first virtual environment associated with a first security domain and is configured to isolate execution of software applications within the first application environment, suspending execution of a second application environment that includes a second virtual environment associated with a second security domain different from the first security domain, initiating execution of the first application environment, identifying information associated with the first security domain and provided by the first application environment that is to be sent to an external computing device associated with the first security domain, selecting communication network(s) from one or more communication networks that are each available to the mobile computing device for data communication, encrypting, based on the first security domain and network(s), the information, and sending, to the external computing device via
    Type: Grant
    Filed: August 2, 2016
    Date of Patent: September 19, 2017
    Assignee: Architecture Technology Corporation
    Inventors: Timothy Hartley, Ranga Ramanujan, Jafar Al-Gharaibeh
  • Patent number: 9762601
    Abstract: An anomaly detection system is provided in connection with a transport service. The anomaly detection system can construct routine route profiles for individual users of the transport service using historical route data. The anomaly detection system can monitor a current route traveled by a user. The anomaly detection system can further identify a matching routine route profile of the respective user. The anomaly detection system can utilize the matching routine route profile to identify a probable anomaly in the current route. In response to detecting the probable anomaly, the anomaly detection system can enable a safety protocol to perform a number of actions.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: September 12, 2017
    Assignee: Uber Technologies, Inc.
    Inventors: Michael Truong, David Purdy, Rami Mawas
  • Patent number: 9740840
    Abstract: Techniques are generally described for user authentication. Example techniques may include providing a data set including audio data and image data, wherein the audio data includes voice recordings of multiple people, wherein the image data includes at least a facial image of at least one of the multiple people, receiving a response to the data set from a user device, and determining whether the received response corresponds to at least a part of content of the voice recording of the one of the multiple people whose facial image is included in the image data.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: August 22, 2017
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventors: Tsutomu Miyasato, Noriaki Kuwahara, Rieko Kadobayashi, Masataka Ohira, Noriaki Mitsunaga
  • Patent number: 9723074
    Abstract: The backup-in-the-middle primary-backup configuration is created by placing a backup-in-the-middle forwarder in the routing path between the primary and the environment. The backup-in-the-middle forwarder intercepts output messages along with required state information sent by the primary to the environment. The backup-in-the-middle forwarder backs up the primary by updating its state information and forwards the output packets to the environment.
    Type: Grant
    Filed: November 15, 2011
    Date of Patent: August 1, 2017
    Assignee: Alcatel Lucent
    Inventors: Kedar Namjoshi, Pramod Koppol, Athanasios Stathopoulos, Gordon T. Wilfong
  • Patent number: 9720641
    Abstract: A music distribution server according to an embodiment provides a service in which users can easily enjoy digital contents. The server may include an information storage unit storing various tables and data bases, a playback transmission unit transmitting, in response to playback requests, music data to a terminal device in a streaming method, and a purchase transmission unit transmitting, in response to a purchase request, the music data to the terminal device in a downloading method, a ticket possession status update unit updating a possession status of virtual tickets used for playback of the music data possessed by users, a ticket providing unit providing the virtual tickets to users, a comment management unit managing users' comments on music pieces, a recommendation management unit managing recommendation of music pieces by one user to other users, and a ticket offer management unit offering the virtual tickets from one user to other users.
    Type: Grant
    Filed: September 13, 2013
    Date of Patent: August 1, 2017
    Inventors: Takayasu Satake, Wataru Kawasaki, Mamoru Yamashiki
  • Patent number: 9715591
    Abstract: Methods and apparatus for validating a system include reading protected record data for a section of the system from a secure storage element, and verifying integrity of the section of the system using the record data. The secure storage element independently verifies that all record data and data to be written to the system is valid.
    Type: Grant
    Filed: July 30, 2012
    Date of Patent: July 25, 2017
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Marvin D Nelson
  • Patent number: 9716694
    Abstract: An encryption method for packaging, encrypting, and transmitting a plurality of contents included in a web application to a communication device, the encryption method includes: acquiring performance information relating to performance of the communication device; determining, by circuitry, an encryption algorithm to be applied to each of the plurality of contents, based on the performance information; performing first encryption processing on the plurality of contents using the encryption algorithm respectively; performing second encryption processing on identification information that identifies the encryption algorithm used for the plurality of contents respectively; packaging encrypted contents and encrypted identification information, the encrypted identification information being stored in a location specified by the communication device; and transmitting the encrypted contents and the encrypted identification information, which are packaged, to the communication device.
    Type: Grant
    Filed: July 6, 2015
    Date of Patent: July 25, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Koichi Yasaki, Hidenobu Ito, Takuya Sakamoto, Yosuke Nakamura, Kazuaki Nimura
  • Patent number: 9710658
    Abstract: Described herein is a computing platform incorporating a trusted entity, which is controllable to perform cryptographic operations using selected ones of a plurality of cryptographic algorithms and associated parameters, the entity being programmed to record mode of operation information, which is characterized by the algorithms and associated parameters that are selected to perform an operation.
    Type: Grant
    Filed: March 6, 2015
    Date of Patent: July 18, 2017
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Valiuddin Y. Ali, Graeme John Proudler
  • Patent number: 9699203
    Abstract: Systems and methods for account security are provided. In one example embodiment, a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request. A login history comprising login request data for the server computer is analyzed to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. In response to determining a login success ratio is below a threshold login success ratio and a number of unique usernames in the analyzed data is above the unique username threshold, the system automatically performs a security action.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: July 4, 2017
    Assignee: Snap Inc.
    Inventor: Jinlin Yang
  • Patent number: 9692787
    Abstract: A system includes a processor configured to execute a web browser in a first browser execution process initiated by an operating system of the system. The system includes a browser extension installed in the web browser, the browser extension including a markup language file and a file specifying at least one type of action related to a page element on which the browser extension seeks to act. The web browser may be configured to receive a set of rules from a web publisher associated with a first web page prior to rendering the first web page, determine based on the file, without loading the browser extension, that the browser extension is configured to implement a first action prohibited by the set of rules, and restrict the browser extension from implementing the first action on the first web page.
    Type: Grant
    Filed: January 16, 2014
    Date of Patent: June 27, 2017
    Assignee: Google Inc.
    Inventors: Craig Warner, Luke Stone, Timothy Wong O'Connor, Elysa Fenenbock, Ronit Kassis
  • Patent number: 9686303
    Abstract: A Web page vulnerability detection method and apparatus are described, where the method can receive a vulnerability detection task for performing vulnerability detection on a to-be-detected target Web page and acquire a configuration file corresponding to the vulnerability according to the vulnerability detection task. The vulnerability detection task is at least used to indicate a vulnerability that needs to be detected, and the configuration file includes a matching condition used to match the to-be-detected target Web page in to-be-detected Web pages and indication information of a test sample used to perform vulnerability detection on the to-be-detected target Web page. The method also detects whether the vulnerability indicated by the configuration file exists on the to-be-detected target Web page by using the configuration file.
    Type: Grant
    Filed: June 10, 2015
    Date of Patent: June 20, 2017
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventor: Jiacai Weng
  • Patent number: 9686243
    Abstract: A method and apparatus for encrypted universal resource identifier (URI) based messaging is described. In one embodiment of the method, a server computing system receives an encrypted message from a first client computing system over a network, decrypts the encrypted message, stores the decrypted message in a message data store, and generates a shortened uniform resource locator (URL) for subsequent retrieval of the stored message. The server computing system sends the shortened URL to the first client computing system. Subsequently, the server computing system receives from a requesting computing system, a request, including the shortened URL, to retrieve the stored message, encrypts the stored message in a uniform resource identifier (URI) with an encryption type URI, and sends the encrypted URI to the requesting computing system.
    Type: Grant
    Filed: September 26, 2013
    Date of Patent: June 20, 2017
    Assignee: Symantec Corporation
    Inventors: Vincent E. Moscaritolo, Damon Cokenias
  • Patent number: 9680951
    Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, an identification of a second server is performed. A response that includes a redirection instruction to a second location is transmitted. The response includes a first number of redirects to be completed prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, the remote server determines whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.
    Type: Grant
    Filed: September 6, 2016
    Date of Patent: June 13, 2017
    Assignee: CLOUDFLARE, INC.
    Inventor: John Graham-Cumming
  • Patent number: 9654413
    Abstract: Disclosed are a method, device, and system for implementing network access, and a network system. The method comprises: in the case that a terminal requests to access a webpage, a server determining content of the webpage that the terminal requests to access; and the server searching for a webpage, used as a reference webpage, with relevant content matching the content of the webpage, and providing information of the found reference webpage for the terminal. The present invention can enable a user terminal to obtain multiple associated access results by performing webpage access once.
    Type: Grant
    Filed: March 19, 2013
    Date of Patent: May 16, 2017
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Gang Zhao, Bo Lu, Yuanjiang Zhou
  • Patent number: 9633187
    Abstract: A content access request from a first computing device for a digital content can be received. The content associated with request can be a digital content associated with a second computing device. A facial biometric identification challenge can be conveyed to the first computing device. The conveying can trigger the capture of a digital self-portrait photograph of a portion of a face of a user associated with the first computing device. A facial biometric of the face of a user within the digital self-portrait photograph can be compared to facial features of human faces within historic digital media associated with a different user. When the facial biometric matches a facial biometric within historic digital media, the digital content associated with the content access request can be conveyed to the first computing device.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: April 25, 2017
    Inventor: Dmitry Kozko
  • Patent number: 9619670
    Abstract: A system for detecting user credentials comprising a data chunker, a data chunk storage, a bytewise checker, a bit counter, and a credential checker. The data chunker is for determining a data chunk. The data chunk storage is for storing the data chunk. The bytewise checker is for checking that each byte of the data chunk comprises an appropriate value. The bit counter is for: determining a continuous number of bytes greater than or equal to the threshold byte value; and in the event the continuous number of bytes is greater than or equal to a threshold number of bytes, determining a credential address range corresponding to the continuous number of bytes. The credential checker is for determining whether data stored in the data chunk storage corresponding to the credential address range comprises a credential.
    Type: Grant
    Filed: January 9, 2015
    Date of Patent: April 11, 2017
    Assignee: GitHub, Inc.
    Inventor: Vicent Marti
  • Patent number: 9600644
    Abstract: The invention provides a computer-implemented method of analyzing symbols in a computer system, the symbols conforming to a specification for the symbols, in which the specification has been codified into a set of computer-readable rules; and, the symbols analyzed using the computer-readable rules to obtain patterns of the symbols by determining the path that is taken by the symbols through the rules that successfully terminates, and grouping the symbols according to said paths, the method comprising: upon receipt of a message at a computer, performing a lexical analysis of the message; and, in dependence on lexical analysis of the message assigning the message to one of the groups identified according to said paths. The invention also provides a computer programmed to perform the method and a computer program comprising program instructions for causing a computer to perform the method.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: March 21, 2017
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Stephen Anthony Moyle, Graham Kenneth Thwaites
  • Patent number: 9596266
    Abstract: The real-time cyber threat indicator verification mechanism technology (hereinafter “TIVM”) instantiates one or more virtual client emulators to access a source of a threat, in response to a received threat indicator, so as to evaluate validity and/or severity of the potential threat. In one embodiment, the TIVM may receive a cyber threat indicator having identifying information of a cyber threat source; instantiate, in response to the cyber threat indicator, a virtual client emulator; send a control message to cause the virtual client emulator to interact with the cyber threat source based on the identifying information; obtain a confidence indicator relating to the cyber threat indicator based on interaction between the virtual client emulator and the cyber threat source; and generate a cyber threat indicator confirmation report including the confidence indicator.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: March 14, 2017
    Assignee: Lookingglass Cyber Solutions, Inc.
    Inventors: Christopher D. Coleman, Allan Thomson, Jason A Lewis
  • Patent number: 9596468
    Abstract: A system and a method transmit data in a first codec from a first terminal to a second terminal. The first terminal establishes a connection with the second terminal and/or transmits, transfers and/or sends the data to the second terminal via the connection between the first terminal and the second terminal. The connection between the first terminal and the second terminal has a first channel and/or a second channel to transmit the data from the first terminal to the second terminal. The first terminal transmits the data in a first codec to the second terminal via the first channel and/or the second channel of the connection without receiving capabilities of and/or intentions from the second terminal. The second terminal may be incapable of receiving, of processing, of accepting and/or of displaying the data in the first codec. The capabilities of and/or the intentions from the second terminal are transmitted to the first terminal via the connection.
    Type: Grant
    Filed: July 1, 2014
    Date of Patent: March 14, 2017
    Assignee: III HOLDINGS 2, LLC
    Inventors: Ralph Neff, Ajay Rajagopal Iyer, Russell Hayashida, Osama Al-Shaykh
  • Patent number: 9582652
    Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: February 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hasan Alkhatib, Geoffrey Outhred, Deepak Bansal, Anatoliy Panasyuk, Dharshan Rangegowda
  • Patent number: 9584530
    Abstract: A variety of techniques for performing identity verification are disclosed. As one example, a verification request is received from a remote user. The verification request pertains to a cryptographic key. In response to receiving a confirmation from a local user of the local device, a verification process is initiated. A result of the verification process is transmitted to the remote user. As a second example, a verification request can be received at the local device, from a local user of the device. A verification process with respect to the local user is initiated, and a result of the verification process is transmitted to a remote user that is different from the local user.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: February 28, 2017
    Assignee: Wickr Inc.
    Inventors: Robert Statica, Christopher A. Howell, Kara Lynn Coppa
  • Patent number: 9563489
    Abstract: Systems and methods embedding a guest module within an embedder module are disclosed. According to some aspects, an embedder module is executed at a computer. A request to access a guest module is received via the embedder module. The request comprises a tag in a programming language. The tag identifies the guest module. An event is provided, using information associated with the tag, to an executing instance of the guest module responsive to the request to access the guest module. Processing of the event at the executing instance of the guest module is signaled.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: February 7, 2017
    Assignee: Google Inc.
    Inventor: Fady Samuel
  • Patent number: 9552039
    Abstract: Methods and apparatus relating to constrained boot techniques in multi-core platforms are described. In one embodiment, a processor may include logic that controls which specific core(s) are to be powered up/down and/or which power state these core(s) need to enter based, at least in part, on input from OS and/or software application(s). Other embodiments are also claimed and disclosed.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: January 24, 2017
    Assignee: Intel Corporation
    Inventors: Rajeev Muralidhar, Harinarayanan Seshadri, Vishwesh M. Rudramuni
  • Patent number: 9547771
    Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.
    Type: Grant
    Filed: February 12, 2013
    Date of Patent: January 17, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 9525999
    Abstract: A method for securely transferring a service from a first mobile device to a second mobile device, the service being associated with a server configured for facilitating provisioning of services to mobile devices over a wireless communications network. The method includes generating in the first mobile device a shared key, the shared key being generated using a master key unique to the server and to the first mobile device, the master key being accessible by the server and by the first mobile device; and sending said shared key from the first mobile device to the second mobile device using an alternate communication mechanism independent from the server.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: December 20, 2016
    Assignee: BlackBerry Limited
    Inventors: James Andrew Godfrey, Herbert Anthony Little, Christopher Lyle Bender, Connor Patrick O'Rourke
  • Patent number: 9521198
    Abstract: A distributed storage system that dispatches an input/output request is described. In an exemplary embodiment, a storage controller client receives the input/output request, wherein the distributed storage system includes the storage controller client, a plurality of storage controller servers, a plurality of virtual nodes distributed among a plurality of physical nodes, and each of the plurality of physical nodes is hosted on one of the plurality of storage controller servers. The storage controller client further computes a target virtual node for the input/output request, where the target virtual node is one of the plurality of virtual nodes. Using the computed target virtual node, the storage controller client determines a target physical node that corresponds to the target virtual node, where the target physical node is one of the plurality of physical nodes.
    Type: Grant
    Filed: December 19, 2013
    Date of Patent: December 13, 2016
    Assignee: Springpath, Inc.
    Inventors: Sandip Agarwala, Abhishek Chaturvedi, Shravan Gaonkar, Mallikarjunan Mahalingam, Sazzala Reddy, Smit Shah, Faraz Shaikh, Praveen Vegulla, Krishna Yadappanavar, Jeffrey A. Zabarsky
  • Patent number: 9509661
    Abstract: The present disclosure discloses a method and system for displaying an HTTPS block page without SSL inspection. Specifically, a network device snoops a first message transmitted between a client device and a network resource. The first message is transmitted as part of a SSL Handshake between the client device and the network resource to establish a SSL session. Moreover, the network device determines whether the client device is authorized to access the network resource. If not, the network device blocks the establishment of a SSL session between the client device and the network resource, and spoofs the network resource for establishing the SSL session between the client device and the network device instead of establishment of the SSL session between the client device and the network resource. Otherwise, the network device refrains from blocking the establishment of the SSL session between the client device and the network resource.
    Type: Grant
    Filed: October 29, 2014
    Date of Patent: November 29, 2016
    Assignee: Aruba Networks, Inc.
    Inventors: Ramesh Ardeli, Venkatesan Marichetty
  • Patent number: 9503455
    Abstract: To control access to a source storage device shared by a plurality of host systems, methods and systems include confirming a presence of an application on each host system of the plurality of host systems accessing the storage device. After confirming the presence of the application on each host system accessing the storage device, the application is run allowing each host system to access the storage device. A request is received from a new host system to access the storage device. A presence of the application is verified on the new host system. If the presence of the application is verified on the new host system, the new host system is provided with access to the storage device. If the presence of the application is not verified on the new host system, the new host system is denied access to the storage device.
    Type: Grant
    Filed: February 13, 2014
    Date of Patent: November 22, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Susan K. Candelaria, Thomas C. Storms, Peter G. Sutton, John G. Thompson, Harry M. Yudenfriend
  • Patent number: 9450966
    Abstract: A method and system for verifying the integrity of virtual machines and for verifying the integrity of discrete elements of the virtual machines throughout the lifecycle of the virtual machines. A virtual machine manager capable of managing one or more virtual machine images is installed on a physical hardware platform. An integrity verification component can be communicatively coupled to the virtual machine manager and an integrity reference component so that the integrity verification component can compare digests of the virtual machine image or discrete virtual machine image elements to virtual machine integrity records accessible from the integrity reference component.
    Type: Grant
    Filed: July 24, 2008
    Date of Patent: September 20, 2016
    Assignee: KIP Sign P1 LP
    Inventors: Ronald James Forrester, William Wyatt Starnes, Frank A. Tycksen, Jr.
  • Patent number: 9450853
    Abstract: A system for providing a secure management agent for high-availability continuity for cloud systems includes a computer processor and logic executable by the computer processor. The logic is configured to implement a method. The method includes receiving operating parameters and threshold settings for a plurality of computing clouds. Secure relationships are established with the plurality of computing clouds based on the operating parameters. Data is mirrored across the plurality of computing clouds. Threshold data is then monitored for the plurality of computing clouds to maintain a continuity of resources for the plurality of computing clouds.
    Type: Grant
    Filed: October 16, 2013
    Date of Patent: September 20, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Tara Astigarraga, Louie A. Dickens, Michael E. Starling, Daniel J. Winarski
  • Patent number: 9444716
    Abstract: A method for providing a secure management agent for high-availability continuity for cloud systems includes receiving operating parameters and threshold settings for a plurality of computing clouds. Secure relationships are established with the plurality of computing clouds based on the operating parameters. Data is mirrored across the plurality of computing clouds. Threshold data is then monitored for the plurality of computing clouds to maintain a continuity of resources for the plurality of computing clouds.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: September 13, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Tara Astigarraga, Louie A. Dickens, Michael E. Starling, Daniel J. Winarski
  • Patent number: 9424422
    Abstract: Software applications are analyzed to determine if they are legitimate applications and warnings are provided to users to avoid installation and/or purchases of unnecessary and/or potentially harmful software based on comparisons of user-interface characteristics of the software applications to visual characteristics of authentic applications to determine to what extent they match (or do not match) or are attempting to mirror the legitimate application.
    Type: Grant
    Filed: May 16, 2014
    Date of Patent: August 23, 2016
    Assignee: AVG Netherlands B.V.
    Inventors: Yuval Ben-Itzhak, Kaspars Osis, Mike Boz
  • Patent number: 9389839
    Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as a group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicative that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.
    Type: Grant
    Filed: June 26, 2008
    Date of Patent: July 12, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vladimir Lifliand, Evgeney Ryzhyk, Yifat Sagiv, Maxim Uritsky
  • Patent number: 9374444
    Abstract: A system and method for providing a variety of medium access and power management methods are disclosed. A defined frame structure allows a hub and a node to use said methods for secured or unsecured communications with each other. Contended access is available during a random access phase. The node uses an alternate doubling of a backoff counter to reduce interference and resolve collisions with other nodes attempting to communicate with the hub in the random access phase. Non-contended access is also available, and the hub may schedule reoccurring or one-time allocation intervals for the node. The hub and the node may also establish polled and posted allocation intervals on an as needed basis. The node manages power usage by being at active mode at times during the beacon period when the node is expected to transmit or receive frames.
    Type: Grant
    Filed: December 11, 2014
    Date of Patent: June 21, 2016
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventor: Jin-Meng Ho
  • Patent number: 9369487
    Abstract: Disclosed herein are methods, systems, and software for handling secure transport of data between end users and content serving devices. In one example, a method of operating a content server includes identifying a content request from an end user device. The method further includes, responsive to the user request, determining a transmission control protocol window size and a secure layer protocol block size. The method also provides scaling the secure layer protocol block size to match the transmission control protocol window size, and transferring secure layer protocol packets to the end user device using the scaled secure layer protocol block size.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: June 14, 2016
    Assignee: Fastly Inc.
    Inventor: Artur Bergman
  • Patent number: 9350755
    Abstract: A method and apparatus for detecting malware transmission through a web portal is provided. In one embodiment, a method for detecting malicious software transmission through the web portal comprises accessing a security scan history that comprises information regarding a plurality of executables that are scanned upon executable creation and comparing current executable creation activity with the security scan history to identify at least one executable that is not scanned.
    Type: Grant
    Filed: March 20, 2009
    Date of Patent: May 24, 2016
    Assignee: Symantec Corporation
    Inventors: Adam Lyle Glick, Spencer Dale Smith, Nicholas Robert Graf
  • Patent number: 9349023
    Abstract: A user apparatus connected to database apparatus via network comprises: unit that manages key information in order to encrypt and decrypt; storage unit that stores security configuration information of data and/or metadata; application response unit that determines whether or not encryption is necessary for database operation command, and if encryption is necessary, selects encryption algorithm corresponding to data and/or metadata, performs encryption, and transmits result to database control unit to cause database control unit to execute database operation, if encryption is not necessary, transmits database operation command to database control unit to cause database control unit to execute database operation, and receives processing result transmitted by database control unit, and if decryption or conversion of data and/or metadata of processing result is necessary, performs necessary decryption or conversion, and returns response to database operation command; and security configuration unit that configur
    Type: Grant
    Filed: July 3, 2014
    Date of Patent: May 24, 2016
    Assignee: NEC CORPORATION
    Inventors: Kengo Mori, Satoshi Obana, Jun Furukawa, Isamu Teranishi, Toshiyuki Isshiki, Toshinori Araki
  • Patent number: 9326137
    Abstract: Certain aspects of the present disclosure provide methods and apparatus for secure transmission of packets with short headers. The methods may include temporarily suspending the use of packets that use a short MAC header (that lack a Key ID field) during re-keying procedures and resuming the use of such packets after a new default Key ID is established via the re-keying procedures.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: April 26, 2016
    Assignee: QUALCOMM INCORPORATED
    Inventors: Maarten Menzo Wentink, Jouni Malinen
  • Patent number: 9319393
    Abstract: A method of operating a security token to authenticate a user in a multi-factor authentication system is disclosed. The method includes: monitoring user custody of the token, the token having an identifying characteristic representing a possession factor for use through possession factor authentication; during a period of continuous user custody of the token based on the monitoring, obtaining a knowledge factor from a user having the continuous user custody; caching the knowledge factor in a memory of the token; and in response to a second authentication request, retrieving the knowledge factor from the memory to demonstrate to an authentication system knowledge of the knowledge factor, during the period of the continuous user custody.
    Type: Grant
    Filed: January 9, 2014
    Date of Patent: April 19, 2016
    Assignee: Applied Invention, LLC
    Inventor: W. Daniel Hillis