Abstract: Systems and methods for selectively providing access to a media device based on a profile associated with the media device. In certain embodiments, the profile of the media device can be user-defined as a development profile or a personal profile. When the device is connected to a host computer system, the profile of the media device is accessed. If the profile of the media device is a development profile, an integrated development environment on the host computer system can access the media device. If the profile of the media device is a personal profile, the integrated development environment is prevented from accessing the device.

Abstract: Server-side encrypted pattern matching may minimize the risk of data theft due to server breach and/or unauthorized data access. In various implementations, a server for performing the server-side encrypted pattern matching may include an interface component to receive an encrypted query token. The server may further include a query component to find a match for the encrypted query token in the encrypted data string. The query component may find such a match without decrypting the encrypted data string and the encrypted query token by using an encrypted dictionary that includes information on the edges of the encrypted suffix tree.

Abstract: Various embodiments of a system and method for reporting and measuring consumption of media content are described. Embodiments may include computing a set of registration hash values for an encrypted content file representing each of one or more content items. To distribute a content item to a consumer, an encrypted content file representing the content item is delivered to a content viewer system. At the content viewer system, a set of playback sums is computed that corresponds to segments of the content item actually played on the content viewer system. The playback hash values can be matched with registration hash values to establish that one or more segments of a content item associated with the matched hash values have been played.

Abstract: A system detects an attack on the computer system. The system identifies the attack as polymorphic, capable of modifying itself for every instance of execution of the attack. The modification of the attack is utilized to defeat detection of the attack. In one embodiment, the system determines generation of an effective signature of the attack has failed. The signature is utilized to prevent execution of the attack. The system then adjusts access to an interface to prevent further damage caused to the computer system by the attack.

Abstract: An apparatus, system, or method for (i) processing a System Renewability Message (SRM) that includes first and second generation SRM portions that respectively comprise first and second lists of unique privilege-revoked identifiers for receiver devices; (ii) storing the first and second SRM portions based on whether a source device is a first generation HDCP device, (iii) processing an additional SRM that includes additional first and second generation SRM portions that respectively comprise additional first and second lists of unique privilege-revoked identifiers for receiver devices and a third generation SRM portion that comprises another list of unique privilege-revoked identifiers; and (iv) storing the additional first and second SRM portions and the third SRM portion based on whether the source device is a third generation HDCP device.

Abstract: A method for security monitoring of an electronic device includes determining whether a storage system of the electronic device is a secured storage system according to a signal of a first switch of the electronic device, determining whether an encryption key of the secured storage system is modifiable according to a detected signal of a second switch of the electronic device. Decrypting the secured storage system using a decryption key if the decryption key is the same as a preset decryption key in the secured storage system.

Abstract: A method of and system for encrypting and decrypting data on a computer system is disclosed. In one embodiment, the system comprises an encrypting operating system (EOS), which is a modified UNIX operating system. The EOS is configured to use a symmetric encryption algorithm and an encryption key to encrypt data transferred from physical memory to secondary devices, such as disks, swap devices, network file systems, network buffers, pseudo file systems, or any other structures external to the physical memory and on which can data can be stored. The EOS further uses the symmetric encryption algorithm and the encryption key to decrypt data transferred from the secondary devices back to physical memory. In other embodiments, the EOS adds an extra layer of security by also encrypting the directory structure used to locate the encrypted data.

Abstract: An information processing apparatus which updates a basic software package is disclosed. The information processing apparatus includes an encryption and decryption unit which stores values calculated uniquely from software and encrypts information based on the calculated values and decrypts encrypted information based on the calculated values. The basic software package includes a firmware authenticating module for authenticating a firmware updating file which includes new software for updating the basic software package, a value uniquely calculated from the new software, and a public key signature. The information processing apparatus further includes a software updating module which updates the basic software package by using the authenticated firmware updating file, and an encryption key managing module for encrypting again the information encrypted by the values based on a value changed by updating the basic software package.

Abstract: A method of processing digital content performed by an apparatus for storing digital content. In the method, a hardware regional code extracted from a memory of a content storage device is compared with a firmware regional code extracted from firmware, and the digital content is selectively encrypted and stored according to a corresponding regional code only when the hardware regional code matches the firmware regional code.

Abstract: Systems and method for partial encryption are disclosed. One example method comprises: creating a program association table to include a first program number which identifies a program encrypted in accordance with a first encryption scheme, and a second program number which identifies the same program encrypted in accordance with a second encryption scheme; and creating a program map table for the same program to include first audio and video identifiers associated with the first encryption scheme and second audio and video identifiers associated with the second encryption scheme.

Abstract: A system and method efficiently deletes a file from secure storage, i.e., a cryptainer, served by a storage system. The cryptainer is configured to store a plurality of files, each of which stores an associated file key within a special metadata portion of the file. Notably, special metadata is created by a security appliance coupled to the storage system and attached to each file to thereby create two portions of the file: the special metadata portion and the main, “file data” portion. The security appliance then stores the file key within the specially-created metadata portion of the file. A cryptainer key is associated with the cryptainer. Each file key is used to encrypt the file data portion within its associated file and the cryptainer key is used to encrypt the part of the special metadata portion of each file. To delete the file from the cryptainer, the file key of the file is deleted and the special metadata portions of all other files stored in the cryptainer are re-keyed using a new cryptainer key.

Abstract: A method for protecting a CAP file including one or more applets to be installed in an IC Card, includes the applets encoding into the CAP file by a CAP file provider. The method also includes the CAP file downloading into the IC Card by a CAP file issuer, and storing an installation program inside the IC Card. The installation program extracts the applets from the CAP file and installs them in the IC Card, after the downloading. The CAP file provider encrypts the CAP file into a protected CAP file to avoid the applets being extracted before the downloading. The IC Card includes a decryption circuit for decrypting the protected CAP file downloaded into the IC Card. The installation of the applet is enabled by the decryption circuit.

Abstract: A method for processing video content is disclosed. The method comprises: receiving, in a hardware device connected in operation to a computer, encrypted, encoded video content; decrypting the encrypted, encoded video content to form decrypted, encoded video content; decoding a first portion of the decrypted, encoded video content to form a decrypted, decoded video content portion; re-encrypting the decrypted, decoded video content portion to form a re-encrypted, decoded video content portion; re-encrypting a second portion of the decrypted, encoded video content to form a re-encrypted, encoded video content portion; and outputting the re-encrypted, decoded video content portion and the re-encrypted, encoded video content portion to the computer.

Abstract: A cryptographic module selecting device includes a cryptographic module evaluation information storage device configured to store identification information of a cryptographic module and cryptographic module evaluation information describing a function and/or performance of the cryptographic module in relation to each other, a condition information acquiring device configured to acquire condition information for specifying the condition of the cryptographic module to be selected, an extracting device configured to extract cryptographic module evaluation information conforming to the acquired condition information, from the stored cryptographic module evaluation information of the cryptographic module, and an output device configured to read out the identification information of the cryptographic module corresponding to the cryptographic module evaluation information selected by the extracting device from the cryptographic module evaluation information storage device and output the read identification informat

Abstract: An apparatus including a microprocessor and a secure non-volatile memory. The microprocessor executes non-secure application programs and a secure application program. The microprocessor has secure execution mode initialization logic and an authorized public key. The secure execution mode initialization logic provides for initialization of a secure execution mode within the microprocessor. The secure execution mode initialization logic employs an asymmetric key algorithm to decrypt an enable parameter directing entry into the secure execution mode. The authorized public key is used to decrypt the enable parameter, the enable parameter having been encrypted according to the asymmetric key algorithm using an authorized private key that corresponds to the authorized public key.

Abstract: The described systems and methods are directed at configuring a server based on a selected role. An installation application is configured to install core components in a server where these core components enable the server to perform the basic functions of a network computing device. A role management application is configured to enable a system administrator to select a role for the server and to automatically determine software components associated with the selected role. The role management application is then configured to build the software components and install the components on the server. The role management application is further configured to configure the components for the selected role. The automated installation process performed by the role management application enables a server to be efficiently configured for a particular role without installing other unnecessary components unrelated to the role.

Abstract: A device management system for managing a device based on management information is presented. The system includes a device monitoring unit for obtaining management information from a device, a relay server coupled to the device monitoring unit over a network, and a management server, coupled to the relay server over a network, configured to manage the device based on the management information. The device monitoring unit obtains the management information from the device and transmits the obtained management information without encryption. Upon receiving the management information, the relay server encrypts and transmits to the management server the received management information.

Abstract: A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.

Abstract: One aspect of the present invention is a method of playing multi-media content through a personal computer. The personal computer includes a processor and memory, with the memory having software instructions stored therein. The processor executes the instructions to carry-out the method. The method includes: receiving data representing multi-media content at the personal computer; receiving at the personal computer an initial set of data representing a base set of usage rights that is associated with the multi-media content, wherein the initial set of data defines a first set of rights that is permissible without upgrading or renewing the base set of usage rights; and upon receiving a request to perform an action involving the multi-media content, checking the initial set of data representing the base set of usage rights to determine whether the action is permissible, and providing an option to a user through the personal computer to contact a remote computer to negotiate for an upgraded set of usage rights.

Abstract: A method of operating a virtual machine includes determining a virtual machine signature, receiving an execution request from an application, and determining an application signature based on the request. The method further includes validating the application signature to the virtual machine signature and executing the application based on the validation.

Abstract: A digital escrow pattern is provided for backup data services including searchable encryption techniques for backup data, such as synthetic full backup data, stored at remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. In one embodiment, an operational synthetic full is maintained with encrypted data as a data service in a cryptographically secure manner that addresses integrity and privacy requirements for external or remote storage of potentially sensitive data. The storage techniques supported include backup, data protection, disaster recovery, and analytics on second copies of primary device data. Some examples of cost-effective cryptographic techniques that can be applied to facilitate establishing a high level of trust over security and privacy of backup data include, but are not limited to, size-preserving encryption, searchable-encryption, or Proof of Application, blind fingerprints, Proof of Retrievability, and others.

Abstract: In a device authentication control method and device, when a connection device is connected to a network mounted on a boat, it is determined whether or not the connection device corresponds to an authentication-free device. If the connection device does not correspond to an authentication-free device, an authenticating action is performed on the connection device. If the connection device does correspond to an authentication-free device, the connection device is exempted from the authenticating action. In this way, when a connection device does not correspond to an authentication-free device, an authenticating action is performed, but when the connection device corresponds to an authentication-free device, the connection device is exempted from an authenticating action. As a result, it is possible to handle specific connection devices as authentication-free.

Abstract: A highly configurable kernel supports a wide variety of content protection systems. The kernel may reside in a host that interacts with a secure processor maintaining content protection clients. After establishing communication with the secure processor, the host receives messages from content protection clients requesting rules for message handling operations to support client operations. This flexible configuration allows for dynamic reconfiguration of host and secure processor operation.

Abstract: The present invention provides methods and apparatuses that utilize a portable apparatus to securely operate a host electronic device. Typically, each portable apparatus includes a data storage unit which stores an operating system and other software. In one example, a portable apparatus can provide a virtual operating environment on top of a host's operating system for a host device. In another example, a portable apparatus containing its operating system can directly boot a host device with one or more hardware profiles. Furthermore, a device-dependent protection against software piracy, a user-dependent protection against sensitive data leaks, a controllable host operating environment to prevent unwanted information exposure, and a secure restoration procedure to prevent virus infection between the host device users may be incorporated. Moreover, an authorization signature may also be utilized to authorize a connected-state guest operation environment in the host device.

Abstract: Electronic documents corresponding to executed paper documents are certified. A certifying agent receives an electronic document and a corresponding paper document that had been executed pursuant to some transaction. The certifying agent compares the information contained in the paper to that in the electronic mortgage document. If the paper adequately corresponds to the electronic document and is otherwise sufficient, then the certifying agent certifies the electronic document so that other parties can reliably engage in transactions involving the electronic document without having to possess or otherwise inspect the executed paper document. Certification involves application of some form of indicia of certification to the electronic document, such as updating the value of a field corresponding to certification in the electronic document and/or applying a digital or electronic signature corresponding to the certifying agent to the electronic document.

Abstract: A method of protecting data in a computer system against attack from viruses and worms comprising; modifying micro-code of a processor of system to be protected to remove homogeneity between processors from a manufacturer; modifying op-codes of an application to match modified micro-code of the processor prior to execution.

Abstract: A wireless apparatus or the like downloads upgrade content information and an upgrade key generated from a production number of the user apparatus which are generated by an upgrade key support center apparatus to perform upgrading, and the upgrade key support center apparatus periodically acquires apparatus information of the wireless apparatus or the like to monitor whether illegal upgrading is not performed. This makes it possible to easily manage a wireless apparatus which can perform an increase/decrease in capacity, selection of redundancy, change of functions, and the like by using an upgrade key.

Abstract: Systems and methods in accordance with aspects of the present invention can be implemented to prevent automated, semi-automated, or manual searching, indexing, copying, and surveillance of electronic content, e.g., content in online documents or pages. Such systems and methods can also enable a human user to see the electronic content properly on a display, while the content remains unintelligible to computer programs. Thus, in accordance with the present invention, a computer application and a human user can interpret or “see” an electronic document differently.

Abstract: A method of scanning data for viruses in a computer device, the device having a browser for rendering the data for use. The method comprises storing the data in a buffer memory accessible to said browser and creating an instance of a browser plugin, said plugin providing a virus scanning function or providing a route to a virus scanning function. The data is scanned for viruses using the instance of the plugin and, if no viruses are detected in the data, it is returned to the browser for rendering. If a virus is detected in the data, rendering of the data is inhibited.

Abstract: Methods and systems for identifying a source of an attack in a network include transmitting an address associated with the attack target to a number of network devices. Each network device may then determine whether a received packet is destined for the attack target and identify, for each packet destined for the attack target, an input interface upon which the packet arrived. Each network device may also count the amount of data destined for the attack target per input interface. A potential source of the attack may then be identified based on the amount of data destined for the attack target.

Abstract: A computer-implemented method for evaluating the health of computing systems based on when operating-system changes occur is disclosed. In one example, this method may include: 1) identifying an operating-system change made to a computing system, 2) determining when the operating-system change occurred, and then 3) assessing the health of the computing system based at least in part on when the operating-system change occurred. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An image processing apparatus includes an installation unit configured to install an application for image processing and license information regarding the application, an information setting unit configured to set, as threshold information, operation restriction information, which is included in the license information, regarding the application, a counting unit configured to count operation information regarding an operation of the application, an application operation restriction unit configured to restrict an operation of the application according to the threshold information and the counted operation information, a reinstallation unit configured to reinstall the application, and an information setting control unit configured to inhibit the information setting unit from setting, as the threshold information, the operation restriction information, which is included in the license information, regarding the application reinstalled by the reinstallation unit.

Abstract: In a software management process, a software management apparatus, and a computer-readable medium storing a software management program for managing software installed in clients: a profile for a client is updated in accordance with a change notice on receipt of the change notice from the client; settings of the software in other clients which belong to the same group as the above client are determined to be synchronized with the settings of the software in the above client by reference to group information when the above profile for the above client is updated; and a synchronization notice indicating that the update of the above profile is to be reflected in the settings of the software in the other clients is sent to the other clients, and each of one or more profiles for the other clients is updated in accordance with the synchronization notice.

Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

Abstract: A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.

Abstract: Embodiments provide systems and methods for the encryption of data to be stored on media in a library. A method of data encryption may comprise intercepting or monitoring commands sent to a library comprising one or more media stored at secure slots. If in response to a command or commands, media is moved from a secure slot to a drive, data stored on the media by the drive is encrypted, either by an encryption device, the drive or other encryption system, thus allowing encryption based on individual slots or media in a library.

Abstract: A semiconductor integrated circuit is provided, which includes: a first circuit; a second circuit; a data BUS; and first and second encryption/decryption circuits for encrypting/decrypting data transmitted between the first and second circuits on the data bus. The first encryption/decryption circuit is for encrypting data output from the first circuit, outputting the encrypted data to the data BUS, decrypting an encrypted data received from the second encryption/decryption circuit, and providing the decrypted data to the first circuit. The second encryption/decryption circuit is for decrypting the encrypted data received from the first encryption/decryption circuit, providing the decrypted data to the second circuit, encrypting data output from the second circuit, and outputting the encrypted data to the data BUS.

Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

Abstract: A system for loading application identifiers to a mobile device includes a mobile device, a card device insertable into the mobile device, and an application center. The card device is adapted to determine an effective mobile device identifier of the mobile device, and transmit the effective mobile device identifier to the application center. The effective mobile device identifier is based at least in part on the result of a process performed by the card device. The application center is adapted to (1) determine zero or more allotted application identifiers and zero or more application identifiers of applications loaded on the mobile device based at least in part on the effective mobile device identifier, (2) identify at least one application identifier of the zero or more allotted application identifiers which does not form part of the zero or more application identifiers of applications loaded on the mobile device, and (3) load the at least one application identifier to the mobile device.

Abstract: A method for accessing data in a data storage system is presented. The method includes supplying a host computer that is in communication with the data storage system, where the data storage system includes a data storage medium and a holographic data storage medium. A first request is generated to access a directory encoded in the data storage medium and includes a first encryption key. The requested directory recites a listing of data files encoded in the holographic storage medium. If the first encryption key decrypts the directory, the directory is read and a data file encoded in the holographic data storage medium is identified. A second request is then generated to access the data file and includes a second encryption key. Finally, if the second encryption key decrypts the data file, then it is read.

Abstract: A method and apparatus are provided for combating malicious code. In one embodiment, a method for combating malicious code in a network includes implementing a resource-limiting technique to slow a propagation of the malicious code and implementing a leap-ahead technique in parallel with the resource-limiting technique to defend against the malicious code reaching a full saturation potential in the network.

Abstract: One embodiment of the present invention sets forth a method for loading a secure firmware update onto an adapter device in a computer system. The method includes the steps of sending a duplet of encrypted data conveying a same portion of an encrypted update image along a transfer path to the adapter device, restoring two portions of source data from the duplet, and determining whether to accept the source data based on the result of a comparison of the two portions of source data.

Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.

Abstract: Various embodiments of a system and method for providing protection against malicious software programs are disclosed. The system and method may be operable to detect that a first window of a legitimate software program has been replaced by a second window of a malicious software program, e.g., where the second window includes features to mimic the first window in an effort to fool the user into inputting sensitive information into the second window. The method may operate to alert the user when the window replacement is detected.

Abstract: The present invention provides systems and methods for providing distributed, adaptive IP filtering techniques used in detecting and blocking IP packets involved in DDOS attacks through the use of Bloom Filters and leaky-bucket concepts to identify “attack” flows. In an exemplary embodiment of the present invention, a device tracks certain criteria of all IP packets traveling from IP sources outside a security perimeter to network devices within the security perimeter. The present invention examines the criteria and places them in different classifications in a uniformly random manner, estimates the amount of criteria normally received and then determines when a group of stored classifications is too excessive to be considered normal for a given period of time. After the device determines the criteria that excessive IP packets have in common, the device then determines rules to identify the packets that meet such criteria and filters or blocks so identified packets.

Abstract: A memory controller for a smart card including a non-volatile memory can include an internal circuit that is configured to perform cryptographic key processing responsive to a first clock and a non-volatile memory interface circuit for transferring/receiving a signal to/from the internal circuit in synchronization with the first clock and transferring/receiving the signal to/from an external device in synchronization with a second clock that is asynchronous relative to the first clock.

Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.

Abstract: An development environment of a high security level is provided for a key-installed system. Development of a program for a system having an LSI device which includes a secure memory is performed by providing another LSI device having the same structure and setting the provided LSI device to a development mode which is different from a product operation mode. Alternatively, the provided LSI device is set to an administrator mode to perform development and encryption of a key-generation program. The LSI device is set to a key-generation mode to execute the encrypted key-generation program, thereby generating various keys.

Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.

Abstract: Method and apparatus for using configuration memory for buffer memory is described. Drivers associated with a portion of the configuration memory are rendered incapable of creating a contentious state irrespective of information stored the portion of configuration memory. Configuration data is received in a non-configuration data format and buffered in the portion of the configuration memory.