Patents Examined by Amare Tabor
  • Patent number: 7873831
    Abstract: A signature system with a mechanism to identify element(s) of a signed document includes a sender having a signature module with a digest generator. The digest generator generates digests for identifying selected elements of the document. The resulting “identifying” digests are then used in generating a signature in which the sender signs the digests rather than the original elements. The receiver can then process the signature and use these digests to distinguish between elements, as needed.
    Type: Grant
    Filed: February 26, 2004
    Date of Patent: January 18, 2011
    Assignee: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Giovanni M. Della-Libera, Vaithialingam B. Balayoghan, Tomasz Janczuk
  • Patent number: 7870613
    Abstract: Security components of managed computers are configured using inoculation data. Inoculation data can be retrieved from an inoculation data provider. The inoculation data provider analyzes unauthorized software applications to develop inoculation data. The inoculation data configures the security component to block execution of unauthorized software applications. Inoculation data can be embedded into a script, which is distributed via a management protocol to one or more managed computers from a management computer. Unauthorized software applications can be identified by filenames, storage paths, registry keys, digital signatures, download locations, residuals, and ActiveX controls or classes.
    Type: Grant
    Filed: March 2, 2006
    Date of Patent: January 11, 2011
    Assignee: FaceTime Communications, Inc.
    Inventors: Wayne Porter, Chris Criswell, Jan Hertsens, Robert Egan
  • Patent number: 7870612
    Abstract: The example embodiments herein relate to an antivirus protection system and method for computers based on program behavior analysis. The antivirus protection system may comprise: a Process Behavior-Evaluating Unit for identifying the programs existing in the user's computers and classifying them into normal programs and suspect programs; a Program-Monitoring Unit for monitoring and recording the actions and/or behaviors of programs; a Correlation-Analyzing Unit for creating correlative trees and analyzing the correlations of actions and/or behaviors of programs, the correlative trees comprising a process tree and a file tree; a Virus-Identifying Knowledge Base, comprising a Program-Behavior Knowledge Base and a Database of Attack-Identifying Rules; a Virus-Identifying Unit for comparing captured actions and/or behaviors to the information in the Virus-Identifying Knowledge Base to determine whether the program is a virus program.
    Type: Grant
    Filed: September 11, 2006
    Date of Patent: January 11, 2011
    Assignee: Fujian Eastern Micropoint Info-Tech Co., Ltd
    Inventor: Xu Liu
  • Patent number: 7865944
    Abstract: GPRS Tunneling Protocol (“GTP”) packets are intercepted by receiving a GTP tunnel packet, determining whether the GTP tunnel packet is to be intercepted, intercepting GTP tunnel packets if it is determined that the GTP tunnel packet is to be intercepted, and processing the intercepted GTP tunnel packets. Multiple tunnels may be intercepted simultaneously and GTP tunnel packets from different tunnels may be processed differently. Implementations include both inline and offline interception of GTP traffic between SGSN and GGSN.
    Type: Grant
    Filed: September 10, 2004
    Date of Patent: January 4, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Jesse C. Shu, Chaohui Zhang
  • Patent number: 7865941
    Abstract: A system for controlling an authorization procedure of a task according to a preferred embodiment is provided. The system includes: a database server for storing data about a task to be authorized; and an application server for obtaining basic information of the task to be authorized, configuring an authorization procedure for the task, designating an authorizer for each step of the authorization procedure, and controlling the whole authorization procedure.
    Type: Grant
    Filed: November 10, 2006
    Date of Patent: January 4, 2011
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Chegn-Yi Huang, Xin-Yu Huang, Zhe-Xin Liu, Wen-Hao Wu
  • Patent number: 7865723
    Abstract: Method and apparatus providing program information to client devices for at least one multicast stream of digital content is described. In one embodiment, session description messages for the at least one multicast stream of digital content are generated. Each of the session description messages includes at least one content access parameter. The at least one content access parameter may include digital rights management (DRM) data, channel key identification data associated with the at least one channel of the at least one multicast stream of digital content, and/or data indicative of whether each session description message is associated with a channel, a program, or a program segment. Each of the session description messages is signed using a cryptographic key. The session description messages are then multicasted to the client devices using a predefined multicast address.
    Type: Grant
    Filed: August 11, 2005
    Date of Patent: January 4, 2011
    Assignee: General Instrument Corporation
    Inventors: Petr Peterka, Alexander Medvinsky
  • Patent number: 7861301
    Abstract: An apparatus and a computer program are provided for securing transmitted text. Once text has been produced by an application, the potential exists for an unintended third party to obtain sensitive data transmitted over computer networks. However, a parsing function can then operate either on an individual computer or on a network to scan text at an Open Systems Interconnection (OSI) Layer 1 to assist in the prevention of sensitive data transmission. By utilizing the parsing function, text can be scanned for potentially sensitive data by using a variety of techniques, such as a learning algorithm. The sensitive data can then be verified by a user, bypassed, or autostripped.
    Type: Grant
    Filed: January 12, 2009
    Date of Patent: December 28, 2010
    Assignee: International Business Machines Corporation
    Inventors: Craig William Fellenstein, Rick Allen Hamilton, James Wesley Seaman
  • Patent number: 7840003
    Abstract: A high-speed Galois Counter Mode-Advanced Encryption Standard (GCM-AES) block cipher apparatus and method is provided. The apparatus can operate at a low clock frequency of 125 MHz and provide a 2 Gbps link encryption function in an Optical Line Termination (OLT) and an Optical Network Unit (ONU) of an Ethernet Passive Optical Network (EPON). 11-round block cipher of 128-bit input data is implemented using an 8-round Counter-AES (CTR-AES) block cipher module and a 3-round CTR-AES block cipher module, so that it is possible to provide a 1 Gbps link security function for an input frequency of 62.5 MHz and a 2 Gbps link security function for an input frequency of 125 MHz.
    Type: Grant
    Filed: April 27, 2005
    Date of Patent: November 23, 2010
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Kwang Ok Kim, Kyeong Soo Han, Tae Whan Yoo, Yool Kwon
  • Patent number: 7827416
    Abstract: An objective is to provide a key management apparatus in a document security and editing system that controls and manages the usage rights of a document, allows a user with usage rights to read and edit freely according to user qualification, and manages the usage rights in compliance with document management rules established by an organization.
    Type: Grant
    Filed: August 12, 2005
    Date of Patent: November 2, 2010
    Assignee: Mitsubishi Denki Kabushiki Kaisha
    Inventor: Yoshihiko Hanazaki
  • Patent number: 7827409
    Abstract: The present invention discloses a technique for provisioning network cryptographic keys to a client when direct physical transfer is not feasible. In an embodiment of the invention, a client token generates a temporary key encrypted with a first secret key known only in a master token database and passes this on to an enterprise network token of a network to which service is requested. The enterprise network token then further encrypts the encrypted temporary key with a second secret key and passes that on to the master token database. Since the second secret key is also known by the master token database, the originally encrypted temporary key can be securely decoded only by a master token coupled to the master token database. The decrypted temporary key can then be re-encrypted with a key known only by the enterprise network token and the master token, and returned to the enterprise network token.
    Type: Grant
    Filed: December 2, 2004
    Date of Patent: November 2, 2010
    Assignee: Koolspan, Inc.
    Inventor: Anthony C. Fascenda
  • Patent number: 7823196
    Abstract: A method and an apparatus to perform dynamic secure re-routing of data flows for public services are disclosed. In one embodiment, the method includes receiving at a first security appliance a public service message from a second security appliance via a public network. The public service message being associated with a session between the first and the second security appliances, being destined to a first network device coupled to the first security appliance, and including one of a public service request and a public service response. In response to the public service message, the method may further include determining whether a secure communication path exists between the first and the second security appliances.
    Type: Grant
    Filed: February 3, 2005
    Date of Patent: October 26, 2010
    Assignee: SonicWALL, Inc.
    Inventors: Jeffrey Bowman Caldwell, Akbal S. Karlcut, Aria Eslambolchizadeh
  • Patent number: 7818582
    Abstract: A mechanism eliminates the number of times a user must login to individual services after initially logging into a computer system. A user only logs once into a computer system, and subsequent login requests by multiple services are handled automatically and transparently by the system. In one implementation, a user need only present a card to a card reader and enter a PIN, and the user is logged-in after presenting the card and a valid PIN. The system generates a token that is valid for this particular login session of the user, and when the user accesses a permissioned service, the system automatically logs-in the user to the application using the token. The system can perform the automatic login of the user to a variety of applications including legacy applications, web-enabled applications, and commercial, off-the-shelf applications.
    Type: Grant
    Filed: June 27, 2005
    Date of Patent: October 19, 2010
    Assignee: Accenture Global Services GmbH
    Inventors: Donald E. Marion, Andrew W. Jewell
  • Patent number: 7810141
    Abstract: Communication devices, communication systems and communication methods are disclosed, which are capable of easily changing the settings of a client and lightening the workload of a user. Even if the settings of a client device do not correspond to the settings of an access point, by changing the settings of the access point, setting information is sent to the client device to automatically change the settings of the client device to settings corresponding to the settings of the access point after change.
    Type: Grant
    Filed: January 3, 2007
    Date of Patent: October 5, 2010
    Assignee: Alpine Electronics, Inc.
    Inventor: Hideki Takahashi
  • Patent number: 7802111
    Abstract: A cryptographic module for limiting exposure of cryptographic keys protected by a trusted platform module (TPM) is provided. The cryptographic module includes logic for establishing a session with the TPM on behalf of a cryptographic client and logic for sending a request from the cryptographic client to the TPM to retrieve in plaintext a cryptographic key of the cryptographic client. Logic for receiving the cryptographic key in plaintext from the TPM is also included in the cryptographic module. Further, the cryptographic module includes logic for performing a cryptographic operation requested by the cryptographic client using the cryptographic key, and logic for sending the results of the cryptographic operation to the cryptographic client. A hardware-based method and system for limiting exposure of cryptographic keys also are described.
    Type: Grant
    Filed: April 27, 2005
    Date of Patent: September 21, 2010
    Assignee: Oracle America, Inc.
    Inventor: Thomas Tahan
  • Patent number: 7801297
    Abstract: A communication device comprises a receiver configured to receive a notification of a cipher parameter used for encryption of data and a requested start time at which the encryption starts; and a correction unit configured to determine whether the cipher parameter needs to be corrected in response to the notification having been retransmitted based on the requested start time and an actual start time at which the encryption actually starts, and correct the cipher parameter.
    Type: Grant
    Filed: November 15, 2004
    Date of Patent: September 21, 2010
    Assignee: NTT DoCoMo, Inc.
    Inventors: Takehiro Ida, Mitsuo Iwanaga, Yasushi Sakamoto
  • Patent number: 7797725
    Abstract: Techniques for providing privacy protection are provided. A query is received. Privacy policy information, extracted knowledge and optional information about available public information are determined. Information about the knowledge extraction transformations applied to create the extracted knowledge and the source data is determined. Privacy protecting transformations are determined and applied to transform the extracted knowledge based on the selected privacy policy, optional information about available public information, the characteristics of the applied knowledge extraction transformations, the source data and optional previous user queries.
    Type: Grant
    Filed: December 2, 2004
    Date of Patent: September 14, 2010
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Teresa F Lunt, Daniel H Greene, Philippe J Golle, Richard H Bruce
  • Patent number: 7797727
    Abstract: An original identifier of an application in a computer system is changed to a new identifier. An attempt is made, using the original identifier, to run the application. In response to the attempt, the application is then launched in a restricted user account on the computer system using the new identifier.
    Type: Grant
    Filed: January 31, 2005
    Date of Patent: September 14, 2010
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Mark S. Miller, Marc D. Stiegler
  • Patent number: 7797749
    Abstract: A combination of more frequent and less frequent security monitoring may be used to defeat worm or virus attacks. At periodic intervals, a risk assessment scan may be implemented to determine whether or not a worm attack has occurred. Prior thereto, an intermediate detection by an anomaly detection agent may determine whether or not a worm attack may have occurred. If a potential worm attack may have occurred, intermediate action, such as throttling of traffic, may occur. Then, at the next risk assessment scan, a determination may be made as to whether the attack is actually occurring and, if so, more effective and performance altering techniques may be utilized to counter the attack.
    Type: Grant
    Filed: November 3, 2004
    Date of Patent: September 14, 2010
    Assignee: Intel Corporation
    Inventors: Priya Rajagopal, Ravi Sahita, David Durham
  • Patent number: 7779263
    Abstract: In a computer to support security of information, a user authentication request is received as a request of remote operation call through a network, a user using an external application program is authenticated based on the user authentication request. An authentication result capable of detecting a falsification is generated, and the authentication result is returned as a response of the remote operation call to a request originator through the network.
    Type: Grant
    Filed: November 12, 2004
    Date of Patent: August 17, 2010
    Assignee: Ricoh Company, Ltd.
    Inventor: Yoichi Kanai
  • Patent number: 7779254
    Abstract: The present invention is a system and a method for extending multiple independent levels of security to a plurality of input/output buses and components connected to the buses. In an exemplary embodiment, the system may include a processing unit suitable for operation in a plurality of security levels. A bus controller including security control logic may be coupled to the processing unit for restricting access and flow of information between the physical memory and the plurality of buses. The bus controller may employ base address registers to allocate and map the physical memory to control which partitions of the physical memory are accessible to each of the plurality of buses and thus, a device connected to at least one of the plurality of buses.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: August 17, 2010
    Assignee: Rockwell Collins, Inc.
    Inventors: Julianne R. Crosmer, John G. Bendickson