Abstract: A system for managing application service requests. The system processes requests using a first processor, stores a record of the requests in memory using a second processor, and counts the total number of requests received over a time interval using the second processor. If the total number of requests are less than a first threshold, the stored records are dropped. Otherwise, the stored records are analyzed to determine if requests from a single source Internet protocol address exceed a second threshold. If the number of requests from a single source Internet protocol address exceeds the second threshold, the subject Internet protocol address is blacklisted to a firewall through which the service requests pass before reaching the first processor. The requests are visible to the second processor before they are processed by the firewall.

Abstract: A video processing device for encrypting a compressed video signal that includes a key storage device for storing at least one encryption key. An encryption processing device retrieves the at least one encryption key from the key storage device, and directly encrypts an elementary bit stream into at least one encrypted elementary bit stream.

Abstract: In a first embodiment of the present invention, a method of providing security enforcements of widgets in a computer system having a processor and a memory is provided, comprising: extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for security verification of communications to tenants of an on-demand database service. These mechanisms and methods for security verification of communications to tenants of an on-demand database service can enable embodiments to allow tenants to selectively implement security measures with respect to inbound communications, etc. The ability of embodiments to provide such feature may allow tenants to efficiently and effectively implement security measures for in-bound emails.

Abstract: Techniques for reducing executable code vulnerability are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for reducing executable code vulnerability comprising analyzing a binary file, using at least one computer processor, to identify a vulnerable executable code structure, and configuring the identified executable code structure to reduce vulnerability.

Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.

Abstract: Provided is an eigendecomposition cipher. Input data is formatted into a numerical representation and arranged as a data matrix. Eigendecomposition is performed on the data matrix to determine at least a first component matrix (of eigenvalues) and a second component matrix (of eigenvectors). The eigendecomposition process is modified to ensure that the first component matrix has a diagonalized matrix of eigenvalues. Provided are additional features of shaping, compression, and message generation for an eigendecomposition-based cipher. A first message is generated based upon the first component matrix. A second message is generated based upon the second component matrix. The first and second messages comprise separate indecipherable parts of the input data. The first and second messages may be transmitted or stored separately such that the source data may not be recovered without both messages.

Abstract: Multi-control password changing includes initiating a password change cycle to change a target user's password, selecting a plurality of administrators to provide password part inputs, receiving password part inputs separately and confidentially from the plurality of administrators, generating a multi-control password comprised of multiple password part inputs, changing the target user's password to the multi-control password, and transmitting either the single multi-control password or multiple password parts each separately to target user.

Abstract: A method of detecting a malware based on a white list comprises: receiving on a server side a program feature and/or a program behavior of a program to be detected sent from a client side; comparing the program feature and/or the program behavior of the detected program with legitimate program features and/or legitimate program behaviors stored in a white list; obtaining a legitimacy information of the unknown program based on the comparison result and feeding this back to the client side. In the invention, a legitimate program is determined by using a white list, thereby determining an illegitimate program excluded from the white list as a malware, which performs a determination and detecting and removing of a malware from another perspective.

Abstract: Methods, devices, and computer-readable storage media are provided. In some embodiments, a server receives from a browser on a client a request to access a first web page. In response to receiving the request, the server sends to the client a second web page including an embedded executable program configured to run within the browser on the client, wherein the embedded executable program, when executed on the client, is operable to obtain a ticket-granting ticket stored on the client and send the ticket-granting ticket to the server. The server receives the ticket-granting ticket from the embedded executable program on the client. Furthermore, the server determines whether a user associated with the ticket-granting ticket is authorized to access the first web page. In response to determining that the user is authorized to access the first web page, the server grants the requested access to the first web page.

Abstract: Methods, apparatus and articles of manufacture for defending against a cyber attack via asset overlay mapping are provided herein. A method includes determining which of multiple systems within an organization stores each of multiple assets, determining at least one relationship present between the multiple assets across the multiple systems of the organization, and identifying, upon an attack of a first system of the multiple systems within the organization, one or more additional systems of the multiple systems vulnerable to the attack based on at least one relationship between one or more of the multiple assets stored on the first system to one or more of the multiple assets stored on one or more additional systems.

Abstract: An apparatus and method for employing a token based arbiter. The apparatus includes a priority provider (26) comprising a processor for calculating an arbiter metric and an identity provider (18) having a processor for embedding the metric into a secured token. The apparatus also comprises memory coupled to the processor having one or more instructions executable at the processor. The processor is operable when executing the instructions to: collect authorization attributes (A) from one or more users seeking use of a resource (20) associated with a service provider; determine the level of priority to the one or more users based on prescribed policy of the priority provider; assign at least one arbiter metric (22, 32) to a secured token (T) for each of the one or more users based on the level of priority identified by the priority provider.

Abstract: Various embodiments provide a method and apparatus of providing accelerated encrypted connections in a cloud network supporting transmission of data including per-user encrypted data. Transmission of encrypted data from an application server uses an encryption scheme that encrypts static data using a first encryption scheme that derives keys from the content itself and encrypts dynamic data, such as dynamic website content with personalized user data, using a second encryption scheme.

Abstract: A semiconductor structure including a device configured to receive an input data-word. The device including a logic structure configured to generate an encrypted data-word by encrypting the input data-word through an encrypting operation. The device further including an eFuse storage device configured to store the encrypted data-word as eFuse data by blowing fuses in accordance with the encrypted data-word.

Abstract: Method and apparatus for SPS authentication, for example for use with GPS, are disclosed. The method may include receiving a first set of Y codes from a plurality of satellites, generating authentication decisions using W code estimates extracted from the first set of Y codes for satellite channels corresponding to the plurality of satellites, and generating an authentication response according to authentication decisions generated for the satellite channels.

Abstract: Multi-tiered distributed security authentication and filtering. One embodiment comprises managing user access to one or more computing resources, by centrally maintaining user subscription information comprising user authentication information and system authorization information, and providing relevant subscription information from the user subscription information to one or more remote computing systems. Managing user access further includes, in a remote computing system, authenticating a user login to the remote computing system based on user authentication information from said relevant subscription information, and upon user authentication, selectively authorizing user access to computing resources of the remote computing system based on system authorization information from said relevant subscription information.

Abstract: Methods and apparatus are provided for providing a DRM service by a user terminal apparatus consuming DRM content in a service environment that provides the DRM content using a plurality of incompatible DRM systems. A license corresponding to the DRM content is acquired from a service providing apparatus that provides the DRM content. It is determined whether the license is a common license having a common DRM interface format. The common DRM interface format of the common license is converted to a format of a first DRM system installed in the user terminal apparatus, when the license is the common license. The license having the format of the first DRM system is applied in reproducing the DRM content. The common license is provided from the service providing apparatus to the user terminal apparatus through a common DRM interface when the service providing apparatus does not support the first DRM system.

Abstract: A method for execution in a communication device, which comprises receiving a first data set and a second data set over a first communication path; receiving a series of requests over local communication path different from the first communication path; responding to a first one of the requests by releasing a first response including the first data set over the local communication path; and responding to a second one of the requests by releasing a second response including the second data set over the second communication path.

Abstract: Secure code verification enforcement in a trusted computing device, including: examining, by a secure code validation module, a trusted computing device that is locked in a powered down state in response to an impermissible physical access of the trusted computing device; determining, by the secure code validation module, whether content of trusted memory in the trusted computing device has been altered; and responsive to determining that the content of trusted memory in the trusted computing device has not been altered, unlocking, by the secure code validation module, the trusted computing device such that the trusted computing device can be powered up.

Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.