Patents Examined by April Y. Shan
  • Patent number: 9860274
    Abstract: In embodiments of the present invention improved capabilities are described for the operation of a threat management facility, wherein the threat management facility may provide for a plurality of computer asset protection services to a corporate computer network. The threat management facility may provide a policy management service as one of the plurality of protection services, wherein the policy management service may be adapted to provide corporate policy updates to a plurality of computer facilities associated with the corporate computer network. In addition, the corporate policy updates, and a related corporate policy, may relate to the acceptability of an operation of a computer application.
    Type: Grant
    Filed: September 13, 2007
    Date of Patent: January 2, 2018
    Assignee: Sophos Limited
    Inventor: Richard Jacobs
  • Patent number: 7991155
    Abstract: To provide a backup management device that deletes a content so as to be restorable in the future while protecting a copyright of the content, in a case where there exists a backup of the content. In an HD recorder, a first information storage unit stores a content, a second information storage unit stores a backup of the content, a secure storage unit stores a hash value of the content. If receiving an instruction to delete the content so as to be restorable, a control unit deletes the content from the first information storage unit. When the content is played back, an encryption processing unit applies a calculation to the content to generate detection information, and the control unit compares the hash value with the detection information to judge whether the content has been tampered.
    Type: Grant
    Filed: January 30, 2006
    Date of Patent: August 2, 2011
    Assignee: Panasonic Corporation
    Inventors: Soichiro Fujioka, Shunji Harada, Yoshikatsu Ito, Yuko Tsusaka, Motoji Ohmori, Toshihisa Nakano
  • Patent number: 7961878
    Abstract: This specification describes technologies relating to imparting cryptographic information in network communications.
    Type: Grant
    Filed: October 15, 2007
    Date of Patent: June 14, 2011
    Assignee: Adobe Systems Incorporated
    Inventors: Asa Whillock, Edward Chan, Srinivas Manapragada, Matthew Kaufman, Pritham Shetty, Michael Thornburgh
  • Patent number: 7953980
    Abstract: A measurement engine performs active platform observation. A program includes an integrity manifest to indicate an integrity check value for a section of the program's source code. The measurement engine computes a comparison value on the program's image in memory and determines if the comparison value matches the expected integrity check value. If the values do not match, the program's image is determined to be modified, and appropriate remedial action can be triggered. The integrity manifest can include a secure signature to verify the validity of the integrity manifest.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: May 31, 2011
    Assignee: Intel Corporation
    Inventors: Travis Schluessler, David Durham, George Cox, Karanvir “Ken” Grewal
  • Patent number: 7900258
    Abstract: An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE.
    Type: Grant
    Filed: February 25, 2008
    Date of Patent: March 1, 2011
    Assignee: International Business Machines Corporation
    Inventor: Peter A. J. van der Made
  • Patent number: 7890766
    Abstract: The present invention provides a method, apparatus, and computer instructions for warning of a presence of a person in a zone having an inadequate security clearance. Movement of the person in the zone is detected. A message is broadcast to selected data processing systems associated with the zone, wherein the data processing systems initiate actions to protect data in the selected data processing systems.
    Type: Grant
    Filed: July 12, 2007
    Date of Patent: February 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Janice Marie Girouard, Mark Joseph Hamzy, Emily Jane Ratliff
  • Patent number: 7886154
    Abstract: The present invention provides a method, apparatus, and computer instructions for warning of a presence of a person in a zone having an inadequate security clearance. Movement of the person in the zone is detected. A message is broadcast to selected data processing systems associated with the zone, wherein the data processing systems initiate actions to protect data in the selected data processing systems.
    Type: Grant
    Filed: December 14, 2007
    Date of Patent: February 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: Janice Marie Girouard, Mark Joseph Hamzy, Emily Jane Ratliff
  • Patent number: 7869592
    Abstract: A calculation apparatus capable of executing any of a first calculating process operation including a first matrix calculation, and a second calculating process operation including a second matrix calculation, includes: a first calculation unit for executing the second matrix calculation; at least one calculation unit other than the first calculation unit, for executing a matrix calculation in parallel to the first calculation unit so as to execute the first matrix calculation; and a logic circuit for performing a logic calculation with respect to a calculation result of the first calculation unit and a calculation result of the other calculation unit. Then, when a calculation result of the first matrix calculation is requested, the calculation apparatus acquires the calculation result from the logic circuit.
    Type: Grant
    Filed: September 29, 2008
    Date of Patent: January 11, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Koichi Fujisaki, Atsushi Shimbo
  • Patent number: 7865718
    Abstract: A computer-readable recording medium which records a remote control program for allowing data on a network protected by a gateway device to be transferred to an external device by external remote-control operations; a portable terminal device; and a gateway device. The terminal device transmits to the gateway device an access ticket issue request. The gateway device generates key information and transmits to the terminal device an access ticket including the key information. The terminal device transfers to a data acquisition device a data acquisition instruction including the acquired access ticket. The acquisition device transmits to the gateway device a data request including the key information. When the key information added to the access ticket and the key information included in the data request are the same, the gateway device transfers the data request to a data server device. The server device transfers the data to the acquisition device.
    Type: Grant
    Filed: August 20, 2007
    Date of Patent: January 4, 2011
    Assignee: Fujitsu Limited
    Inventors: Shigeki Fukuta, Takao Mohri, Hideki Mitsunobu, Nami Nagata
  • Patent number: 7865958
    Abstract: A flexible, efficient and easy-to-use computer security management system effectively evaluates and responds to informational risks on a wide variety of computing platforms and in a rapidly changing network environment. An individual computer system dynamically monitors its end user, without regard to network connectivity, in order to calculate a risk score and to ensure that the end user's behavior does not put corporate information or other assets at risk. Data regarding such risks and responses are analyzed and stored in real-time.
    Type: Grant
    Filed: February 5, 2009
    Date of Patent: January 4, 2011
    Assignee: Citrix Systems, Inc.
    Inventors: Jason Lieblich, Dustin Norman
  • Patent number: 7856663
    Abstract: A method, system, and program for security screening of electronic devices by device identifier are provided. A security scanning system detects an identifier from an electronic device. The identifier may be a radio frequency identifier or other type of identifier which is preferably detectable by the security scanning system regardless of the operating status of the electronic device. The security scanning system queries a database with the identifier for information about the electronic device. Responsive to receiving the information about the electronic device from the central database, at least one real-time scanned characteristic of the electronic device is compared with this information. The information includes characteristics of the components of the electronic device and an x-ray overlay of the electronic device. If the real-time scanned characteristics and the information match, then electronic device is designated as secure.
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: December 21, 2010
    Assignee: International Business Machines Corporation
    Inventors: Herman Rodriguez, Newton James Smith, Jr., Clifford Jay Spinac
  • Patent number: 7849324
    Abstract: A permission level associated with a user's access to a Web server is identified. A relationship ticket is obtained from an authentication server and a request is generated to set or modify the identified permission level. The request and the relationship ticket are sent to the Web server and a success code is received from the Web server if the requested permission level is established.
    Type: Grant
    Filed: September 9, 2008
    Date of Patent: December 7, 2010
    Assignee: Microsoft Corporation
    Inventors: Baskaran Dharmarajan, Ismail Cem Paya, Ashvin J Mathew
  • Patent number: 7844826
    Abstract: A permission level associated with an entity's access to a Web server is identified. A relationship ticket is obtained from an authentication server and a request is generated to set the identified permission level. The request and the relationship ticket are sent to the Web server and a success code is received from the Web server if the requested permission level is established.
    Type: Grant
    Filed: September 8, 2008
    Date of Patent: November 30, 2010
    Assignee: Microsoft Corporation
    Inventors: Baskaran Dharmarajan, Ismail Cem Paya, Ashvin J Mathew
  • Patent number: 7845011
    Abstract: A transfer source gives a challenge key, own public key, an ID for identifying the target data, and an encryption key type to a transfer destination that is authenticated by a certificate. In accordance with the given key type, the transfer destination generates a first session key (and a second session key), encrypts the first session key and own public key (or second session key) with the transfer source's public key, encrypts the resulting encrypted data with the challenge key, and transmits the data encrypted with the challenge key to the transfer source. The transfer source encrypts the target data with the second session key (or the transfer destination's public key) that is derived from the received data, encrypts the resulting encrypted data with the first session key, and transmits the data encrypted with the first session key to the transfer destination.
    Type: Grant
    Filed: October 14, 2005
    Date of Patent: November 30, 2010
    Assignee: Hitachi Global Storage Technologies Netherlands B.V.
    Inventor: Tatsuya Hirai
  • Patent number: 7835525
    Abstract: A cryptographic method using dual encryption keys and a wireless local area network (LAN) system therefor includes (a) generating a first group key in N wireless terminals forming an ad-hoc group, where N is equal to or greater than two, (b) generating a second group key in a main wireless terminal to perform a key distribution center function among the N wireless terminals, and transmitting the second group key to (N-1) sub wireless terminal, and (c) encoding data using the second group key, and transmitting the encoded data between the N wireless terminals. Data security in a wireless LAN system of an ad-hoc network is increased by creating a first group key having a low frequency of use using a group password, and using a random key generation algorithm to create, distribute, and modify a second group key in a wireless terminal functioning as a key distribution center.
    Type: Grant
    Filed: July 7, 2003
    Date of Patent: November 16, 2010
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyung-hun Jang, Jong-ae Park, In-sun Lee
  • Patent number: 7831050
    Abstract: A key distribution scheme comprising a generation and reception system and a specific operation protocol is described. This system allows fast and secure key distribution in optical channels by two stations A and B. One or two true-random physical sources are used to generate random bits and a random sequence received provides the cipher to the following one to be sent. A starting shared secret key is used and the method can be described as a one-time-pad unlimited extender. The minimum probability of error in signal determination by an eavesdropper can be set arbitrarily close to the pure guessing level of one-half and the security of the method comes from the quantum noise of light as well as from the starting secret key. This system allows for optical amplification without security degradation within its operational boundaries.
    Type: Grant
    Filed: December 1, 2004
    Date of Patent: November 9, 2010
    Inventor: Geraldo Alexandre Barbosa
  • Patent number: 7831838
    Abstract: Dynamic run-time verification of a module which is loaded in memory (in whole or in part) for execution is enabled by storing hashes of smaller portions of the module (e.g. page-level hashes) as they should look when loaded into memory for execution. After an initial authentication is completed, hashes of smaller portions of the module are stored. These hashes consist of the portion of memory as modified by changes which would be made by the operating system loader operating normally. Thus, the hashes can be used to verify that the portion as loaded into memory for execution is 1) a correct copy of the portion of the software module, 2) correctly modified for execution by the processor, and 3) not tampered with since loading.
    Type: Grant
    Filed: March 5, 2004
    Date of Patent: November 9, 2010
    Assignee: Microsoft Corporation
    Inventors: Michael David Marr, Scott A. Brender
  • Patent number: 7822201
    Abstract: A novel method and apparatus for protection of streamed media content is disclosed. In one aspect, the apparatus includes control means for governance of content streams or content objects, decryption means for decrypting content streams or content objects under control of the control means, and feedback means for tracking actual use of content streams or content objects. The control means may operate in accordance with rules received as part of the streamed content, or through a side-band channel. The rules may specify allowed uses of the content, including whether or not the content can be copied or transferred, and whether and under what circumstances received content may be “checked out” of one device and used in a second device. The rules may also include or specify budgets, and a requirement that audit information be collected and/or transmitted to an external server. In a different aspect, the apparatus may include a media player designed to call plugins to assist in rendering content.
    Type: Grant
    Filed: May 11, 2007
    Date of Patent: October 26, 2010
    Assignee: Intertrust Technologies Corporation
    Inventors: Talal G. Shamoon, Ralph D. Hill, Chris D. Radcliffe, John P. Hwa
  • Patent number: 7818565
    Abstract: A protocol management system is capable of detecting certain message protocols and applying policy rules to the detected message protocols that prevent intrusion, or abuse, of a network's resources. In one aspect, a protocol message gateway is configured to apply policy rules to high level message protocols, such as those that reside at layer 7 of the ISO protocol stack.
    Type: Grant
    Filed: June 10, 2003
    Date of Patent: October 19, 2010
    Assignee: Quest Software, Inc.
    Inventors: Randy Miller, Robert Poling, Richard S. Pugh, Dmitry Shapiro
  • Patent number: 7814312
    Abstract: An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: October 12, 2010
    Assignee: Microsoft Corporation
    Inventors: Jeffrey B. Parham, Brendan Dixon, Murli Satagopan, Richard Bruce Ward