Patents Examined by April Y. Shan
  • Patent number: 7490356
    Abstract: A flexible, efficient and easy-to-use computer security management system effectively evaluates and responds to informational risks on a wide variety of computing platforms and in a rapidly changing network environment. An individual computer system dynamically monitors its end user, without regard to network connectivity, in order to calculate a risk score and to ensure that the end user's behavior does not put corporate information or other assets at risk. Data regarding such risks and responses are analyzed and stored in real-time.
    Type: Grant
    Filed: July 20, 2004
    Date of Patent: February 10, 2009
    Assignee: Reflectent Software, Inc.
    Inventors: Jason Lieblich, Dustin Norman
  • Patent number: 7472268
    Abstract: A system is provided for cycling encryption keys to prevent the guessing of encrypted presence information in a shared information space. The system of the invention prevents malicious publication of presence information and ensures that only valid presence information is published to the shared information space. A malicious subscriber is prevented from knowing that he/she has been detected while a search is underway to determine his/her identity. During such a search, authorized subscribers are shifted to a new source of presence information while the malicious subscriber remains at the previous source.
    Type: Grant
    Filed: August 12, 2003
    Date of Patent: December 30, 2008
    Assignee: Mitel Networks Corporation
    Inventor: Thomas A. Gray
  • Patent number: 7444518
    Abstract: A permission level associated with a child's access to a Web server is identified. A relationship ticket is obtained from an authentication server and a request is generated to set the identified permission level. The request and the relationship ticket are sent to the Web server and a success code is received from the Web server if the requested permission level is established.
    Type: Grant
    Filed: September 29, 2003
    Date of Patent: October 28, 2008
    Assignee: Microsoft Corporation
    Inventors: Baskaran Dharmarajan, Cem Paya, Ashvin Mathew
  • Patent number: 7440573
    Abstract: A process of controlling a flow of data in a wireless network providing wireless access to the wireless network by wireless devices is disclosed. Data is received from a wireless device by a network device, through one access point of a plurality of access points in communication with the network device, indicating a client identifier for the wireless device. The client identifier is forwarded to an authentication server and the network device mediates authentication of the wireless device with the authentication server. Thereafter, data packets received from portions of the wireless network and from the plurality of access points are evaluated and the received data packets are passed to portions of the wireless network and to the plurality of access points, based on the evaluation of the received data packets. In addition, the network device periodically polls for a status of the wireless device from the access point.
    Type: Grant
    Filed: August 4, 2003
    Date of Patent: October 21, 2008
    Assignee: Broadcom Corporation
    Inventors: Kar-Wing Edward Lor, Richard Martin, Alarabi Omar Hassen
  • Patent number: 7424740
    Abstract: A system and method for improved activation of a personal computer and/or other processing devices is provided. Power and security states are combined and further reduced to three activation states which may be operated by a single secure device. The system may include any number of activation states for operating the computer using only the single secure device. The secure access device handles both security and power management by authenticating physical access to the computer and the identity of the user. For this purpose, a device containing a biometric reader may be integrated with a smart card and the biometric identification used as an authentication code to secure the smartcard. The secure access device may be inserted into a locking mechanism used by the user to transition between activation states.
    Type: Grant
    Filed: May 5, 2003
    Date of Patent: September 9, 2008
    Assignee: Microsoft Corporation
    Inventors: Eric Gould Bear, Chad Magendanz, Aditha May Adams, Carl Ledbetter, Steve Kaneko, Chris Schoppa, Adrian Chandley, William J. Westerinen
  • Patent number: 7415618
    Abstract: Obfuscating an application program comprises reading an application program comprising code, transforming the application program code into transformed application program code that uses one of multiple opcode value encoding schemes of a dispatch table associated with the application program, and sending the transformed application program code. Executing an obfuscated application program comprises receiving an obfuscated application program comprising at least one instruction opcode value encoded using one of multiple instruction set opcode value encoding schemes, determining a dispatch table associated with the application program, and executing the application program using the associated dispatch table. The dispatch table corresponds to the one of multiple instruction set opcode value encoding schemes.
    Type: Grant
    Filed: September 25, 2003
    Date of Patent: August 19, 2008
    Assignee: Sun Microsystems, Inc.
    Inventor: Eduard K. de Jong
  • Patent number: 7409705
    Abstract: Disclosed is a user authentication system, which is designed to present a presentation pattern to a user subject to authentication, and apply a one-time-password derivation rule serving as a password of the user to certain pattern elements included in the presentation pattern at specific positions so as to create a one-time password. An authentication server is operable to generate a pattern seed value adapted to be combined with a user ID so as to allow a presentation pattern to be uniquely determined, and transmit the generated pattern seed value to an authentication-requesting client. The authentication-requesting client is operable to display a presentation pattern created based on an entered user ID and the received pattern seed value and in accordance with a given pattern-element-sequence creation rule, so as to allow the user to enter therein a one-time password, and transmit the entered one-time password to the authentication server.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: August 5, 2008
    Assignee: Computer Systems Engineering Co., Ltd.
    Inventors: Yukiya Ueda, Tsugune Saito, Shigetomo Tamai
  • Patent number: 7406597
    Abstract: Techniques for efficiently authenticating multiple objects and clustering objects based on access patterns are provided. For example, in an illustrative aspect of the invention, a technique for generating and/or reading authentication information, wherein the authentication information provides evidence that a plurality of objects were one of generated and sent by an entity, comprises using one or more object access patterns indicative of whether at least two of the plurality of objects are accessed within a similar time period to group objects together to reduce an overhead for at least one of generating and reading the authentication information.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: July 29, 2008
    Assignee: International Business Machines Corporation
    Inventors: Arun Kwangil Iyengar, Jian Yin
  • Patent number: 7383587
    Abstract: A data processing system includes a processor that can operate in a plurality of modes and in either a secure domain or a non-secure domain. At least one secure mode is a mode in the secure domain, and at least one non-secure mode is a mode in the non-secure domain. When the processor is executing a program in a secure mode and that program has access to secure data which is not accessible when the processor is operating in a non-secure mode, the processor is responsive to exception conditions for triggering exception processing. Specifically, the processor is responsive to a parameter specifying which of the exceptions should be handled by a secure mode exception handler executing in a secure mode and which should be handled by an exception handler executing in a mode within a current one of the secure domain and the non-secure domain when that exception occurs.
    Type: Grant
    Filed: November 17, 2003
    Date of Patent: June 3, 2008
    Assignee: Arm Limited
    Inventors: Simon Charles Watt, Christopher Bentley Dornan, Luc Orion, Nicolas Chaussade, Lionel Belnet, Stephane Eric Sebastien Brochier
  • Patent number: 7370200
    Abstract: The present invention provides for validating an association between computing devices using a succession of human-perceptible stimuli such as sounds, lights, colors or shapes. Commands are sent from the initiating device to the responding device in encrypted messages. Human-perceptible stimuli are formed at the responding device in response to at least some of the commands. The responder searches for messages that the responder is unable to decrypt and that are received in a time interval before messages that the responder is able to decrypt. The succession of human-perceptible stimuli may be harmonized, in which case, an association between the initiating device and the responding device is validated when the human-perceptible stimuli formed by the initiating device and the human-perceptible stimuli formed by the responding device are harmonized together.
    Type: Grant
    Filed: January 30, 2004
    Date of Patent: May 6, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Timothy Paul James Gerard Kindberg, Jean Tourrilhes, Kan Zhang
  • Patent number: 7370360
    Abstract: An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE.
    Type: Grant
    Filed: May 13, 2002
    Date of Patent: May 6, 2008
    Assignee: International Business Machines Corporation
    Inventor: Peter A. J. van der Made
  • Patent number: 7366299
    Abstract: A data cryptographer encrypts and decrypts character data of any given length using derivative equations and factors. The use of factors and derivative equations introduces the randomness required for effective encryption without the use of complex mathematics. A set of equations determined by the user is used in a manner similar to a key but with random results. Only a portion of the key is exposed to decrypt the encrypted information. The data cryptographer may be configured using either simple or complex equations and may be implemented in an unlimited number of variations. The data cryptographer is portable, and can be implemented in any programming language that supports cyclical character manipulation. The data cryptographer also supports input from a variety of sources, allowing control from the administrator side, string value side, or any other input that may be extracted from the desired programming language.
    Type: Grant
    Filed: September 26, 2003
    Date of Patent: April 29, 2008
    Assignee: International Business Machines Corporation
    Inventor: Tom Thuan Cheung
  • Patent number: 7360095
    Abstract: The present invention provides a method, apparatus, and computer instructions for warning of a presence of a person in a zone having an inadequate security clearance. Movement of the person in the zone is detected. A message is broadcast to selected data processing systems associated with the zone, wherein the data processing systems initiate actions to protect data in the selected data processing systems.
    Type: Grant
    Filed: May 22, 2003
    Date of Patent: April 15, 2008
    Assignee: International Business Machines Corporation
    Inventors: Janice Marie Girouard, Mark Joseph Hamzy, Emily Jane Ratliff
  • Patent number: 7349543
    Abstract: Example systems, methods, computer-readable mediums, and other forms of a secure foreign enterprise printing system are provided. An example system may include a wireless telephonic logic for communicating with a wireless network web services provider and a wireless network communication logic configured to communicate a print request to the wireless network web services provider using the wireless telephonic logic. The print item may be stored in a first enterprise and may be printed on an image forming device that is located in a second enterprise. The example system may also include an encryption logic configured to facilitate providing security for the print item as it travels from the first enterprise to the image forming device.
    Type: Grant
    Filed: October 16, 2003
    Date of Patent: March 25, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Shell S. Simpson, Daniel Revel, Alan C. Berkema, David M. Hall, Patrick O. Sandfort, Darrel D. Cherry, Jeremy Bunn, Kenneth L. Oakeson
  • Patent number: 7324648
    Abstract: Rather than downloading each content document on demand from the publisher location to the user site, at the publisher location, each content document is encrypted and then multiple encrypted documents are assembled into a distribution archive that is itself encrypted with a scheduled key. The distribution archive is then downloaded into a content server at the user site. When the content server receives the distribution archive, it decrypts the archive file and unpacks the encrypted documents. The scheduled key used to decrypt an archive file is included with an archive file that was sent previously to the user site in accordance with the subscription service. The scheduled key to decrypt the first archive file sent to the user is sent from the publisher to the user over a communication channel different from the communication channel used to send the archive file from the publisher to the user.
    Type: Grant
    Filed: July 8, 2003
    Date of Patent: January 29, 2008
    Assignee: Copyright Clearance Center, Inc.
    Inventors: John Deaver, Skott C. Klebe, Woodrow W. Johnson
  • Patent number: 7318153
    Abstract: A mark issuing server operated by a mark issuer manages mark information collectively. A terminal of a user sends an information providing request to an information providing server of an information provider, and issues a mark issuing request to the mark issuing server on the basis of the information providing request. The information providing server searches for information corresponding to the information providing request from the terminal of the user, and provides the terminal of the user with information including requested information and location information of the mark issuing server. The mark issuing server determines validity of information provided from the information providing server on the basis of the mark issuing request, and sends a mark to the terminal of the user when the validity is verified, and the terminal of the user displays the mark with the information provided from the information providing server.
    Type: Grant
    Filed: April 17, 2001
    Date of Patent: January 8, 2008
    Assignee: NTT Communications Corporation
    Inventors: Tsuyoshi Shimizu, Hajime Sasaki, Takashi Matsumoto
  • Patent number: 7308711
    Abstract: A method and system are disclosed for managing and implementing a plurality of network policies in a network device. Each of the plurality of policies is defined by one or more filters. The filters are installed in a policy engine. A layer identifies the network policy to be applied to a packet by sending a request to the policy engine. The policy engine then returns the policy to the requesting layer. The method and system may be used to implement a programmable, host-based, distributed, authenticating firewall that enables security and other policies to be applied at several protocol layers.
    Type: Grant
    Filed: June 6, 2003
    Date of Patent: December 11, 2007
    Assignee: Microsoft Corporation
    Inventors: Brian D. Swander, William H. Dixon
  • Patent number: 7305089
    Abstract: The camera includes a sensor for sensing the photographer's iris image and registering the image in advance. The iris image is recorded in the image of a subject by a digital MCU at a timing different from that at which the image of the subject is captured. The recording timing is that at which the camera power supply is turned off, that at which a recording medium is ejected from the camera or that at which the iris image to be recorded is changed to the registered iris image of another photographer. The recording of the iris image is achieved by embedding it as a watermark or by appending it to metadata.
    Type: Grant
    Filed: June 13, 2003
    Date of Patent: December 4, 2007
    Assignee: Canon Kabushiki Kaisha
    Inventors: Goichi Morikawa, Go Tokura
  • Patent number: 7296146
    Abstract: Methods and apparatus in a partitionable computing system. A processor communicates with a packet former. The packet former can be configured to construct a data packet that can include security status information related to a partition or processor.
    Type: Grant
    Filed: January 12, 2004
    Date of Patent: November 13, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Mark Edward Shaw, Vipul Gandhi, Gary Belgrave Gostin, Craig W. Warner
  • Patent number: 7290287
    Abstract: A method, system, and program for security screening of electronic devices by device identifier are provided. A security scanning system detects an identifier from an electronic device. The identifier may be a radio frequency identifier or other type of identifier which is preferably detectable by the security scanning system regardless of the operating status of the electronic device. The security scanning system queries a database with the identifier for information about the electronic device. Responsive to receiving the information about the electronic device from the central database, at least one real-time scanned characteristic of the electronic device is compared with this information. The information includes characteristics of the components of the electronic device and an x-ray overlay of the electronic device. If the real-time scanned characteristics and the information match, then the electronic device is designated as secure.
    Type: Grant
    Filed: November 20, 2003
    Date of Patent: October 30, 2007
    Assignee: International Business Machines Corporation
    Inventors: Herman Rodriguez, Newton James Smith, Jr., Clifford Jay Spinac