Abstract: Embodiments are directed towards providing protection to DNS servers against DNS flood attacks by causing a requesting device to perform multiple DNS lookup requests for resolving a resource record. A request from a network device for a resolution of a domain name may be received by a device interposed between the requesting network device and a DNS server. Upon receiving the request to resolve the domain name, the interposed device may respond with a CNAME that includes a cookie. The requesting device may then send another request that includes the cookie preceded CNAME. The interposed device may then validate the returned cookie returned in the CNAME and if valid, forward the domain name resolution request on to a DNS server. The response may then be forwarded to the requesting device.

Abstract: A password recovery technique for access to a system includes receiving a request from a first party to recover the first party's password to access the system, receiving a selection of a second party from the first party, sending a message to the second party requesting that the second party authorize the request to recover the first party's password, receiving authorization from the second party for the request to recover the first party's password, and resetting the first party's password responsive to receiving authorization from the second party.

Abstract: A system and method for presenting on-demand masking of data as a software service in a distributed environment is provided. An application hosted on a computing device receives request for access to application data from a user. Credentials of the user are first validated in order to determine whether the user is authorized to access the requested application data. For an authorized user, a category of the user is determined to ascertain whether the user is privileged to obtain full access. In case the user is a privileged user, unmasked application data is fetched from a database utility and provided to the user. In case the user is not a privileged user, application data access request is transferred to a data masking service. Application data is fetched from database utility, masked based on pre-defined masking rules and provided to the user.

Abstract: A method and apparatus for securing transactions using verified resource locations is described. In one embodiment, the method for authorizing a transaction request using published location information for at least one resource includes examining relationship data regarding at least one resource to identify at least one publisher computer and at least one subscriber computer, wherein the at least one publisher computer communicates location information for the at least one resource and in response to at least one transaction request from the at least one subscriber computer, comparing the location information with the at least one transaction request to verify at least one resource location.

Abstract: A system and method for employing memory forensic techniques to determine operating system type, memory management configuration, and virtual machine status on a running computer system. The techniques apply advanced techniques in a fashion to make them usable and accessible by Information Technology professionals that may not necessarily be versed in the specifics of memory forensic methodologies and theory.

Abstract: Disclosed is an operating method of a non-volatile memory device which comprises randomizing data to store the randomized data; erasing the randomized data; and outputting erase data according to information of a flag cell of the non-volatile memory device at a read operation.

Abstract: A system for transferring secured data has an authentication facilitator that transmits data indicative of a graphical key pad to a remote display device of a user computing device and, in response, receives from the user computing device icon location data indicative of locations of icons selected by a user. Additionally, the authentication facilitator recovers a personal identifier (PI) from the icon location data, translates the recovered PI to obtain a translated PI, and transmits the translated PI. The system further has a partner computing apparatus that receives the translated PI and allows the user access to a secured area based upon the translated PI.

Abstract: A system and method of protecting digital media contents, which maintain compatibility with an existing system and block any attempt to illegally use the digital media contents having various formats, and which reduce a system load and maximize a possibility of reusing the digital media contents. The system includes a packager for analyzing a format of contents and encoding at least a portion of a data region located in a payload of the contents, and for generating encoded contents by inserting encoding information including at least one of an encoding key value and contents information into the contents; and a digital rights management (DRM) server for receiving a request for a license and the encoding information from an external device which receives the encoded contents, for confirming the encoding information and then generating a license which is used to decode the encoded contents, and for providing the generated license to the external device.

Abstract: To improve network reliability and management in today's high-speed communication networks, we propose an intelligent system using adaptive statistical approaches. The system learns the normal behavior of the network. Deviations from the norm are detected and the information is combined in the probabilistic framework of a Bayesian network. The proposed system is thereby able to detect unknown or unseen faults. As demonstrated on real network data, this method can detect abnormal behavior before a fault actually occurs, giving the network management system (human or automated) the ability to avoid a potentially serious problem.

Abstract: An encryption based method of enabling a plurality of parties to share, create, hide, or reveal message or token information over a network includes a commutative group cipher (CGC), where the underlying CGC is secure against ciphertext-only attack (COA) and plaintext attacks (KPA), and is deterministic. The protocols do not require a trusted third party (TTP), and execute rapidly enough on ordinary consumer computers as to be effective for realtime play among more than two players. Protocols are defined which include VSM-L-OL, VSM-VL, VSM-VPUM, and VSM-VL-VUM, wherein the letters V, O, SM, P, and UM represent, respectively, Verified, Locking Round, Open, Shuffle-Masking Round, Partial, and Unmasking Round.

Abstract: A method and system for providing data anonymously is provided. The method involves receiving an encrypted operator match ID by a client device from a first entity, where the encrypted operator match ID is encrypted using a first encryption key; decrypting the encrypted operator match ID using a first decryption key, associated with the first encryption key, by the client device to obtain a decrypted operator match ID; encrypting the decrypted operator match ID using a second encryption key by the client device to obtain a re-encrypted operator match ID; and sending the client device usage information with the re-encrypted operator match ID by the client device to a second entity through an anonymous channel, where the second entity decrypts the re-encrypted operator match ID using a second decryption key, associated with the second encryption key, to obtain the operator match ID.

Abstract: A device and a method for protecting a cryptographic module of which the method includes: estimating a functionality of a circuit that is adapted to malfunction when a physical parameter has a first value different from a nominal parameter value at which the cryptographic module functions correctly. The cryptographic module malfunctions when the physical parameter has a second value different from the nominal parameter value and a difference between the first value and the nominal parameter value being smaller than a difference between the second value and the nominal parameter value. A cryptographic module protective measure is applied if estimating that the circuit malfunctions.

Abstract: A computer-implemented method for controlling access to digital media involves receiving a URL at a computer server system, decoding the URL, extracting a user ID of a user who submitted the URL and an image ID of an image that is accessible by the server system, using the user ID to determine whether the user who submitted the URL is authorized to access the image, and controlling access to the image by the user based on the determination of whether the user who submitted the URL is authorized to access the image.

Abstract: Methods and systems for maintaining user privacy preferences based on one or more user identifications across a plurality of applications are provided. Two or more user identifications are received with associated user privacy preferences. The received user identification is compared against other user identifications to determine if the user identifications relate to the same user. It may be determined that two user identifications are related if they have at least one browser property in common. A consolidated data stream of the user privacy preferences for the related user identifications is created. The consolidated data stream is communicated to one or more applications and propagated to maintain the user privacy preferences across the applications relating to the user identification.

Abstract: Methods, devices, and computer program products facilitate the application of a content use policy based on watermarks that are embedded in a content. Watermark extraction and content screening operations, which can include the application of content usage enforcement actions, may be organized such that some or all of the operations can be conducted at different times by different devices. The watermark extraction results can be stored in a secure location and accessed by other devices at different times. These operations can be conducted by one or more trusted devices that reside in a home network. The home network can also include a gateway device that can coordinate the operations of the various network devices and/or delegate the various watermark extraction and content screening operations.

Abstract: The Internet is becoming an essential part of our lives. This trend is even stronger with the rise of cell phones having Internet access that almost the entire population carries with them at all times. Security is a huge problem on the Internet, however, and new authentication methods are needed specifically for cell phones. Presented here is a method of identifying a mobile electronic device by its configuration settings, potentially including contact list information. This invention, in particular, fills a crucial need to secure access to the Internet from mobile phones.

Abstract: The present invention relates to digital rights management (DRM) for content that downloaded and saved to a storage device. The storage may be a disk drive, or network attached storage. In addition, the storage device performs cryptographic operations and provides a root of trust. The DRM employs a binding key, a content key, and an access key. The binding key binds the content to a specific storage and is based on a key that is concealed on the storage. The binding key is not stored on the storage device with the content. The content key is a key that has been assigned to the content. The access key is determined based on a cryptographic combination of the content key and the binding key. In one embodiment, the content is provisioned based on the access key and stored in encrypted form in the storage device.

Abstract: A processor including instruction support for implementing hash algorithms may issue, for execution, programmer-selectable hash instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include hash instructions defined within the ISA. In addition, the hash instructions may be executable by the cryptographic unit to implement a hash that is compliant with one or more respective hash algorithm specifications. In response to receiving a particular hash instruction defined within the ISA, the cryptographic unit may retrieve a set of input data blocks from a predetermined set of architectural registers of the processor, and generate a hash value of the set of input data blocks according to a hash algorithm that corresponds to the particular hash instruction.

Abstract: A method and associated systems for enhanced isolation and security hardening among multi-tenant workloads. An agent running on a processor of a networked computer system on which multicast and broadcast communications have been disabled captures an address-resolution query message from a querying tenant, converts the query message to a unicast message, and forwards the converted unicast query message to a switch. The switch forwards the converted unicast message to a redirection device and in response receives an address-resolution response message only after the redirection device verifies that the query and response messages comply with security policies. The switch forwards the address-resolution response to the querying tenant in conformance with security policies.

Abstract: Methods for generating data for describing scalable media are disclosed. Data is associated with the scalable media that identifies portions of the scalable media to combine in order to produce media that is scaled to possess a desired scalable attribute without decoding. Portions of the scalable media are encrypted. Data is associated with the portions of the scalable media that identifies protection attributes of the encryption scheme used to encrypt the portions of the scalable media.