Abstract: A data processing apparatus including circuitry for performing data processing, a plurality of registers; and a data store including regions having different secure levels, at least one secure region (for storing sensitive data accessible by the data processing circuitry operating in the secure domain and not accessible by the data processing circuitry operating in a less secure domain) and a less secure region (for storing less secure data). The circuitry is configured to determine which stack to store data to, or load data from, in response to the storage location of the program code being executed. In response to program code calling a function to be executed, the function code being stored in a second region, the second region having a different secure level to the first region, the data processing circuitry is configured to determine which of the first and second region have a lower secure level.

Abstract: The invention is directed to systems, methods and apparatus for securing documents. The system comprises a server having a processor and a data storage device for storing documents, at least one document provider connected to the server, the at least one document provider operable to provide user documents to the server for storage in the data storage device, the user documents containing at least one object of security concern, and at least one document consumer connected to the server, the at least one document consumer operable to receive the user documents containing the at least one object of security concern from the server.

Abstract: A method and apparatus of access control in an electronic apparatus implementing the method are provided. The method of operating an electronic apparatus includes detecting an access request to a resource from an application included in a first area of a memory by a processor of the electronic apparatus, in response to the access request, executing an access control module included in a second area of the memory to calculate a hash value of the application by the processor, determining whether a record exists in the memory, the record corresponding to the hash value and identification information of the application, by executing the access control module by the processor, and allowing access to the resource by the processor when the record exists in the memory.

Abstract: Plural modes of operation, each associated with a class attribute, may be established on a mobile device. The present application discloses a method of handling an application launch request, a computing device for carrying out the method and a computer readable medium for adapting a processor to carry out the method. The method includes receiving a launch request identifying an application that is to be launched, acquiring an identity for the application, acquiring a class for the application, labeling the application with the identity and the class and launching the application.

Abstract: A one-time certificate is provided that enables an initial two-way secured communication session between a user computing device and a trusted server. An initial secured communication session is established by the trusted server with the user computing device after receiving the one-time certificate. The trusted server receives identification information associated with the user of the user computing device, wherein the identification information includes a representation of the user's identity that has been confirmed as a function of biometrics and further includes a representation of the user computing device. Moreover, the trusted server generates a replacement certificate that is unique to the combination of the user and the user computing device, and transmits the replacement certificate to the user computing device.

Abstract: A system includes a security device, configured for cryptographic processing, coupled to receive incoming data from a plurality of data sources (e.g., data from different customers), wherein the incoming data includes first data from a first data source; a controller (e.g., an external key manager) configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device.

Abstract: A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy.

Abstract: A policy framework is maintained on the computing device, and the computing device communicates with a policy server of an enterprise network over a network to receive a set of policy instructions. The policy instructions are executed through the policy framework in order to implement one or more policies that control the mobile computing device's access to resources of the enterprise network.

Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes emulating a user web browsing session including directing a web browser installed on a computer system to visit one or more websites. The method also includes logging network traffic delivered to the computer system in response to the web browser visiting the one or more websites. In addition, the method includes identifying network traffic requested by an application installed on the computer system and delivered to the web browser in response to the web browser visiting the one or more websites.

Abstract: A method for applying a security policy to an application session, includes recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Abstract: A system and method for providing authenticated access to an initiating terminal in relation to the services provided by a terminating terminal via a communications network are disclosed. In one aspect, a global server comprises a communications module, which receives and processes a key exchange initiation message from the initiating terminal so as to establish an encrypted communications channel with the terminating terminal. The communications module, responsive to a received key exchange initiation message, performs an encrypted communication establishment process in respect of the received key exchange initiation message. The encrypted communication establishment process comprises authenticating the initiating terminal, and in the event that the initiating terminal is successfully authenticated, transmitting keying data corresponding to the received key exchange initiation message to the terminating terminal. The keying data is identified on the basis of data associated with the initiating terminal.

Abstract: A computer-implemented method for searching shared encrypted files on third-party storage systems may include (1) receiving, at a server-side computing system, a request from a user to search at least one encrypted file to which a group of users that includes the user shares access, (2) identifying, in response to the request, at least one encrypted search index compiled for and shared by the group of users that enables the encrypted file to be searched, (3) decrypting the encrypted search index with a key with which each user within the group of users has access, and (4) using the decrypted search index to respond to the request from the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present invention refers to a method for reproducing an audio and/or video sequence, as well as a reproducing device and reproducing apparatus that make use of the method; the method reproduces an audio and/or video sequence by means of a decoder (Dav) apt to decode said sequence and a buffer (B) connected upstream to said decoder (Dav) and able to store at least a part of said sequence; the sequence is transmitted by means of a number of data blocks; each of said blocks comprises an audio and/or video information data section and a corresponding error correction data section; such sections are transmitted in different time intervals; the method comprises a transitory operation mode and a steady state operation mode; in the steady state operation mode the correction data of the block (FEC) are applied to the corresponding information data before said information data are supplied to said decoder (Dav), while in the transitory operation mode the information data of a block are directly supplied to said dec

Abstract: The present disclosure generally provides systems and methods of providing identification and access management. The system could include a network security zone having access rules for a network resource object associated with the network. The system could also include a module to collect information related to an attempt to access the network resource object and to generate an alert if the collected information fails to meet certain requirements related to the access rules. The module could change the access rules to prevent possible future unauthorized access attempts based on the collected information.

Abstract: Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.

Abstract: Systems and methods for protecting communications between at least two nodes protect the identity of a node requesting information, provide content of communications being sent and/or obscuring a type of communications being sent. Varying degrees of protection options including encryption, intermediate node termination and direct node communications are provided.

Abstract: Applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Abstract: An exemplary technique is provided for use in a decentralized electronic transfer system. A first digital code that represents a first transaction is generated from a first user's secure repository to the first user's unsecure repository. The first digital code is sent to a secure storage memory related to the unsecure repository to be stored in an area of the memory. A processor related to the unsecure repository generates a second digital code that represents a second transaction from the unsecure repository to the second user's repository. The processor retrieves the first digital code stored in the secure storage memory and publishes the retrieved digital code to validate the first transaction. In addition, the processor publishes the second digital code to validate the second transaction.

Abstract: A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy.

Abstract: An electronic device includes a touch screen. When the electronic device wakes up and works in a locked state, a notification interface including a predetermined unlocking area is displayed on the touch screen. A user pattern formed by at least two fingers of a user located within the predetermined unlocking area is detected. The electronic device is unlocked if the user pattern matches a predetermined unlocking pattern.