Patents Examined by Cordelia Zecher
  • Patent number: 8572697
    Abstract: The present invention provides a mechanism to communicate an original object (12S) without requiring the sending of the complete original object. A representative of the original object (12S), a statistical object (14S), is generated by one entity and is communicated to a second entity. The second entity receives the statistical object (14S), and identifies it as being generated from an original object (12S). If the second entity is unable to unambiguously identify the statistical object (14S), the second entity records the partial identity progress and associated communications characteristics information (22). The amount of information communicated during this process is much smaller than the original object (12S), greatly improving the speed and efficiency of communicating an original object (12S).
    Type: Grant
    Filed: November 18, 2011
    Date of Patent: October 29, 2013
    Assignee: BlackRidge Technology Holdings, Inc.
    Inventors: John W. Hayes, Christopher Luis Hamlin
  • Patent number: 8566617
    Abstract: The payload of a set of storage devices is encrypted using a payload key that is stored within the set of storage devices itself. However, the payload key is obtainable only if a user has access to n of the storage devices. A first set of keys can be distributed among a set of n storage devices, such that each key is usable to encrypt and/or decrypt a key stored on a different one of the n storage devices. The first set of keys is usable to encrypt portions of the information needed to regenerate another key (e.g., the payload key or a key used to encrypt the payload key). A different portion of the information needed to regenerate the other key is stored on each of the n storage devices. Accordingly, the other key cannot be obtained unless the user has access to all n storage devices.
    Type: Grant
    Filed: October 10, 2011
    Date of Patent: October 22, 2013
    Assignee: Symantec Operating Corporation
    Inventor: Thomas G. Clifford
  • Patent number: 8556991
    Abstract: Techniques for protecting resources of a client from theft or unauthorized access. A BIOS agent stores policy data within a BIOS of the client. The BIOS agent is one or more software modules operating in the BIOS of the client. The policy data describes one or more security policies which the client is to follow. In response to the client following at least one of the one or more security policies, a persistent storage medium of the client is locked by instructing a controller of the persistent storage medium to deny, to any entity, access to data stored on the persistent storage medium unless the entity supplies, to the controller, a recognized authentication credential. In this way, a malicious user without access to the recognized authentication credential cannot access the data stored on the persistent storage medium, even if the persistent storage medium is removed from the client.
    Type: Grant
    Filed: November 5, 2009
    Date of Patent: October 15, 2013
    Assignee: Absolute Software Corporation
    Inventors: Anahit Tarkhanyan, Ravi Gupta
  • Patent number: 8555378
    Abstract: Systems and methods are included for accessing resource objects in a multi-threaded environment. A request is received from a requester to perform an operation with respect to a resource object, where the requested resource object has multiple associations with other objects. A determination as to whether an authorization cache entry corresponding to the requested resource object contains sufficient permission data for granting or denying the request for access to the requested resource object is made. A grant or deny of access to the requested resource object is returned when the authorization cache entry corresponding to the requested resource object contains sufficient permission data.
    Type: Grant
    Filed: August 10, 2009
    Date of Patent: October 8, 2013
    Assignee: SAS Institute Inc.
    Inventors: Brian Payton Bowman, John Forrest Boozer
  • Patent number: 8555082
    Abstract: The present disclosure includes apparatus, systems, digital logic circuitry and techniques relating to data encoding. A method performed by a system on a chip (SOC) includes receiving data to be output to a memory unit external to the SOC. Also a key for scrambling the received data is received. A proper subset of the key is identified and used to scramble the received data. The scrambled data is output to the memory unit external to the SOC.
    Type: Grant
    Filed: March 29, 2010
    Date of Patent: October 8, 2013
    Assignee: Marvell International Ltd.
    Inventors: Vasudev J. Bibikar, Minda Zhang, David Hawkins, Paul A. Lambert
  • Patent number: 8544073
    Abstract: Systems and methods of performing single sign-on authentication from multiple platforms when establishing a connection to a database are described. An application can securely access a database based on user credentials provided during a prior authentication. In an embodiment, single sign-on is accomplished by relying on existing and emerging authentication, security service, security mechanism, and wire protocols, enabling the creation of drivers to accommodate various platforms and databases. In another embodiment, a pure type 4 Java Driver is used, eliminating dependencies on native operating functionality.
    Type: Grant
    Filed: July 7, 2004
    Date of Patent: September 24, 2013
    Assignee: Progress Software Corporation
    Inventors: James Walter Silhavy, Dirk Voet
  • Patent number: 8539246
    Abstract: Systems, methods and products are described that provide secure resume for encrypted drives. One aspect provides a method including: receiving an indication to resume from a suspended state at a computing device; responsive to authenticating a user at one or more input devices, accessing a value in a BIOS derived from authenticating the user at the one or more input devices; responsive to accessing the value, releasing a credential for unlocking one or more encrypted drives; and thereafter proceeding to resume from the suspend state.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: September 17, 2013
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Kenneth S. Seethaler, Randall S. Springfield, Howard Locker, Joseph M. Pennisi
  • Patent number: 8539589
    Abstract: An automated configuration management system (ACMS) oversees resources of a virtualized ecosystem by establishing a baseline configuration (including, e.g., security controls) for the resources; and, repeatedly, monitoring and collecting data from the resources, analyzing the data collected, making recommendations concerning configuration changes for the resources of the virtualized ecosystem based on the analysis, and either adopting and implementing the recommendations or not, wherein new states of the virtualized ecosystem and reactions to recommended changes are observed and applied in the form of new recommendations, and/or as adjustments to the baseline. The recommendations may be implemented automatically or only upon review by an administrator before being implemented or not.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: September 17, 2013
    Assignee: Hytrust, Inc.
    Inventors: Hemma Prafullchandra, Russell Weisz, Renata Budko, Eric Ming Chiu, Boris Belov
  • Patent number: 8533484
    Abstract: A method for password-protected physical transfer of password-protected devices including at a receiving location, generating at least one security file including an encrypted element generated using a one-way encryption function utilizing at least one secure code, transmitting the at least one security file to a shipping location at which the password-protected devices are located, at the shipping location, using at least one shipping location password, loading the at least one security file into at least one password-protected device, shipping the at least one password-protected device to the receiving location and at the receiving location, employing the at least one secure code to supply an input to the at least one password-protected device and employing the at least one security file to enable establishment of at least one receiving location password for the at least one password-protected device which replaces the at least one shipping location password.
    Type: Grant
    Filed: March 29, 2010
    Date of Patent: September 10, 2013
    Assignee: Verifone, Inc.
    Inventors: Paul Andrew Serotta, Jeffery Allen Reich, Chris Anthony Madden
  • Patent number: 8522039
    Abstract: A federated identity, established through possession of a single sign-on token, will allow a personal wireless device (PWD) to be used in a commercial environment to purchase goods or services, access a building, access a telephone, wireless, or computer network, or in numerous other instances. The token may be obtained by the user authenticating with the PWD and the PWD authenticating with the network. When the PWD comes within range of a service provider, a session is established using a short range wireless protocol, such as Bluetooth or infrared. The session is secured using a security protocol such as SSL, and the service provider authenticates its identity to the PWD. Policy may be implemented regarding transmission of the token to the service provider. Upon receipt of the token, the service provider will validate the token with the federated identity provider, obtain identifying information, and complete the transaction.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: August 27, 2013
    Assignee: Apple Inc.
    Inventors: Arn Hyndman, Nicholas Sauriol
  • Patent number: 8522032
    Abstract: A system to prevent audio watermark detection includes content having a video portion and an audio portion, the audio portion having a watermark, an audio/video separator configured to separate the video portion and the audio portion, and a random number generator configured to generate a random number corresponding to a shifted frequency. The system also includes a frequency shift element configured to apply the shifted frequency to the audio portion to alter a spectrum of the watermark so as to prevent detection of the watermark by a device seeking to recover the watermark. The system also includes an audio resampler configured to resample the audio portion to restore the audio portion to an original length, and an audio/video combiner configured to combine the video portion and the audio portion.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: August 27, 2013
    Assignee: Disney Enterprises, Inc.
    Inventor: Michael J. Strein
  • Patent number: 8516584
    Abstract: Method for detecting malicious behavioral patterns which are related to malicious software such as a computer worm in computerized systems that include data exchange channels with other systems over a data network. According to the proposed method, hardware and/or software parameters that can characterize known behavioral patterns in the computerized system are determined. Known malicious code samples are learned by a machine learning process, such as decision trees, Naïve Bayes, Bayesian Networks, and artificial neural networks, and the results of the machine learning process are analyzed in respect to these behavioral patterns. Then, known and unknown malicious code samples are identified according to the results of the machine learning process.
    Type: Grant
    Filed: January 24, 2008
    Date of Patent: August 20, 2013
    Assignee: Deutsche Telekom AG
    Inventors: Robert Moskovitch, Dima Stopel, Zvi Boger, Yuval Shahar, Yuval Elovici
  • Patent number: 8495754
    Abstract: Mechanisms for executing a software routine in an application executing as a multi-user single address space subsystem in an operating environment having a trusted mode of operation for trusted routines and a reduced-trust mode of operation for untrusted routines. The application includes a control module for execution as a trusted routine and a trusted routine table including identifiers of trusted routines. The control module performs switches between a trusted mode of operation for execution and a reduced trust mode of operation based on various determinations regarding the nature of a calling routine being trusted or untrusted, a call stack, and whether the calling routine is being restored or not from the call stack.
    Type: Grant
    Filed: March 14, 2012
    Date of Patent: July 23, 2013
    Assignee: International Business Machines Corporation
    Inventor: Peter E. Havercan
  • Patent number: 8490160
    Abstract: Open federation security techniques with rate limits are described. An apparatus may include a network interface operative to communicate messages, and a secure open federation (SOF) module operative to manage a message rate between multiple federated networks. The SOF module may comprise a peer authentication module operative to determine whether a peer making the message is an untrusted peer. The SOF module may comprise a peer rate tracking module operative to retrieve a message rate value and a message rate limit value associated with the untrusted peer, and compare the message rate value with the message rate limit value to form a threat status indicator value. The SOF module may comprise a peer authorization module operative to authorize communication of the message based on the threat status indicator value. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: July 16, 2013
    Assignee: Microsoft Corporation
    Inventors: Jeremy T. Buch, Michael Trommsdorff, James Undery
  • Patent number: 8490194
    Abstract: Method for detecting malicious behavioral patterns which are related to malicious software such as a computer worm in computerized systems that include data exchange channels with other systems over a data network. Accordingly, hardware and/or software parameters are determined in the computerized system that can characterize known behavioral patterns thereof. Known malicious code samples are learned by a machine learning process, such as decision trees and artificial neural networks, and the results of the machine learning process are analyzed in respect to the behavioral patterns of the computerized system. Then known and unknown malicious code samples are identified according to the results of the machine learning process.
    Type: Grant
    Filed: January 29, 2007
    Date of Patent: July 16, 2013
    Inventors: Robert Moskovitch, Dima Stopel, Zvi Boger, Yuval Shahar, Yuval Elovici
  • Patent number: 8484480
    Abstract: Method and apparatus for information transmission are provided. A method for information transmission uses a virtual input layout to encrypt security information. The method uses a server to receive an access request from a user client and to generate a virtual input layout based on information of an actual input layout of the user client. Each key in the virtual input layout has a corresponding relationship with a respective key in the actual input layout, and at least some of the keys in the virtual input layout represent symbols or functions that are different from their corresponding keys in the actual input layout. The server sends the virtual input layout to the user client to be displayed, and subsequently receives from the user client virtual security information entered by the user according to the virtual input layout displayed. The server then converts the virtual security information to obtain true security information.
    Type: Grant
    Filed: July 7, 2009
    Date of Patent: July 9, 2013
    Assignee: Alibaba Group Holding Limited
    Inventors: Li Cheng, Lei Li
  • Patent number: 8479265
    Abstract: Embodiments of the invention provide systems and methods for authorizing a request to access a resource based on a context of the request. According to one embodiment, a method of authorizing a request for a resource based on a context of the request can comprise receiving the request from a requester, identifying the context of the request, and determining whether to authorize the request based on the context of the request. In some cases, the request can include context information describing the context of the request. In such cases, identifying the context can be based at least in part on the context information from the request. Additionally or alternatively, context information describing the context can be requested and received in response to the request. In such a case, identifying the context can be based at least in part on the received context information.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: July 2, 2013
    Assignee: Oracle International Corporation
    Inventor: Stephane H. Maes
  • Patent number: 8472619
    Abstract: In one aspect, a method for providing encrypted information includes encrypting a true message to form an encrypted true message. A ciphertext message including the encrypted true message is formed, where multiple messages are decryptable from the ciphertext message. The messages include a true message including true information and at least one decoy message including false information.
    Type: Grant
    Filed: July 13, 2011
    Date of Patent: June 25, 2013
    Assignee: Xilinx, Inc.
    Inventor: Stephen M. Trimberger
  • Patent number: 8474054
    Abstract: Conditional access (CA) and digital rights management (DRM) in digital media delivery, processing, and storage systems. Methods and apparatuses are provided for managing digital rights under the protection of multiple CA and/or DRM systems. Some embodiments provide secure and robust methods for bridging multiple DRM systems in the digital media content distribution and playback systems. The present invention simplifies content repurposing, after it has been bridged to a secondary DRM system, but still under the control of the original DRM system.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: June 25, 2013
    Assignee: Digital Keystone, Inc.
    Inventors: Luc Vantalon, Paolo Siccardo
  • Patent number: 8473747
    Abstract: Systems, methods and products are described that provide secure boot with a minimum number of re-boots. One aspect provides a method including receiving an indication to boot from a power off state at a computing device; responsive to authenticating a user at one or more input devices, releasing a value derived from authenticating the user at the one or more input devices; responsive to releasing the value, unlocking one or more encrypted drives with a previously established alternate credential; and thereafter proceeding to boot from the power off state. By not having to call the non-BIOS software each boot, this minimizes the number of reboots for each boot cycle.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: June 25, 2013
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Randall S. Springfield, Joseph M. Pennisi, Howard Locker, Kenneth S. Seethaler