Patents Examined by Cordelia Zecher
  • Patent number: 8468338
    Abstract: Security in wireless communication networks that employ relay stations to facilitate communications between base stations and mobile stations is enhanced. In one embodiment, resource information provided to one or more relay stations from a base station or another relay station is encrypted prior to being delivered to the one or more relay stations. Only authorized relay stations are allocated an appropriate key necessary to decrypt the resource information. As such, only appropriate relay stations are able to access and use the resource information to effect communications directly or indirectly between the base stations and the mobile stations. In certain embodiments, the resource information is delivered between the various base and relay stations using either unicast or multicast delivery techniques.
    Type: Grant
    Filed: July 6, 2007
    Date of Patent: June 18, 2013
    Assignee: Apple, Inc.
    Inventors: Hang Zhang, Peiying Zhu, Mo-Han Fong, Wen Tong, Gamini Senarath, Derek Yu, David Steer
  • Patent number: 8468337
    Abstract: A system and method are described for secure data transfer over a network. According to an exemplary embodiment a system for secure data transfer over a network includes memory and a memory controller configured to transfer data received from the network to the memory. The system includes a processor, having logic configured to retrieve a portion of the data from the memory using the memory controller. The processor also includes logic configured to perform security operations on the retrieved portion of the data, and logic configured to store the operated-on portion of the data in the memory using the memory controller. The memory controller is further configured to transfer the operated-on portion of the data from the memory to the network.
    Type: Grant
    Filed: March 2, 2004
    Date of Patent: June 18, 2013
    Assignee: International Business Machines Corporation
    Inventors: Santosh P. Gaur, William Eric Hall
  • Patent number: 8464350
    Abstract: A method, system, and computer program product for operating a web browser in an open browsing mode and a private browsing mode. The method may include calculating, by a computer processor, a privacy probability that a website contains information sensitive to the user. The privacy probability may be based, at least in part, on historical use of the private browsing mode by the user. The method may also include comparing the privacy probability to a privacy threshold and automatically switching the browser from the open browsing mode to the private browsing mode for the website if the privacy probability is greater than the privacy threshold.
    Type: Grant
    Filed: March 14, 2011
    Date of Patent: June 11, 2013
    Assignee: International Business Machines Corporation
    Inventors: Dimitri Kanevsky, James R. Kozloski, Clifford A. Pickover, Tara N. Sainath
  • Patent number: 8458489
    Abstract: Differential uncloneable variability-based cryptography techniques are provided. The differential cryptography includes a hardware based public physically uncloneable function (PPUF) to perform the cryptography. The PPUF includes a first physically uncloneable function (PUF) and a second physically uncloneable function. An arbiter determines the output of the circuit using the outputs of the first and second PUFs. Cryptography can be performed by simulating the PPUF with selected input. The output of the simulation, along with timing information about a set of inputs from where the corresponding input is randomly selected for simulation, is used by the communicating party that has the integrated circuit with the PPUF to search for an input that produces the output. The input can be configured to be the secret key or a part of the secret key.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: June 4, 2013
    Assignee: Empire Technology Development LLC
    Inventors: Nathan Beckmann, Miodrag Potkonjak
  • Patent number: 8458782
    Abstract: Apparatus, systems, and methods may operate to receive, at an authentication agent in a first local area network (LAN), a virtual proxy authentication identification from a virtual proxy serving as a single point of trust for a second LAN across a wide area network. The virtual proxy authentication identification may be included in a modified session message originated within the second LAN. As a result, the apparatus, systems, and methods can operate to transmit content associated with the modified session message to a first plurality of individual proxy modules in the first LAN. Additional apparatus, systems, and methods are disclosed.
    Type: Grant
    Filed: October 17, 2007
    Date of Patent: June 4, 2013
    Assignee: Novell, Inc.
    Inventors: Tv Sriram, Aswinikumar Kondapalli
  • Patent number: 8448244
    Abstract: Embodiments allow for use of fused files that comprise executable code and content data in a more user-friendly and flexible manner. For example, a fused file can include content data and application logic for editing the content data within the file. Security through the use of digital signatures can be supported, but with at least part of a file recognized as extensible so that the file can be edited without “breaking” the signature. Additionally, a computing device can be configured to utilize a “sandbox” environment so that extensible (and/or other) portions of a fused file do not introduce unacceptable security issues even if the digital signature is valid. In some embodiments, the support of extensibility and sandboxing allows a runtime environment to utilize installer-free operation, which can represent a significant advantage in that fused files can be widely distributed to any device utilizing the runtime environment.
    Type: Grant
    Filed: January 8, 2010
    Date of Patent: May 21, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Tim Kukulski, Robert Benson Walton, Allan Padgett
  • Patent number: 8447984
    Abstract: A challenge string is sent from a server to an authentication card. The challenge string is encrypted using a private key on the authentication card. Then, the encrypted challenge string is sent as a response from the authentication card to the server. A unique identifier of the authentication card is correlated to a user record residing at the server to obtain an authentication certificate from within the user record. The authentication certificate includes a public key. The public key from the authentication certificate is used to decrypt the response at the server. A determination is then made as to whether the decrypted response matches the challenge string as originally sent from the server to the authentication card. If the decrypted response matches the original challenge string, the authentication is successful. Otherwise, the authentication fails.
    Type: Grant
    Filed: June 25, 2004
    Date of Patent: May 21, 2013
    Assignee: Oracle America, Inc.
    Inventors: Ellen H. Siegel, Dwight F. Hare, Tanjore S. Ravishankar
  • Patent number: 8443445
    Abstract: Scanning is disclosed. A system is monitored to detect object events. A risk level is determined for an object event, and a scan is scheduled for an object associated with the object event according to the risk level. The risk level may be based on the risk level of the object type, and on the risk level of the operation. An immediate on access scan may be scheduled for a first risk range, a differential scan may be scheduled for a second risk range, and an incremental scan may be scheduled for a third risk range. The scheduled scan is performed.
    Type: Grant
    Filed: June 28, 2006
    Date of Patent: May 14, 2013
    Assignee: EMC Corporation
    Inventors: William Andruss, Christopher Claudatos, Bruce Leetch, Steven Terwilliger
  • Patent number: 8435310
    Abstract: An anti-counterfeiting electronic device includes a function component assigned with an identification code ID and a processor. The processor generates a random code K1 and transmits the random code K1 to the function component; the function component encrypts the random code K1 and the identification code ID to generate a key ID1. The processor further obtains the key ID1 from the function component and decrypts the key ID1 to generate an identification code ID2, and determines whether the identification code ID2 is the same as the ID and executes the system login command if the identification code ID2 is the same as the identification code ID. An anti-counterfeiting method is also provided.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: May 7, 2013
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Xiang Li, Sha-Sha Hu, Bo-Ching Lin, Hsien-Chung Shih
  • Patent number: 8429423
    Abstract: A method of porting of trust data includes a computer system extracting trust data from the trust module using a manufacturer key. The trust data and the manufacturer key are then stored, encrypted with a control key, on a removable storage medium.
    Type: Grant
    Filed: June 10, 2004
    Date of Patent: April 23, 2013
    Assignee: Oracle America, Inc.
    Inventors: James E. King, Rhod J. Jones
  • Patent number: 8429409
    Abstract: Systems and methods are described herein for supporting end users of a mobile device, such as a mobile phone, to reset a secure element associated with the communication device. The reset process may include clearing the secure element, associated memories, and storage devices of any user specific or personalized information associated with the user. The reset process may also include removing or resetting keys or other identifiers within the secure element that associate the mobile device with a particular secure service provider. According to various embodiments, a computer-implemented method for resetting a secure element within a network device may include receiving an encrypted reset request message at the secure element, decrypting the encrypted reset request message using a communication key, verifying authorization for the reset request message, and atomically clearing parameters associated with the secure element.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: April 23, 2013
    Assignee: Google Inc.
    Inventors: Jonathan Wall, Rob von Behren
  • Patent number: 8422675
    Abstract: A cipher key is generated by first information shared in secret between a data transmitting unit 10 and a data receiving unit 20, second information derived from duplication control information of transmit data and third information which is time change information shared between the data transmitting unit and the data receiving unit to cipher data by a CPU 12 by using the above-mentioned cipher key to transmit, from the data transmitting unit 10 to the data receiving unit 20, transmit data in which the duplication control information and the time change information are added to the ciphered data.
    Type: Grant
    Filed: July 19, 2011
    Date of Patent: April 16, 2013
    Assignee: Sony Corporation
    Inventors: Tomoyuki Asano, Yoshitomo Osawa, Teruyoshi Komuro, Ryuji Ishiguro
  • Patent number: 8424095
    Abstract: Policy verification arrangements effecting operations of: modifying address information of system component information for all system components, stored in a system management server, to redirect-address information to a test tool as a substitute destination in order for the test tool to be able to receive a result of system management operations during testing, instead of a corresponding system component; acquiring configuration information of the information processing system from the system management server; generating a test item specifying a test event; transmitting the test event specified by the generated test item to the policy manager and/or said system management server; and recording a result of the system management operations which is requested by the policy manager and/or system management server responsive to the test event specified by the generated test item, but which is redirected back to the test tool via the redirected-address information stored in the system management server.
    Type: Grant
    Filed: September 19, 2011
    Date of Patent: April 16, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Yoshimasa Masuoka, Naoki Utsunomiya
  • Patent number: 8418240
    Abstract: A computer implemented method of reducing central processing unit (CPU) usage of a firewall by safe reordering a current firewall's rule-base exhibiting N rules. The method comprising: receiving rule usage statistics exhibiting usage frequency of each rule on the current firewall's rule-base; calculating a rules matched per packet (RMPP) parameter, being a summation of products of each rule identifier and the corresponding usage frequency for all the N rules; determining an alternative order of the rule base by repositioning rules, wherein the repositioned rules perform the same action on the firewall, or wherein the repositioned rules act on disjoint sets of network connections, and wherein the repositioning results in a reduction of the RMPP of the reordered rule base, thereby reducing the CPU usage of the firewall in implementing the alternative order of rules.
    Type: Grant
    Filed: December 25, 2008
    Date of Patent: April 9, 2013
    Assignee: Algorithmic Security (Israel) Ltd.
    Inventor: Avishai Wool
  • Patent number: 8418250
    Abstract: In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object; the size of the object; the name of the object; the logical storage location or path of the object on the respective remote computers; the vendor of the object; the software product and version associated with the object; and, events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: April 9, 2013
    Assignee: Prevx Limited
    Inventors: Melvyn Morris, Paul Stubbs, Markus Hartwig, Darren Harter
  • Patent number: 8407802
    Abstract: A method of providing web site verification information to a user includes receiving a DNS query including a host name and a seal verification site name, parsing the DNS query, and extracting the host name from the DNS query. The method also includes accessing a DNS zone file including a list of Trust Services customers and determining if the host name is associated with a Trust Services customer in the list of Trust Services customers. The method further includes transmitting a positive identifier to the requester if the host name is associated with a Trust Services customer and transmitting a negative identifier to the requester if the host name is not associated with a Trust Services customer. In a specific embodiment, the Trust Services include issuance of digital certificates.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: March 26, 2013
    Assignee: Symantec Corporation
    Inventors: Barry Ferg, Gary Krall, David M'Raihi, Nicolas Popp
  • Patent number: 8402552
    Abstract: The present invention provides a system and method for maintaining secure information on mobile devices and that balances security and convenience in the provision of mobile data access. Security is maintained by extending the use of industry-accepted two-factor authentication methods, and convenience is enhanced by utilizing a user's existing mobile device accessories as an authentication factor. As a result, the present invention provides a strong authentication system and method without the cost or burden of requiring the user to acquire additional hardware for security purposes.
    Type: Grant
    Filed: January 7, 2009
    Date of Patent: March 19, 2013
    Assignee: Antenna Vaultus, Inc.
    Inventors: Arvind Goyal, Joseph Muthian George
  • Patent number: 8402272
    Abstract: Provided is a communication device which securely registers a slave unit. A secret address generation and setup section generates a secret address generator, and a secret address of the slave unit used temporarily instead of a unique address of the slave unit based on the secret address generator and identification information of the slave unit. A second communication section transmits to the slave unit a registration start notice containing the secret address generator by broadcast.
    Type: Grant
    Filed: July 7, 2010
    Date of Patent: March 19, 2013
    Assignee: Panasonic Corporation
    Inventor: Yibo Zhang
  • Patent number: 8402531
    Abstract: A computer-implemented method is provided for processing access requests in an AAA network. The method includes receiving an access request from a network device, identifying, based upon the access request, an authentication mechanism for facilitating AAA services for the network device and selecting, based on the identified authentication mechanism, a particular server from a plurality of servers that is compatible with the identified authentication mechanism.
    Type: Grant
    Filed: January 5, 2011
    Date of Patent: March 19, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Sharon Schwartzman, Ami Schieber, Victoria Inbar
  • Patent number: 8387131
    Abstract: Methods and apparatus enforce a secure internet connection from a mobile endpoint computing device. A security policy for the endpoint is defined based on its location. From that location, an internet connection is established and detected. This event triggers the launching of a full VPN tunnel connection including an NDIS firewall forcing packet traffic through a port of the endpoint computing device assigned by the security policy and/or MAC/IP addresses of a VPN concentrator. Thereafter, the packet traffic is monitored for compliance with the security policy. This includes determining whether packet traffic over the assigned port is observed within a given time or packet traffic is attempted over other ports. Monitoring occurs whether or not the protocol of the VPN tunnel connection is known. Other features contemplate quarantining for improper operation of the VPN tunnel, undertaking remediation, and computer program products, to name a few.
    Type: Grant
    Filed: May 18, 2009
    Date of Patent: February 26, 2013
    Assignee: Novell, Inc.
    Inventors: Brent R. Beachem, Steven S. McLain, Richard B. Rollins, Neil R. Shaw