Patents Examined by David García Cervetti
  • Patent number: 8667582
    Abstract: A system, method, and computer program product are provided for directing predetermined network traffic to a honeypot. In use, predetermined network traffic originating from a node in a local area network and/or a virtual private network is identified. Further, the predetermined network traffic is directed to a honeypot.
    Type: Grant
    Filed: December 10, 2007
    Date of Patent: March 4, 2014
    Assignee: McAfee, Inc.
    Inventors: Vinoo Thomas, Nitin Jyoti
  • Patent number: 8661525
    Abstract: An implementation method and system of a virtual private network (VPN) are provided in the invention, wherein, the VPN dedicated mapping table of the VPN is stored in the mapping plane in the identity and location separation network, and it is determined whether to achieve the communication between the VPN end host users in the VPN or not according to the VPN dedicated mapping table, thereby the VPN is efficiently achieved in the identity and location separation network, meeting the user requirements for the VPN, eliminating the influence of the identity and location separation technical solution on the traditional VPN service, and reducing the changes on the existing devices and software tools due to the implementation of VPN.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: February 25, 2014
    Assignee: ZTE Corporation
    Inventors: Xiangbiao Yan, Yizhou Sun
  • Patent number: 8661548
    Abstract: An administration system for use within a server system is provided. The server system having a server that provides host management functions and the server system being able to accept computer cards inserted therein. The administration system comprises a computing system that is inserted in the server system, the computing system having a controller that assumes control over the communications bus.
    Type: Grant
    Filed: March 6, 2010
    Date of Patent: February 25, 2014
    Assignee: Embotics Corporation
    Inventors: John P. Shannon, Thane Brown, John McCarthy, David A. Watson, Anthony Richard Phillip White
  • Patent number: 8661544
    Abstract: A method is disclosed for distributed detection of botnets via a plurality of sensors on a network. According to embodiments, DNS information, including domain names and addresses, is received at a sensor, the number of unique subnets corresponding to a domain name is determined and an alert is sent to other sensors when the number of unique subnets exceeds a first threshold. Other embodiments are also disclosed.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: February 25, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Chui-Tin Yen, Saumyavapuh Lugani, Snigdhendu Mukhopadhyay, Kuntal Daftary
  • Patent number: 8655155
    Abstract: Management information for video data and audio data that are created after their recording is started until it is stopped and that are recorded as a stream file on a record medium is more securely stored. When their recording is started, EP entry information contained in management information of the stream file is created. Whenever EP entry information is created, it is written to a nonvolatile memory. After their recording is stopped, fixed value information and so forth that are contained in the management information are created and written to the nonvolatile memory. According to a disc eject operation, the management information written to the nonvolatile memory is written to the disc and the contents stored in the nonvolatile memory are cleared. Likewise, when power is turned off without the eject operation, information stored in the nonvolatile memory is written to the disc.
    Type: Grant
    Filed: July 25, 2007
    Date of Patent: February 18, 2014
    Assignee: Sony Corporation
    Inventors: Yukio Isobe, Kenichiro Aridome, Naoki Morimoto, Atsushi Mae, Tetsuhiro Maeda
  • Patent number: 8650609
    Abstract: A conventional method of verifying alteration of an image file has a problem of security and may negatively affect user convenience. An image processing apparatus according to the present invention records, as an image file, input image data and a plurality of types of parameters input by the user, and stores, for each of parameter types classified in accordance with the features of the parameters, first security information based on the plurality of types of parameters. When reading out the image file, second security information is decided for each of parameter types based on the plurality of types of parameters included in the image file. If determined that the pieces of security information for any of the parameter types do not coincide, processing for the image file is changed in accordance with information to be used to restrict the processing to be executed for the image file.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: February 11, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Aya Kasahara
  • Patent number: 8646071
    Abstract: A method, and associated system and computer program product, of validating site data. The method includes the steps of, in a processing system 200, receiving 100 an indication of site data, performing a comparison 110 of the indication to site data criteria, and validating or invalidating 120 the indication based on a result of the comparison. The indication of site data could be at least part of a webpage, a link to a webpage, a Uniform Resource Locator, an IP address, at least part of an AJAX page, and/or at least part of a document.
    Type: Grant
    Filed: August 2, 2007
    Date of Patent: February 4, 2014
    Assignee: Symantec Corporation
    Inventors: Ryan Pereira, Simon Clausen, Ian Oliver
  • Patent number: 8646052
    Abstract: In some embodiments, the invention involves securing sensitive data from malware on a computing platform and, more specifically, utilizing virtualization technology and protected audio video path technologies to prohibit a user environment from directly accessing unencrypted sensitive data. In an embodiment a service operating system (SOS) accesses sensitive data requested by an application running in a user environment virtual machine, or a capability operating system (COS). The SOS application encrypts the sensitive data before passing the data to the COS. The COS makes requests directly to a graphics engine which decrypts the data before displaying the sensitive data on a display monitor. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: February 4, 2014
    Assignee: Intel Corporation
    Inventors: Balaji Vembu, Nitin Sarangdhar, Vedvyas Shanbhogue
  • Patent number: 8646078
    Abstract: A model restricts un-trusted data/objects from running on a user's machine without permission. The data is received by a protocol layer that reports a MIME type associated with the data, and caches the data and related cache file name (CFN). A MIME sniffer is arranged to identify a sniffed MIME type based on the cached data, the CFN, and the reported MIME type. Reconciliation logic evaluates the sniffed MIME type and the CFN to determine a reconciled MIME type, and to update the CFN. A class ID sniffer evaluates the updated CFN, the cached data, and the reconciled MIME type to determine an appropriate class ID. Security logic evaluates the updated CFN, the reported class ID, and other related system parameters to build a security matrix. Parameters from the security matrix are used to intercept data/objects before an un-trusted data/object can create a security breach on the machine.
    Type: Grant
    Filed: January 11, 2010
    Date of Patent: February 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Venkatraman V Kudallur, Shankar Ganesh, Roberto A Franco, Vishu Gupta, John G Bedworth
  • Patent number: 8640235
    Abstract: A method/system of determining if one or more entities in a data storage medium of a processing system are malicious, wherein the method comprises recording entity properties of the one or more entities when at least part of the processing system is in a range of operating usage; and determining, using the entity properties, if the one or more entities are malicious.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: January 28, 2014
    Assignee: Symantec Corporation
    Inventors: Rolf Repasi, Simon Clausen
  • Patent number: 8640200
    Abstract: Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: January 28, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill
  • Patent number: 8634551
    Abstract: This cryptographic apparatus executes calculations according to an FI function including a first non-linear function S9 and a second non-linear function S7, and includes a ROM recording a first table including, for each input X of 9 bits, a value obtained by exclusively ORing a first value and a first output from the function S9 with respect to the input X, wherein the first value is generated by shifting lower 7 bits in the first output to left by 9 bits, and a second table including, for each input Y of 7 bits, a value obtained by exclusively ORing a second value and the input Y, wherein the second value is generated by shifting a result of an exclusive OR of the input Y and a second output from the function S7 with respect to the input Y to left by 9 bits.
    Type: Grant
    Filed: September 28, 2010
    Date of Patent: January 21, 2014
    Assignee: Fujitsu Limited
    Inventor: Jun Yajima
  • Patent number: 8634552
    Abstract: An initialization vector (IV) is employed to decrypt a block of a stream that has been encrypted with Cypher Block Chaining (CBC) encryption, without requiring decryption of previous blocks within the stream. For example, a listener who accesses a distribution point to retrieve encrypted content authenticates himself to an application server that regulates access to encrypted content on the distribution point, and responsively receives a key. The listener then requests access to a reference point within the encrypted content stream somewhere after its beginning (e.g., using preview clips). The distribution point relates the reference point to a corresponding block of the encrypted stream, and identifies an IV previously used for encryption of that block. The distribution point provides the associated encrypted block of content and the IV to the listener to enable mid-stream rendering of the encrypted content, without requiring the listener to decrypt previous blocks within the encrypted stream.
    Type: Grant
    Filed: October 9, 2009
    Date of Patent: January 21, 2014
    Assignee: AOL Inc.
    Inventors: David F. Pare, David L. Biderman, Stephen Loomis, Scott K. Brown, Michael Wise, David Wexelblat, Conor P. Cahill, David S. Bill
  • Patent number: 8631460
    Abstract: A method of providing transparent encryption for a web resource includes a key manager receiving an encryption key policy; receiving user identifiers and resource locators; defining an access control list based on the user identifiers; generating an encryption key and a key identifier for a first resource locator; and establishing a secure communication channel between first and second watchdog modules. The method also includes the watchdog sending encryption information using the secure communication channel. The method also includes a transparent encryption module storing the encryption key and the access control list in protected memory; receiving an input comprising a request to access the first resource stored in the web resource; determining that the user identifier is included in the access control list; encrypting data using the encryption key; and decrypting data using the encryption key.
    Type: Grant
    Filed: March 21, 2012
    Date of Patent: January 14, 2014
    Assignee: Cipherpoint Software, Inc.
    Inventors: Woody Shea, Michael Fleck
  • Patent number: 8615799
    Abstract: An apparatus providing for a secure execution environment. The apparatus includes a microprocessor and a secure non-volatile memory. The microprocessor is configured to execute non-secure application programs and a secure application program, where the non-secure application programs are accessed from a system memory via a system bus. The secure non-volatile memory is coupled to the microprocessor via a private bus. The secure non-volatile memory is configured to store the secure application program, where transactions over the private bus between the microprocessor and the secure non-volatile memory are isolated from the system bus and corresponding system bus resources within the microprocessor.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: December 24, 2013
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks
  • Patent number: 8607350
    Abstract: Embodiments herein provide a method, system, etc. for a sovereign information sharing service. More specifically, a method for secure distributed query processing comprises storing data tables from at least one data provider in at least one first computer comprising a sovereign server. Next, encrypted input and output of the data tables is performed between the server and a second computer. Following this, join operations are computed, comprising determining whether arbitrary join predicates yield matches within the data tables; and encrypted results of the join operations are output. The method minimizes possible information leakage from interaction between the server and the second computer by making observations and inferences from patterns of the outputting of the encrypted results.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: December 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: Rakesh Agrawal, Dmitri Asonov, Murat Kantarcioglu, Yaping Li
  • Patent number: 8607337
    Abstract: The present invention relates to a data scanning circuit and method. According to the present invention, a memory circuit stores a plurality of codes. Each of the codes corresponds to a sub-rule. The memory circuit outputs at least a first bit and at least a second bit of each code, respectively, according to a first and a second data item. An operational circuit performs logic operations on the first and second bits, and produces an operated result. A decision circuit decides whether the input data satisfies the scanning rule according to the operated result.
    Type: Grant
    Filed: October 2, 2008
    Date of Patent: December 10, 2013
    Assignee: Realtek Semiconductor Corp.
    Inventor: Kuo-Hua Yuan
  • Patent number: 8595848
    Abstract: A method for managing rights of issuing a Rights Object (RO), and a method for moving an RO created by a Local Rights Manager (LRM) between Digital Rights Management (DRM) Agents, are discussed. A Right Issuer (RI) permits an LRM to move an RO created (or issued) by the LRM via the RI, and a first DRM Agent moves the RO to a second DRM Agent via the RI.
    Type: Grant
    Filed: March 4, 2010
    Date of Patent: November 26, 2013
    Assignee: LG Electronics Inc.
    Inventor: Seung-Jae Lee
  • Patent number: 8595500
    Abstract: In order to limit use of content, when a source receives a request for transmitting content from a sink, the source performs an authentication process. When the authentication is successful, the source transmits to the sink key information necessary for decrypting the encryption applied to the content. The sink can receive the content by receiving the key information and by decrypting the encryption applied to the content by using the key information.
    Type: Grant
    Filed: July 23, 2010
    Date of Patent: November 26, 2013
    Assignee: Sony Corporation
    Inventor: Takehiko Nakano
  • Patent number: 8589701
    Abstract: In accordance with certain aspects, bound key operations on ciphertext and/or data are implemented. A bound key operation can receive both data to be signed and a bound key blob that is bound to one or more processors, recover a private key from the bound key blob, and generate a digital signature over the data using the private key. A bound key operation can alternatively receive both ciphertext and a bound key or bound key structure bound to one or more processors, recover or reconstruct a private key based on the bound key or bound key structure, and use the private key to generate plaintext corresponding to the ciphertext.
    Type: Grant
    Filed: January 27, 2011
    Date of Patent: November 19, 2013
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado