Patents Examined by Hadi Armouche
  • Patent number: 9532006
    Abstract: The invention provides a headend system, a receiver, a smartcard and a conditional access system enabling distribution of multiple variants of a part of a digital signal, such as multiple variants of an audio part or a video part of a data stream, without requiring receivers to be updated. The digital signal generated by the headend system enables a receiver to receive and process the digital signal without requiring identification of the copies in the second digital signal. Error handling capabilities of the receiver ensure that only one copy is used in the output of the receiver. The error handling capabilities are triggered by having the receiver use one decryption key for descrambling all copies, resulting in one copy being descrambled correctly and the other copies being descrambled incorrectly.
    Type: Grant
    Filed: January 4, 2011
    Date of Patent: December 27, 2016
    Assignee: Irdeto B.V.
    Inventor: Egbert Westerveld
  • Patent number: 9525557
    Abstract: Provided is a certificate issuing system including a client terminal and a server device. The client terminal derives a first hash value from a first random number using a unidirectional function, generates a secret key and a public key of the client terminal, and transmits the first hash value and the public key of the client terminal to the server device. The server device receives the first hash value and the public key of the client terminal from the client terminal, stores the first hash value, authenticates the client terminal on the basis of the stored first hash value and the derived first hash value, generates a client certificate on the basis of the public key of the client terminal and a secret key of the server device when the authentication succeeds, and transmits the client certificate to the client terminal.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: December 20, 2016
    Assignee: Panasonic Intellectual Property Management Co., Ltd.
    Inventors: Hiroyuki Tanaka, Saburo Toyonaga, Kenjiro Ike, Masakatsu Matsuo
  • Patent number: 9525701
    Abstract: According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use. According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended by enabling the server to determine that any of a client and a connection exhibits one or more attack characteristics (e.g., based on at least one of client attributes, connection attributes, and client behavior during the connection, or otherwise). As a result of the determination, the server changes its treatment of the connection.
    Type: Grant
    Filed: October 22, 2014
    Date of Patent: December 20, 2016
    Assignee: AKAMAI TECHNOLOGIES, INC.
    Inventors: Sudhin Mishra, Stephen L. Ludin, Philip A. Lisiecki, Erik Nygren, John A. Dilley, Karl-Eliv J. Hallin, Joshua Hunt
  • Patent number: 9525682
    Abstract: Various arrangements for providing authentication information to a user are presented. A single-point authentication manager executed by a computer system may receive a request to access a resource from a remote client computer system. The single-point authentication manager may manage access to a plurality of resources including the resource. The single-point authentication manager may perform authentication using an authentication plug-in. In response to performing authentication of the user, the authentication plug-in may generate a parameter having a value that is a message to be transmitted to the remote client computer system. In response to receiving the parameter and the value from the authentication plug-in, the single-point authentication manager may transmit the value of the parameter to the application if the authentication is successful and to a credential collector if the authentication of the user failed.
    Type: Grant
    Filed: November 20, 2014
    Date of Patent: December 20, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Aarathi Balakrishnan, Ramya Subramanya
  • Patent number: 9525692
    Abstract: Convenient sharing of information among authorized network users may be facilitated by allowing a user to send information originating from multiple applications in aggregate form to another user, e.g., using a secure messaging service. In scenarios where data access is restricted, a server may check the recipient's access privileges prior to forwarding the information to her.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: December 20, 2016
    Assignee: IMPRIVATA, INC.
    Inventors: Edward J. Gaudet, John Gage, David Kashtan, Jason Mafera, Eliot Rubinov, Kuntal Sengupta, David M. T. Ting, Kyle Vernest, Bryan Galloway, Mae-Ellen Gavin
  • Patent number: 9525779
    Abstract: A method of managing communications services begins with a communications platform receiving a request for a communications service to be provided to a communications device by a source other than the communications platform. The communications platform determines an authorization of the communications device to receive the communications service. The authorization comprises a permission of the communications device to receive the communications service during a lifetime of a communications session maintained with the communications device. The communications network authorizes delivery of the communications service to the communications device during the lifetime of the communications session, in accordance with the authorization.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: December 20, 2016
    Assignee: BlackBerry Limited
    Inventors: Christopher Labrador, Brian Alexander Oliver, Douglas Michael Gisby, Susan Elizabeth Simon Daniels, Brian Edward Anthony McColgan, Adrian Michael Logan, Eric Allan Fritzley, Nicholas Patrick Alfano, Richard John George
  • Patent number: 9521167
    Abstract: A management entity displays a plurality of icons, each icon representing an actor or a resource in a networking environment. The management entity defines security policy by receiving user input in the form of lines drawn between icons representing actors and resources to control abilities between actors and resources.
    Type: Grant
    Filed: January 20, 2015
    Date of Patent: December 13, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Robin Martherus, Guy Telner, Yedidya Dotan, Denis Knjazihhin
  • Patent number: 9521134
    Abstract: A control apparatus which manages a software defined network including a plurality of switches includes a security management module that authenticates at least one application program, and an application program management module that executes the authenticated application program among the at least one application program in a first process, and executes the application program whose authentication fails in a second process. The application program management module may be executed in the first process, and the first process may be different from the second process.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: December 13, 2016
    Assignee: ATTO RESEARCH CO., LTD.
    Inventors: Jae Woong Chung, Seung Won Shin, Yong Joo Song
  • Patent number: 9519433
    Abstract: Systems and methods for sanitizing physical storage in cloud computing and virtual environments. When logical storage is decommissioned in a virtual environment, the underlying physical storage is logically disassociated. However, the underlying physical data blocks remain intact until they are overwritten. Since there is no control over when, or even if, the physical data is ever overwritten, the remaining data is susceptible to compromise. The present disclosure provides a secure erase application that securely erases physical storage associated with to-be deleted resources, such as virtual data stores, virtual images, snapshots and raw virtual disks.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: December 13, 2016
    Assignee: Vsector Security Technologies, LLC
    Inventors: Jeffrey A. Jones, Michael Lawrence Oken, Martin Weber
  • Patent number: 9516044
    Abstract: A method and system for correlating patterns of operating virtual assets with external events includes receiving an identification of one of the external events, from one or more electronic sources, and receiving first patterns from one or more first virtual assets, according to one embodiment. The method and system include populating a database with the first patterns and the identification of the one of the external events to map the one of the external events to the first patterns, according to one embodiment. The method and system include receiving second patterns from one or more second virtual assets, and comparing the second patterns to the first patterns, according to one embodiment. The method and system include distributing the identification of the one of the external events to the one or more second virtual assets, if the second patterns are similar to the first patterns, according to one embodiment.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: December 6, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera
  • Patent number: 9515993
    Abstract: A method, a computer program product, and a computer system for automatically migrating servers into an environment of multiple firewalls. A computer creates a graph representing the servers and connectivity, based on connectivity strengths and resource requirements. The computer groups the servers into multiple groups by using a graph based partitioning algorithm which considers the connectivity strengths and the resource requirements. The computer creates two adjacency matrices, one for local rules and the other for global rules. The computer adds endpoints to a local adjacency list, in response to determining that the endpoints are in a respective one of the multiple groups. The computer adds endpoints to a global adjacency list, in response to determining that the endpoints are not in a respective one of the multiple groups. The computer converts the adjacency lists to firewall rules for the respective one of the multiple groups.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: December 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: Jinho Hwang, Jill L. Jermyn, Harigovind V. Ramasamy, Maja Vukovic
  • Patent number: 9515997
    Abstract: Organizations maintain and generate large amounts of sensitive information that needs to be saved electronically, and there is a need to store that data remotely with a data storage service provider. To prevent unauthorized access to the information stored by organizations on storage provided by the service provider, special cryptographic devices, such as an Inline Data Encryptor, can be used to ensure that the information remains secret. The Inline Data Encryptor uses a fill device with secret cryptographic information to encrypt data.
    Type: Grant
    Filed: July 19, 2013
    Date of Patent: December 6, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Michael Westman, Jeffrey Harry Widom, Josha Wind Stella
  • Patent number: 9516008
    Abstract: Embodiments of the present invention relate to generating challenge response sets utilizing semantic web technology. In response to detecting an authentication session for a user, a computing device generates a first challenge question that is semantically related to a second challenge question previously responded to by the user, wherein the authentication session seeks to validate an identification of the user. The computing device determines whether a response to the challenge question by the user is valid. In response to determining that the response to the challenge question by the user was valid, the computing device generates a third challenge question or a notification that the response to the challenge question validates the identification of the user.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: December 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: Ken Y. Chow, Weng S. Tang, Liang Xu
  • Patent number: 9513913
    Abstract: A processor of an aspect includes a plurality of packed data registers, and a decode unit to decode an instruction. The instruction is to indicate one or more source packed data operands. The one or more source packed data operands are to have four 32-bit results of four prior SM4 cryptographic rounds, and four 32-bit values. The processor also includes an execution unit coupled with the decode unit and the plurality of the packed data registers. The execution unit, in response to the instruction, is to store four 32-bit results of four immediately subsequent and sequential SM4 cryptographic rounds in a destination storage location that is to be indicated by the instruction.
    Type: Grant
    Filed: July 22, 2014
    Date of Patent: December 6, 2016
    Assignee: Intel Corporation
    Inventors: Shay Gueron, Vlad Krasnov
  • Patent number: 9516006
    Abstract: A re-programmable wireless cryptographic device can store data securely and use near field communication (NFC) to exchange functionality data and/or program code from a central server system through a mobile device. A user requests a new cryptographic device or a new device function via an application on the mobile device. The central server system transmits program code and a public key used to identify the cryptographic device to the mobile device, which functions as a pass-through conduit for the information, storing it until the devices are synced. An NFC communication channel is created, and the mobile device authenticates the cryptographic device by cross-referencing the public key received from the central server system with the public key transmitted by the cryptographic device once the communication channel is established. Upon authentication, the cryptographic device is synced with the mobile device, and the mobile device passes the program code to the cryptographic device.
    Type: Grant
    Filed: October 23, 2013
    Date of Patent: December 6, 2016
    Assignee: GOOGLE INC.
    Inventors: Sarel Kobus Jooste, Shane Farmer, Ismail Cem Paya
  • Patent number: 9516053
    Abstract: A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: December 6, 2016
    Assignee: Splunk Inc.
    Inventors: Sudhakar Muddu, Christos Tryfonas
  • Patent number: 9509694
    Abstract: A method for parallel authentication comprises receiving a download request from a client computer system to download a document stored in a first storage system. The first storage system is coupled to the client computer system via a network. The first storage system is coupled with a second storage system via the network. The download request includes a first token associated with the first storage system and a second token associated with the second storage system. The first storage system is configured to authenticate the download request based on the first token and the second token. Based on successful authentication, the first storage system is configured to authorize the client computer system to download the document.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: November 29, 2016
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Varun Parmar, Ondrej Hrebicek, Matthew Doermann, Brian W. Levine, Ashwani Kumar Verma, Alex Kronrod
  • Patent number: 9501576
    Abstract: Systems and methods for identifying content in electronic messages are provided. An electronic message may include certain content. The content is detected and analyzed to identify any metadata. The metadata may include a numerical signature characterizing the content. A thumbprint is generated based on the numerical signature. The thumbprint may then be compared to thumbprints of previously received messages. The comparison allows for classification of the electronic message as spam or not spam.
    Type: Grant
    Filed: January 4, 2016
    Date of Patent: November 22, 2016
    Assignee: DELL SOFTWARE INC.
    Inventor: Sijie Yu
  • Patent number: 9503461
    Abstract: In one embodiment, a computer-implemented method includes, in response to an attempt by a user to perform a transaction using a computing device, accessing a communication device connected to the computing device. A presence of one or more nearby devices, with respect to the computing device, is detected through use of the communication device connected to the computing device. A mapping of nearby devices to trust levels may be applied to the one or more nearby devices. In the mapping, each group of one or more nearby devices maps to a trust level of two or more trust levels. An assigned trust level for the transaction is determined, by a computer processor, based on applying the mapping of nearby devices to trust levels. The mapping of nearby devices to trust levels is modified based on the one or more nearby devices detected. The modified mapping is used for future transactions.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: November 22, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Louis T. Fuka, Susann M. Keohane, James R. Kraemer
  • Patent number: 9503508
    Abstract: A computer-implemented method for content management across multiple server computers includes receiving a request to transfer a file between a central server computer and a client device. A list of two or more local server computers is received, wherein the two or more local server computers transfer the file between the central server computer and the client device. Operational information is received that is associated with each of the two or more local server computers and a duration of connectivity between each of the two or more local server computers and the client device. A strategy is determined for the file across the two or more local server computers based, at least in part, on the operational information associated with each of the two or more local server computers.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: November 22, 2016
    Assignee: International Business Machines Corporation
    Inventor: Arthur L. De Magalhaes