Patents Examined by Harris Wang
-
Patent number: 9202045
Abstract: A content distribution system (300) has access control according to a predefined data access format. The system has organizations (32) for providing content data and related meta data on record carriers (34), and a rendering device (39), and applications for manipulating the content data and related meta data. An access policy for the organization is set according to the predefined data access format, and has access parameters for controlling access to resources of the rendering device and to said content data and related meta data. An organization application (35) complying with the access policy of the organization for accessing said data is executed while accessing the resources of the rendering device according to the access policy of the organization. According to the invention a user access policy is maintained that restricts, for the organization application, access to the resources of the rendering device relative to the access policy of the organization.
Type: Grant
Filed: November 6, 2006
Date of Patent: December 1, 2015
Assignee: Koninklijke Philips N.V.
Inventors: Wilhelmus Franciscus Johannes Fontijn, Johan Cornelis Talstra, Philip Steven Newton, Koen Johanna Guillaume Holtman
-
Patent number: 9112830
Abstract: A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel.
Type: Grant
Filed: February 23, 2011
Date of Patent: August 18, 2015
Assignee: McAfee, Inc.
Inventors: Geoffrey Howard Cooper, David Frederick Diehl, Vinay A. Mahadik, Ramnath Venugopalan
-
Patent number: 9100422
Abstract: Different network segments can have overlapping address spaces. In one embodiment, the present invention includes a distributed agent of a security system receiving a security event from a network device monitored by the agent. In one embodiment, the agent normalizes the security event into an event schema including one or more zone fields. In one embodiment, the agent also determines one or more zones associated with the received security event, the one or more zones each describing a part of a network, and populates the one or more zone fields using the determined one or more zones.
Type: Grant
Filed: October 27, 2004
Date of Patent: August 4, 2015
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Kenny Tidwell, Christian Beedgen
-
Patent number: 9094288
Abstract: A method for profiling network traffic of a network. The method includes obtaining a signature library comprising a plurality of signatures each representing first data characteristics associated with a corresponding application executing in the network, generating, based on a first pre-determined criterion, a group behavioral model associated with the signature library, wherein the group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of signatures correlates to a subset of the plurality of historical flows, selecting a flow in the network traffic for including in a target flow set, wherein the flow matches the group behavioral model without being correlated to any corresponding application of the plurality of signatures, analyzing the target flow set to generate a new signature, and adding the new signature to the signature library.
Type: Grant
Filed: October 26, 2011
Date of Patent: July 28, 2015
Assignee: Narus, Inc.
Inventors: Antonio Nucci, Sabyasachi Saha
-
Patent number: 9075992
Abstract: Systems (100) and methods (2100) for identifying, deterring and/or delaying malicious attacks being waged on a Computer Network (“CN”). The methods involve implementing a Mission Plan (“MP”) at a first Network Node (“NN”). MP (1900, 1902) specifies that: a first IDentity Parameter (“IDP”) for a second NN has numerous possible values associated therewith; and at least two possible values are to be used in communications to and from the second NN in different timeslots of a time frame (2020-2026). At the first NN, a value for the first IDP, which is contained in a received packet, is compared with the possible values specified in MP to determine if the value is a “correct” value for a current timeslot. If it is determined that the value is not “correct” for the current timeslot, then the first NN performs actions to identify, deter or delay a possible malicious attack on CN.
Type: Grant
Filed: May 1, 2012
Date of Patent: July 7, 2015
Assignee: Harris Corporation
Inventors: Wayne B. Smith, Ellen K. Lin
-
Patent number: 9076007
Abstract: A portable data carrier (1) includes a non-volatile memory (11), a processor (15) and a watermark application (131) executable by the processor (15) which is also stored on the data carrier (1). The watermark application (131) is configured to check (152) data (110, 140) stored on the data carrier (1) or data intended to be stored on the data carrier (1) as to the presence of a digital watermark, or to mark (151) such data (110, 140) with a digital watermark. The check (152) or marking (151) is carried out on the data carrier (1) and after the check (152) or marking (151) the checked or marked data (110, 140) are stored in the non-volatile memory (11) in order to remain there for an indefinite time.
Type: Grant
Filed: January 3, 2006
Date of Patent: July 7, 2015
Assignee: GIESECKE & DEVRIENT GMBH
Inventor: Armin Bartsch
-
Patent number: 9065820
Abstract: A method begins by a processing module receiving a certificate chain and determining whether at least one of one or more signed certificates of the chain has a valid signature. When the at least one of the one or more signed certificates has a valid signature, the method continues with the processing module identifying one or more certificate authorities (CA) to produce identified CAs, accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted CA IDs, determining whether one or more of the identified CAs is a trusted CA, and when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid, identifying a realm ID based on a trusted CA ID, and generating certificate chain validation information to include the realm ID, trusted CAs, and the indication of the validity of the certificate chain.
Type: Grant
Filed: September 18, 2013
Date of Patent: June 23, 2015
Assignee: Cleversafe, Inc.
Inventors: Wesley Leggette, Jason K. Resch, Bart Cilfone
-
Patent number: 9049171
Abstract: A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel.
Type: Grant
Filed: February 23, 2011
Date of Patent: June 2, 2015
Assignee: McAfee, Inc.
Inventors: Geoffrey Howard Cooper, David Frederick Diehl, Vinay A. Mahadik, Ramnath Venugopalan
-
Patent number: 9043914
Abstract: For file scanning, a division module divides a file into a plurality of subfiles. An access module maintains a status of each subfile and scans each subfile with a separate server.
Type: Grant
Filed: August 22, 2012
Date of Patent: May 26, 2015
Assignee: International Business Machines Corporation
Inventors: Juan A. Coronado, Sara M. Coronado, Christina A. Lara, Lisa R. Martinez
-
Patent number: 9043876
Abstract: A method of formatting data for transmission to another party including the step of incorporating in the data a flag indicative of the absence of data for authentication of the sender. An authentication tag length is also included to permit variable length tags to be used.
Type: Grant
Filed: March 6, 2014
Date of Patent: May 26, 2015
Assignee: Certicom Corp.
Inventor: Marinus Struik
-
Patent number: 9021555
Abstract: User validation accuracy is improved without inconveniencing a user. When an authentication request packet is received from a terminal and the authentication is successful based on a user ID and a password, an HTTP header, user-agent information, and access source IP address are extracted from the packet, and user authentication is performed by verifying the IP address and the user-agent information against usage history information where at most two sets of the IP address and the user-agent information extracted from the authentication request packet which is received from the same user previously are registered. When the set of the IP address and the UA information corresponding to the new extracted IP address and the new extracted UA information is registered in the usage history information, the authentication is successful, and the usage history information is overwritten with the new IP address and the new UA information.
Type: Grant
Filed: November 16, 2012
Date of Patent: April 28, 2015
Assignee: The Bank of Tokyo-Mitsubishi UFJ, Ltd.
Inventor: Takaya Kato
-
Patent number: 8990928
Abstract: In some embodiments, techniques for displaying a URL comprise reducing the deceptiveness of electronic communications.
Type: Grant
Filed: December 13, 2004
Date of Patent: March 24, 2015
Assignee: Radix Holdings, LLC
Inventors: Aaron T. Emigh, James A. Roskind
-
Patent number: 8984301
Abstract: A method, system, and computer program product for efficiently comparing multiple columns of a row of a relational database to an incoming record. A computer creates a cryptographic sum for columns of a row of the relational database. The cryptographic sum is stored as a hidden column in the relational database. Logic may compare the cryptographic sum with an incoming cryptographic sum of entries in an incoming record. Logic may then determine if the incoming cryptographic sums differ from the corresponding cryptographic sums of rows of data of the relational database. When the two cryptographic sums are identical, the data of the incoming record is disregarded as an identical record that already exists. An entry of the incoming record may be added to the target table or updated within an existing record of the relational database when the cryptographic sum and the incoming cryptographic sum of that entry differ.
Type: Grant
Filed: June 19, 2008
Date of Patent: March 17, 2015
Assignee: International Business Machines Corporation
Inventors: Peeyush Jaiswal, Vikram S. Khatri, Naveen Narayan, Burt L. Vialpando
-
Patent number: 8949936
Abstract: A system and method of hosting a user interface of a network device are provided. A particular method includes receiving a request at a server to display a user interface of the network device, authenticating an end user device to validate an identity of a user, and communicating display information of the user interface of the network device to the end user device for display. The server hosted user interface permits monitoring and interactions with the network device by a user of the end user device.
Type: Grant
Filed: June 19, 2008
Date of Patent: February 3, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: David Roberts, Brian Larsen, Aaron Cunningham
-
Patent number: 8924712
Abstract: Systems, apparatus, methods, and computer program products for using quick response (QR) codes for authenticating users to ATMs and other secure machines for cardless transactions are disclosed. Embodiments of the present disclosure read an image displayed on a display of an external device using a mobile device associated with a user authorized to access a secure resource, decode transaction information encoded in the image, transmit the transaction information and an identifier of the mobile device from the mobile device to an authentication system, and grant access to the secure resource if the transaction information and the identifier satisfy an authentication test performed at the authentication system.
Type: Grant
Filed: August 29, 2012
Date of Patent: December 30, 2014
Assignee: CA, Inc.
Inventors: Rammohan Varadarajan, Ambarish Malpani
-
Patent number: 8918866
Abstract: Mechanisms are provided for handling client computing device requests with adaptive rule loading and session control. The mechanisms partition a set of rules into a plurality of filter sets with each filter set having a different subset of the set of rules and being directed to identifying a different type of attack on a backend application or service. A subset of filter sets is selected to be used to validate client computing device requests received from client computing devices. The selected filter sets are applied to requests and/or responses to requests. The mechanisms dynamically modify which filter sets are included in the subset of filter sets based on an adaptive reinforcement learning operation on results of applying the selected filter sets to the requests and/or responses to requests.
Type: Grant
Filed: June 29, 2009
Date of Patent: December 23, 2014
Assignee: International Business Machines Corporation
Inventors: Lin Luo, Vugranam C. Sreedhar, Shun X. Yang, Yu Zhang
-
Patent number: 8904520
Abstract: A communication between an entity and a host is identified. Reputation information associated with a set of other entities that communicate with the host is identified. A reputation score associated with the host is generated based on the reputation information associated with a set of other entities. A reputation score associated with the entity is generated based on the reputation score associated with the host.
Type: Grant
Filed: March 19, 2009
Date of Patent: December 2, 2014
Assignee: Symantec Corporation
Inventors: Carey S. Nachenberg, Sourabh Satish
-
Patent number: 8898787
Abstract: This paper describes a mechanism for minimizing the exploitation of vulnerabilities on software installed on a computing system. At a transport layer (e.g., transmission communication protocol (TCP) sockets layer), network traffic is monitored using a security component installed on a target computer. When a message destined for the computing system is received, data included in the message is compared with exploit evidence used to identify malicious code. The exploit evidence is provided to the security component by a security service that gathers information about the malicious code. Based on the comparison of data in the message with the exploit evidence, rules are identified that instruct the security component to take an appropriate action on the message received.
Type: Grant
Filed: March 26, 2007
Date of Patent: November 25, 2014
Assignee: AVG Netherlands, B.V.
Inventors: Roger John Thompson, Gregory Andrew Mosher
-
Patent number: 8881306
Abstract: An architecture and techniques to facilitate lending of digital content at an authorized location to an authenticated electronic device.
Type: Grant
Filed: November 20, 2012
Date of Patent: November 4, 2014
Assignee: Barnes and Noble, Inc.
Inventors: Alexandr Feldman, Kelson Khai Dinh Tran, Venkateswaran Ayalur
-
Patent number: 8875309
Abstract: A method of presenting content, in accordance with one embodiment of the present invention, includes receiving a request for an item of content and selectively verifying ownership of the requested content. If verification of ownership is not to be performed for the particular request, the item of content may be served. If ownership is substantiated for the particular request, the content may also be served. If ownership is not substantiated for the particular request, the content may be purged. Ownership verification may be by access to a physical copy of the content (e.g., DVD, CD or the like).
Type: Grant
Filed: December 15, 2004
Date of Patent: October 28, 2014
Assignee: Nvidia Corporation
Inventors: Michael B. Diamond, Jonathan B. White