Abstract: Techniques and systems are described for detecting malware's bulk transformation of a user's data before the malware is able to complete the data transformation. Included are methods and systems for enabling malware detection by monitoring the file operations of a computer application or process for particular kinds of suspicious data transformation indicators. Indicators include primary indicators, such as file-type signature changes, notable changes in file data entropy, and out-of-range similarity measurements between the read and write versions of file data, as well as secondary indicators, such as a large number of file deletions and a large reduction in the number of file-types written versus read by a process over time. When indicators are triggered by a process, an adjustment to the process' malware score is made; in the event that the process' malware score reaches a malware detection threshold, the process is marked as malware and appropriate actions are taken.

Abstract: A system for conducting a transaction with privacy on a wide area network, the system including a personal access device (PAD) associated with a subscriber to the system, the PAD storing a profile of the subscriber and generating commands, a privacy service provider (PSP) connected to the wide area network, the PAD being accessible by the PSP under first conditions set by the profile and the PSP being responsive to the commands from the PAD, a registered vendor (RV) connected to the wide area network, and a privacy shield network (PSN) connected to the wide area network, the RV being registered with the PSN and the PSN being structured to carry communications between the PSP and the RV related to the transaction under second conditions set by the profile. Advantageously, the PAD stores private data associated with the subscriber, and the PSP releases any of the private data to the RV only under the first and second conditions.

Abstract: A system, method and computer program product for providing unified authentication services in an Application Service Provider (ASP) setting to a registered end-user of one or more online (or web) applications. The system includes client side components, a user management component coupled to the client side components and server side components coupled to the user management component. The client side components include an authentication control component that manages the process of capturing a user-determined policy for a first account and user credentials. This allows the user to define the level of protection to access the first account. This includes, but is not limited to, accounts/applications that have been configured specifically for used with the system and particular user credentials and accounts that have been subsequently set up but configured to use the same user credentials.

Abstract: A method, apparatus and system is provided for an entity to facilitate secure communication between a client and server even when they do not support the same set of protocols without violating the trust model which requires that only the client and server be privy to the contents of the communication. In an embodiment this is accomplished by embedding at the site of the proxy an application running inside a secure coprocessor which translates between the protocols that the client supports and those that the server understands. The invention is also useful for purposes such as adaptation of content at the site of the proxy without violating the trust model between the client and the proxy. In general, the scheme describes mechanisms to securely delegate to the infrastructure the ability to enforce an arbitrary trust model between a set of clients and servers participating in some computational task.

Abstract: A method that provides access to Privileged Accounts to users with Privileged Account access permission. A message is sent to a Privileged Accounts manager when a user logs into a Privileged Account. The user must enter a reason for access. All keystrokes are logged. At the conclusion of the user session, the log file is closed and another message is sent to the Privileged Accounts manager. The log file may be sent to the manager at this time or saved for a batch transfer periodically.

Abstract: A dynamic computer system security method and system using dynamic encryption and full synchronization between system nodes. A data record from a data stream created by a source user is encrypted with an initial dynamic session key. A new dynamic session key is generated based upon a previous dynamic session key and a selected previously encrypted data record. The new dynamic session key is then used to encrypt the next data record. A central authority is used to synchronize and authenticate both source and destination users with dynamic authentication keys. The central authority and users constantly regenerate new dynamic authentication keys. A child process is forked to ensure synchronization and authentication of dynamic authentication keys of each node upon a request for a secure communication establishment from a user. The central authority generates the initial dynamic session key with the current dynamic authentication key to begin a secure communication session.

Abstract: A method that utilizes software and hardware mechanisms to meet the FCC requirement for a U-NII antenna to be an integral part of the device in which it operates, while providing wireless ready U-NII devices and CRUable U-NII radios. Enhancements are made to the software BIOS, including the inclusion of a table of approved radio-antenna PCI ID pairs to create an authentication scheme that verifies and authenticates the radio and antenna combination as being an FCC-approved unique coupling during boot-up of the system. The BIOS also comprises an OEM field that stores an encrypted secret key utilized to complete a second check of the radio model placed in the device. During boot up of the device, the PCI ID pairs from the BIOS are compared against the PCI ID of the radio and the secret key is checked against the radio model.

Abstract: A system and method are provided for protecting a user computer. An incoming e-mail message is initially received at a remote e-mail server over a network. Further, the incoming e-mail message is blocked if a sender address associated therewith is included in a list of predetermined sender addresses corresponding to a user computer. Moreover, the incoming e-mail message is scanned for a virus to determine that the incoming e-mail message is clean if the scanning fails to detect a virus in the incoming e-mail message and to determine that the incoming e-mail message is infected in the scanning detects a virus in the incoming e-mail message. Still yet, the incoming e-mail message is transmitted from the remote e-mail sever to the user computer over the network, if it is not blocked. An attempt is made to clean the infected incoming e-mail message if the scanning detects a virus in the incoming e-mail message to generate a cleaned e-mail message if the attempt to clean is successful.

Abstract: A device that secures a token from unauthorized use is disclosed. The device comprises a user interface for accepting a personal identifier, a processor, communicatively coupled to the user interface device, and a token interface. The token interface includes a token interface IR emitter that produces an IR signal having information included in the PIN. The token IR emitter is coupled to the processor and is further communicatively coupled to a token IR sensor when the token is physically coupled with the token interface. The token interface also includes a shield, substantially opaque to the IR signal, for substantially confining the reception of the IR signal to the token IR sensor. In one embodiment, the shield substantially circumscribes the IR emitter. In another embodiment, the interface also comprises a token interface IR sensor, which allows communications from the token to the device as well.

Abstract: In a computer resource assignment apparatus, a registration request processing section assigns a computer resource to a user in response to a temporary registration request from the user. A computer resource management section manages the computer resource assigned to the user of the temporary registration request by unit of each user.

Abstract: A “dual” personal key/token is disclosed. The “dual” personal key is useful for installing drivers and other command interfaces which allow the personal key to be coupled to and used with a host computer. In a first embodiment, the personal key operates as a USB hub, and reports two devices, a storage device and a personal key, to the host computer. In a second embodiment presents a single device, and different portions of the personal key are activated as required.

Abstract: A method and apparatus that uses the dynamics of chaotic systems for the remote generation of a digital key, for use in any encryption algorithm. After initialization, the dynamics of a chaotic system are allowed to generate the 0 and 1 bits of a key bitstream. An initialization bitstream is transmitted, using conventional transmission technologies, to an identical chaotic system. This chaotic system is driven into synchrony and allowed to generate a key bitstream, which is identical to the other bitstream because the chaotic systems have been synchronized.

Abstract: An email access control scheme capable of resolving problems of the real email address and enabling a unique identification of the identity of the user while concealing the user identification is disclosed. A personalized access ticket containing a sender's identification and a recipient's identification in correspondence is to be presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email. Then, accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at a secure communication service.

Abstract: A method for providing textual information in a network environment, the method comprising: receiving a request via a network for text-editable textual information; converting the text-editable textual information into a non-text-editable textual format on line upon receiving the request; and sending the non-text-editable textual information via the network. Network-based systems are also disclosed.

Abstract: A method and apparatus for verifying the integrity of devices on a target network having two components: a subsystem connected to the target network, and a master system, isolated therefrom by a secure link. The topological and hierarchical relationship of the of the devices to each other improves stability of the apparatus. Random testing of target network devices by the subsystem and random testing of the subsystem by the master system provide verification and independent self-checking.

Abstract: A method and apparatus is provided for securely executing access control functions that may be customized by or on behalf of administrators of information access systems. Examples of such functions include changing a password of a user, determining whether or not data specifying a user and a password identifies an authentic user, and displaying a message indicating whether a login attempt was successful. An access control function is mapped to a digital signature. The digital signature is used to verify that an executable element retrieved for executing the access control function is the proper executable element. The access control functions may be invoked upon the occurrence of access control events, such as a user successfully logging onto an information access system or the modification of a user's password. A mapping contains data used to determine what events are tied to what access control functions, and whether the access control function should be executed.