Patents Examined by Justin T. Darrow
  • Patent number: 8914892
    Abstract: A Data Loss Prevention (DLP) system is enhanced according to this disclosure by augmenting the information obtained from OS API hooking with “context” information obtained from other sources, such as by monitoring an endpoint's user interface (UI). In one embodiment, the additional “context” information is obtained from one or more user interface hooks that provide the DLP system with additional information, such as the contents of one or more application windows, the UI elements contained in a particular display window, window activation or deactivation, window resizing, user input, pointer operations, and the like. This UI information defines a “context” of the application, namely, its operating state (including, without limitation, its display state), and associated user actions that define that state. When a particular OS API hook is invoked by the application, the DLP solution uses the context information to make a more accurate enforcement decision, preferably based on the UI context.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: December 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: Advait Deepak Karande, Mohit Chugh, Nandagopal Seshagiri
  • Patent number: 8910237
    Abstract: Systems and methods are disclosed with which queries can be sent to various clients of a trusted query network in a trusted query network message. In one embodiment, each registered client receives the message and determines whether or not it will participate in the query. If so, the client adds to the message in a first data round a true response to the query and obfuscation data, and then forwards the message on to the next client (or back to the client that initiated the query if each client has added its data to the message). In a second round, the message is again sent to each participating client, which this time removes its obfuscation data. Once each client has removed its obfuscation data, a final result is obtained that can be sent to each of the clients.
    Type: Grant
    Filed: July 16, 2010
    Date of Patent: December 9, 2014
    Assignee: Georgia State University Research Foundation, Inc.
    Inventors: Richard Baskerville, Art Vandenberg, Daniele Bertolotti, Saravanaraj Duraisamy
  • Patent number: 8903090
    Abstract: Techniques are disclosed for securely classifying or decoding data. By way of example, a method of determining a most likely sequence for a given data set comprises a computer system associated with a first party performing the following steps. An encrypted model is obtained from a second party. The encrypted model is utilized to determine cost values associated with a particular sequence of observed outputs associated with the given data set. The cost values are sent to the second party. At least one index of a minimum cost value determined by the second party from the cost values sent thereto is obtained from the second party. A minimum cost sequence resulting from the at least one index is determined as the most likely sequence.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Daniel Martin Bikel, Jeffrey Scott Sorensen
  • Patent number: 8898807
    Abstract: A data protecting method for a mobile communication device is provided. The data protecting method includes storing first authentication information into a hidden area of a memory storage device coupled to the mobile communication device. The data protecting method also includes receiving a data packet containing a data security instruction and second authentication information via a mobile communication data network or a wireless network and determining whether the second authentication information obtained from the data packet matches the first authentication information stored in the hidden area. The data protecting method further includes, when the second authentication information obtained from the data packet matches the first authentication information stored in the hidden area, performing a data protecting operation on data stored in a storage area to prevent the data from being read. Thereby, the data can be effectively protected when the mobile communication device is lost.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: November 25, 2014
    Assignee: Phison Electronics Corp.
    Inventor: Meng-Chang Chen
  • Patent number: 8898729
    Abstract: Embodiments of the present invention disclose a method and an apparatus for security algorithm selection processing, a network entity, and a communication system. The method includes: receiving a service request message sent by user equipment; and according to a security protection requirement of the service request message, selecting a security algorithm from a security algorithm list supported by both the user equipment and a network entity, where security algorithm lists supported by the user equipment and/or the network entity are set separately based on different security protection requirements, or security algorithm lists supported by the user equipment and the network entity are used for indicating security capability of the user equipment and the network entity respectively.
    Type: Grant
    Filed: October 3, 2011
    Date of Patent: November 25, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Aiqin Zhang, Jing Chen, Yi Yang
  • Patent number: 8892900
    Abstract: Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) has a trusted platform module (TPM), and comprises the following steps. First, the computing platform (P) receives configuration values (PCR1 . . . PCRn). Then, by means of the trusted platform module (TPM), a configuration value (PCRp) is determined which depends on the configuration of the computing platform (P). In a further step the configuration value (PCRp) is signed by means of the trusted platform module. Finally, in the event that the configuration value (PCRp) is one of the received configuration values (PCR1 . . . PCRn), the computing platform (P) proves to a verifier (V) that it knows the signature (sign(PCRp)) on one of the received configuration values (PCR1 . . . PCRn).
    Type: Grant
    Filed: September 2, 2012
    Date of Patent: November 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Endre-Feliz F. Bangerter, Matthias Schunter, Michael P. Waidner, Jan L. Camenisch
  • Patent number: 8885826
    Abstract: An encryption technique in which a transmission device and a reception device use solutions generated such that those generated in the same order are assumed to be the same is improved so as to enhance versatility without undermining security. An initial solution respectively used by two communication devices involved in communication in order to generate solutions is sent from one communicating device to the other. Both communication devices generate a mutually agreed-upon number of solutions from the initial solution and set the last solution among the generated solutions as a new initial solution, and using solutions generated based on the new initial solution, the transmission device performs encryption while the reception device performs decryption.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: November 11, 2014
    Assignee: N-Crypt Lab., Inc.
    Inventor: Takatoshi Nakamura
  • Patent number: 8886940
    Abstract: In the computer data security field, a cryptographic hash function process embodied in a computer system and which is typically keyless, but is highly secure. The process is based on the type of chaos introduction exhibited by a game process such as the well known shuffling of a deck of playing cards. Computation of the hash value (digest) is the result of executing in a model (such as computer code or logic circuitry) a game algorithm that models the actual game such as a playing card shuffling algorithm using the message as an input to the algorithm, then executing the card shuffling algorithm on the input. A state (order) of the modeled deck of cards after a shuffle (or multiple shuffles) gives the hash digest value.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: November 11, 2014
    Assignee: Apple Inc.
    Inventors: Benoit Chevallier-Mames, Mathieu Ciet, Augustin J. Farrugia
  • Patent number: 8881301
    Abstract: A network of storage units has a data path which is at least a portion of the network. The network also has a key storage unit and a gateway storage unit. If the key storage unit stores a key value, the key storage unit transmits a key signal to the gateway storage unit. If the gateway storage unit does not store a gateway value or the key signal is not transmitted to the gateway storage unit, the gateway storage unit does not insert a data path segment in the data path. If the gateway storage unit stores a gateway value and the key signal is transmitted to the gateway storage unit, the gateway storage unit inserts the data path segment.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: November 4, 2014
    Assignee: Asset Intertech, Inc.
    Inventors: Alfred L. Crouch, John C. Potter
  • Patent number: 8880897
    Abstract: The present invention discloses a method for quickly and easily authenticating a large computer program. The system operates by first sealing the computer program with a digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array and the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing with an associated hash value in the authenticated hash value array.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: November 4, 2014
    Assignee: Apple Inc.
    Inventors: Peter Kiehtreiber, Michael Brouwer
  • Patent number: 8874918
    Abstract: A method for conditionally allowing fruition of broadcast contents, broadcast by a contents broadcaster and received by a user by means of a receiving equipment, includes: performing, locally at the receiving equipment of the user, a first fruition entitlement check based on first fruition entitlement data available locally at the receiving equipment; having the receiving equipment provide to the contents broadcaster the first fruition entitlement data exploiting a return communications channel of the receiving equipment; having the contents broadcaster perform a second fruition entitlement check based on a comparison between the received first fruition entitlement data and second fruition entitlement data available locally to the contents broadcaster; and conditioned on a result of the second check, having the contents broadcaster provide to the receiving equipment, exploiting the return communications channel, a fruition entitlement confirmation notification; at the receiving equipment, conditioning the fru
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: October 28, 2014
    Assignee: Telecom Italia S.p.A.
    Inventor: Paolo Goria
  • Patent number: 8869302
    Abstract: A system and a method for managing and sharing, within a computer network, information and contacts related to users, according to which the user (UC), on his personal profile (PF) created on the restricted access web site, can create a certain number of business cards (BV) to be booked to given categories of persons, with the information and/or data he considers to be inserted into that card; in this way, the system does not allow a third party to access the user's (UC) personal profile (UC), not even as merely curious observers, and reserves to each user (UC) places for the insertion of their information which, thus, are made accessible only to whom the user (UC) decides to send them and only during the period for which the user (UC) desires to send them.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: October 21, 2014
    Inventor: Tiziano Tresanti
  • Patent number: 8826421
    Abstract: According to embodiments of the present invention, a computing device provides a security rules subset of a server-side protection element to a pre-validation component deployed at a client side. The computing device validates the user input based on the security rules. The computing device determines, in response to detecting a user input violation and that a violated security rule has/or has not been provided to the pre-validation component, the user as a first or second class of users. The computing device performs different security protection actions to the first and second class of users. The computing device asynchronously performs a dynamic update to the security rule subset provided to the pre-validation component. The security rule subset is screened from the security rules of the server-side protection means. A policy for screening the security rule subset is selected.
    Type: Grant
    Filed: November 5, 2010
    Date of Patent: September 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Lin Luo, Fan Jing Meng, Shun Xiang Yang, Yu Zhang
  • Patent number: 8819411
    Abstract: An information processing apparatus connected to a network via a network interface device and capable of performing encrypted communication with an external apparatus on the network. When the information processing apparatus is operating in a normal power mode, a sleep control module thereof detects whether a condition under which the apparatus shifts to an energy saving mode in which power consumption is smaller than in the normal power mode is satisfied. When the condition is detected to be satisfied, a proxy response registration module of the apparatus instructs an IPSec module of the same to request the external apparatus not to perform encrypted communication.
    Type: Grant
    Filed: March 11, 2010
    Date of Patent: August 26, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Go Inoue
  • Patent number: 8792635
    Abstract: Provided is a radio communication base station device which can prevent damage of ARQ control in an ARQ in which a response signal (ACK/NACK) channel is shared by a plurality of mobile stations. In the device, a repetition unit (106) repeats a response signal inputted from a modulation unit (105) so as to obtain a plurality of identical response signals and outputs the plurality of response signals to a scrambling unit (107). The scrambling unit (107) scrambles the identical response signals by using a scrambling code corresponding to a mobile station ID number inputted from an allocation information generation unit (101) (that is, a scrambling code unique to each of mobile stations) and outputs the scrambled response signals to an S/P unit (108).
    Type: Grant
    Filed: June 20, 2008
    Date of Patent: July 29, 2014
    Assignee: Panasonic Intellectual Property Corporation of America
    Inventors: Masaru Fukuoka, Akihiko Nishio
  • Patent number: 8776241
    Abstract: Solutions for responding to security-related incidents in a computer network, including a security server, and a client-side arrangement. The security server includes an event collection module communicatively coupled to the computer network, an event analysis module operatively coupled to the event collection module, and a solution module operatively coupled to the event analysis module. The event collection module is configured to obtain incident-related information that includes event-level information from at least one client computer of the plurality of client computers, the incident-related information being associated with at least a first incident which was detected by that at least one client computer and provided to the event collection module in response to that detection. The event analysis module is configured to reconstruct at least one chain of events causally related to the first incident and indicative of a root cause of the first incident based on the incident-related information.
    Type: Grant
    Filed: August 29, 2011
    Date of Patent: July 8, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg Zaitsev
  • Patent number: 8775819
    Abstract: A method of authorising a user in communication with a workstation is disclosed. According to the method, a system automatically determines a plurality of available user information entry devices in communication with the workstation. The system then determines predetermined user authorization methods each requiring data only from available user information entry devices. The user then selects one of the determined authorization methods for use in user authorization. Optionally, each authorization method is associated with a security level relating to user access to resources. Once the authorization method is selected, the user provides user authorization information in accordance with a determined user authorization method and registration proceeds.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: July 8, 2014
    Assignee: Activcard Ireland Limited
    Inventors: Laurence Hamid, Robert D. Hillhouse
  • Patent number: 8763159
    Abstract: A system and method for managing licensing of virtual environment applications. A licensing module of a first installed virtual environment application detects installation of affiliated applications and gives them a group licensing key for passing it to the licensing server. The licensing server derives licensing parameters of the affiliated applications from the group key and gives the licenses to the affiliated applications, in case of successful validation. The licensing system provides protection from un-authorized copying of the applications. If an affiliated virtual environment application is copied (or moved) to another hardware node without its virtual environment, the licensing server will not give the license activation key to this virtual environment application.
    Type: Grant
    Filed: December 5, 2012
    Date of Patent: June 24, 2014
    Assignee: Parallels IP Holdings GmbH
    Inventors: Alexey Kobets, Alexander G. Tormasov
  • Patent number: 8745399
    Abstract: A method for sharing and updating a key using a watermark is disclosed. The method includes receiving an image to be encoded from an image input device, encoding the image, and inserting a master key value as a watermark into the encoded image, for use as an input of a key derivation function.
    Type: Grant
    Filed: May 25, 2010
    Date of Patent: June 3, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jin Hee Han, Young Sae Kim, Geon Woo Kim, Hong Il Ju, Su Gil Choi
  • Patent number: 8726383
    Abstract: Disclosed herein are techniques for detecting possible security intrusions in a computer network. The security intrusion detection may be based on analyzing patterns of how transactions flow through one or more software applications. For example, patterns of transaction flows are determined for an initial time period to establish a baseline of normal flow patterns. These normal flow patterns may be compared with patterns for transaction flows for a later time period. Deviations in the patterns of transaction flow may indicate a possible security intrusion.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: May 13, 2014
    Assignee: CA, Inc.
    Inventor: Aaron Kenneth Blackwell