Patents Examined by Matthew B. Smithers
  • Patent number: 8037517
    Abstract: Methods, systems, and computer program products for providing function-parallel firewalls are disclosed. According to one aspect, a function-parallel firewall includes a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules. The first portion includes less than all of the rules in the rule set. At least one second firewall node filters packets using a second portion of the rule set. The second portion includes at least one rule in the rule set that is not present in the first portion. The first and second portions together include all of the rules in the rule set.
    Type: Grant
    Filed: December 22, 2005
    Date of Patent: October 11, 2011
    Assignee: Wake Forest University
    Inventors: Errin W. Fulp, Ryan J. Farley
  • Patent number: 8024806
    Abstract: A method, apparatus and system enable a secure location-aware platform. Specifically, embodiments of the present invention may utilize a secure processing partition on the platform to determine a location of the platform and dynamically apply and/or change security controls accordingly.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: September 20, 2011
    Assignee: Intel Corporation
    Inventor: Dennis Morgan
  • Patent number: 8010788
    Abstract: For each process a stack data structure that includes two stacks, which are joined at their bases, is created. The two stacks include a normal stack, which grows downward, and an inverse stack, which grows upward. Items on the stack data structure are segregated into protected and unprotected classes. Protected items include frame pointers and return addresses, which are stored on the normal stack. Unprotected items are function parameters and local variables. The unprotected items are stored on the inverse stack.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: August 30, 2011
    Assignee: AT&T Intellectual Property II, LP
    Inventors: Michael L. Asher, Charles C. Giddens, Harold Jeffrey Stewart
  • Patent number: 8006312
    Abstract: To provide a system which allows large volumes of data to be exchanged efficiently through network connections using portable terminals. An example data communications system includes a data terminal which stores certain data; and an operation terminal which controls access rights to the data stored in the data terminal, in which the operation terminal grants another operation terminal access rights to desired data. The data terminal returns the data according to an access request made based on the access rights. On the other hand, the operation terminal passes the acquired access rights to the data terminal, which then accesses the data terminal via a high-speed, stable, wired network and acquires the desired data, based on the access rights.
    Type: Grant
    Filed: August 19, 2007
    Date of Patent: August 23, 2011
    Assignee: International Business Machines Corporation
    Inventor: Taiga Nakamura
  • Patent number: 8005223
    Abstract: Embodiments of a system and method for providing additional security for data being transmitted across a wireless connection that has been established using a known wireless protocol (e.g. Bluetooth) are described. An encryption key is exchanged between a computing device (e.g. a mobile device) and a wireless peripheral device (e.g. a keyboard, a printer). In exemplary embodiments, the encryption key is generated at one of the two devices. Data associated with the encryption key is output at the one device, which can be input by the user at the other device. The encryption key is then recovered at the other device from the input, thereby completing the key exchange. The encryption key can then be used to encrypt and decrypt data transmitted over the established wireless connection, providing additional security.
    Type: Grant
    Filed: May 12, 2006
    Date of Patent: August 23, 2011
    Assignee: Research In Motion Limited
    Inventors: Michael G. Kirkup, Michael K. Brown, Michael S. Brown
  • Patent number: 8006102
    Abstract: A data transmission method and apparatus for transmitting data, such as encrypted content data. A device that is to be a destination of transmission is authenticated. If the device has not been authenticated, encrypted data read out from a storage unit is decrypted to give decoded data which then is re-encrypted based on innate key data acquired from the device that is to be the destination of transmission to give re-encrypted data. The re-encrypted data is then transmitted to the device that is to be a destination of transmission.
    Type: Grant
    Filed: June 20, 2008
    Date of Patent: August 23, 2011
    Assignee: Sony Corporation
    Inventors: Yoichiro Sako, Tatsuya Inokuchi, Shunsuke Furukawa
  • Patent number: 8006302
    Abstract: A system for detecting unauthorised use of a network is provided with a pattern matching engine for searching attack signatures into data packets, and with a response analysis engine for detecting response signatures into data packets sent back from an attacked network/computer. When a suspect signature has been detected into a packet, the system enters an alarm status starting a monitoring process on the packets sent back from the potentially attacked network/computer. An alarm is generated only in case the analysis of the response packets produces as well a positive result. Such intrusion detection system is much less prone to false positives and misdiagnosis than a conventional pattern matching intrusion detection system.
    Type: Grant
    Filed: August 11, 2003
    Date of Patent: August 23, 2011
    Assignee: Telecom Italia S.p.A.
    Inventor: Paolo Abeni
  • Patent number: 8001595
    Abstract: A security data structure, method and computer program product are provided. In use, computer code is received. Furthermore, functions in the computer code that control a behavior of the computer code when executed are statically identified.
    Type: Grant
    Filed: May 10, 2006
    Date of Patent: August 16, 2011
    Assignee: McAfee, Inc.
    Inventors: Joel Robert Spurlock, Aditya Kapoor
  • Patent number: 8001610
    Abstract: An endpoint defense system uses endpoint health indicators and user identity information to provide fine-grain access control over network resources. For example, the endpoint defense system may include a controller, a set of protection devices, and a set of agents. The agents are software applications installed on a set of endpoints to gather the health information that represents security states of the endpoint devices. The agents send updated health information to the controller. In response to a login attempt, the controller processes the health indicators and identity information through a set of administrator-defined policies to generate a set of access rights. The controller transfers the set of access rights to the protection devices. The protection devices then control user access to network resources according to the set of access rights. The controller sends updated sets of access rights to the protection devices whenever the access rights change.
    Type: Grant
    Filed: September 28, 2005
    Date of Patent: August 16, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Roger Chickering, Sampath Srinivas, Timothy Liu
  • Patent number: 7996881
    Abstract: Techniques are described for repairing some types of user account problems that interfere with granting a user access to a computer system and doing so during a process to authenticate the user in a way that does not require the user to re-enter authentication information or require the user to restart a communication session with the computer system. In response to a determination that a user's account has a problem during an authentication process, techniques are provided to enable a user to execute an appropriate process or processes to fix the user account, after which the authentication process continues. In this way, the correction to the user account may appear to be seamless to the user.
    Type: Grant
    Filed: November 9, 2005
    Date of Patent: August 9, 2011
    Assignee: AOL Inc.
    Inventors: Philip W. Flack, Yan Cheng, Zhihong Zhang, Matthew Nguyen
  • Patent number: 7996684
    Abstract: A digital logic circuit comprises a programmable logic device and a programmable security circuit. The programmable security circuit stores a set of authorized configuration security keys. The programmable security circuit compares the authorized configuration security keys with an incoming configuration request, and selectively enables a new configuration for the programmable logic device in response to the configuration request. In another exemplary embodiment, a programmable security circuit also stores a set of authorized operation security keys. The programmable security circuit compares the authorized operation security keys with an incoming operation request from the programmable logic device, and selectively enables an operation within the programmable logic device in response to the operation request.
    Type: Grant
    Filed: May 16, 2006
    Date of Patent: August 9, 2011
    Assignee: Infineon Technologies AG
    Inventors: Stephen L. Wasson, David K. Varn, John D. Ralston
  • Patent number: 7992001
    Abstract: A method, system and computer program product for partitioning the binary image of a software program, and partially removing code bits to create an encrypted software key, to increase software security. The software program's binary image is partitioned along a random segment length or a byte/nibble segment length, and the code bits removed, and stored, along with their positional data in a software key. The software key is encrypted and is separately distributed from the inoperable binary image to the end user. The encrypted key is stored on a secure remote server. When the end user properly authenticates with the developer's remote servers, the encrypted security key is downloaded from the secure remote server and is locally decrypted. The removed code bits are reinserted into the fractioned binary image utilizing the positional location information. The binary image is then operable to complete execution of the software program.
    Type: Grant
    Filed: September 5, 2007
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: Axel Aguado Granados, Benjamin A. Fox, Nathaniel J. Gibbs, Jamie R. Kuesel, Andrew B. Maki, Trevor J. Timpane
  • Patent number: 7987371
    Abstract: Disclosed herein are methods and systems for encoding digital watermarks into content signals. Also disclosed are systems and methods for detecting and/or verifying digital watermarks in content signals. According to one embodiment, a system for encoding of digital watermark information includes: a window identifier for identifying a sample window in the signal; an interval calculator for determining a quantization interval of the sample window; and a sampler for normalizing the sample window to provide normalized samples. According to another embodiment, a system for pre-analyzing a digital signal for encoding at least one digital watermark using a digital filter is disclosed.
    Type: Grant
    Filed: July 9, 2008
    Date of Patent: July 26, 2011
    Assignee: Wistaria Trading, Inc.
    Inventor: Scott A. Moskowitz
  • Patent number: 7987500
    Abstract: The present invention is a method and system for providing a user with confirmation of the origin of a Web site and related information including the steps of registering a Web site with an assuring third party, saving the registration on a registration server, entering in a database the Web site's Internet domain name and cross-referencing it to the registration data, retrieving the Web site's domain with an Internet browser, and either (1) using a client application tool to call for registration data for the domain name via a secure SSL connection with the registration server, determining if the domain has been registered, and returning and displaying registration data for the domain name as a confirmed identity, or (2) calling a program on the registration server in response to an HTML tag on the domain via a secure SSL connection and passing it the domain name, determining if the domain has been registered, determining if the domain name has been registered, and returning and displaying registration data
    Type: Grant
    Filed: May 18, 2009
    Date of Patent: July 26, 2011
    Assignee: Geotrust, Inc.
    Inventors: Jonathan B. Rosenberg, John C. Harrison, David L. Remy, Neal L. Creighton, Jr.
  • Patent number: 7987498
    Abstract: It is an object to provide a personal data management system which overcomes a problem of data leakage and a nonvolatile memory card applied to the personal data management system. A personal data management system includes a personal data storage medium including a communication control unit which transmits and receives data to/from a terminal, an encoding unit which encodes the received data, and a nonvolatile memory which stores the encoded data; a terminal including a communication control unit which transmits and receives data to/from the personal data storage medium and a server, a display portion which displays the received data, and an input unit; and the server including a communication control unit which transmits and receives data to/from the terminal, a decoding unit which decodes the encoded data, an identification data storage portion, and a unit which compares the decoded data with data in the identification data storage portion.
    Type: Grant
    Filed: June 20, 2007
    Date of Patent: July 26, 2011
    Assignee: Semiconductor Energy Laboratory Co., Ltd.
    Inventors: Yoshifumi Tanada, Shunpei Yamazaki, Yasuyuki Arai, Yoshitaka Moriya
  • Patent number: 7984515
    Abstract: A storage area network (SAN) license validator manages data collection policies (DCPs) in deployed SAN agents by identifying data collection policies corresponding to unlicensed features, and disabling the DCPs for the unlicensed features. Thus, the agents need not expend computational and memory resources to gather data for unlicensed features that will not be queried. Agents receive a set of data collection policies (DCPs) for licensed features for which the corresponding data will be gathered and reported to the MODB. DCPs for unlicensed features are disabled in the agents that would have executed them, either by removing or canceling from an active DCP list or by omitting the unlicensed DCPs from the startup sequence of the agent. In this manner, agents operate with only the DCPs for licensed products and corresponding features, and need not gather extraneous data.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: July 19, 2011
    Assignee: EMC Corporation
    Inventors: Svetlana Patsenker, Boris Farizon
  • Patent number: 7984288
    Abstract: A software protection apparatus and its protection method are disclosed. The software protection apparatus includes a storage unit and a processing unit. The storage unit has a program area and a data area. The program area is used to save an executable. The processing unit generates a reference pointer based on internal information of the executable, and the reference pointer then is saved to the program area or the data area. The processing unit then generates an algorithm based on at least one characteristic of the executable to save the algorithm to a specific position of the program area or the data area through the reference pointer, and employs the algorithm to perform an encoding action for the executable to generate a wrap program that is saved to the program area. When the wrap program is decoded, the reference pointer is obtained through a restore program to take the algorithm out. The wrap program then is restored to become the executable by using the algorithm.
    Type: Grant
    Filed: May 21, 2007
    Date of Patent: July 19, 2011
    Assignee: Sercomm Corporation
    Inventor: Chungjen Yang
  • Patent number: 7984290
    Abstract: In an encryption communication using VPN technologies, a load on a VPN system becomes large if the number of communication terminals increases. When an external terminal accesses via an internal terminal an application server, processes become complicated because it is necessary to perform authentication at VPN and authentication at the application server. A management server is provided for managing external terminals, internal terminals and application servers. The management server authenticates each communication terminal and operates to establish an encryption communication path between communication terminals. Authentication of each terminal by the management server relies upon a validation server. When the external terminal performs encryption communication with the application server via the internal terminal, two encryption communication paths are established and used between the external terminal and internal terminal and between the internal terminal and application server.
    Type: Grant
    Filed: May 18, 2006
    Date of Patent: July 19, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Yoko Hashimoto, Takahiro Fujishiro, Tadashi Kaji, Osamu Takata, Kazuyoshi Hoshino, Shinji Nakamura
  • Patent number: 7978852
    Abstract: A method of partially scrambling a data stream (6) including transport stream packets (7), each transport stream packet (7) having a header (8) and a payload (9), wherein a sequence of transport stream packets (7) has payloads carrying encoded data elements, arranged in units (15), includes: selecting transport stream packets (7) forming a subsequence of the sequence, and scrambling at least part of the payloads (9) of each transport stream packet (7) in the subsequence. The method further includes monitoring the payloads (9) of at least some of the transport stream packets (7) in the sequence for the presence of data (22) indicating a boundary between two subsequent units (15), and, for selected units (15), including at least one of the transport stream packets (7) carrying data forming part of the selected unit (15) in the sub-sequence.
    Type: Grant
    Filed: July 26, 2004
    Date of Patent: July 12, 2011
    Assignee: Irdeto Access B.V.
    Inventors: Andrew Augustine Wajs, Gerard Johan Dekker, David Neil Siedle, Roelof Van Wijk, Ronaldus Petrus Johannes Hoogenboom, James Stewart Crosbie Palmer, Thomas Franz Stockhammer
  • Patent number: 7978859
    Abstract: The present invention relates to a method, a device and a system for preventing unauthorized introduction of content items in a network containing compliant devices and enabling users in the network to be anonymous. A basic idea of the present invention is to provide a CA (206) with a fingerprint of a content item to be introduced in a network at which the CA is arranged. Further, the CA is provided with an identifier of a content introducer (201), which introduces the particular content item in the network. The CA compares the fingerprint to a predetermined set of fingerprints, and content item introduction is allowed if the content item fingerprint cannot be found among the fingerprints comprised in the set. On introduction of the content item, the CA generates a pseudonym for the content introducer and creates a signed content ID certificate comprising at least said fingerprint and a unique content identifier for the content item and the pseudonym of the content introducer.
    Type: Grant
    Filed: January 19, 2006
    Date of Patent: July 12, 2011
    Assignee: Koninklijke Philips Electronics N.V.
    Inventors: Claudine Viegas Conrado, Geert Jan Schrijen, Milan Petkovic