Patents Examined by Matthew B. Smithers
  • Patent number: 7607176
    Abstract: Embodiments of the present invention provide for flexible monitoring of content. The content at a client device can be monitored based on the use and actions performed by the client. In order to monitor the content at the client, a dependency is created between any recipient of the content and a monitor installed at the client device. For example, the content may be encrypted and, when the content is accessed by a potential recipient, the recipient may be required to request a key from the monitor. This activates the monitor to begin recording transaction data and events about the content's use, such as the recipient's identity and the type of actions performed. The monitor can be configured to passively monitor and record the use of the content at the client's device. In addition, the monitor can be configured to provide audit data that indicates the transaction data recorded to a server.
    Type: Grant
    Filed: November 12, 2004
    Date of Patent: October 20, 2009
    Assignee: International Business Machines Corporation
    Inventors: Cheryl A. Leone, Michael G. Lisanke, James C. Mahlbacher, Jose Martinez, Jr., Susan E. Waefler, George W. Wilhelm, Jr.
  • Patent number: 7603552
    Abstract: A method for providing solidified software in a computing environment includes creating a new reference for a function in a function table; copying an address of the function and associating the address with the new reference; replacing the address associated with an old reference of the function with a dummy address; and substituting each old reference in normal code with the new reference, where injected code is not able to execute in the computing environment. The function table entries can be further randomized by reordering the entries, introducing intermediate mappings, or providing non-operative entries. Alternatively, all or part of the code of the function can be copied and moved to a different storage location and associated with the new reference. The copied code can be further randomized by the insertion of dummy code, utilizing reverse peephole techniques, varying the size of the copied portion, or interleaving non-operative code.
    Type: Grant
    Filed: May 4, 2005
    Date of Patent: October 13, 2009
    Assignee: McAfee, Inc.
    Inventors: E. John Sebes, Rishi Bhargava, Dilip Naik
  • Patent number: 7602904
    Abstract: A system provides an order-invariant fuzzy commitment scheme. In an exemplary embodiment, the scheme includes receiving a first set of elements and selecting a polynomial for encoding an item under the first set of elements to generate an order-invariant fuzzy commitment of the item. The system utilizes an error-correcting code for decommitting the item if a second set of elements has a specified level of overlap with the first set of elements.
    Type: Grant
    Filed: November 26, 2001
    Date of Patent: October 13, 2009
    Assignee: RSA Security, Inc.
    Inventors: Ari Juels, Madhu Sudan
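The construction summarized in the abstract above, as an added worked example (this is not code from the patent or from RSA Security): the secret becomes the coefficients of a polynomial over GF(p), every element of the first set contributes a genuine point on that polynomial, random chaff points hide the genuine ones, and a second set with enough overlap lets the decoder recover the polynomial despite a few wrong points. The field size, the degree, the chaff count and the element-to-field mapping are assumptions chosen for readability, and the brute-force subset search stands in for the Reed-Solomon decoder the scheme assumes.

```python
"""Toy order-invariant fuzzy commitment (fuzzy vault) over a prime field.

Lock: the secret becomes the coefficients of a polynomial f; each set element
x yields a genuine point (x, f(x)); random chaff points hide them. Unlock:
a second set with enough overlap selects mostly genuine points, and an
error-correcting step recovers f despite a few wrong (chaff) points.
"""
import hashlib
import random
from itertools import combinations
from typing import Iterable, List, Optional, Tuple

P = (1 << 31) - 1   # prime field GF(p); toy size chosen for readability (assumption)
K = 4               # polynomial degree + 1; the secret is K field elements
CHUNK = 3           # bytes per coefficient (2^24 < P, so every chunk is a field element)
CHAFF = 40          # number of chaff points added to hide the genuine ones

Point = Tuple[int, int]


def to_field(element: str) -> int:
    """Map a set element to a nonzero field element (collisions negligible at this size)."""
    digest = hashlib.sha256(element.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def encode_secret(secret: bytes) -> List[int]:
    if len(secret) != K * CHUNK:
        raise ValueError(f"secret must be exactly {K * CHUNK} bytes")
    return [int.from_bytes(secret[i:i + CHUNK], "big") for i in range(0, len(secret), CHUNK)]


def decode_secret(coeffs: List[int]) -> Optional[bytes]:
    """Inverse of encode_secret; None if a coefficient cannot be a CHUNK-byte value."""
    if any(c >= 1 << (8 * CHUNK) for c in coeffs):
        return None
    return b"".join(c.to_bytes(CHUNK, "big") for c in coeffs)


def poly_eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of c0 + c1*x + ... + c_{K-1}*x^(K-1) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_mul(a: List[int], b: List[int]) -> List[int]:
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def interpolate(points: List[Point]) -> List[int]:
    """Lagrange interpolation: coefficients of the unique polynomial of degree < len(points)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % P, 1])   # multiply by (x - xj)
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P             # yi / denom via Fermat inverse
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs


def lock(secret: bytes, elements: Iterable[str],
         rng: Optional[random.Random] = None) -> List[Point]:
    """Commit to `secret` under the set `elements`; the vault is an unordered point set."""
    rng = rng or random.SystemRandom()
    coeffs = encode_secret(secret)
    genuine_xs = {to_field(e) for e in elements}
    vault = [(x, poly_eval(coeffs, x)) for x in genuine_xs]
    used_xs = set(genuine_xs)
    while len(vault) < len(genuine_xs) + CHAFF:
        x, y = rng.randrange(1, P), rng.randrange(P)
        if x in used_xs or y == poly_eval(coeffs, x):
            continue                                      # chaff must not lie on f
        used_xs.add(x)
        vault.append((x, y))
    rng.shuffle(vault)                                    # order carries no information
    return vault


def unlock(vault: List[Point], elements: Iterable[str]) -> Optional[bytes]:
    """Decommit with a second set. Brute-force subset interpolation stands in for a
    Reed-Solomon decoder: a degree-(K-1) polynomial agreeing with at least
    ceil((n+K)/2) of the n selected points is unique, so it must be f."""
    probe = {to_field(e) for e in elements}
    candidates = [pt for pt in vault if pt[0] in probe]
    n = len(candidates)
    if n <= K:                      # need at least one redundant point to detect errors
        return None
    threshold = (n + K + 1) // 2    # ceil((n + K) / 2)
    for subset in combinations(candidates, K):
        coeffs = interpolate(list(subset))
        agree = sum(1 for x, y in candidates if poly_eval(coeffs, x) == y)
        if agree >= threshold:
            return decode_secret(coeffs)
    return None
```

Because the vault is a set of points, the order in which the second party lists its elements is irrelevant; only the size of the overlap matters. With degree K-1 and c chaff points selected by the second set, recovery needs at least K + c genuine points, which is the "specified level of overlap" of the abstract.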
  • Patent number: 7603715
    Abstract: One aspect of the invention is a vulnerability detection mechanism that can detect a large class of attacks through dynamic dataflow analysis. Another aspect of the invention includes self-certifying alerts as the basis for safely sharing knowledge about worms. Another aspect of the invention is a resilient and self-organizing protocol to propagate alerts to all non-infected nodes in a timely fashion, even when under active attack during a worm outbreak. Another aspect of the invention is a system architecture that enables a large number of mutually untrusting computers to collaborate in the task of stopping a previously unknown worm, even when the worm is spreading rapidly and exploiting unknown vulnerabilities in popular software packages.
    Type: Grant
    Filed: March 30, 2005
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Manuel Costa, Miguel Castro, Antony Rowstron, Jon Crowcroft
  • Patent number: 7603702
    Abstract: A method and device are disclosed for identifying an item of equipment previously selected by a user. At the time the user selects the item of equipment a reading of a biometric characteristic of the user is taken to provide first biometric data that is then stored for access only by the user-selected item. Subsequently, a user-associated device is used to contact an item of equipment and determine whether the contacted item is the user-selected item by checking whether the contacted item can provide biometric data that matches second biometric data known to correspond to the user. Preferably, the device also checks whether the contacted item of equipment is trustable. User-selectable equipment facilitating identification using biometrics is also disclosed.
    Type: Grant
    Filed: April 6, 2005
    Date of Patent: October 13, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Stephen James Crane
  • Patent number: 7602910
    Abstract: Systems and methods for password protection are described. In one aspect, an asymmetric key pair is deterministically formed by combining a password and other data. The public key of the asymmetric key pair is exported to an external device. The private key of the asymmetric key pair is used to effect subsequent authentications to the external device.
    Type: Grant
    Filed: November 17, 2004
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Jesper M Johansson, Josh D. Benaloh
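The mechanism in the abstract above, as an added worked example (not code from the patent or from Microsoft): the password and "other data" such as a user name and device identifier are stretched into a seed, the seed deterministically fixes a private scalar and therefore a public key, only the public key is exported, and later authentications are challenge-response proofs of the private key. The group parameters below are a deliberately small toy (the Mersenne prime 2^127 - 1, base 3) chosen so the block runs with the standard library alone; the KDF settings, the user/device strings and the challenge bytes are constructed for the example. A real deployment would use a standard group such as Ed25519 and a memory-hard KDF.

```python
"""Password-derived asymmetric key pair used for challenge-response authentication.

The key pair is deterministic: the same password plus the same "other data"
(user name, device or realm identifier) always yields the same keys, so the
client stores nothing and only the public key is exported to the server.
"""
import hashlib
from typing import Tuple

# Toy group, an assumption for this demo and NOT secure: the Mersenne prime
# 2^127 - 1 with base 3, exponents reduced modulo p - 1. A real deployment would
# use a standard group such as Ed25519 and a memory-hard KDF (scrypt/Argon2).
P = (1 << 127) - 1
Q = P - 1
G = 3
KDF_ITERATIONS = 100_000

KeyPair = Tuple[int, int]   # (private scalar x, public element y = G^x mod P)


def derive_seed(password: str, other_data: bytes) -> bytes:
    """Stretch the password together with the other data into a 64-byte seed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), other_data,
                               KDF_ITERATIONS, dklen=64)


def keypair_from_password(password: str, other_data: bytes) -> KeyPair:
    """Deterministic key pair: no private key is ever stored, it is re-derived on use."""
    seed = derive_seed(password, other_data)
    x = int.from_bytes(seed[:32], "big") % (Q - 1) + 1    # private scalar in [1, Q-1]
    return x, pow(G, x, P)


def _hash_to_exponent(*parts: bytes) -> int:
    """Domain-separated, length-prefixed hash of the parts, reduced into [1, Q-1]."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1


def sign_challenge(x: int, challenge: bytes) -> Tuple[int, int]:
    """Client side: Schnorr-style proof of knowledge of x over the server's challenge.
    The nonce k is derived from x and the challenge (as RFC 6979 does for DSA), so
    an RNG failure cannot leak x; k still differs for every distinct challenge."""
    k = _hash_to_exponent(b"nonce", x.to_bytes(16, "big"), challenge)
    r = pow(G, k, P)
    e = _hash_to_exponent(b"response", r.to_bytes(16, "big"), challenge)
    s = (k - e * x) % Q
    return e, s


def verify_response(y: int, challenge: bytes, response: Tuple[int, int]) -> bool:
    """Server side: holds only the exported public key y. Recomputes r = G^s * y^e,
    which equals G^k exactly when s was formed with the x behind y."""
    e, s = response
    r = pow(G, s, P) * pow(y, e, P) % P
    return e == _hash_to_exponent(b"response", r.to_bytes(16, "big"), challenge)
```

The server never sees the password or a password hash, so a breach of its database yields only public keys; changing the "other data" (for example binding the key to a device identifier) gives a different key pair for the same password, and a wrong password produces a key pair whose responses fail verification.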
  • Patent number: 7596812
    Abstract: Disclosed is a method, system and apparatus for transferring protected data having an authorizing entity's outer encryption layer and having a user-fixed inner encryption layer from a first electronic device having a first unique, unalterable identifier to a second electronic device having a second unique, unalterable identifier. A central unit includes a receiver configured to receive from the first electronic device protected data having an authorizing entity's first outer encryption layer corresponding to the first unique, unalterable identifier and having a user-fixed inner encryption layer; a processor configured to decrypt the authorizing entity's first outer encryption layer of the protected data; a processor configured to encrypt an authorizing entity's second outer encryption layer of the protected data corresponding to the second unique, unalterable identifier; and a transmitter configured to transmit protected data to the second electronic device.
    Type: Grant
    Filed: June 14, 2005
    Date of Patent: September 29, 2009
    Assignee: Motorola, Inc.
    Inventors: Yi Q. Li, Ezzat A. Dabbish, Morris A. Moore
  • Patent number: 7594261
    Abstract: Systems and methods for cryptographically processing data as a function of a Cartier pairing are described. In one aspect, a Cartier pairing is generated from two different abelian varieties or abelian varieties and an isogeny between them. Data is cryptographically processed based on the Cartier pairing.
    Type: Grant
    Filed: February 8, 2005
    Date of Patent: September 22, 2009
    Assignee: Microsoft Corporation
    Inventors: Kristin E. Lauter, Denis X. Charles
  • Patent number: 7594116
    Abstract: A system for communicating a message securely between a sender and a receiver. The sender provides a key server with a string specifying the receiver. The key server obtains a message key and a particular envelope encryption key corresponding with a particular envelope decryption key, encrypts the message key with the envelope encryption key (creating the envelope), and provides the envelope to the sender-client. The sender-client encrypts the message with the message key and provides it and the envelope to the receiver. The receiver-client receives these and asks an authentication server for the envelope decryption key. The authentication server obtains the envelope decryption key and provides it to the receiver. The receiver then decrypts the envelope with the envelope decryption key, to get the message key, and decrypts the message.
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: September 22, 2009
    Assignee: Proofpoint, Inc.
    Inventors: Logan O'Sullivan Bruns, Jahanshah Moreh
  • Patent number: 7594272
    Abstract: A malicious software detection module (MSDM) detects worms and other malicious software. The MSDM executes on a computer system connected to a network. The MSDM monitors a storage device of the computer system for the arrival of software from a suspicious portal. The MSDM designates such software as suspicious. The MSDM tracks the set of files that are associated with the suspicious software. If the files in the set individually or collectively engage in suspicious behavior, the MSDM declares the suspicious software malicious and prevents file replication and/or other malicious behavior.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: September 22, 2009
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, David Kane
  • Patent number: 7590867
    Abstract: A method and a related apparatus provide a virtual trusted platform module (TPM). In an example embodiment, a virtual TPM service creates a virtual TPM for use in a processing system that contains a physical TPM. The virtual TPM service may store a key for the virtual TPM in the physical TPM. The virtual TPM service may then use the virtual TPM to provide emulated physical TPM features. In one embodiment, the virtual TPM service may use the virtual TPM to emulate a physical TPM for a virtual machine in the processing system. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 24, 2004
    Date of Patent: September 15, 2009
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Carlos V. Rozas
  • Patent number: 7590237
    Abstract: A system and method are described for greatly increasing the number of services that can be encrypted with existing conditional access equipment. The method is most useful when many digitally compressed programs are encrypted at the same time. Only the most critical components of each compressed video, audio, or data stream are selected and then sequenced into a single stream. Additional formatting causes this sequence of segments from multiple sources to appear as a single continuous stream to the conditional access system. Once this stream has been encrypted, it is demultiplexed and the components are restored and re-sequenced into their respective programs. Messages such as the Entitlement Control Messages that are inserted into the stream by the encryption system, are also adjusted and included with each of the reconstructed programs.
    Type: Grant
    Filed: March 31, 2005
    Date of Patent: September 15, 2009
    Assignee: RGB Networks, Inc.
    Inventors: Edward A. Krause, Peter Monta
  • Patent number: 7591022
    Abstract: Representing a number of assets on an originating computer begins with selecting the assets to be represented. Cryptographic hash asset identifiers are generated; each of the asset identifiers is computed using the contents of a particular asset. The asset identifier is a content-based or content-addressable asset name for the asset and is location independent. An asset list is generated that includes the asset identifiers computed from the assets. A cryptographic hash asset list identifier is generated that is computed from the asset list. The asset list identifier is stored for later retrieval. The assets selected are also stored for safekeeping either locally or on a computer network. In the event of loss of the files from the originating computer, the asset list identifier is retrieved. Using the asset list identifier, the original asset list is found and retrieved from its safe location.
    Type: Grant
    Filed: June 13, 2005
    Date of Patent: September 15, 2009
    Assignee: EMC Corporation
    Inventors: Paul R. Carpentier, Jan F. Van Riel, Tom Teugels
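The scheme in the abstract above, as an added worked example (not code from the patent or from EMC): each asset is named by the hash of its contents, the list of those names is itself hashed to a single asset list identifier, and that one identifier is enough to find and verify every asset later, wherever it was kept. The in-memory store, the SHA-256 choice, the JSON list encoding and the sample files are assumptions made for the example; the corrupt() method exists only to simulate bit rot or a tampering storage node.

```python
"""Content-addressed asset list: each asset is named by the hash of its contents,
the list of those names is itself hashed, and the single list identifier is all
that must be kept to find and verify everything later, wherever it is stored."""
import hashlib
import json
from typing import Dict, List, Tuple


def asset_id(content: bytes) -> str:
    """Content-addressable name: identical bytes get identical names, anywhere."""
    return hashlib.sha256(content).hexdigest()


class ContentStore:
    """Minimal content-addressable store; stands in for a local disk or a network
    archive. Objects are keyed only by their identifier, never by a path."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}

    def put(self, content: bytes) -> str:
        aid = asset_id(content)
        self._objects[aid] = content
        return aid

    def get(self, aid: str) -> bytes:
        content = self._objects[aid]
        if asset_id(content) != aid:           # integrity check on every read
            raise ValueError(f"object {aid[:12]} does not match its identifier")
        return content

    def corrupt(self, aid: str, content: bytes) -> None:
        """Simulates bit rot or a tampering storage node (test hook, not part of the design)."""
        self._objects[aid] = content


def represent_assets(store: ContentStore, assets: Dict[str, bytes]) -> str:
    """Store the selected assets, build the asset list, store it, and return the
    asset list identifier, the one value the owner has to keep."""
    entries: List[Tuple[str, str]] = sorted(
        (name, store.put(content)) for name, content in assets.items())
    asset_list = json.dumps(entries, separators=(",", ":")).encode("utf-8")
    return store.put(asset_list)


def recover_assets(store: ContentStore, list_id: str) -> Dict[str, bytes]:
    """After loss of the originals: fetch the list by its identifier, then each asset by its own."""
    entries = json.loads(store.get(list_id))
    return {name: store.get(aid) for name, aid in entries}


def verify_recoverable(store: ContentStore, list_id: str) -> bool:
    """True if the list and every asset it names can be retrieved intact."""
    try:
        recover_assets(store, list_id)
        return True
    except (KeyError, ValueError):
        return False
```

Because names derive from content rather than location, the same files produce the same list identifier on any machine, a single changed byte in any asset changes the list identifier, and a damaged or substituted object is caught when its hash is rechecked on retrieval.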
  • Patent number: 7590637
    Abstract: The present invention is directed to, in part, an efficient system and method for providing precise information to a user in response to a user input, as well as facilitating contact with merchants and other third parties. More specifically, a method is disclosed for providing data relating to a geographic location in a particular destination in response to a user input. The method comprises providing a map including the geographic location, receiving an identifier combination comprising a location identifier and a need identifier (609), accessing the data relating to the geographic location in a remote database based on the identifier combination (610), and transmitting the data to a user via a communication device.
    Type: Grant
    Filed: May 11, 2001
    Date of Patent: September 15, 2009
    Inventor: Starr Braun-Huon
  • Patent number: 7591002
    Abstract: A conditional activation system distributes a security policy to the computer systems of an enterprise. Upon receiving a security policy at a computer system, the computer system may install the received security policy without activation. When a security policy is installed without activation, it is loaded onto a computer system but is not used to process security enforcement events. The computer system may then determine whether a security policy activation criterion has been satisfied and, if so, activate the security policy.
    Type: Grant
    Filed: June 9, 2005
    Date of Patent: September 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Carl M. Ellison
  • Patent number: 7590861
    Abstract: A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.
    Type: Grant
    Filed: August 6, 2003
    Date of Patent: September 15, 2009
    Assignee: Privaris, Inc.
    Inventors: David S. Abdallah, Barry W. Johnson
  • Patent number: 7587760
    Abstract: Conventional countermeasures to Distributed Denial of Service (DDoS) attacks typically focus on practices and rules for organizing a robust, DDoS-resilient network which anticipates proactive cooperation of users. Such measures involve widespread implementation cooperation and may be difficult or problematic to enforce in a large organization. Configurations of the invention employ the attacker's technique preventatively against the attack to identify sources likely to be employed for DDoS attacks. Crawlers scan web sites to identify pages likely to be exploited as launch pads by DDoS attackers. A scanner device dispatches robots for sending probe messages from the launch pads which emulate an actual attack. Each of the probe messages is sent to a known, predetermined destination for determining identifying characteristics of such a message. The identifying characteristics define a signature of messages emanating from the launch pad.
    Type: Grant
    Filed: July 26, 2004
    Date of Patent: September 8, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Mark Stuart Day
  • Patent number: 7587604
    Abstract: An apparatus 10 for generating watermark signals to be embedded as a digital watermark in real-time contents includes: input means 12 for inputting the real-time contents; an input buffer 14 for storing the real-time contents; generation means for generating watermark signals corresponding to predicted intensities of the real-time contents from divided real-time contents; and an output buffer 18 for storing the generated watermark signals to be output. The generation means is configured by including prediction means 16 for predicting intensities of the watermark signals; control means 20 for controlling embedding by use of a message to be embedded as the digital watermark in the divided real-time contents; and means 22 for generating the watermark signals to be output.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: September 8, 2009
    Assignee: International Business Machines Corporation
    Inventors: Ryuki Tachibana, Ryo Sugihara
  • Patent number: 7587606
    Abstract: An apparatus for and method of efficiently adding software modules to large scale data processing systems. The customer is supplied all potentially applicable software modules upon system installation. However, each optional software module requires a key for enabling user access. Whenever the user needs an additional key on an emergency basis, it is requested via the Internet. Upon receipt of the request, the software supplier verifies entitlement of the requester to the key including licensing, payment, and configuration concerns. The key is supplied over the Internet upon verification of entitlement.
    Type: Grant
    Filed: October 9, 2002
    Date of Patent: September 8, 2009
    Assignee: Unisys Corporation
    Inventors: Timothy R. Miller, Michael J. Larsen, Melanie A. Wolbeck, Michael J. Jost
  • Patent number: 7587609
    Abstract: An alert messaging system and method to securely transmit and receive alert messages via secure connection among one or more messaging servers and at least one client user station using a token-based, one-way handshake mechanism.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: September 8, 2009
    Assignee: UBS Financial Services Inc.
    Inventors: David J. Arnone, Alex Kosoy, David R. Olivares, Gunjan Samtani, David J. Sexton