Patents Examined by Michael R Vaughan
-
Patent number: 9276745
Abstract: An apparatus and method for preserving image privacy when manipulated by cloud services includes middleware for receiving an original image, splitting the original image into two sub-images, where the RGB pixel values of the sub-images have a bit value that is less than RGB pixel values of the original image. The sub-images are encrypted by adding a keystream to the RGB pixel values of the sub-images. The sub-image data is transmitted to a cloud service such as a social network or photo-sharing site, which manipulate the images by resizing, cropping, filtering, or the like. The sub-image data is received by the middleware and is successfully decrypted irrespective of the manipulations performed by the cloud services. In an alternative embodiment, the blocks of the original image are permutated when encrypted, and then reverse-permutated when decrypted.
Type: Grant
Filed: December 15, 2011
Date of Patent: March 1, 2016
Assignee: Intel Corporation
Inventors: David M. Durham, Men Long, Karanvir S. Grewal, Prashant Dewan, Xiaozhu Kang
-
Patent number: 9275224
Abstract: An apparatus for improving detection performance of an intrusion detection system includes a transformed detected data generation unit for changing original detected data, detected based on current detection rules, to transformed detected data complying with transformed detected data standard. A transformed detected data classification unit classifies the transformed detected data by attack type, classifies transformed detected data for attack types by current detection rule, and classifies transformed detected data for detection rules into true positives/false positives. A transformed keyword tree generation unit generates a true positive transformed keyword tree and a false positive transformed keyword tree. A true positive path identification unit generates a true positive node, and identifies a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree.
Type: Grant
Filed: July 23, 2014
Date of Patent: March 1, 2016
Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
Inventors: NamHoon Lee, Seokwon Lee, Soonjwa Hong, TaekKyu Lee, KyuCheol Jung, Geunyong Kim, Hyung Geun Oh, Ki Wook Sohn
-
Patent number: 9270469
Abstract: One approach for authenticating data includes storing a plurality of combinations of representations of public keys and session key IDs in a non-volatile memory. A payload and accompanying public key, session key ID, and signature of the payload are input. The signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key. Authenticity of the payload is determined based on the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload. In response to determining that the payload is authentic, the payload is processed, and in response to determining that the payload is not authentic, processing of the payload is disabled.
Type: Grant
Filed: February 20, 2014
Date of Patent: February 23, 2016
Assignee: XILINX, INC.
Inventors: Jason J. Moore, Steven E. McNeil, Stephen M. Trimberger
-
Patent number: 9270690
Abstract: Systems and methods for protecting at least one client from becoming part of at least one botnet. The system may comprise virtual machines deliberately infected with malicious content and operable to record botnet communications to and from criminal servers. The virtual machines are in communication with a processing unit configured to index data collected. Data related to the prevalence of cyber threats may be presented to users in response to queries.
Type: Grant
Filed: July 21, 2011
Date of Patent: February 23, 2016
Assignee: SECULERT LTD.
Inventors: Ron Kraitsman, Alex Milstein, Aviv Raff, David Matot
-
Patent number: 9258344
Abstract: Embodiments of the present disclosure describe methods, apparatuses, and systems related to using an identity provider (IdP) as a proxy for another IdP. Other embodiments may be described and/or claimed.
Type: Grant
Filed: December 19, 2011
Date of Patent: February 9, 2016
Assignees: Intel Corporation, Intel Deutschland GmbH
Inventors: Avishay Sharaga, Achim Luft
-
Patent number: 9251361
Abstract: Techniques for transmitting data to an entity may be provided. In particular, a location of a data file (e.g., image, text, multimedia file, document, blog entry, identifying user information) can be provided to a location of a transitive file storage device for the entity to retrieve, instead of providing the data file directly to the entity. The entity can then provide the data file to users (e.g., via a hosted network page) and/or provide the data file to a service provider along with code to enable the service provider to provide the data file to users.
Type: Grant
Filed: December 13, 2013
Date of Patent: February 2, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Shashank Shekhar, Teresa Shuk Kwan Lau, Jay Austin Crosley, Oleg Oleg Pistolet, Satish Kumar Eerpini
-
Patent number: 9253217
Abstract: A method and system for authenticating a user. A first server of at least two servers receive input authentication information from the user. The first server ascertains that the user is authorized to access a federated computing environment that comprises at least two servers, which includes the first server determining that the received input authentication information conforms to at least one rule of an authentication policy of a second server having a highest relative priority among servers of the at least two servers whose authentication policy's at least one rule, in an authentication policy table within the first server, is conformed to by the received input authentication information.
Type: Grant
Filed: July 22, 2014
Date of Patent: February 2, 2016
Assignee: International Business Machines Corporation
Inventor: Masahiro Takehi
-
Patent number: 9245127
Abstract: Segmented media content rights management is described. A media device can receive segments of protected media content from media content streams that each include a different version of the protected media content. A media content file can be generated to include the segments of the protected media content that are sequenced to render the protected media content for viewing. A file header object can be instantiated in a file header of the media content file, where the file header object includes DRM-associated features, such as one or more DRM licenses, properties, and/or attributes that correspond to the media content file to provision all of the segments of the protected media content together.
Type: Grant
Filed: February 25, 2013
Date of Patent: January 26, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventor: Patrik Schnell
-
Patent number: 9240999
Abstract: A system for providing a managed virtual point to point communication service having a verified directory and providing secure transmission and controlled delivery of electronic document images may include a memory, an interface, and a processor. The memory may store a verified directory of users. The interface may communicate with devices of sending and receiving users in the verified directory. The processor may be operative to receive a request to deliver an electronic document image from a sending user to a receiving user. The processor may provide secure access to the electronic document image to the receiving user. The processor may provide a delivery confirmation to the sending device of the sending user upon determining that the electronic document image was securely accessed by the receiving user. The delivery confirmation may indicate that the electronic document image was securely transmitted to the receiving user.
Type: Grant
Filed: August 4, 2014
Date of Patent: January 19, 2016
Assignee: DST Technologies, Inc.
Inventors: Peter E. Clark, Paul M. Ives, Michael V. Gentry
-
Patent number: 9235692
Abstract: A method, system, and/or computer program product enables the secure debugging of a software application. A server receives a secure software application from a client. The secure application is designed to execute within the server, and access to data used by the secure software application is protected by a security object, which allows a processor within the server to access the data used by the secure software application without permitting data to exit unprotected from the processor. The server also receives a secure sidecar debugging application from the client. The secure sidecar debugging application is designed to debug the secure application, but cannot be used by the server. If there is an error in execution of the secure software application within the server, the server transmits the secure software application to the client, where it is debugged using the secure sidecar debugging application.
Type: Grant
Filed: December 13, 2013
Date of Patent: January 12, 2016
Assignee: International Business Machines Corporation
Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
-
Patent number: 9237145
Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
Type: Grant
Filed: April 30, 2014
Date of Patent: January 12, 2016
Assignee: Oracle International Corporation
Inventors: Ajay Sondhi, Ravi Hingarajiya, Shivaram Bhat, Wai Leung William Wong
-
Patent number: 9230079
Abstract: Methods of configuring a different authority for a plurality of users to use at least one application in an electronic device. User inputs are received to set passwords for respective user levels, where each user level is associated with a different authority to access applications. The passwords are registered for the respective user levels. At least one application is associated with one of the user levels.
Type: Grant
Filed: December 23, 2014
Date of Patent: January 5, 2016
Assignee: Samsung Electronics Co., Ltd.
Inventor: Yong-Sang Yun
-
Patent number: 9231917
Abstract: Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.
Type: Grant
Filed: October 7, 2014
Date of Patent: January 5, 2016
Assignee: TREND MICRO INCORPORATED
Inventors: Antony Robert Durie, William G. McGee
-
Patent number: 9230129
Abstract: A software trusted platform module (sTPM) operates in a hypervisor, receives trust assurances from specialized hardware, and extends this trust such that the hypervisor performs trust attestation. The hypervisor receives a startup sequence validation from a TPM, or Trusted Platform Module. The TPM performs bus monitoring during a boot sequence of the computer system, records the startup sequence from the bus, and performs a hash on the sequence. The TPM performs an authentication exchange with the hypervisor such that the hypervisor authenticates the attestation of the computer system from the TPM, and the hypervisor, now delegated with trust assurances from the TPM, provides assurances to users via an authentication chain. The ATCB then performs the attestation of the computer system according to the attestation protocol much faster than the TPM. In this manner, the hypervisor operates as a software delegate of the TPM for providing user assurances of trust.
Type: Grant
Filed: April 4, 2012
Date of Patent: January 5, 2016
Assignee: EMC Corporation
Inventors: Wenbo Mao, Haibo Chen, Jun Li, Jingcheng Zhang
-
Patent number: 9231940
Abstract: A first server device may receive, from a user device, a request to authenticate the user device for a first service using authentication credentials for a second service that is different than the first service; provide the authentication credentials to a second server device that provides the second service; receive from the second server device, and when the authentication credentials are valid for the second service, user information relating to a user of the user device; and provide, to the user device, an authentication response, associated with the user information, that provides authentication of the user device for the first service.
Type: Grant
Filed: December 16, 2013
Date of Patent: January 5, 2016
Assignee: Verizon Patent and Licensing Inc.
Inventor: Raymond C Counterman
-
Patent number: 9223960
Abstract: An apparatus for detecting tampering with a clock of a state-machine, comprising, a master state-machine having master states and driven by a master clock, the master states being switchable responsive to events, and an auxiliary state-machine having auxiliary states and driven by an auxiliary clock synchronous with the master clock, the auxiliary states being switchable responsive to a signal generated based at least on said events, consequently establishing a correspondence between the master states and the auxiliary states, thus ensuing that subsequent to tampering with the master clock the correspondence between the master states and the auxiliary states become discordant, thereby indicating that the master clock has been tampered with.
Type: Grant
Filed: July 31, 2014
Date of Patent: December 29, 2015
Assignee: WINBOND ELECTRONICS CORPORATION
Inventors: Uri Kaluzhny, Tsachi Weiser, Valery Teper, Nir Tasher
-
Patent number: 9218616
Abstract: Access to resources in a cloud computing environment having a plurality of computing nodes is described. A group of users is defined within the cloud computing environment. A first name is assigned to the group. At least one subgroup of users is defined from within the group. A second name is assigned to the at least one subgroup. The second name follows a hierarchical naming structure of the form /group/subgroup.
Type: Grant
Filed: November 17, 2011
Date of Patent: December 22, 2015
Assignee: Oracle International Corporation
Inventors: Willem Robert Van Biljon, Christopher Conway Pinkham, Russell Andrew Cloran, Michael Carl Gorven, Alexandre Hardy, Brynmor K. B. Divey, Quinton Robin Hoole, Girish Kalele
-
Patent number: 9213826
Abstract: A method and system that provides secure modules that can address Java platform weaknesses and protect Java bytecode during execution time. The secure modules are implemented in C/C++ as an example. Because implementation of the security modules is made in C/C++, this enables use of security technology that secures C/C++ software code.
Type: Grant
Filed: November 12, 2010
Date of Patent: December 15, 2015
Assignee: Irdeto B.V.
Inventors: Yuan Xiang Gu, Garney Adams, Jack Rong
-
Patent number: 9203846
Abstract: A user may access a subscription-based service via a system comprising one or more devices with one or more separate domains where each domain may be owned or controlled by one or more different local or remote owners. Each domain may have a different owner, and a remote owner offering a subscription-based service may have taken ownership of a domain, which may be referred to as a remote owner domain. Further, the user may have taken ownership of a domain, which may be referred to as a user domain. In order for the user to access the subscription-based service, registration and credential roll-out may be needed. An exemplary registration and credential roll-out process may comprise registration of the user, obtaining credentials from the remote owner and storing the credentials.
Type: Grant
Filed: October 15, 2010
Date of Patent: December 1, 2015
Assignee: InterDigital Patent Holdings, Inc.
Inventors: Louis J. Guccione, Inhyok Cha
-
Patent number: 9202037
Abstract: A system for using machine readable code to commission a device application includes a controller, an image capturing device, and at least one processor. The at least one processor is programmed to receive an image acquired from the image capturing device, wherein the image includes a code, the at least one processor is also programmed to access information from the code, and send the information accessed from the code to the controller, wherein the information enables the controller to commission a device application.
Type: Grant
Filed: June 8, 2012
Date of Patent: December 1, 2015
Assignee: General Electric Company
Inventor: Robert Marten Bultman