Abstract: A method for securing the execution of a computer program that includes a set of at least one instruction, characterized in that it includes: a first step which consists in calculating and storing, prior to execution of the computer program, a first signature representing the expected execution of the set of instructions; a second step which consists in calculating and storing, during execution of the set of instructions, a second signature representing the actual execution of the set of instructions; and a step which consists in detecting an anomaly in the execution of the set of instructions from the first and second signatures.
Abstract: Systems and methods are provided for authenticating and authorizing network access requests using directory services in which the directory service authentication and authorization procedures are enhanced using contextual information.
Type: Grant
Filed: August 16, 2013
Date of Patent: July 28, 2015
Assignee: International Business Machines Corporation
Inventors: Eric J. Barkie, Benjamin L. Fletcher, Colm Malone, Andrew P. Wyskida
Abstract: In certain embodiments, a system for providing internal services to third party enterprises comprises a memory module operable to store credentials associated with each of a plurality of third party enterprises, an interface module operable to receive a service request associated with a particular third party enterprise, the service request including a token associated with the particular third party enterprise, and a processing module operable to validate the particular third party enterprise, determine a particular internal service offered by an enterprise that is the subject of the service request, the interface module further operable to forward the service request to the particular internal service, receive results corresponding to the service request generated by the particular internal service, and communicate the results corresponding to the service request to the particular third party enterprise, and the memory module further operable to store the results corresponding to the service request.
Type: Grant
Filed: June 18, 2013
Date of Patent: July 14, 2015
Assignee: Bank of America Corporation
Inventors: William J. Wied, Matthew L. Donlan, Jason D. Parrish, Joseph B. Castinado, Jason R. Bradshaw, Christopher T. Hart
Abstract: A computer determines, based on a degree of authorization of a user, that a user has authorization to view a type of field. Based on the degree of authorization of the user, the computer generates a modified list of search terms by adding additional search terms to a list of search terms. The computer executes a search using the modified list of search terms. The computer identifies a search result that includes the first type of field which further includes a search term that is included in the modified list of search terms.
Type: Grant
Filed: June 18, 2013
Date of Patent: June 30, 2015
Assignee: International Business Machines Corporation
Inventors: Andreas Arning, Andrea E. Baader, Thomas Schulze, Sascha Schwarze
Abstract: Systems, methods, and machine-readable media for indicating that a system has booted an untrusted image are provided. The system may be configured to receive instructions to boot up an image and determine whether the image to be booted up is untrusted. If the image is untrusted, the system may set an indicator to indicate that the system has booted from an untrusted image and then boot the image.
Abstract: A system, method, and computer program product are provided for conditionally implementing protected content. In use, protected content is identified. Additionally, one or more elements associated with the protected content are verified. Further, the protected content is conditionally implemented, based on the verifying.
Type: Grant
Filed: January 16, 2013
Date of Patent: June 16, 2015
Assignee: Amdocs Software Systems Limited
Inventors: Pierre Erwann Gouesbet, Cedric Gegout, Nicolas Pierre
Abstract: Systems and methods for generating and using ephemeral identifiers are provided. One example method includes determining, by one or more computing devices, a current time-count. The method includes determining, by the one or more computing devices, a time-modified identifier based at least in part on a static identifier and the current time-count. The method includes determining, by the one or more computing devices, an ephemeral identifier based at least in part on the time-modified identifier and a rotation key. One example system includes a plurality of beacon devices, at least one observing entity, and at least one verifying entity.
Abstract: A mobile device capable of performing a plurality of functions. The mobile device includes a memory for storing a plurality of different security policies; an input device for invoking a function from the plurality of functions by a user; a processor for assigning a first security policy from the stored plurality of security policies to the invoked function; and a security module for requiring the user to satisfy the assigned first security policy, before the invoked function is performed by the mobile device.
Abstract: One feature pertains to a method that includes implementing a Physical Unclonable Function (PUF) circuit, and obtaining a first set of output bits from the PUF circuit by operating the PUF circuit at a first supply voltage level and/or first frequency. Then, at least one of the following is changed: the first supply voltage level is changed to a second supply voltage level and/or the first frequency is changed to a second frequency, where the second supply voltage level and the second frequency are different from the first supply voltage level and the first frequency, respectively. A second set of output bits is then obtained by operating the PUF circuit at the second supply voltage level and/or the second frequency, where the second set of output bits is in part different from the first set. Secure data is generated using the first set of output bits and the second set of output bits.
Abstract: Provided is a base station for detecting Denial-of-Service (DoS) attacks in a communication system and a method for controlling the same. The base station includes a first estimator for estimating, for a predetermined time, a reception rate of data that is received at the base station from a communication network to be transmitted to at least one wireless terminal; a second estimator for estimating, for a predetermined time, a bandwidth allocated for transmission of data to the at least one wireless terminal, based on at least one of feedback information transmitted from the at least one wireless terminal and channel capacity of the base station; and a controller for calculating a ratio of the bandwidth to the reception rate for the at least one wireless terminal, and determining whether there is a DoS attack, using the calculated ratio.
Abstract: A smart card, system, and method for securely authorizing a user or user device using the smart card are provided. The smart card is configured to provide, upon initialization or a request for authentication, a public key to the user input device such that the PIN or password entered by the user is encrypted before transmission to the smart card via a smart card reader. The smart card then decrypts the PIN or password to authorize the user. Preferably, the smart card is configured to provide both a public key and a nonce to the user input device, which then encrypts a concatenation or other combination of the nonce and the user-input PIN or password before transmission to the smart card. The smart card reader thus never receives a copy of the PIN or password in the clear, allowing the smart card to be used with untrusted smart card readers.
Type: Grant
Filed: September 13, 2012
Date of Patent: April 7, 2015
Assignee: BlackBerry Limited
Inventors: Michael Kenneth Brown, Neil Patrick Adams, Herbert Anthony Little
Abstract: According to the present invention, there is provided a data processing system comprising: a dedicated physical device for access by a single client only; a shared physical device for shared access by multiple clients; a partition of a first type associated with the dedicated physical device, the first type partition comprising said single client and a first device driver for accessing the dedicated physical device; a partition of a second type associated with the shared physical device, the second type partition comprising a second device driver for accessing the shared physical device, and a back end driver for accessing the second device driver; and multiple partitions of a third type, each comprising a respective one of said multiple clients and a front end driver for accessing the shared physical device via the second type partition.
Type: Grant
Filed: December 21, 2007
Date of Patent: March 31, 2015
Assignee: Virtuallogix SA
Inventors: Gilles Maigne, Vladimir Grouzdev, Michel Gien, Christian Jacquemot
Abstract: An optical medium containing virtual write protect information can be recorded in drives and systems without first changing the write protection from on to off by receiving valid user input. The virtual write protection may also be enabled or disabled by additional information on the disc.
Type: Grant
Filed: January 24, 2014
Date of Patent: March 31, 2015
Assignees: Hewlett-Packard Development Company, L.P., Samsung Electronics Co. Ltd.
Inventors: Charles R. Weirauch, Sung-hee Hwang, Kyung-geun Lee
Abstract: Techniques are provided for adaptive routing of authentication packets in a network, such as a wireless mesh network. At an authenticated device in the network, an authentication packet is received over the network from a device that is seeking authentication. The authentication packet is encapsulated for transmission in Layer 3 packets over an Internet Protocol (IP) tunnel to an authenticator device associated in the network. Similarly, for an authentication packet encapsulated in Layer 3 packets from the authenticator device over the IP tunnel, the authentication packet is decapsulated from the Layer 3 packets and transmitted over the network to the device seeking authentication.
Type: Grant
Filed: July 6, 2011
Date of Patent: March 24, 2015
Assignee: Cisco Technology, Inc.
Inventors: Navindra Yadav, Atul Mahamuni, Jonathan Hui, Alec Woo
Abstract: A system and method are provided which employ a key agreement scheme, wherein the agreed-upon shared key is used in a protocol message in the authentication rather than being employed as a session key.
Abstract: A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect a discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host-reconfiguration period being the difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; and determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.
Abstract: An encryption technique is disclosed for encrypting a plurality of data blocks of a data segment where the encryption selectively switches between a blockwise independent randomized (BIR) encryption mode and a cipher block chaining (CBC) encryption mode based on a configurable feedback stride. A corresponding decryption technique is also disclosed.
Type: Grant
Filed: May 16, 2014
Date of Patent: March 17, 2015
Assignee: IP Reservoir, LLC
Inventors: David E. Taylor, Ronald S. Indeck, Jason R. White, Roger D. Chamberlain
Abstract: The present invention is a procedure for a self-configuring eNB/E-UTRAN. The eNB/E-UTRAN interacts with the Enhanced Packet Core (EPC) of the LTE network in order to complete the mutual authentication task between the eNB and the EPC, and other operating procedures, in the eNB self-configuration phase.
Type: Grant
Filed: October 19, 2007
Date of Patent: March 10, 2015
Assignee: InterDigital Technology Corporation
Inventors: James M. Miller, Peter S. Wang, Ulises Olvera-Hernandez
Abstract: In a computing system environment, an arrangement of computing devices includes multiple layers behind a content flow director, such as an L4 switch in a web service. In a computing device of an outermost layer directly communicating with the content flow director, a communications port is conditionally enabled upon policy being met or exceeded in the computing system environment behind the content flow director. If the policy is unmet, the communications port is disabled (if already enabled) or prevented from becoming enabled (if not already enabled). In this manner, policy establishes port enablement. In certain aspects, policy determinations include determining a time of response, a quality of service check, or a pass/fail condition of one of the computing devices. Policy is also easily implemented as remote or local computer executable instructions on the computing devices. Representative computing devices include switches, such as L4 switches, routers, servers, repeaters, adapters, or the like.
Type: Grant
Filed: September 13, 2012
Date of Patent: February 17, 2015
Assignee: Apple Inc.
Inventors: Steven Adams Flewallen, David Nephi Johnson, Lloyd Leon Burch, Benjamin Clark Fjeldsted, David Kent Beus, Thiruvarangam Viswanathan Sriram
Abstract: Embodiments of the invention provide an improved method and an improved receiver for obtaining a control word. Two or more subkeys are obtained in a receiver. Each subkey was encrypted under control of a key received in an entitlement message or transformed under control of a seed received in an entitlement message. After decryption or transformation, the subkeys are combined to obtain the control word. Typically at least one of the entitlement messages is a positive entitlement message and at least one of the entitlement messages is a negative entitlement message. Embodiments of the invention can be used in a conditional access system such as a Pay-TV system.
Type: Grant
Filed: March 1, 2010
Date of Patent: February 17, 2015
Assignee: Irdeto B.V.
Inventors: Philip Allan Eisen, Ettore Benedetti, Arnoud Evert Van Foreest, Andrew Augustine Wajs