Patents Examined by Nadia Khoshnoodi
  • Patent number: 8689295
    Abstract: Systems and methods provide security to HTTP applications. Responses sent from a server, such as a web server, are analyzed and a signature is generated for each HTML object in that page. The signature is encrypted and sent to a client along with the contents of the page. When a client later sends a request, the system checks the signature associated with that request with the contents of the request itself. If the values, variables, lengths, and cardinality of the request are validated, then the request is forwarded to the web server. If, on the other hand, the request is invalidated, the request is blocked from reaching the web server, thereby protecting the web server from malicious attacks. The systems and methods offer security without being limited to a session or user.
    Type: Grant
    Filed: March 13, 2012
    Date of Patent: April 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: Llius Mora Hidalgo, Xabier Panadero Lleonart
  • Patent number: 8688985
    Abstract: Provided is a data security method and apparatus using a characteristic preserving encryption. The data security apparatus includes an interface communicating with a user terminal or a database server, an input unit receiving information, an output unit outputting information, an encryption unit encrypting data in the data security method, a storage unit storing information, and a control unit controlling functions of the interface, the input unit, the output unit, the encryption unit or the storing unit.
    Type: Grant
    Filed: May 7, 2012
    Date of Patent: April 1, 2014
    Assignee: Penta Security Systems Inc.
    Inventors: Duk-Soo Kim, Seok-Woo Lee, Eui-Seok Kim, Tae-Joon Jung
  • Patent number: 8677116
    Abstract: Computer systems and methods are provided for authenticating a user seeking to conduct at least one interaction with a secured capability provided by a computer. The method includes receiving a first signal from the computer providing the secured capability. The first signal includes a reusable identifier corresponding to the secured capability. The method further includes receiving a second signal from an electronic device being used by the user. The second signal includes a copy of the reusable identifier and user verification information. The method further includes using a processor to evaluate, based at least on the first signal and the second signal, whether the user is authorized to conduct the at least one interaction with the secured capability.
    Type: Grant
    Filed: August 9, 2013
    Date of Patent: March 18, 2014
    Inventor: Jack Bicer
  • Patent number: 8677464
    Abstract: According to various embodiments, a session manager generates, stores, and periodically updates the login credentials for each of a plurality of connected IEDs. An operator, possibly via an access device, may provide unique login credentials to the session manager. The session manager may determine the authorization level of the operator based on the operator's login credentials, defining with which IEDs the operator may communicate. According to various embodiments, the session manager does not facilitate a communication session between the operator and a target IED. Rather, the session manager maintains a first communication session with the operator and initiates a second communication session with the target IED. Accordingly, the session manager may forward commands transmitted by the operator to the target IED. Based on the authorization level of the operator, a session filter may restrict what may be communicated between an operator and an IED.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: March 18, 2014
    Assignee: Schweitzer Engineering Laboratories Inc.
    Inventors: Rhett Smith, Ryan Bradetich, Christopher Ewing, Nathan Paul Kipp, Kimberly Ann Yauchzee
  • Patent number: 8661513
    Abstract: In one embodiment a computing system comprises one or more processors, a display device coupled to the computing system, and a memory module communicatively connected to the one or more processors. The memory module comprises logic to receive, in a connection server, a service request from a user via a remote connection client, wherein the service request comprises at least one of a user credential, a connection client identifier, and a layout identifier, authenticate, in the connection server, the user credential and the connection client identifier, retrieve, in the connection server, a user profile associated with the user, a connection client layout associated with the layout identifier, connection data for at least one remote system, and a policy associated with the user profile, and transmit the user profile, the connection client layout, a remote system and the connection data for a remote system and a policy associated with the user profile from the connection server to the remote connection client.
    Type: Grant
    Filed: September 12, 2008
    Date of Patent: February 25, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Roland M. Hochmuth, Byron A. Alcorn, Jeffrey Joel Walls, Thomas J. Flynn, Quoc P. Pham, Valentin Popescu
  • Patent number: 8656507
    Abstract: An information management apparatus includes: a registration unit, a condition storage, a determination unit, a transmission unit and a deletion unit. The registration unit registers electronic information in association with access right information representing whether a user has an access right. The condition storage stores a condition for prohibiting an access to the electronic information registered by the registration unit on the basis of an administrator's right for the apparatus. The determination unit determines whether the changed access right information satisfies the condition stored in the condition storage. The transmission unit transmits the electronic information to a transmission destination in a case where the determination unit determines that the access right information of the electronic information satisfies the condition. The deletion unit deletes the electronic information stored in a transmission source after the electronic information is transmitted by the transmission unit.
    Type: Grant
    Filed: March 21, 2008
    Date of Patent: February 18, 2014
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Kensaku Honda
  • Patent number: 8656178
    Abstract: The present invention provides a method, system and program product for modifying content usage conditions during broadcast content distribution. Specifically, the present invention allows protected (e.g., encrypted, secured, etc.) content to be received along with content usage conditions, an encrypted combination of the content usage conditions and a title key (e.g., a MAC), and a key management block. Using the key management block, a key encrypting key can be determined for decrypting the combination. Once the combination is decrypted, the content usage conditions can be modified (e.g., edited, added to, etc.).
    Type: Grant
    Filed: April 18, 2002
    Date of Patent: February 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Eric M. Foster, Jeffrey B. Lotspiech, Dalit Naor, Sigfredo I. Nin, Florian Pestoni, Wilfred E. Plouffe, Jr., Frank A. Schaffa
  • Patent number: 8654981
    Abstract: A system for processing multimedia channels is described comprising: transmitting decryption keys for decrypting the multimedia channels, the keys encrypted in both a first encryption format and a second encryption format; the keys encrypted in the first encryption format being decryptable by a first type of multimedia receiver; and the keys encrypted in the second encryption format being decryptable by a second type of multimedia receiver.
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: February 18, 2014
    Assignee: AARIS Enterprises, Inc.
    Inventors: William M. Gillon, Stephen G. Perlman
  • Patent number: 8656486
    Abstract: An electronic device may include a communications interface, a user prompting device, a biometric sensor, and a controller. The controller may perform biometric spoof detection with the biometric sensor, and receive a request for human presence verification from a remote device via the communications interface. The controller may also prompt the user for a verification action using the sensor based upon receiving the request, and determine that the user has completed the verification action in response to the prompting and based upon the biometric spoof detection. The controller may further send a response to the remote device via the communications interface and based upon determining that the user has completed the verification action. The controller may send a notification to the remote device that there is a biometric sensor.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: February 18, 2014
    Assignee: Authentec, Inc.
    Inventors: Glenn Hicks, Richard Albury, James W. Neil
  • Patent number: 8656179
    Abstract: A system for encrypting Secure Volumes using an encryption key which is saved in the open after being encoded inside a hardware token device utilizing a secure secret which is stored inside the device, and which never leaves the device. The encrypted volume can be accessed again only after a hardware token has decoded this encryption key. The system also provides means whereby the holder of a Master token and the holder of a Grand Master token may also have access to the volume as long as the user token was previously registered to the Master token, and the Master Token was previously registered to the Grand master token before the secured volume was encrypted. Also, the system allows members of user groups so designated at the time the volume is encrypted, to be able to have access to the volume as long as their token was previously registered with the same Master Token as the user that encrypted the volume and as long as the token encrypting the volume was also a member of the authorized user group.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: February 18, 2014
    Inventors: Roger E. Billings, John A. Billings
  • Patent number: 8649515
    Abstract: An owner of media data encrypts the media data using a session key. The session key is encrypted using a public key of a designated recipient of the media data. A key manager provides the encrypted session key to the recipient while the owner is sharing the media data with the recipient. The encrypted media data is published and accessed by the recipient over a public computer network. The encrypted session key and the encrypted media data are received in the recipient's computer, where the encrypted session key is decrypted into the session key using the recipient's private key and the encrypted media data is decrypted into the media data using the session key. When the owner is no longer sharing the media data with the recipient, the recipient is prevented from further receiving the encrypted session key from the key manager.
    Type: Grant
    Filed: February 8, 2010
    Date of Patent: February 11, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Xiaoming Zhao, Gang Chen
  • Patent number: 8646070
    Abstract: A storage area network management application operates using agents for management of resources. Authenticity is verified in installing an agent on a host computer system in the storage area network. A file is identified for use in installing the agent. The file is signed to produce a digital signature for the file. A certificate is sent to a recipient for use in verifying authenticity of information. The file and digital signature are sent to the recipient. At the recipient, the certificate and the digital signature are used to verify the file. An agent installation operation is performed, using the file, to install the agent on the host computer system.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: February 4, 2014
    Assignee: EMC Corporation
    Inventors: Svetlana Patsenker, Benjamin Thrift, Boris Farizon, Mordechai Zvi Zur, Sylvia Martin, Jeffrey B. Lee, Nigel B. Hislop, Eric Baize
  • Patent number: 8646051
    Abstract: A method for resetting Internet access account passwords can include the step of connecting a user with an interactive voice response system (IVR). At least one access account associated with the user can be determined. The IVR can validate that the user is authorized to access the access account. The IVR can then cause a password associated with the at least one access account to be reset. The IVR can also present the reset password to the user.
    Type: Grant
    Filed: September 10, 2004
    Date of Patent: February 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Jonathan Paden, Bobby Sams, Kurt M. Joseph, Donna McCaffrey, Jon Harris
  • Patent number: 8635702
    Abstract: A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between: a RID field, the contents of which denote an identification (ID) of a remediation (RID); at least one TID field, the contents of which denote an ID of at least two technologies (TIDs), respectively; and at least one ACTID field, the contents of which denote an ID of an action (ACTID). A method, of selecting a remediation that is appropriate to a technology present on a machine to be remediated, may include: providing such a machine-actionable memory; and indexing into the memory using a given RID value and a given TID value to determine values of the at-least-one ACTID corresponding to the given RID value and appropriate to the given TID value.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: January 21, 2014
    Assignee: Fortinet, Inc.
    Inventors: Kurt D'Mello, David Spencer Tyree, Sudhir Gandhe, Eric David O'Brien
  • Patent number: 8625788
    Abstract: A system architecture provides a hardware-based root of trust solution for supporting distribution and playback of premium digital content. In an embodiment, hardware root of trust for digital content and services is a solution where the basis of trust for security purposes is rooted in hardware and firmware mechanisms in a client computing system, rather than in software. From this root of trust, the client computing system constructs an entire media processing pipeline that is protected for content authorization and playback. In embodiments of the present invention, the security of the client computing system for content processing is not dependent on the operating system (OS), basic input/output system (BIOS), media player application, or other host software.
    Type: Grant
    Filed: January 5, 2011
    Date of Patent: January 7, 2014
    Assignee: Intel Corporation
    Inventors: Ramesh Pendakur, Walter C. Gintz, Daniel Nemiroff, Mousumi M. Hazra
  • Patent number: 8612754
    Abstract: A method provides data loss protection of sensitive data using digital fingerprinting. The method includes assigning a security level to each document of a plurality of documents associated with a data loss protection server, and storing the plurality of documents in a digital asset management server, wherein only a single copy of each document of the plurality of documents is stored in the digital asset management server. The method also includes sending a query to the digital asset management server from the data loss protection server, and receiving a query response by the data loss protection server from the digital asset management server, the query response including at least one document file. The method further includes creating a digital fingerprint of the at least one document file by the data loss protection server.
    Type: Grant
    Filed: June 14, 2011
    Date of Patent: December 17, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Stephen Norton
  • Patent number: 8613085
    Abstract: Aspects of a method and system for traffic management via virtual machine migration include detecting an abnormal traffic pattern in traffic communicated by a first virtual machine that utilizes a first set of network resources. Responsive to the detection of the abnormal pattern, a second virtual machine that utilizes a second set of network resources may be initialized. The second virtual machine may take over functions performed by the first virtual machine and initialization of the second virtual machine is based on an analysis of the traffic. The second virtual machine may be initialized utilizing stored virtual machine state information in instances that the abnormal traffic is a result of a malicious attack. The second virtual machine may be initialized utilizing current virtual machine state information in instances that the abnormal traffic is not a result of a malicious attack.
    Type: Grant
    Filed: November 11, 2009
    Date of Patent: December 17, 2013
    Assignee: Broadcom Corporation
    Inventors: Wael William Diab, Bruce Currivan, Jeyhan Karaoguz, Yongbum Kim, Kenneth Ma, Michael Johas Teener
  • Patent number: 8607329
    Abstract: An information succession system, which operates in accordance with inputted information to provide access to inputted information, including the personality of the original user, to successors of the original user. An encryption processing unit encrypts inputted information and generates keys used in association with access by users. A character/personality data generation unit generates data indicative of a user's character or personality by analyzing user input information. That character data is stored in a character data memory unit and is associated with the user's identification information. A request information analysis unit analyzes and characterizes requests. Request characteristics are stored in the character data memory unit and associated with the user making the request. A transmitting information generation unit generates transmitting (output) information based on the generated personality data of the user and the characteristic of the request.
    Type: Grant
    Filed: December 18, 2008
    Date of Patent: December 10, 2013
    Assignee: Icon Corp.
    Inventor: Toshiko Tsuchiya
  • Patent number: 8607303
    Abstract: Techniques for modification of access expiration conditions are presented. A principal supplies a password associated with establishing access to a target resource. In response to the password, characteristics of the password are examined and a custom expiration condition is generated for the password in response to the characteristics and policy. When the custom expiration condition is satisfied, the password and access to the target resource become invalid for use. Moreover, the principal may interactively change a complexity level of any proposed password for purposes of attempting to enhance the expiration condition or for purposes of attempting to degrade the expiration condition.
    Type: Grant
    Filed: October 31, 2006
    Date of Patent: December 10, 2013
    Assignee: Apple Inc.
    Inventors: Cameron Craig Morris, Lloyd Leon Burch
  • Patent number: 8555353
    Abstract: Methods and apparatuses for controlling access to computer systems and for annotating media files. One embodiment includes a method including generating a challenge to a user, wherein the challenge includes a verify part and a read part. The method also includes prompting the user to solve both the verify part of the challenge and the read part of the challenge; receiving input from the user; determining if the input from the user relative to the verify part of the challenge corresponds with the known answer for the verify part of the challenge; and identifying the input from the user relative to the read part of the challenge as an answer to the read part of the challenge, if the input from the user relative to the verify part of the challenge corresponds with the known answer for the verify part of the challenge.
    Type: Grant
    Filed: January 23, 2008
    Date of Patent: October 8, 2013
    Assignee: Carnegie Mellon University
    Inventors: Luis Von Ahn, Manuel Blum, Benjamin D. Maurer