Patents Examined by Norman M. Wright
  • Patent number: 7263718
    Abstract: An inventive security framework for supporting kernel-based hypervisors within a computer system. The security framework includes a security master, one or more security modules and a security manager, wherein the security master and security modules execute in kernel space.
    Type: Grant
    Filed: December 2, 2003
    Date of Patent: August 28, 2007
    Assignee: Secure Computing Corporation
    Inventors: Richard O'Brien, Raymond Lu, Terrence Mitchem, Spencer Minear
  • Patent number: 7231668
    Abstract: A method, apparatus, and article of manufacture for maintaining policy compliance on a computer network is provided. The method provides the steps of electronically monitoring network user compliance with a network security policy stored in a database, electronically evaluating network security policy compliance based on network user compliance, and electronically undertaking a network policy compliance action in response to network security policy compliance.
    Type: Grant
    Filed: March 31, 2004
    Date of Patent: June 12, 2007
    Assignee: MacArthur Investments, LLC
    Inventor: Andrea M. Jacobson
  • Patent number: 7216361
    Abstract: An adaptive multi-tier authentication system provides secondary tiers of authentication which are used only when the user attempts a connection from a new environment. The invention accepts user input such as login attempts and responses to the system's questions. User login information such as IP address, originating phone number, or cookies on the user's machine are obtained for evaluation. User/usage profiles are kept for each user and the user login information is compared to the information from the user/usage profile for the specific user which contains all of the user information that the user used to establish the account and also the usage profile detailing the user's access patterns. The trust level of the current user login location is calculated and the invention determines if any additional questions to the user are required. If the trust level is high, then the user is granted access to the system.
    Type: Grant
    Filed: May 19, 2000
    Date of Patent: May 8, 2007
    Assignee: AOL LLC, a Delaware limited liability company
    Inventors: Jim Roskind, Rory Ward
  • Patent number: 7197763
    Abstract: Method and apparatus for providing Cellular Authentication Voice Encryption (CAVE) messages in an Extensible Authentication Protocol (EAP) format. The CAVE messages are sent via an EAP transport mechanism. The Mobile Station (MS) is able to use a common authentication mechanism for other technologies.
    Type: Grant
    Filed: November 12, 2004
    Date of Patent: March 27, 2007
    Assignee: Qualcomm Incorporated
    Inventor: Raymond T. Hsu
  • Patent number: 7188369
    Abstract: The invention generally provides an antivirus network system and method having a virtual scanning processor with plug-in functionalities. A preferred embodiment of the system according to the invention primarily comprises an antivirus scanning module operable with an operating system (OS), an antivirus database comprising a plurality of computer virus signatures, a library of external antivirus instructions wherein an antivirus system external to the network system is operable to update the external instructions, a virtual scanning processor further comprising a processor emulator operable to execute a plurality of internal antivirus instructions in detecting computer viruses based on the virus signatures, and a plug-in module connected to the processor emulator and the library and receiving the external instructions from the library, wherein the processor emulator is operable to execute the external instructions.
    Type: Grant
    Filed: October 3, 2002
    Date of Patent: March 6, 2007
    Assignee: Trend Micro, Inc.
    Inventors: Chih-Kun Ho, Chien Ping Lo
  • Patent number: 7185363
    Abstract: A first device is used to initiate and direct a rights-management transaction, such as content licensing, acquisition, or activation, on behalf of a second device. The first device may, for example, be a desktop computer, laptop computer, or electronic kiosk at a bricks-and-mortar store. The second device may, for example, be a handheld computer that is cradled to establish communicative connectivity with the first device. A user interacts with the first device to initiate a transaction on behalf of the second device. The first device then obtains the information from the second device that is necessary to perform the transaction on behalf of the second device, communicates with a server, and provides the result of the server communication to the first device. Thus, the first device acts as a proxy for the second device.
    Type: Grant
    Filed: October 4, 2002
    Date of Patent: February 27, 2007
    Assignee: Microsoft Corporation
    Inventors: Attila Narin, Marco A. DeMello
  • Patent number: 7185362
    Abstract: Method and apparatus for secure transmissions. Each user is provided a registration key. A long-time updated broadcast key is encrypted using the registration key and provided periodically to a user. A short-time updated key is encrypted using the broadcast key and provided periodically to a user. Broadcasts are then encrypted using the short-time key, wherein the user decrypts the broadcast message using the short-time key. One embodiment provides link layer content encryption. Another embodiment provides end-to-end encryption.
    Type: Grant
    Filed: August 28, 2002
    Date of Patent: February 27, 2007
    Assignee: Qualcomm, Incorporated
    Inventors: Philip Michael Hawkes, Raymond T. Hsu, Ramin Rezaiifar, Gregory G. Rose, Paul E. Bender, Jun Wang, Roy Franklin Quick, Jr., Arungundram C. Mahendran, Parag A. Agashe
  • Patent number: 7178168
    Abstract: A shift device for shifting a first place of a data word, which consists of a plurality of places, to a second place so as to obtain a shifted data word, wherein the first place is encrypted using a first encryption parameter and wherein the second place is encrypted using a second encryption parameter, includes a unit for shifting the first place of the data word to the second place of the data word, a unit for re-encrypting the first place from an encryption using the first encryption parameter into an encryption using the second encryption parameter, and a control for controlling the unit for shifting and the unit for re-encryption so that the first place is first shifted to the second place and is then re-encrypted, or that the first place is first re-encrypted and is then shifted to the second place. This ensures that data encrypted either with the first encryption parameter or with the second encryption parameter are always shifted, thus making it harder for attackers to eavesdrop on clear text data.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: February 13, 2007
    Assignee: Infineon Technologies AG
    Inventors: Berndt Gammel, Franz Klug, Oliver Kniffler
  • Patent number: 7168091
    Abstract: A method and system for secure authentication of a user in a session conducted over an interactive communication channel, such as a two-way telephony communication channel, with an authenticating entity, such as a financial institution, utilizes a session identifier, such as pseudorandom noise, to detect and identify attempts to play back authentication information, such as user-spoken phrases, intercepted and recorded by an unauthorized party during a previous session between the user and the authenticating party.
    Type: Grant
    Filed: March 15, 2004
    Date of Patent: January 23, 2007
    Assignee: Citibank, N.A.
    Inventor: Daniel Schutzer
  • Patent number: 7159241
    Abstract: The present invention provides a service system using a certificate which is easily portable and difficult to counterfeit. The feature of the invention is to use a contactless IC chip as a portable certificate. An IC chip-attached seal is thin and small, and therefore is easily portable and distributable to a user. By integrating or attaching (or sticking) the IC chip into or on a certificate 3910, the counterfeiting of the certificate 3910 becomes difficult.
    Type: Grant
    Filed: September 21, 2000
    Date of Patent: January 2, 2007
    Assignee: Hitachi, Ltd.
    Inventors: Akiko Horiguchi, Mitsuo Usami, Masaru Ohki
  • Patent number: 7159240
    Abstract: Operating system upgrades in a trusted operating system environment allow a current trusted core of an operating system installed on a computing device to be upgraded to a new trusted core. The new trusted core is allowed to access application data previously securely stored by the current trusted core only if it can be verified that the new trusted core is the new trusted core expected by the current trusted core. In accordance with one implementation, the new trusted core is allowed to access only selected application data previously securely stored by the current trusted core.
    Type: Grant
    Filed: November 16, 2001
    Date of Patent: January 2, 2007
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado, Daniel R. Simon, Josh D. Benaloh
  • Patent number: 7146636
    Abstract: A wireless local area network (WLAN) includes mobile devices that are allowed to transfer wireless connections between WLAN subnets or channels having different access points. The access points connect to a central controller or roaming server that supports seamless hand-offs of mobile devices from one access point to another access point. The roaming server supports the reassignment of session data parameters from one access point to another (e.g., access point address spoofing) so that the mobile device can use the same parameters for communicating to a new access point. The roaming server also supports the seamless handoff of a mobile device from one access point to another by using a master-slave switch technique across two piconets. The roaming server also facilitates the control of access points by establishing a host controller interface and wireless protocol stack in the roaming server and another, complementary wireless protocol stack in the access point.
    Type: Grant
    Filed: October 22, 2001
    Date of Patent: December 5, 2006
    Assignee: Bluesocket, Inc.
    Inventor: David B. Crosbie
  • Patent number: 7143444
    Abstract: A method includes passing a request for data received by a first server process executing in a first server to a detection process that includes packing a subset of the data into an analysis format and passing the subset to an analysis process.
    Type: Grant
    Filed: November 28, 2001
    Date of Patent: November 28, 2006
    Assignee: SRI International
    Inventors: Phillip Andrew Porras, Magnus Almgren, Ulf E. Lindqvist, Steven Mark Dawson
  • Patent number: 7140043
    Abstract: A method for embedding and detecting a watermark by quantization of a characteristic value of a signal is disclosed. In order to embed a watermark, first, a signal which will be watermarked is segmented in a predetermined time period, and a characteristic value with regard to a signal within the frame obtained therefrom is evaluated in a predetermined manner. Quantized values within a set corresponding to a value of pattern information embedded into the frame, among a plurality of sets each including one or more quantized values, are compared with each characteristic value so as to determine a quantized value closest to the characteristic value. The intensity of insertion used for modifying the signal within the frame in order to make the characteristic value the same as the determined quantized value is evaluated, and the signal within the frame is modified based on the evaluated intensity of insertion. The watermark detection is performed in a process similar to the embedding.
    Type: Grant
    Filed: April 8, 2004
    Date of Patent: November 21, 2006
    Assignees: Marktec Inc., Markany Inc.
    Inventors: Jong-Uk Choi, Won-Ha Lee, Seung-Won Shin
  • Patent number: 7131144
    Abstract: System, methods and apparatus are applicable to enable owners and vendors of software to protect their intellectual property and other rights in that software. The system also enables vendors or distributors of software to charge per-use for an instance of software. The system produces a unique, unforgeable, tag for every vendor supplied instance (copy) of specific software. Each user device is equipped with a supervising program that ensures, by use of the tag and other information, that no software instance will be used on the device in a manner infringing on the vendor, distributor, or software owner's rights. When installing or using a vendor-supplied software instance, the supervising program verifies the associated tag and stores the tag. When installing or using untagged software, the supervising program fingerprints selected portions of the software and stores the fingerprints. Software is used on a user's device through the supervising program which ensures proper use of the software.
    Type: Grant
    Filed: December 16, 2003
    Date of Patent: October 31, 2006
    Assignee: ShieldIP, Inc.
    Inventors: Michael O. Rabin, Dennis E. Shasha
  • Patent number: 7127740
    Abstract: A monitoring system for a corporate network includes a client that exchanges information with a target server to establish an SSL communication channel through which cryptographically protected data is exchanged between the client and the target server using an SSL protocol and a monitoring server through which the cryptographically protected data is routed as part of its exchange between the client and the target server. The client sends enabling data to the monitoring server that enables the monitoring server to read the cryptographically protected data received at the monitoring server as decoded cryptographically protected data. The monitoring server also analyzes the decoded cryptographically protected data to determine if it is suspect data, and at times when the monitoring data determines that the decoded cryptographically protected data is suspect data the monitoring server prevents the transmission of the cryptographically protected data between the client and the target server.
    Type: Grant
    Filed: October 29, 2001
    Date of Patent: October 24, 2006
    Assignee: Pitney Bowes Inc.
    Inventor: Matthew J. Campagna
  • Patent number: 7127745
    Abstract: In a virtual network computing (VNC) system wherein multiple users, or viewers, at different locations share a common desktop computer for the purpose of sharing control of software applications, the VNCSESSION owner exercises dynamic Internet protocol (IP)-based control over access of the viewers to the server associated with the shared desktop. The VNCSESSION owner is defined as the user who initiates the server and the first viewer to connect to the desktop. The session owner is given full access to the desktop, i.e., active access permitting the viewer to exercise control over the application. For the remaining connected viewers, only VNCVIEWERS having their IP address present in a VNC security file containing authorized IP addresses can initiate activity on the desktop, or exercise control over the application. All other connected viewers may only review desktop activity initiated by other viewers, but cannot initiate such activity themselves, i.e., cannot exercise control over the application.
    Type: Grant
    Filed: March 24, 2000
    Date of Patent: October 24, 2006
    Assignee: Lucent Technologies Inc.
    Inventors: Conrad M. Herse, Joseph P. Rekiere, Henry L. Voss
  • Patent number: 7124436
    Abstract: A security unit to prevent unauthorized retrieval of data includes an encrypting unit for encrypting data in accordance with commands received by the security unit, and a common register for storing both intermediate results and final results of the data encryption. A switching element operatively coupled to the register selectively outputs the contents of the register. The switching element is controlled to prevent external access to the intermediate results of the encryption. The security unit is particularly useful as part of a memory unit that is attachable to a recording/reproduction device such as a digital audio recorder/player.
    Type: Grant
    Filed: October 25, 2004
    Date of Patent: October 17, 2006
    Assignee: Sony Corporation
    Inventors: Takumi Okaue, Yoshihito Ishibashi, Yukihiro Sakamoto, Asami Mizuno, Nobuyuki Kihara, Teppei Yokota
  • Patent number: 7124434
    Abstract: A receiver sends a first random number to a transmitter. The transmitter generates a sync signal in response to the first random number sent from the receiver. The transmitter embeds the sync signal and key information in a second random number to generate a composite signal. In the composite signal, the sync signal is a position indicator for the key information. The transmitter sends the composite signal to the receiver. The transmitter generates an encryption key from the key information. The receiver detects the sync signal in the composite signal sent from the transmitter. The receiver extracts the key information from the composite signal in response to the detected sync signal. The receiver generates an encryption key from the extracted key information. The encryption key generated by the receiver is equal to that generated by the transmitter. Thus, the transmitter and the receiver hold the same encryption key in common.
    Type: Grant
    Filed: June 18, 2004
    Date of Patent: October 17, 2006
    Assignee: Victor Company of Japan, Ltd.
    Inventor: Seiji Higurashi
  • Patent number: 7117530
    Abstract: A system and method are provided to couple tunnel servers to tunnel clients executing host applications for use in a virtual private network (VPN) environment. A receiver receives requests from host applications executing on the tunnel clients. The requests are addressed to the tunnel coupling system to establish a VPN tunnel. A processor processes the requests and an indication of loads on the tunnel servers to establish the VPN tunnels by designating at least one of the tunnel servers to each requested tunnel. A tunnel traffic distributor distributes tunnel traffic to the tunnel servers based at least in part on the designations. In additional aspects, an evaluation processor evaluates the tunnel traffic before the tunnel traffic distributor distributes the tunnel traffic to the tunnel servers. For example, the evaluation performed by the evaluation processor includes at least performing security functions on the tunnel traffic.
    Type: Grant
    Filed: December 7, 2000
    Date of Patent: October 3, 2006
    Assignee: WatchGuard Technologies, Inc.
    Inventor: Yeejang James Lin