Abstract: Methods, systems, and computer programs for generating random values for encryption operations are described. In some examples, information from a message to be encrypted can be used to refresh the state of a pseudorandom generator. In some aspects, a state parameter of the pseudorandom generator is modified based on information in the message. Modifying the state parameter changes the state parameter from a prior state to a refreshed state based on the information in the message. A random output value is obtained by the pseudorandom generator in the refreshed state. The message is encrypted based on the random output value.

Abstract: A method includes receiving usage data associated with a user device. The usage data includes information based on at least one usage activity associated with one or more applications on the user device. The method may also include analyzing the usage data based on predetermined criteria and determining a security question and a corresponding answer based on the usage data. The security question and the corresponding answer are stored in an associated database. The method further includes providing the security question and the corresponding answer in response to a request for the security question and the corresponding answer. Access is provided to a system based on an input of the corresponding answer in response to the security question.

Abstract: A method for monitoring for malware includes, during a boot process on an electronic device, determining a portion of memory, determining that the portion of memory is reserved for exclusive access by an entity on the electronic device, and, based on the determination that a portion of memory is reserved for exclusive access during the boot process, determining that the reservation is indicative of malware.

Abstract: Device identification scoring systems and methods may be provided that can increase the reliability and security of communications between devices and service providers. Users may select and configure additional identification factors that are unique and convenient for them. These factors, along with additional environmental variables, feed into a trust score computation that weights the trustworthiness of the device context requesting communication with a service provider. Service providers rely on the trust score rather than enforce a specific identification routine themselves. A combination of identification factors selected by the user can be aggregated together to produce a trust score high enough to gain access to a given online service provider. A threshold of identification risk may be required to access a service or account provided by the online service provider.

Abstract: A management device 200d comprises: a key share generation unit 251d generating a plurality of key shares by decomposing a decryption key, the decryption key being for decrypting an encrypted application program generated as a result of encryption of the application program; and an output unit 252d outputting each of the key shares to a different one of a plurality of detection modules. The detection modules acquire and store therein the key shares. The protection control module 120d comprises: an acquisition unit 381d acquiring the key shares from the detection modules; a reconstruction unit 382d reconstructing the decryption key by composing the key shares; a decryption unit 383d decrypting the encrypted application program with use of the decryption key; and a deletion unit 384d deleting the decryption key, after the decryption by the decryption unit is completed.

Abstract: A method for protecting a volatile memory against a virus, wherein: rights of writing, reading, or execution are assigned to certain areas of the memory; and a first list of opcodes authorized or forbidden as a content of the areas is associated with each of these areas.

Abstract: Technologies are provided for function-targeted virtual machine switching. In some examples, function usage times on a virtual machine (VM) may be profiled by a virtual machine manager (VMM) and used to manage VM switching in order to preferentially switch VMs during specific targeted functions. The targeted functions and/or VM switching preferences may be adjusted over time in order to provide switching unpredictability, for example to frustrate side-channel attackers by forcing the attackers to gather data for much longer periods of time (e.g., weeks or months) if they want to detect or attack.

Abstract: Data security management system and methods are provided. First, a first system having a management authority is provided. The first system displays an input interface on an input device. A switch switches the management authority from the first system to a second system, wherein the second system operates with a secure mechanism. When the management authority is switched to the second system, the first system transmits layout information of the input interface and an input device characteristic of the input device to the second system. The second system receives input data via the input device, and decodes the input data according to the layout information and the input device characteristic.

Abstract: Systems and methods for controlling Quality-of-Service (“QoS”) in a Virtual Private Network (“VPN”) in a transport network providing a plurality of QoS bearers. The methods involve: establishing, between two VPN endpoints, a plurality of VPN tunnels through the transport network, including at least a default VPN tunnel associated with a first QoS bearer and an alternate VPN tunnel associated with a second QoS bearer; receiving and analyzing a data block; applying a VPN policy to assign the data block to either default VPN tunnel or alternate VPN tunnel; and encapsulating the data block in a transport data block including at least one indicator. The indicator specifies whether the transport data block is to be communicated by the transport network using the first QoS bearer or second QoS bearer.

Abstract: A service providing device includes a requesting unit for receiving, from the device operated by a user, a request for a process of using a service providing system having a different authentication base, and making a request to acquire authorization information for using the service providing system; a substitute authentication unit for acquiring authentication information of the service providing system from a second storage when the authorization information associated with the user is not stored in a first storage, and acquiring the authorization information from the service providing system by using the authentication information; and a providing unit for providing the authorization information stored in the first storage when the authorization information associated with the user is stored in the first storage, and providing the authorization information acquired from the service providing system when the authorization information associated with the user is not stored in the first storage.

Abstract: A disclosed system having a first service providing system providing a service to an apparatus and a second service providing system having an authentication infrastructure different from that of the first service providing system includes a connection destination changing unit receiving a permission request, from an apparatus operated by a first user, of requesting that a second user uses the second service providing system, changes a connection destination of the apparatus to the second service providing system, and causes the second service providing system to perform a permission process; an authority information acquiring unit receiving permission information indicating that the permission request is admitted from the apparatus and acquires post-permission authority information by using the permission information; and an authority information providing unit providing the post-permission authority information associated with the second user based on a request for a process received from another apparatus

Abstract: Implementations of the present disclosure are directed to statically checking conformance of a computer-implemented service at a source code level to requirements specified at a process level and include actions of receiving source code of the computer-implemented service, receiving one or more rules, the one or more rules being generated based on a mapping and including a set of technical requirements that can be checked on the source code level, the mapping associating the requirements with the source code, and processing the source code and the one or more rules using static code analysis (SCA) to generate a result, the result indicating whether the computer-implemented service conforms to the requirements.

Abstract: An information processing apparatus is connectable via a network to service providing devices and a collecting apparatus. The information processing apparatus acquires a selection policy for selecting the devices that lay open to public types of providable services and service level information, and acquires service type information and the service level information from the collecting apparatus which detects the devices and collects the service type information including the types of providable services of the devices and the service level information. The devices capable of providing the accepted type of service are selected according to the selection policy.

Abstract: An information processing apparatus includes a memory and a processor coupled to the memory and configured to receive an instruction to transfer a first application to an execution environment, detect a second application that shares a resource with the first application, the resource being information used upon executing the first application and the second application, provide information for causing a user to determine whether to prohibit transferring the second application to the execution environment when the second application is detected, and invalidate a state in which the second application shares the resource with the first application when instruction to prohibit transferring the second application to the execution environment is received.

Abstract: A device and method are provided for a device that authenticates a server over a network. The device and method are operable to contact the server to initiate a handshaking operation. The device receives certificate information and handshaking information from the server. The device completes the handshaking operations to establish the connection with the server. The device downloads the content from the server through the connection before authenticating the server to establish a secure connection. In some aspects, the device may display a portion of the downloaded content before the server is authenticated.

Abstract: In an example embodiment, a test request is sent to a server configured to provide data to the mobile device application. Then a response to the test request is received from the server. The response is analyzed to identify a pattern in the response indicative of a communication sent via a particular communication path. An available communication path between the mobile device application and the server corresponding to the pattern is identified. Then, a mobile device application is registered with the server via the identified communication path.

Abstract: There are disclosed a system and method for preventing the leaking of digital content. The system for preventing the leaking of digital content may include a digital content layer generation unit for generating a digital content layer displaying digital content, a security layer generation unit for generating a security layer including security information based on information about a user terminal, and an information display unit for displaying the security layer generated by the security layer generation unit and the digital content layer generated by the digital content layer generation unit in the display device of the user terminal in an overlapping form so that the security information looks like overlapping with the digital content. Accordingly, the illegal leaking of digital content through photographing or screen capture can be prevented.

Abstract: In one embodiment, a document is marked with an identifier and stored in a memory. Responsive to a request received from a user to perform an operation upon the document or a copy of the document at a requester computer, a database is accessed. The database is a database associating users authorized to access the documents or copies of the documents with operations the users are authorized to perform is accessed. Operation authorization is determined at least in part according to a document threat index. Upon determining the user is an authorized user and determining via the database the requested operation is an authorized operation, an access code is sent to the requester computer to enable the operation.

Abstract: A set of techniques is described for enabling a virtual machine based transcoding system. The system enables any transcoding provider to make their transcoding service available to other users over a network. The system can automate the deployment, execution and delivery of the transcoding service on behalf of the transcoding provider and enable other users to use the transcoding services to transcode content. The system receives a virtual machine image, transfers the image to a location where the media content is stored and creates a virtual private network of resources that will perform the transcoding of the media content. The virtual private network may be firewalled or otherwise restricted from opening connections with external clients when transcoding the content in order to prevent malicious use of the media content.

Abstract: A password-hardening system comprises at least first and second servers. The first server is configured to store a plurality of sets of passwords for respective users with each such set comprising at least one valid password for the corresponding user and a plurality of chaff passwords for that user. The second server is configured to generate valid password indication information indicating for each of the sets which of the passwords in that set is a valid password. The valid password indication information comprises index values computed for respective ones of the password sets by the second server to identify respective valid passwords in the respective password sets. The second server may be further configured to compute the index values utilizing a keyed pseudorandom function, and to send the index values to the first server in association with respective values of a user number counter maintained in the second server.