Abstract: A method and system for use with a public cloud network is disclosed, wherein the public cloud network includes at least one private cloud server and at least one smart client device in communication therewith. The method and system comprise setting up the at least one private cloud server and the at least one smart client device in a client server relationship. The at least one private cloud server includes a message box associated therewith. The first message box is located in the public network. The at least one smart client includes a second message box associated therewith. The second message box is located on the public network. The method includes passing session based message information between the at least one private cloud server and the at least one smart client device via the first message box and the second message box in a secure manner. The session base information is authenticated by the private cloud server and the at least one smart client device.

Abstract: Embodiments of the present invention provide a workload optimization approach that measures workload performance across combinations of hardware (platform, network configuration, storage configuration, etc.) and operating systems, and which provides a workload placement on the platforms where jobs perform most efficiently. This type of placement may be based on performance measurements (e.g., throughput, response, and other such service levels), but it can also be based on other factors such as power consumption or reliability. In a typical embodiment, ideal platforms are identified for handling workloads based on performance measurements and any applicable service level agreement (SLA) terms.

Abstract: Techniques for resource access authorization are described. In one or more implementations, an application identifier is used to control access to user resources by an application. A determination is made whether to allow the application to access the user resources by comparing an application identifier received from an authorization service with a system application identifier for the application obtained from a computing device on which the application is executing.

Abstract: Methods and apparatus are disclosed for securely sharing user-generated content using DRM principles, and for tracking statistics of content viewing. In this way, a user can generate protected content that can still be shared among friends on, e.g., a social network.

Abstract: Improved techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.

Abstract: Provided are an application module injection device, a computing device including an application module injection function, and a recording medium that records a program for executing an application module injection method.

Abstract: One or more devices transmit, to a user device, an application for secure mobile streaming, and receive, from the user device, a registration request for the application. The registration request includes a user ID and a unique device identifier (UDID) for the user device. The one or more devices initiate a validation procedure for the user ID or UDID. When the user ID or UDID is validated, the one or more devices generate a device-token for the user device. The device-token includes a hash value based on information in the registration request and an expiration date for the device-token. The one or more devices send the device-token to the user device via a private network. The device-token is required to permit the user device to receive a secure content stream via a public network.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify an Internet protocol address blacklist boundary. An example method includes identifying a netblock associated with a malicious Internet protocol address, the netblock having a lower boundary and an upper boundary, collecting netflow data associated with a plurality of Internet protocol addresses in the netblock, establishing a first window associated with a lower portion of Internet protocol addresses numerically lower than a candidate Internet protocol address, establishing a second window associated with an upper portion of Internet protocol addresses numerically higher than a candidate Internet protocol address, calculating a breakpoint score based on a comparison between a behavioral profile of the first window and a behavioral profile of the second window, and identifying a first sub-netblock when the breakpoint score exceeds a threshold value.

Abstract: A message that a user is requesting an access to a resource is received. The access is associated with a requested access level and is granted if an access path exists between the user and the resource for the requested access level. In response to the message reception, a first identifier of the user, a second identifier of the resource, the requested access level, and a first value that represents that the access to the resource was requested is stored in a record. All access paths usable to determine whether the user is authorized to access the resource are identified. Another security object including a flag to represent its usage in authorizing access to the resources is received. A decision is made with respect to whether the received other security object was used within one of the identified access paths as a function of its flag value.

Abstract: Provided are techniques for the creation and storage of an archive for binding IDs corresponding to a cluster of devices that render content protected by a broadcast encryption scheme. When two or more clusters are merged, a binding ID corresponding to one of the clusters is selected and a new management key is generated. Binding IDs associated with the clusters other than the cluster associated with the selected binding ID are encrypted using the new management key and stored on a cluster-authorized device in a binding ID archive. Content stored in conformity with an outdated binding ID is retrieved by decrypting the binding ID archive with the management key, recalculating an old management key and decrypting the stored content.

Abstract: Provided are techniques for the creation and storage of an archive for binding IDs corresponding to a cluster of devices that render content protected by a broadcast encryption scheme. When two or more clusters are merged, a binding ID corresponding to one of the clusters is selected and a new management key is generated. Binding IDs associated with the clusters other than the cluster associated with the selected binding ID are encrypted using the new management key and stored on a cluster-authorized device in a binding ID archive. Content stored in conformity with an outdated binding ID is retrieved by decrypting the binding ID archive with the management key, recalculating an old management key and decrypting the stored content.

Abstract: Provided is a system and method for providing a certificate, and more specifically a certificate for network access upon a second system based on at least one criteria and an established identity with a first system. The method includes receiving criteria, such as at least one predefined attribute. Also received from a user known to a first system is a request for network access to a second system, the request having at least one identifier. The first system is then queried with the identifier for attributes associated with the user. The attributes associated with the user are evaluated to the predefined attribute(s). In response to at least one attribute associated with the user correlating to the predefined attribute(s), providing a certificate with at least one characteristic for network access on the second system to the user. An associated system for providing a Certificate is also provided.

Abstract: Techniques for detecting infected websites are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting an infected website comprising receiving at least one redirection report from at least one security agent, receiving at least one malware report from the at least one security agent, analyzing correlation between the at least one redirection report and the at least one malware report, aggregating information from the at least one redirection report, the at least one malware report, and the correlation analysis, and detecting an infected website based on the aggregated information.

Abstract: A computer-implemented method for providing secure access to a computer is disclosed according to one aspect of the subject technology. The method comprises capturing an image with a camera at the computer, extracting facial features from the image, and comparing the extracted facial features with facial features of a user stored on the computer, wherein the computer is currently logged into a user account belonging to the user. The method also comprises, if the extracted facial features match the stored facial features of the user, then staying logged into the user account, and, if the extracted facial features do not match the stored facial features of the user, then automatically logging out of the user account.

Abstract: Computers can be authenticated using automatically combined images. During an authentication process, a server transmits an image to a client. The transmitted image is combined with a stored image using a randomly selected logical operator to generate a combined image. The combined image is transmitted back to the server. The server has a copy of the transmitted image and the stored image and generates a series of template combined images using different logical operators selected from a set of logical operators to determine whether any of the template combined images match the received combined image. If the received combined image matches one of the template combined images, the user is authenticated.

Abstract: A cryptographic communication technology that is based on predicate encryption and that can operate flexibly is provided. A conversion rule information pair is determined in advance, which has attribute conversion rule information prescribing a conversion rule for converting attribute designation information to attribute information used in a predicate encryption algorithm and predicate conversion rule information prescribing a conversion rule for converting predicate designation information to predicate information used in the predicate encryption algorithm. One kind of conversion rule information included in the conversion rule information pair is used to obtain first attribute information or first predicate information from input information. The first attribute information or the first predicate information is used for encryption.

Abstract: A certification device 101 encrypts a feature vector for registration by using a random number and a public key which is set to correspond to a secret key in a decryption device 103. The encrypted feature vector for registration is registered in an authentication device 102. In authentication, the certification device encrypts a feature vector for authentication by using the public key and a random number. With the two encrypted feature vectors being kept encrypted, the authentication device generates encrypted similarity degree information from which the decryption device can derive the similarity degree between the two feature vectors by a decryption process using the secret key. The decryption device 103 decrypts the encrypted similarity degree information to derive the similarity degree of the plaintext. The authentication device 102, if the similarity degree is equal to or larger than a threshold, determines that the user is the correct user.

Abstract: A device function to be used by an application is specified, a risk level of the specified device function is acquired, and a risk level of the application is calculated based on the acquired risk level of the device function.

Abstract: There is provided a communication device including a determination unit for determining whether authentication information presented to a user of another communication device is consistent with comparison information transmitted from the other communication device capable of obtaining and transmitting the authentication information, and an authentication unit, when it is determined that the authentication information is consistent with the comparison information, for authenticating the other communication device as an opposite communication party.

Abstract: Techniques for encrypting documents in a search index may include: receiving a document for inclusion in a search index of a search system, where the document has an associated access control list (ACL), and the ACL includes data for use in restricting access to the document to users of the search system having credentials that match corresponding data in the ACL; encrypting the document using a first key to produce an encrypted document; generating a wrapped key for the document by encrypting both the first key and the ACL using a second key; and storing, along with the search index, the encrypted document in association with the wrapped key and an identifier for the document.