Patents Examined by Robert Leung
  • Patent number: 9223807
    Abstract: A database management system implements a role-oriented authorization scheme that facilitates operating system (OS) supported encrypted field access for a table in the database. A security model provides for various roles that have varying responsibilities and rights with respect to the database tables and the data supported therein. In this approach, data that is considered sensitive is encrypted. A system administrator role is authorized to create, update, and maintain a table but is not authorized to view sensitive field data, i.e., data stored in encrypted columns of the table. A security administrator role is authorized to define column masks with OS-enforced security access control to the sensitive field data. By separating (fencing) these responsibilities, the security model enforces end-to-end encryption across the entire database management system.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: December 29, 2015
    Assignee: International Business Machines Corporation
    Inventors: Geoffrey George Jackson, Jay Merrill Bruce, Pamela J. Van Orden, Falk Reichbott
  • Patent number: 9225747
    Abstract: Novel tools and techniques are provided for lawfully intercepting communications. In some embodiments, a lawful intercept application might be provided on a cloud computing system. The lawful intercept application might include an application programming interface (“API”) to exchange data with a plurality of different communication building blocks of different types. Communication intercept data associated with a particular communication between a lawful intercept subject and other parties may be received with the lawful intercept application. The communication intercept data may then be provided from a delivery function of the lawful intercept application to a collection function. In some cases, the collection function might be part of the lawful intercept application, might be located at a government facility separate from the cloud computing system, or might be two collection functions, one of which is part of the lawful intercept application and the other of which is located at the government facility.
    Type: Grant
    Filed: March 6, 2014
    Date of Patent: December 29, 2015
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael J. Fargano, Christopher L. Mikkelson
  • Patent number: 9224000
    Abstract: Systems and methods for securing or encrypting data or other information arising from a user's interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or accessed. The ciphertext can be stored in a user's storage device or in an enterprise database (e.g., at-rest encryption), or shared with other users (e.g., cryptographic communication). Use of context-based encryption keys enables key association with individual data elements, as opposed to public-private key pairs, or use of conventional user-based or system-based keys. In scenarios wherein data is shared by a sender with other users, the system manages the rights of users who are able to send and/or access the sender's data according to pre-defined policies/roles.
    Type: Grant
    Filed: June 14, 2012
    Date of Patent: December 29, 2015
    Assignee: Ionic Security, Inc.
    Inventor: Adam Ghetti
  • Patent number: 9210439
    Abstract: A method for encoding high dynamic range (HDR) images involves providing a lower dynamic range (LDR) image, generating a prediction function for estimating the values for pixels in the HDR image based on the values of corresponding pixels in the LDR image, and obtaining a residual frame based on differences between the pixel values of the HDR image and estimated pixel values. The LDR image, prediction function and residual frame can all be encoded in data from which either the LDR image or HDR image can be recreated.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: December 8, 2015
    Assignee: MAX-PLANCK GESELLSCHAFT ZUR FORDERUNG DER WISSENSCHAFTEN E.V.
    Inventors: Alexander Efremov, Rafal Mantiuk, Grzegorz Krawczyk, Karol Myszkowski, Hans-Peter Seidel
  • Patent number: 9203837
    Abstract: A system and method to detect and prevent fraud in a system is provided. The system may uniquely identify physical devices connecting to a network, register unique devices, track end-user logins, associate end-user accounts with specific devices, and share information with multiple network service providers.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: December 1, 2015
    Assignee: IOVATION, INC.
    Inventors: Greg Pierson, Jason DeHaan
  • Patent number: 9203832
    Abstract: Authenticating devices utilizing Transport Layer Security (TLS) protocol to facilitate exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information. The authentication may utilize Digital Transmission Content Protection (DTCP) certificates, Diffie-Hellman (DH) parameters or other information available to the authenticating devices, optionally without requiring a device requesting authentication to obtain an X.509 certificate.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: December 1, 2015
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Darshak Thakore, Stuart Hoggan, Dave Belt, Amol Bhagwat
  • Patent number: 9197619
    Abstract: A system and method for managing electronic devices based on user identity information is presented. An authenticating entity authenticates and provides secure user identity data and a first electronic device. The first electronic device includes memory that stores first secure user identity data provisioned to the first electronic device and a communication module that discovers a second electronic device and initiates a wireless connection with the discovered second electronic device, in which the second electronic device is provisioned with second secure user identity data, logic that has the first and second electronic devices exchange and validate their respective first and second secure user identity data, and a discovery list that stores attributes of the second electronic device. Upon determining that the first and second electronic devices are associated with the same user, the logic adds self-property to the stored attributes of the second electronic device.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: November 24, 2015
    Assignee: INTEL CORPORATION
    Inventors: Mats Agerstam, Patrick C. Lankswert
  • Patent number: 9191203
    Abstract: A secure industrial control system is disclosed herein. The industrial control system includes a plurality of industrial elements (e.g., modules, cables) which are provisioned during manufacture with their own unique security credentials. A key management entity of the secure industrial control system monitors and manages the security credentials of the industrial elements starting from the time they are manufactured up to and during their implementation within the industrial control system for promoting security of the industrial control system. An authentication process, based upon the security credentials, for authenticating the industrial elements being implemented in the industrial control system is performed for promoting security of the industrial control system. In one or more implementations, all industrial elements of the secure industrial control system are provisioned with the security credentials for providing security at multiple (e.g., all) levels of the system.
    Type: Grant
    Filed: August 27, 2014
    Date of Patent: November 17, 2015
    Assignee: Bedrock Automation Platforms Inc.
    Inventors: Albert Rooyakkers, James G. Calvin, Samuel Galpin, Timothy Clish
  • Patent number: 9191366
    Abstract: A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones.
    Type: Grant
    Filed: April 25, 2014
    Date of Patent: November 17, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Kannan Varadhan, Jean-Marc Frailong, Anjan Venkatramani
  • Patent number: 9167005
    Abstract: A method and system are provided in which a broadband gateway may enable a guest or visitor to access content available to the broadband gateway. The content may be received by the broadband gateway through one or more of a plurality of network access service providers that may provide separate physical layer access to the broadband gateway. After a visitor's device is connected to the broadband gateway, the broadband gateway may classify the device. Based on the classification, the device may be authorized to access a portion of the content received. Once the authorization process is complete, the appropriate content may be made available and transferred to the device. The authorization process may include the authentication of a device identifier and/or a user identifier. The authorized access may be time-limited, but may be renewed or enabled when a request is received within a determined period of time.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: October 20, 2015
    Assignee: BROADCOM CORPORATION
    Inventors: David Garrett, Jeyhan Karaoguz, Xuemin Chen, Wael William Diab, David Lundgren, Rich Prodan
  • Patent number: 9166990
    Abstract: A system and method of transmitting a DDoS, or distributed denial of service, signature from an intra-network to an internet is presented. The method includes identifying a DDoS signature and employing an inter-domain routing protocol configured to enable operational information to be exchanged between nodes. The DDoS signature is embedded as payload of the standards-compliant inter-domain routing protocol. The step of embedding occurs within a network. The embedded DDoS signature is then sent from the network to an internet node outside of the network. The method further includes applying the DDoS signature to enable the internet nodes to filter packets matching the DDoS signature.
    Type: Grant
    Filed: February 9, 2010
    Date of Patent: October 20, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Anand Eswaran, Srinivas Guntupalli
  • Patent number: 9158776
    Abstract: Methods and apparatus are provided providing users with the ability to create and produce multimedia devices. In one aspect of the present invention, users are provided with the capability to easily and seamlessly create slideshows using multiple forms of graphic elements instead of just still pictures. In another aspect of the present invention, users are provided with the capability to create and modify the DVD menu that is required for DVDs to function properly on conventional DVD players. In still another aspect of the present invention, users are provided with an intuitive graphic interface that simply and clearly explains the trade offs the user must make in deciding which mode to record the DVD.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: October 13, 2015
    Assignee: Apple Inc.
    Inventors: Ralf Weber, Guillaume Vergnaud
  • Patent number: 9141794
    Abstract: One embodiment relates to a computer-implemented method of preemptively scanning targets for malicious codes. Input qualities regarding said targets are received. A first computer-implemented procedure is applied to generate a measure of priority for scanning of said targets. Targets are selected for preemptive scanning using said measure of priority. In addition, resource utilization inputs may be received, and a second computer-implemented procedure may be applied to determine a system resource usage level using the resource utilization inputs. In that case, the malware scanning may be performed opportunistically based on the system resource usage level. Other embodiments, aspects and features may also be disclosed.
    Type: Grant
    Filed: March 10, 2009
    Date of Patent: September 22, 2015
    Assignee: Trend Micro Incorporated
    Inventors: Viswa Soubramanien, Shaohong Wei
  • Patent number: 9130944
    Abstract: An apparatus for authorizing a bilateral session between two websites, comprising a processor configured to grant authorization for a first website to access a first resource located on a second website, grant authorization for the second website to access a second resource located on the first website, and establish the bilateral session between the first website and the second website when authorization is granted for the first website to access the first resource and authorization is granted for the second website to access the second resource, wherein the bilateral session supports the transfer of the first resource to the first website and the transfer of the second resource to the second website.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: September 8, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Li Li, Wu Chou, Tao Cai
  • Patent number: 9130988
    Abstract: A machine-implemented method for detecting scareware includes the steps of accessing one or more landing pages to be evaluated, extracting one or more features from the landing pages, and providing a classifier to compare the features extracted from the landing pages with features of known scareware and non-scareware pages. The classifier determines a likelihood that the landing page is scareware. If determined to be scareware, the landing page is removed from search results generated by a search engine. The features can be URLs, text, image interest points, image descriptors, a number of pop-ups generated, IP addresses, hostnames, domain names, text derived from images, images, metadata, identifiers of executables, and combinations thereof.
    Type: Grant
    Filed: June 14, 2011
    Date of Patent: September 8, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christian Seifert, Jack Stokes, Long Lu, David Heckerman, Christina Colcernian, Sasi Parthasarathy, Navaneethan Santhanam
  • Patent number: 9116849
    Abstract: Technologies for de-duplicating encrypted content include fragmenting a file into blocks on a computing device, encrypting each block, and storing each encrypted block on a content data server with associated keyed hashes and member identifications. The computing device additionally transmits each encrypted block with an associated member encryption key and member identification to a key server. As part of the de-duplication process, the content data server stores only one copy of the encrypted data for a particular associated keyed hash, and the key server similarly associates a single member encryption key with the keyed hash. To retrieve the file, the computing device receives the encrypted blocks with their associated keyed hashes and member identifications from the content data server and receives the corresponding member decryption key from the key server. The computing device decrypts each block using the member decryption keys and combines the blocks to generate the file.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: August 25, 2015
    Assignee: Intel Corporation
    Inventors: Alex Nayshtut, Omer Ben-Shalom, Terry H. Yoshii
  • Patent number: 9106617
    Abstract: Methods for transferring a set of data from a first processing device to a second processing device are provided. Pursuant to these methods a secure shell (“SSH”) authentication is performed to authenticate a first user that is logged onto the first processing device to a second user that is logged onto the second processing device. The set of data is divided into a first data subset and a second data subset. The first data subset is encrypted to provide an encrypted data set. The encrypted data set is transferred from the first processing device to the second processing device. The second data subset is also transferred from the first processing device to the second processing device, but without encrypting the second data subset. Related data transfer systems and computer program products are also provided.
    Type: Grant
    Filed: March 10, 2009
    Date of Patent: August 11, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Madhukar Kshirsagar, Ajay Joshi
  • Patent number: 9076008
    Abstract: Some embodiments enable a user of an electronic device to selectively secure applications and/or content of the electronic device. For instance, certain embodiments enable a user to password protect applications (e.g., email, calendar, contacts, photos) within a single environment. In some embodiments, a user can selectively secure specific content (e.g., work-related email messages, personal emails, work-related calendar entries, corporate contacts) within an application. Further, some embodiments enable a user to specify which applications and/or types of content the user would like to password protect. For instance, a user that has sensitive work-related information stored on or accessible through the user's device may choose to password protect work-related applications (e.g., work email account) and content (e.g., work documents, work-related calendar entries).
    Type: Grant
    Filed: June 27, 2011
    Date of Patent: July 7, 2015
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Steven Ka Cheung Moy
  • Patent number: 9069983
    Abstract: A method and apparatus for protecting sensitive information from disclosure through virtual machine files is disclosed. In one embodiment, the method includes processing virtual machine files using at least one processor to access data objects in memory that are associated with at least one virtual machine, examining the data objects using the at least one processor in accordance with a data loss prevention policy in the memory to identify, using the at least one processor, sensitive information within at least one data object of the data objects and securing, using the at least one processor, the sensitive information within the virtual machine files in the memory.
    Type: Grant
    Filed: April 29, 2009
    Date of Patent: June 30, 2015
    Assignee: Symantec Corporation
    Inventor: Manjinder Singh Nijjar
  • Patent number: 9069968
    Abstract: A method operates, during development of an application program intended to be run on a mobile user device, to perform a computer assisted analysis of the application program to determine at least one user privacy-related aspect of the application program; and to present the determined at least one user privacy-related aspect. The determined at least one user privacy-related aspect may be presented to a developer of the application program. An apparatus and system for performing the method are also disclosed.
    Type: Grant
    Filed: January 30, 2012
    Date of Patent: June 30, 2015
    Assignee: Nokia Technologies Oy
    Inventors: Imad Aad, Debmalya Biswas, Frank Dawson, Jr., GianPaolo Perrucci