Patents Examined by Ronald Baum
  • Patent number: 7630493
    Abstract: Techniques for generating a private portion of a split private key of an asymmetric key pair are provided. Multiple factors upon which the private portion of the split private key is based are received. Each of these multiple factors is under control of a user associated with the asymmetric key pair. Multiple cryptographic operations are then performed using the received multiple factors to generate the private portion.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: December 8, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Patent number: 7617534
    Abstract: Techniques are disclosed for detecting manipulations of user-kernel transition registers (such as the SYSENTER/SYSCALL critical registers of Intel/AMD processors, respectively), and other such registers. In one embodiment, a register monitor agent is deployed at system boot-up, and continues monitoring target registers for manipulation during system use. If a manipulation is detected, then exclusions are checked to see if that manipulation is legitimate (e.g., caused by a trusted source). If not a legitimate manipulation, then reporting and/or corrective action can be taken. The techniques can be used in real-time and in any number of behavior blocking, antivirus, and/or intrusion prevention applications.
    Type: Grant
    Filed: August 26, 2005
    Date of Patent: November 10, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie, Matthew Conover
  • Patent number: 7607173
    Abstract: Calls to driver load functions, including associated driver objects to be loaded, are stalled and evaluated for indications of a rootkit. When a rootkit is indicated, protective action is taken, and optionally a user or system administrator is notified. Calls not indicative of a rootkit are released and allowed to load. In one embodiment, calls to currently loaded drivers and calls related to installation of new hardware are excluded from the evaluation for indications of a rootkit. In additional embodiments, sensitive structures and calls to sensitive structures of a computer system are also evaluated for indications of a rootkit.
    Type: Grant
    Filed: October 31, 2005
    Date of Patent: October 20, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie, Matthew Conover
  • Patent number: 7600261
    Abstract: A system comprising a trusted computing platform including one or more logically protected computing environments, each of which is associated with at least one service or process supported by said system, the system being arranged to load onto said trusted computing platform a predetermined security policy including one or more security rules for controlling the operation of each of said logically protected computing environments, the security rules for at least one of said logically protected computing environments including an execution control rule which defines the security attributes to be applied to a service or process associated with said logically protected computing environment when said service or process is started.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: October 6, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Michael John Wray
  • Patent number: 7590880
    Abstract: The present invention is directed to circuitry for detecting and protecting against over-clocking attacks on hardware modules. The circuitry preferably comprises a test signal, a delay path for providing a delayed signal of the test signal, and circuitry for comparing the logical state of the test signal and the delayed signal and issuing an attack indication whenever the signals are different.
    Type: Grant
    Filed: September 13, 2004
    Date of Patent: September 15, 2009
    Assignee: National Semiconductor Corporation
    Inventor: Ziv Hershman
  • Patent number: 7577994
    Abstract: A mechanism for using a graphic password test while providing the ability for detecting attempts by programs to decipher the password for malicious attack is disclosed. An access module provides a prompt to an entity attempting to access a protected resource. An image-substitution module provides a first or second graphic image to the entity (the images display a first and second password, respectively). A programmatic interface that provides access to an image displayed on a computer screen can be modified to periodically provide a second image to a computer program that is different from the first image displayed to a human user. A receiving module receives a password in response to the prompt, and a determination module determines whether the password is the first or second password. When the second password is received, it is likely a malware attempt at bypassing the graphic password test. An analysis module responds, e.g., by collecting information about the entity that attempted access.
    Type: Grant
    Filed: August 25, 2005
    Date of Patent: August 18, 2009
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Bruce McCorkendale
  • Patent number: 7571482
    Abstract: Embodiments of a RootKit detector are directed to identifying a RootKit on a computer that is designed to conceal malware. Aspects of the RootKit detector leverage services provided by kernel debugger facilities to automatically obtain data in specified data structures that are maintained by an operating system. Then the data obtained from the kernel debugger facilities is processed with an integrity checker that determines whether the data contains properties sufficient to declare that a RootKit is resident on the computer.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Alexey A. Polyakov, Gretchen L. Loihle, Mihai Costea, Robert J. Hensing, Jr., Scott A. Field, Vincent R. Orgovan, Yi-Min Wang, Yun Lin
  • Patent number: 7568233
    Abstract: An executable file containing malicious software can be packed using a packer to make the software difficult to detect. The executable file is loaded into the computer's memory and executed as a process. A memory dump module analyzes the address space for the process and identifies an executable file image within it. The memory dump module creates a memory dump file on the computer's storage device containing the file image and modifies the file to make it resemble a normal executable file. A signature scanning module scans the memory dump file for signatures of malicious software. If a signature is found in the file, a reporting module sends the host file for the process and the memory dump file to a security server for analysis.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: July 28, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie
  • Patent number: 7568105
    Abstract: Distributing information, including the steps of watermarking the digital content, distributing the digital content using a multi-source system, and partially fingerprinting digital content at each stage of moving information from a point of origin to the viewer. “Adaptation” of the digital content to the recipient includes maintaining the digital content in encrypted form at each such intermediate device, including decrypting the digital content with a key unique to both the device and the specific movie, selecting a portion of the watermark locations into which to embed information, embedding fingerprinting information into those locations sufficient to identify the recipient, and encrypting the fingerprinted digital content with a new such key.
    Type: Grant
    Filed: September 18, 2006
    Date of Patent: July 28, 2009
    Assignee: Kaleidescape, Inc.
    Inventors: Daniel A. Collens, Stephen Watson, Michael A. Malcolm
  • Patent number: 7565686
    Abstract: A late binding code manager prevents the unauthorized loading of late binding code into a process. The late binding code manager detects an attempt to load late binding code into a process's address space. Subsequently, the late binding code manager determines whether a detected attempt to load late binding code into a process's address space is permitted. Responsive to the results of a determination as to whether an attempt to load late binding code into a process's address space is permitted, the late binding code manager executes at least one additional step affecting the loading of the late binding code into the process's address space. Such a step can comprise permitting, blocking or modifying the attempt to load the late binding code.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: July 21, 2009
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Mark Kennedy
  • Patent number: 7565527
    Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: July 21, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Patent number: 7562218
    Abstract: Preferred embodiments of the invention relate to a method and device for authenticating a user of a computer and a corresponding system using the method and device. The device is a handheld electronic device having accessible thereto a first authentication code of the user. The handheld electronic device requires a second authentication code for enabling use thereof. In order to authenticate the user to the computer, the handheld electronic device is configured to transmit the first authentication code to the computer over a communication link between the computer and the handheld electronic device.
    Type: Grant
    Filed: August 17, 2004
    Date of Patent: July 14, 2009
    Assignee: Research In Motion Limited
    Inventors: Michael G. Kirkup, Michael K. Brown, Michael S. Brown, Neil P. Adams, Herbert A. Little
  • Patent number: 7551736
    Abstract: Methods and apparatuses for minimizing co-channel interference in communications systems are disclosed. A method in accordance with the present invention comprises scrambling a first header of the first signal using a first scrambling code, scrambling a second header of the second signal using a second scrambling code, and transmitting the first signal and the second signal with the scrambled first header and the scrambled second header over different channels of the communication system.
    Type: Grant
    Filed: April 11, 2005
    Date of Patent: June 23, 2009
    Assignee: The DIRECTV Group, Inc.
    Inventors: Lin-Nan Lee, Feng-Wen Sun, Adam Von Ancken, Joseph Santoru, Ernest C. Chen, Shamik Maitra, Dennis Lai, Guangcai Zhou, Tung-Sheng Lin
  • Patent number: 7552354
    Abstract: A method of protecting a microcomputer system against manipulation of data stored in a memory arrangement of the microcomputer system, in particular a control program stored there. Checking mechanisms are executed at preselectable points in time to check for manipulation of the data. To permit effective blocking of manipulated data stored in the memory arrangement, new data is stored at least partially in a volatile memory, in particular in a random access memory, during reprogramming or new programming of the memory arrangement; the checking mechanisms are executed, and the portion of the new data stored in the volatile memory is copied to the memory arrangement if no manipulation of the new data has been detected.
    Type: Grant
    Filed: July 1, 2002
    Date of Patent: June 23, 2009
    Assignee: Robert Bosch GmbH
    Inventors: Klaus Schneider, Matthias Knauss, Peter Poinstingl
  • Patent number: 7549174
    Abstract: A system including an application configured to request a key, a keystore configured to provide the key, wherein the keystore comprises a non-application specific directory, and an application-specific subdirectory.
    Type: Grant
    Filed: July 27, 2004
    Date of Patent: June 16, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: James H. Falkner, Darren J. Moffat, Paul J. Sangster
  • Patent number: 7549169
    Abstract: A method includes generating new update name lists and providing malicious code protection update information including the new update name lists to host computer systems. In one embodiment, the new update name lists are generated by registering domain names, and only a subset of the registered domain names are used to create an update name list provided to any one of the host computer systems.
    Type: Grant
    Filed: August 26, 2004
    Date of Patent: June 16, 2009
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Peter Szor, Bruce McCorkendale
  • Patent number: 7546635
    Abstract: A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding component for forwarding to the routing component. The firewall component may be a security service card.
    Type: Grant
    Filed: August 11, 2004
    Date of Patent: June 9, 2009
    Assignee: Juniper Networks, Inc.
    Inventors: Robert M. Krohn, Sankar Ramamoorthi, Michael Freed, Keith Holleman
  • Patent number: 7546632
    Abstract: A system supplies configuration information, via an EAP protocol, to a remote device trying to access the network. An authentication server performs an authentication exchange by receiving, from a remote device, a connection attempt to access the network. The authentication server performs an authentication exchange with the remote device to allow the remote device access to the network. During the authentication exchange, a configuration selection characteristic associated with the remote device is identified. A device configuration to be applied to the remote device, based on the configuration selection characteristic, is determined. The authentication server provides the determined device configuration to the remote device, via an EAP protocol, to allow the remote device to install the determined device configuration prior to being allowed access to the network.
    Type: Grant
    Filed: February 17, 2005
    Date of Patent: June 9, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Jeremy E. Stieglitz, Darran Potter, Mark C. Wilgus
  • Patent number: 7546637
    Abstract: Information, e.g., a source address, in packets on a network is processed by a geo-location detector. The geo-location detector generates a related location identifier, which, for example, is inclusive of one or more source addresses, known or unknown. The location identifier serves as a less precise indicator than the exact location of the system associated with the particular source address of interest, but a more accurate location indicator than was previously available. One of the addresses in a set of source addresses represented by the location identifier is the source address of interest. Although other source addresses represented by the location identifier may not be attacker sources, the location identifier is an identity that can be used as a variable for correlation, trend analysis, or search keys in accessing a network security threat.
    Type: Grant
    Filed: November 22, 2004
    Date of Patent: June 9, 2009
    Assignee: Symantec Corporation
    Inventors: Paul Agbabian, William E. Sobel
  • Patent number: 7540026
    Abstract: A method includes stalling execution of a model specific register write function to write to a model specific register of a processor having a no-execute processor feature enabled, determining that the model specific register is a no-execute model specific register of the processor, and determining whether a no-execute field in the no-execute model specific register is being altered. Upon a determination that the no-execute field is being altered, the method further includes taking protective action to prevent disabling of the no-execute processor feature.
    Type: Grant
    Filed: January 24, 2005
    Date of Patent: May 26, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie