Patents Examined by Ronald Baum
  • Patent number: 8605904
    Abstract: A security method in a wireless communication system is provided, which is used for providing a plurality of security associations between a user equipment, a relay node, and a base station node in a wireless communication system. The user equipment authenticates with a serving gateway in the wireless communication system through the relay node, such that a security association between the user equipment and the relay node is established correspondingly. The relay node establishes a second security association between the relay node and the base station node through the base station node.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: December 10, 2013
    Assignee: Industrial Technology Research Institute
    Inventor: Tzu-Ming Lin
  • Patent number: 8607360
    Abstract: A data delivery apparatus including a storage adapted to store limited-access data which associates user data for specifying a user, with data, access to which is permitted or limited to the user; a function determination unit adapted to determine whether a destination device to which the limited-access data is to be transmitted has an access control function of permitting or limiting access to the limited-access data for each user; an authentication unit adapted to, when the limited-access data destination device is determined not to have the access control function, request input of authentication information and perform an authentication process using the input authentication information; and a transmission control unit adapted to, when the authentication process by said authentication unit is successful, transmit the limited-access data to the destination device.
    Type: Grant
    Filed: February 8, 2011
    Date of Patent: December 10, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hiroaki Kishimoto
  • Patent number: 8594575
    Abstract: Methods and apparatuses for minimizing co-channel interference in communications systems are disclosed. A method in accordance with the present invention comprises shifting a characteristic of the first signal with respect to a like characteristic of the second signal to mitigate co-channel interference, and transmitting the first signal and the second signal over different channels of the communication system.
    Type: Grant
    Filed: April 14, 2008
    Date of Patent: November 26, 2013
    Assignee: The DIRECTV Group, Inc.
    Inventors: Joseph Santoru, Ernest C. Chen, Shamik Maitra, Dennis Lai, Guangcai Zhou, Tung-Sheng Lin
  • Patent number: 8595485
    Abstract: The present invention discloses a security management method and a security management system for a WAPI terminal accessing an IMS network. The method comprises: an authentication service unit (ASU) sending, under the circumstance that an access point and the WAPI terminal pass the verification of the ASU, a security information request message to a home subscriber server (HSS) (S302); the HSS setting security information corresponding to the IMS account information of the WAPI terminal as access layer security after receiving the security information request message from the ASU (S304); a proxy-call session control function (P-CSCF) receiving an IMS login request message from the WAPI terminal, inquiring about the security information of the WAPI terminal through the HSS, and allowing the WAPI terminal to execute an IMS service flow under the circumstance that the security information of the WAPI terminal is the access layer security (S306).
    Type: Grant
    Filed: July 16, 2009
    Date of Patent: November 26, 2013
    Assignee: ZTE Corporation
    Inventors: Jiehui Liang, Yuanqing Shi, Jiabing Liu
  • Patent number: 8594176
    Abstract: A streaming media codec may include a collection of media stream processing modules arranged into a processing graph. One or more of the modules may perform a Fourier-related transform, and a significant fraction of media stream processing may occur post-transform. The media stream may be considered as a sequence of processing blocks, and post-transform processing blocks contain transform coefficients. Such transform coefficients are amenable to classification into processing classes. Some processing classes may require significantly less processing effort than others by post-transform processing modules. Such transform coefficient classes may be efficiently specified, for example, with coefficient bounding rectangles, and the specification provided to one or more post-transform streaming media processing modules to enable the modules to allocate their processing resources more effectively.
    Type: Grant
    Filed: March 6, 2007
    Date of Patent: November 26, 2013
    Assignee: Microsoft Corporation
    Inventors: Jiang Li, Hua Cai
  • Patent number: 8584258
    Abstract: Enabling an unauthenticated user to access content associated with an authenticated user as though the unauthenticated user had a selected user relationship with the authenticated user. The user relationship may comprise a relationship degree, a relationship category, a relationship rating, and/or the like. An invitation to join an electronic service, such as an online social network, is sent to the unauthenticated user at an address known to the authenticated user. The invitation includes a time-limited token, such as a URL, that includes an invitation identifier, which relates the invitation to the authenticated user content. The token may be encrypted in the invitation. The unauthenticated user returns the token as a request to preview the authenticated user content without first becoming an authenticated user of the electronic service. If the token is still valid, access is granted. The unauthenticated user may also request to establish a connection with the authenticated user.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: November 12, 2013
    Assignee: Yahoo! Inc.
    Inventors: Michael La Rotonda, Neal Sample, F. Randall Farmer, Paul Brody, Ellen Sue Perelman
  • Patent number: 8578490
    Abstract: A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files.
    Type: Grant
    Filed: February 27, 2007
    Date of Patent: November 5, 2013
    Assignee: Symantec Corporation
    Inventor: Douglas B. Moran
  • Patent number: 8572729
    Abstract: A system, method and computer program product are provided. In use, code is executed in user mode. Further, the execution of the code is intercepted. In response to the interception, operations are performed in kernel mode.
    Type: Grant
    Filed: January 30, 2006
    Date of Patent: October 29, 2013
    Assignee: McAfee, Inc.
    Inventors: Joe C. Lowe, Jonathan L. Edwards, Gregory William Dalcher
  • Patent number: 8555340
    Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
    Type: Grant
    Filed: January 18, 2007
    Date of Patent: October 8, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
  • Patent number: 8553757
    Abstract: A “Media Transmission Optimizer” provides a media transmission optimization framework for lossy or bursty networks such as the Internet. This optimization framework provides a novel form of dynamic Forward Error Correction (FEC) that focuses on the perceived quality of a recovered media signal rather than on the absolute accuracy of the recovered media signal. In general, the Media Transmission Optimizer provides an encoder that optimizes the transmission of redundant frames of electronic media information encoded at different bit rates, and provides optimized playback quality by providing a decoder that automatically selects an optimal path through one or more available representations of each frame as a function of overall rate/distortion criteria.
    Type: Grant
    Filed: February 14, 2007
    Date of Patent: October 8, 2013
    Assignee: Microsoft Corporation
    Inventors: Dinei A. Florencio, Philip A. Chou, Suleyman Serdar Kozat
  • Patent number: 8553758
    Abstract: Local motion estimation is described herein. Each picture of a video is partitioned into blocks for the local motion estimation. An extended-block FFT is calculated for each block, where the extended-block denotes that a certain area around the block is also included for applying FFT. Extending the block for FFT helps to account for the motion of objects that are moving into or out of the block. Phase correlation is applied to attain a set of Motion Vector (MV) candidates for the blocks, and a cost function is evaluated for each MV. If no MV candidate produces a cost function below a pre-defined threshold, a hierarchical variable block matching search is applied and the process is repeated with blocks for finer resolution. Also, predictive MV candidates are used during the block matching search along with temporal constraints tracking to select an MV that yields the minimum cost function.
    Type: Grant
    Filed: March 2, 2007
    Date of Patent: October 8, 2013
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventors: Ming-Chang Liu, Peng Lin
  • Patent number: 8543822
    Abstract: A first device in possession of a value is able to determine, without communicating the value and without communicating any information from which the value can be identified, whether a second device is also in possession of the value. The first device accomplishes this with the assistance of a third device that is able to communicate with the first device and with the second device. The second device also does not communicate the value and does not communicate any information from which the value can be identified. The first device may send additional information to the third device which, if passed to the second device, enables the second device to determine that the first device is in possession of the value. The value may be a secret.
    Type: Grant
    Filed: March 26, 2012
    Date of Patent: September 24, 2013
    Assignee: BlackBerry Limited
    Inventors: Michael K. Brown, Herbert A. Little, Dinah L. M. Davis
  • Patent number: 8538012
    Abstract: A machine-readable medium may have stored thereon an instruction, which when executed by a machine causes the machine to perform a method. The method may include combining a first operand of the instruction and a second operand of the instruction to produce a result. The result may be encrypted using a key in accordance with an Advanced Encryption Standard (AES) algorithm to produce an encrypted result. The method may also include placing the encrypted result in a location of the first operand of the instruction.
    Type: Grant
    Filed: March 14, 2007
    Date of Patent: September 17, 2013
    Assignee: Intel Corporation
    Inventors: Martin Dixon, Srinivas Chennupaty, Shay Gueron
  • Patent number: 8522015
    Abstract: Presented is an anti-tampering method that validates and protects specific sections of a binary file. In one embodiment, this method permits a proxy engine to execute (via emulation by a virtual machine) the protected code on behalf of the binary in kernel mode upon successful completion of an integrity check. The integrity check can optionally check only the specific parts of code that the developer wishes to validate. The integrity check can cross binary boundaries. Moreover, the integrity check can be done on a hard drive or in memory. Furthermore, since the encrypted code is executed by the proxy engine in kernel mode, hackers are further deterred from modifying the code. Additionally, a method of creating a protected binary file is described herein.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: August 27, 2013
    Assignee: Microsoft Corporation
    Inventors: Aaron Goldsmid, Ping Xie, Scott Miller, Nir Ben Zvi, Nathan Jeffrey Ide, Manoj R. Mehta
  • Patent number: 8516266
    Abstract: A system, comprising a network interface, an additional data communications interface, and processor for supporting a control interface communicated through the network interface according to an intermachine markup language protocol, for controlling the network interface and the additional data communications interface.
    Type: Grant
    Filed: February 27, 2006
    Date of Patent: August 20, 2013
    Inventors: Steven M. Hoffberg, Linda I. Hoffberg-Borghesani
  • Patent number: 8504849
    Abstract: Many storage devices are not aware of file systems while many computer host devices read and write data in the form of files. The host device provides a key reference or ID, while the memory system generates a key value in response which is associated with the key ID, which is used as the handle through which the memory retains complete and exclusive control over the generation and use of the key value for cryptographic processes, while the host retains control of files.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: August 6, 2013
    Assignees: SanDisk Technologies Inc., Discretix Technologies Inc.
    Inventors: Fabrice Jogand-Coulomb, Michael Holtzman, Bahman Qawami, Ron Barzilai, Hagai Bar-El
  • Patent number: 8472629
    Abstract: A master generates a session key, receives public keys from a plurality of slaves, encrypts the session key using the individual public keys, transmits the encrypted session key to the plurality of slaves, encrypts data using the encrypted session key, and sends it to the plurality of slaves. A plurality of slaves transmit public keys to a master device, receive and decrypt a session key encrypted using individual public keys, receive data encrypted using the session key from the master, and decrypt it using the decrypted session key.
    Type: Grant
    Filed: March 7, 2007
    Date of Patent: June 25, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Toshifumi Hamachi
  • Patent number: 8458786
    Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: June 4, 2013
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Jose Raphel, Srikanth Devarajan
  • Patent number: 8429429
    Abstract: A method is provided for protecting a computer system, comprising: attaching a security descriptor to a process running on a processor of the computer system; associating with the security descriptor an isolation indicator that indicates the process runs in an isolation mode; calling a system routine by the isolated process that is also callable by a process that is not running in isolation mode; attempting to write to an object of a disk or a registry by the system routine called by the isolated process; determining whether the system routine is requesting the write on behalf of the isolated process or not; if the write is requested on behalf of the isolated process, then performing the write in a pseudo storage area; and if the write is requested on behalf of the non-isolated process, then performing the write in an actual storage area in which the disk or registry resides.
    Type: Grant
    Filed: October 25, 2010
    Date of Patent: April 23, 2013
    Assignee: Secure Vector, Inc.
    Inventors: James B. Kargman, Peter Scott, Jeffrey Bromberger
  • Patent number: 8406425
    Abstract: An approach for minimizing co-channel interference in a communication system is disclosed. A header of a first frame is scrambled based on a first unique word. A header of a second frame is scrambled based on a second unique word. The first frame including the corresponding scrambled header and the second frame including the corresponding scrambled header are transmitted, respectively, over adjacent co-channels of the communication system. Each of the frames further includes a payload and a pilot block. The payload and the pilot block of the first frame are scrambled based on a first scrambling sequence. The payload and the pilot block of the second frame are scrambled based on a second scrambling sequence. The above arrangement is particularly suited to a digital satellite broadcast and interactive system.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: March 26, 2013
    Assignee: DTVG Licensing, Inc.
    Inventors: Lin-Nan Lee, Feng-Wen Sun, Adam Von Ancken