Patents Examined by Shaun Gregory
  • Patent number: 8205253
    Abstract: Described is a system and method for receiving a data packet including a destination address and a source address, the data packet corresponding to a port number, assigning an address risk value for the data packet based on the source address and a port risk value for the data packet based on the port number. The data packet is categorized into a community based on the source address, wherein the community is predefined by a user corresponding to the destination address, the community includes a utility value. The address risk value and the port risk value are compared to the utility value to yield a benefit coefficient and the data packet is treated based on the benefit coefficient.
    Type: Grant
    Filed: August 11, 2010
    Date of Patent: June 19, 2012
    Assignee: AT & T Intellectual Property II, LP
    Inventors: Oliver Spatscheck, Jacobus Van der Merwe
  • Patent number: 8200964
    Abstract: One embodiment of the present invention provides a system for accessing an encrypted file through a file system. During operation, the system receives a request to access the encrypted file. In response to the request, the system sends an encrypted file key for the encrypted file from the file system to a tamper-resistant module. Next, the tamper-resistant module uses a master secret to decrypt the encrypted file key to restore the file key, wherein the master secret is obtained from an external source by the tamper-resistant module. The system then uses the file key to access the encrypted file.
    Type: Grant
    Filed: September 22, 2006
    Date of Patent: June 12, 2012
    Assignee: Oracle America, Inc.
    Inventors: Radia J. Perlman, Sunay Tripathi
  • Patent number: 8201235
    Abstract: A system includes first and second firewalls and a controller. The first firewall is configured to perform a firewall function on a first redundant input data packet and output the first input packet as a first redundant output data packet according to the firewall function. The second firewall is configured to perform the firewall function on a second redundant input data packet and output the second input packet as a second redundant output data packet according to the firewall function. The output packets are at least substantially similar when the firewall devices function properly. The controller is configured to receive the output packets from the firewalls, transmit at a given time one of the output packets, transmit the first output packet while the second firewall is failed, and transmit the second output packet while the first firewall is failed.
    Type: Grant
    Filed: October 13, 2010
    Date of Patent: June 12, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Thomas H. Adams, Michael T. Raftelis
  • Patent number: 8184721
    Abstract: A method of recursive filtering of a video image includes storing an image 20 comprising picture elements. Luminance and chrominance weightings are assigned for weighting neighbouring picture elements to a picture element in a current image 10 and for the stored image 20. A sum of differences is calculated between weighted luminance and chrominance values of a picture element and neighbouring picture elements of a current image and of corresponding picture elements of the stored image. The sum of differences is normalized to control sensitivity to motion in the image to obtain a value of a proportional parameter K(x,y) for each picture element. The current image is recursively filtered using the proportional parameter K(x,y) corresponding to each picture element by adding together a proportion K(x,y) of each picture element of the image to a complementary proportion of each corresponding picture element of the previously stored image.
    Type: Grant
    Filed: May 2, 2007
    Date of Patent: May 22, 2012
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventor: Arthur Mitchell
  • Patent number: 8156549
    Abstract: A system is disclosed which facilitates authentication processes with web-enabled wireless devices, including those that do not support the use of cookie files. To facilitate such authentication, a web server analyzes an HTTP request file from a communication device for the presence of security token data. Where none is found, a client is directed to a login page for input of authentication data, such as a user name and password information. Upon proper authentication, the client's communication device is issued a security token using standard HTML-INPUT tags. Thereafter, the web server determines if each additional HTTP request file received from the client includes a security token before responding to the request.
    Type: Grant
    Filed: April 30, 2007
    Date of Patent: April 10, 2012
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Mike Rice, Sineesh Keshav
  • Patent number: 8150030
    Abstract: A device and a method of cryptographically hashing a message $M$, including the following steps: forming a sequence $(M_1, \ldots, M_i, \ldots, M_c)$ of data $m$-tuples $M_1=(a_{1,1}, \ldots, a_{1,m}), \ldots, M_i=(a_{i,1}, \ldots, a_{i,m}), \ldots, M_c=(a_{c,1}, \ldots, a_{c,m})$, where $m$ is a strictly positive integer, from said message $M$; iteratively calculating successive output $p$-tuples $V_1, \ldots, V_i, \ldots, V_c$, where $p$ is a strictly positive integer, corresponding to said sequence $(M_1, \ldots, M_i, \ldots, M_c)$ of data $m$-tuples as a function of at least one set of multivariate polynomials defined over a finite field; and determining a hashing value of said message $M$ as a function of the last output $p$-tuple $V_c$.
    Type: Grant
    Filed: February 22, 2007
    Date of Patent: April 3, 2012
    Assignee: France Telecom
    Inventors: Olivier Billet, Henri Gilbert, Matt Robshaw
  • Patent number: 8151120
    Abstract: An integrated circuit, method of making an integrated circuit and method of addressing peripherals of an integrated circuit are disclosed for preventing copied software from running on unauthorized hardware. A permanent key is embedded in the integrated circuit and used to transform a peripheral access address output by a processor of the integrated circuit. The transformed access address is supplied to a peripheral address decoder of the integrated circuit, which allows the processor to access a corresponding peripheral. A method of supplying integrated circuits to prevent copied software from running on unauthorized hardware is also disclosed.
    Type: Grant
    Filed: September 21, 2006
    Date of Patent: April 3, 2012
    Assignee: STMicroelectronics (Research & Development) Ltd.
    Inventor: Stephen Nick Haydock
  • Patent number: 8151351
    Abstract: A method for detecting a security breach in a network comprises, at one of a plurality of transceivers each having a different media access control address, receiving a signal from an access point, the signal representing one or more packets of data, determining a source media access control address for each of the packets, and alerting the access point when the source media access control address of one of the packets is the media access control address of the transceiver.
    Type: Grant
    Filed: January 25, 2011
    Date of Patent: April 3, 2012
    Assignee: Marvell International Ltd.
    Inventors: Peter Loc, Tyson Leistiko, Hedley Rainnie
  • Patent number: 8151337
    Abstract: Each virtualized environment on a computer has its own set of firewall rules. The virtualized environments share a single instance of the operating system image, a filter engine and a single network stack. A virtualized environment may be a compartment or a server silo. A virtualized environment is a network isolation mechanism and may be used to prevent use of a computer to traverse network boundaries by creating a separate virtualized environment for each network, enabling a separate set of rules to be applied to each virtualized environment and the network interfaces within it. Virtualized environments may also be used to assign different trust levels to the same physical network. Firewall rules are applied by virtualized environment identifier (ID), enabling separate filters to be applied to each virtualized environment on a computer. A virtualized environment may include or be associated with one or more network interfaces.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: April 3, 2012
    Assignee: Microsoft Corporation
    Inventors: Zachary Thomas Crowell, Yousef A. Khalidi, Madhusudhan Talluri
  • Patent number: 8135135
    Abstract: In situations, such as disasters, where the physical protection of data may be compromised, algorithmic protection of such data can be increased in anticipation of the disaster. An off-site mechanism can send a disaster preparation script to computing devices expected to be affected, resulting in the deletion of decryption keys from those computing devices. Once the disaster passes, the off-site mechanism, upon receiving confirmation of the physical integrity of the computing devices, can return one or more decryption keys to the computing devices, enabling access to algorithmically protected data. The off-site mechanism can also optionally provide access information that can be used to obtain access to the algorithmically protected data via at least one returned decryption key.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: March 13, 2012
    Assignee: Microsoft Corporation
    Inventors: Peter N. Biddle, Kenneth D. Ray, Octavian T. Ureche, Erik Holt
  • Patent number: 8132254
    Abstract: A data processing apparatus and method for protecting system control registers is provided. Processing logic is provided for executing software routines and a plurality of system control registers are used to store access control information for a plurality of system resources available to the processing logic when executing at least some of those software routines. Additionally, at least one write control register is provided, with each field of that register being associated with one or more of the system control registers. Disable control logic is used to generate a disable signal, and when that disable signal is clear access control information can be written into the system control registers, and write restriction data can be written into each of the fields of the at least one write control register.
    Type: Grant
    Filed: August 15, 2007
    Date of Patent: March 6, 2012
    Assignee: ARM Limited
    Inventors: Daniel Kershaw, Richard Roy Grisenthwaite
  • Patent number: 8126141
    Abstract: Embodiments of interferometric communication are disclosed.
    Type: Grant
    Filed: February 21, 2007
    Date of Patent: February 28, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Kuohua (Angus) Wu, Andrew L. Van Brocklin
  • Patent number: 8122500
    Abstract: The “Grid Security Monitor” tracks the security status of resources in a grid computer system. When a client submits a job to the grid scheduler, the Grid Security Monitor creates a security contract. The security contract comprises all the security credentials needed to access the resource executing the job, as well as privacy and security requirements. The Grid Security Monitor compares the security status of the resource to the requirements of the security contract. If the security status of the resource changes or violates the security contract, then the Grid Security Monitor notifies the client. The Grid Security Monitor has a user interface that allows the client to perform a manual security validation by asking the grid management system to verify the security status of the resource.
    Type: Grant
    Filed: June 23, 2006
    Date of Patent: February 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Dawson, Vincenzo V. DiLuoffo, Craig W. Fellenstein
  • Patent number: 8104077
    Abstract: A security gateway is provided to facilitate end-point compliance of connected clients to insure appropriate security levels are maintained. The gateway operates as a policy enforcement point, and, when necessary, is used to apply and/or provide the required level of compliance for a connection on behalf of a requesting client. In one aspect, a specified level of compliance for a given security feature is facilitated, even if the requesting client is not able to meet that level of compliance at the time of the request. An adaptive end-point compliance model measures the requesting client's current level of compliance for one or more software programs on the client and may either require remediation, for example, when knowing that the remediation server is available and responding, or may provide, via a surrogate connection, the necessary level of compliance when remediation is not possible.
    Type: Grant
    Filed: January 3, 2006
    Date of Patent: January 24, 2012
    Assignee: Symantec Corporation
    Inventors: William Gauvin, Ed Taranto, Steve Zhou
  • Patent number: 8060942
    Abstract: A technique for film marking includes coding a print identifier into a binary-coded serial number; identifying particular frames (bit frames) that will be used to convey the bits (binary digits) of the binary-coded serial number and marking these bit frames in accordance with the particular bit values of the binary-coded serial number. The presence of a predefined mark on a bit frame is representative of a binary digit having a value of one, while the absence of the predefined mark on a bit frame is representative of a binary digit having a value of zero.
    Type: Grant
    Filed: April 27, 2004
    Date of Patent: November 15, 2011
    Assignee: Thomson Licensing
    Inventors: Mark Alan Schultz, Roy Osawa
  • Patent number: 8060741
    Abstract: A method for operating a wireless communication system including a mobile relay station group, a base station group, and an authentication server, includes: configuring, by the authentication server, group information into the mobile relay station group and the base station group; requesting, by the base station group, group authentication data for the mobile relay station group from the authentication server; and performing authentication between a member of the mobile relay station group and a member of the base station group and generating an authentication key individually by the member of the mobile relay station group and the member of the base station group. Also disclosed is a system for carrying out the method.
    Type: Grant
    Filed: August 13, 2007
    Date of Patent: November 15, 2011
    Assignees: Industrial Technology Research Institute, Telcordia Applied Research Center Taiwan Company
    Inventors: Jui-Tang Wang, Yuan-Ying Hsu, Jen-Shun Yang, Chien-Chao Tseng
  • Patent number: 8001613
    Abstract: A password-type security system may be employed using the placement of physical objects as a security pattern that is to be matched before access to secured content is granted. The system may be implemented on a computing system that uses a display that can detect, e.g., via optical circuitry, the visual characteristics of the display surface. The system can visually detect the placement of objects, their orientations, locations, color, printed patterns, etc. The user may define a security pattern as comprising one or more objects placed at locations on the screen, or at a predetermined rotation angle. The outline shape of an object may be treated as a required pattern, such that access to secured content is permitted only if the object having that outline shape is detected on the display surface. Similarly, printed patterns on objects may also be detected and used as part of security patterns.
    Type: Grant
    Filed: June 23, 2006
    Date of Patent: August 16, 2011
    Assignee: Microsoft Corporation
    Inventor: Duncan
  • Patent number: 7992000
    Abstract: A Session Initiation Protocol (SIP) authentication method, sends a request message without authentication information to a server end from a client to request for access; sends back a response message, which contains authentication exchange information and DH authentication response information of the server end when the server end receives the request message; authenticates the received response message by the client and sending a request message, which contains authentication information of the client, to the server end after the authentication is passed; authenticates a user according to the received request message by the server end, and sends back a response message which contains the authentication information of the server end; authenticates the legality of the server end by the user according to the received response message, which contains the authentication information of the server end.
    Type: Grant
    Filed: June 8, 2005
    Date of Patent: August 2, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Siyi Zhou
  • Patent number: 7991997
    Abstract: A packetized transport stream for protecting viewing content from unauthorized access and methods for manufacturing and using same. The transport stream includes a plurality of content frames, each having a frame header and a frame payload. Each frame header includes information for handling the content frame; whereas, the frame payload includes selected viewing content for which protection from unauthorized access is desirable. By encrypting only the frame payload, the header remains unencrypted and can be applied to prepare the encrypted frame payload for presentation. The viewing content thereby can be stored in an encrypted format and can be decrypted on-the-fly as the viewing content is needed for presentation. The combination of the unencrypted frame header and the encrypted frame payload advantageously enables the viewing content to be protected against unauthorized use, copying, and dissemination without impairing the presentation of the viewing content.
    Type: Grant
    Filed: June 23, 2006
    Date of Patent: August 2, 2011
    Assignee: Panasonic Avionics Corporation
    Inventors: Philip Watson, Kenshi Taniguchi, Randall Schwarz
  • Patent number: 7945045
    Abstract: Provided is a device for generating a chaotic signal comprising a PN signal generator that is composed of a digital logic circuit and generates a digital pseudo random signal with a predetermined frequency; a voltage control that generates a clock signal with a predetermined frequency; a mixer that mixes the pseudo random signal and the clock signal so as to generate a chaotic signal to output; and a band-pass filter that filters the chaotic signal, output from the mixer, into a chaotic signal of a desired band and then outputs the filtered signal.
    Type: Grant
    Filed: August 10, 2007
    Date of Patent: May 17, 2011
    Assignee: Samsung Electro-Mechanics Co., Ltd.
    Inventors: Yu Sin Kim, No Chul Myung, Jeong Ho Moon, Moo Il Jeong, Chang Seok Lee, Chang Soo Yang, Kwang Du Lee, Sang Gyu Park