Abstract: Methods, devices, systems, techniques, and computer program products are provided to secure timing synchronization to network nodes connected over an inherently insecure best effort public network with mechanisms to improve accuracy of timing protocols such as a statistically estimated edge timestamp offset encoded into the timing message to account for network jitter and processing latency variances incurred due to the security packet processing and encryption; to ensure slave network nodes shall only accept timing messages from trusted timing sources; to establish a secure tunnel with a trusted timing source for exchange of timing packets; to provide authentication and security for timing packets over the insecure public network; and to enhance message anonymity with variable payload padding.

Abstract: Technologies to facilitate supervision of an online identify include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computer device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database.

Abstract: Techniques are presented for detecting malware in an executable. The method includes receiving an executable to evaluate for malware, emulating an execution of the executable up to a first count of instructions, determining a number of cache misses that occur while emulating the executable up to the first count of instructions, comparing the number of cache misses to a threshold, and upon determining the number of cache misses exceeds the threshold, identifying the executable as potentially containing malware.

Abstract: A system and method for tracing an electronic document within a publication. A message is associated with the electronic document as an identification thereof. The binary representation of the message is encoded as a mark defining a drawing arrangement of geometrical shapes which encode the message in the glyph of the mark e.g. a simple text, a single character, a geometrical shape etc. or in the glyph of a single character then used as a mark. The mark is added to the electronic document to generate a traceable document having the message as identification within the publication. The mark is provided at a specific location with respect to the borders and/or center of the traceable document. The traceable document thus created is added to the publication. To track the document, the publication is sent to an electronic scanner module implementing a hook. The hook searches for the geometrical shapes representing the message in the mark.

Abstract: A system and method for web filtering, including: generating an institutional policy dashboard that enables an institution that issued a computing device to a minor user to select a set of institutional web access policies sanctioned by the institution; generating a parental policy dashboard that enables a parent of the minor user to select to a set of parental web access policies sanctioned by the parent; filtering web content accessed by the minor user via the computing device by enforcing the parental and the institutional web access policies; and reporting to the parent a set of web accesses undertaken by the minor user via the computing device.

Abstract: Systems and methods are provided for protecting electronic content from the time it is packaged through the time it is experienced by an end user. Protection against content misuse is accomplished using a combination of encryption, watermark screening, detection of invalid content processing software and hardware, and/or detection of invalid content flows. Encryption protects the secrecy of content while it is being transferred or stored. Watermark screening protects against the unauthorized use of content. Watermark screening is provided by invoking a filter module to examine content for the presence of a watermark before the content is delivered to output hardware or software. The filter module is operable to prevent delivery of the content to the output hardware or software if it detects a predefined protection mark. Invalid content processing software is detected by a monitoring mechanism that validates the software involved in processing protected electronic content.

Abstract: A wireless computing device operating as a controller of a peer-to-peer group configured to generate unique master keys for each device joining the group. The wireless computing device may use the unique master keys to selectively remove remote devices from the group such that the remote device cannot later rejoin the group. Other remote devices, each possessing a master key that remains valid, can disconnect from the group and later reconnect to the group without express user action. To support such behavior, the wireless device may provide a user interface through which a user may manage connected remote devices by providing commands to selectively disconnect or remove remote devices from the group.

Abstract: In one embodiment, an apparatus includes a processor and logic integrated with and/or executable by the processor. The logic is configured to communicate with a first physical switch, a second physical switch, and an overlay network that connects the first physical switch to the second physical switch. The logic is also configured to receive a request for a communication path through the overlay network for a packet, the request including at least the packet, first information about a source of the packet, the source of the packet being connected to the first physical switch, and second information about a most closely connected physical switch to a destination of the packet. Moreover, the logic is configured to determine the destination of the packet, the destination of the packet being connected to the second physical switch. Also, the logic is configured to determine whether to apply a security policy to the packet.

Abstract: A method for identifying a threatening network comprises an asymmetric threat signature (AT-SIG) algorithm comprising a network movement before/after algorithm that provides a graphical plot of changes in network transaction activity from before to after a specified time and further comprising one or more of: a network progression algorithm that provides a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular time or event; a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks; and an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time. Also disclosed are an AT-SIG system and a software program product.

Abstract: A memory device, a memory system, and an operating method of the memory system is provided. The operating method includes operations of transmitting an authentication request to a memory device using a memory controller; converting the authentication request to a first address using the memory device; processing authentication data that corresponds to the first address and indicates a physical characteristic of the memory device and transmitting the authentication data as an authentication response to the authentication request to the memory controller using the memory device; and verifying whether the authentication response received from the memory device is an authentication response to the authentication request using the memory controller.

Abstract: Methods and systems for managing, storing, and serving data within a virtualized environment are described. In some embodiments, a data management system may manage the extraction and storage of virtual machine snapshots, provide near instantaneous restoration of a virtual machine or one or more files located on the virtual machine, and enable secondary workloads to directly use the data management system as a primary storage target to read or modify past versions of data. The data management system may allow a virtual machine snapshot of a virtual machine stored within the system to be directly mounted to enable substantially instantaneous virtual machine recovery of the virtual machine.

Abstract: A computer-implemented method of pre-permissioning a computer application is disclosed. The method includes receiving a request from a user to install a software application, identifying one or more computing services required for operation of the software application, presenting the one or more computing services to the user for review, determining whether the user approves installation of the computer application, and installing the application on a computing device assigned to the user if the user approves installation of the computer application.

Abstract: Disclosed herein are systems, methods, and software for facilitating application licensing. In at least one implementation, license information for an application is identified based at least in part on a developer profile associated with the application and a state of a license for the application identified from at least a portion of the license information. Presentation of the application in accordance with the state of the license for the application can then be initiated.

Abstract: A system to provide an always-on embedded anti-theft protection for a platform is described. The system in one embodiment comprises an arming logic to move the platform to an armed mode when receiving an arming command, a disarming logic to move the platform to an unarmed mode when receiving a disarming command, the disarming logic active while the platform is in a low power state, and a power transition logic to move the system from the low power state to an ON state in response to a user request, the power transition logic to present a log-in screen when the platform is armed, and to move the platform to the ON state without a log-in screen when the platform is unarmed.

Abstract: A secure messaging system provides a secure messaging exchange service to identified user. In one embodiment, the System comprises a User Record Server (URS) comprising a plurality of Private Electronic Mail (PEM) user accounts. A Secure Mail Delivery Agent (SMDA) provides a storage area for inbound sMail upon authentication via the URS that a Sender ID bundle in a message header of each incoming message matches the Sender ID of at least one of said plurality of PEM user accounts before delivering said incoming message. A first Secure Mail Transfer Agent (SMTA), coupled via a first encrypted connection to said SMDA and via a second connection to a public network, is configured to insert a Sender ID bundle into sMail headers when routing outbound sMail, and further configured to establish encrypted channels for the transmission of sMail over a public network.

Abstract: A computer network is disclosed that includes a first domain and a second domain. The second domain has a higher security classification than the first domain. The computer network also comprises a Temporal Separation Cross Domain Gateway (TSEP-CDG) having a temporal separation hardware interlock. The interlock is configured to physically prevent communication between the first and second domains. It connects with the first domain in a first state to allow the TSEP-CDG to receive data from the first domain. The TSEP-CDG executes an information-invariant data transformation (IIDT) on the received data before it is available to the second domain. The IIDT alters the representation of the data while conveying the same information, disrupting anti-malware present in the received data. The temporal separation hardware interlock is configured for connection with the second domain in a second state to allow the TSEP-CDG to transmit the transformed data to the second domain.

Abstract: Embodiments of the invention broadly described, introduce systems and methods for protecting data at a data protection hub using a data protection policy. One embodiment of the invention discloses a method for protecting unprotected data. The method comprises receiving a data protection request message comprising unprotected data and one or more policy parameters, determining a data protection transformation using the policy parameters, performing the data protection transformation on the unprotected data to generate protected data, and sending the protected data.

Abstract: System(s) and method(s) to provide privacy measurement and privacy quantification of sensor data are disclosed. The sensor data is received from a sensor. The private content associated with the sensor data is used to calculate a privacy measuring factor by using entropy based information theoretic model. A compensation value with respect to distribution dissimilarity is determined. The compensation value compensates a statistical deviation in the privacy measuring factor. The compensation value and the privacy measuring factor are used to determine a privacy quantification factor. The privacy quantification factor is scaled with respect to a predefined finite scale to obtain at least one scaled privacy quantification factor to provide quantification of privacy of the sensor data.

Abstract: A random number generator for generating random numbers using a solid-state memory is proposed. The random number generator includes a determination unit for determining management data stored in the solid-state memory and for managing the solid-state memory during operation. The random number generator also includes a computing unit for calculating a starting value on the basis of the determined management data. The random number generator also includes a generation unit for generating a random number on the basis of the calculated starting value.

Abstract: Systems and methods are provided for managed file transfer. An enterprise server may receive a request from a sender to send a file to a recipient and may determine a location server that is closest to the location of the recipient. A server-to-server transfer can be automatically initiated to move the file to the location server that is closest to the location of the recipient.