Patents Examined by Simon Kanaan
  • Patent number: 9141800
    Abstract: The present invention provides a method and apparatus for detecting intrusions in a processor-based system. One embodiment of the method includes calculating a first checksum from first bits representative of instructions in a block of a program concurrently with executing the instructions. This embodiment of the method also includes issuing a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using second bits representative of instructions in the block when the second checksum is calculated.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: September 22, 2015
    Assignee: Advanced Micro Devices, Inc.
    Inventor: Reza Yazdani
  • Patent number: 9137262
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: September 15, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, Olivier Andre, Shafaq Abdullah
  • Patent number: 9131114
    Abstract: A method for encrypting content includes using a plurality of different encryption schemes to produce encrypted content. Encryption information is provided so as to indicate which of the plurality of different encryption schemes is used on portions of the content that was encrypted. Encryption information and the encrypted content are both sent as a content stream to another device. The decryption involves using the encryption information to help control the decryption so that the correct one of a plurality of different decryption schemes is applied to the proper portions of the encrypted content.
    Type: Grant
    Filed: June 1, 2010
    Date of Patent: September 8, 2015
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Sung-Bo Oh, Ji-Sung Oh, Jae-Hwan Oh
  • Patent number: 9122883
    Abstract: The embodiments of the present invention relate to controlling interactions between one or more components of a computer system, where each component is assigned a fixed security level and all currently active and newly requested interactions between components of the system are monitored.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: September 1, 2015
    Assignee: GE Aviation Systems Limited
    Inventor: Christopher James Slyfield
  • Patent number: 9111084
    Abstract: An authentication platform comprises an authentication unit configured to authenticate the user based on received input data, and a control unit configured to enable communication between a client device and an authentication host as a consequence of successful authentication of the user by the authentication unit.
    Type: Grant
    Filed: April 28, 2014
    Date of Patent: August 18, 2015
    Assignee: TEC SOLUTIONS, INC.
    Inventor: Todd Alan Carper
  • Patent number: 9087459
    Abstract: Methods, apparatus, and articles of manufacture to encode auxiliary data into text data and methods, apparatus, and articles of manufacture to obtain encoded data from text data are disclosed. An example method to embed auxiliary data into text data includes selecting a portion of auxiliary data to be encoded into text data, mapping the portion of auxiliary data to a first set of one or more encoded characters representative of the portion of the auxiliary data, mapping a position of the portion of auxiliary data within the auxiliary data to a second set of one or more encoded characters representative of the portion of the auxiliary data, and generating encoded data by including the first set of encoded characters and the second set of encoded characters in the text data.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: July 21, 2015
    Assignee: THE NIELSEN COMPANY (US), LLC
    Inventors: Nikolay Georgiev, Leonid Ayzenshtat
  • Patent number: 9083699
    Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: July 14, 2015
    Assignee: BlackBerry Limited
    Inventors: Michael Kenneth Brown, Michael S. Brown, Herbert Anthony Little, Neil Patrick Adams
  • Patent number: 9066231
    Abstract: In a method for 802.1X authentication, used in a network which comprises an access device and an access control device, a WLAN security template and an 802.1X client template are enabled at the access device, an 802.1X client template is enabled at the access device, and an 802.1X device template is enabled at a tunnel port of the access control device. The access control device establishes an 802.1X authentication tunnel with the access device, receives a packet transmitted by a client at the access control device through the 802.1X authentication tunnel, authenticates the client after receiving the packet, and assists the access device through the 802.1X authentication tunnel to obtain a session key.
    Type: Grant
    Filed: June 2, 2011
    Date of Patent: June 23, 2015
    Assignee: HANGZHOU H3C TECHNOLOGIES CO., LTD.
    Inventors: Yongfu Chai, Yonggang Xu
  • Patent number: 9047473
    Abstract: A customer server receives a client request to access protected resources over the Internet. First factor authentication is performed and if it is successful a vendor authentication engine is invoked to undertake second factor authentication. The results of the second factor authentication are returned to the customer server, which grants access only if both first and second factor authentication succeeds.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: June 2, 2015
    Assignee: Anakam, Inc.
    Inventors: Jonas Samuelsson, Allan Camaisa
  • Patent number: 9043608
    Abstract: The present invention provides for an electronic device having cryptographic computation means arranged to generate cryptographic data within the device for enhancing security of communications therewith, the device including an onboard power supplying means arranged to provide for the driving of the said cryptographic computational means, and so as to provide a device by way of a manufacturing phase and a post manufacturing phase arranged for distribution and/or marketing of the device, and wherein the step of generating the cryptographic data occurs during the post manufacturing phase.
    Type: Grant
    Filed: April 28, 2004
    Date of Patent: May 26, 2015
    Assignee: NXP B.V.
    Inventor: Bruce Murray
  • Patent number: 9043908
    Abstract: Detection of an encryption or compression application program may be based on similarity between read files read by a process of the application program and write files written by the process. Read fingerprints of the read files and write fingerprints of the write files are generated. A listing of the read fingerprints is searched for presence of matching write fingerprints to find matched fingerprints. The similarity is calculated based on the read fingerprints and matched fingerprints.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: May 26, 2015
    Assignee: Trend Micro Incorporated
    Inventors: Cheng Zhang, Weisheng Xue, Qiuer Xu
  • Patent number: 9043609
    Abstract: Security measures for tokens comprise storing security rules associated with a generated token in a memory. A processor, communicatively coupled to the memory, accesses the security rules associated with the generated token and determines whether to encrypt the generated token by applying at least a portion of the security rules to the generated token. The processor encrypts the generated token. An interface, communicatively coupled to the processor, communicates the encrypted token to a mobile device associated with a user.
    Type: Grant
    Filed: July 19, 2012
    Date of Patent: May 26, 2015
    Assignee: Bank of America Corporation
    Inventor: Matthew A. Calman
  • Patent number: 9038135
    Abstract: A first network device receives an authentication request, from a second network device, to authenticate a user device and a first over-the-top application, stored on the user device, to determine whether to apply a level of quality of service to the first over-the-top application. The first network device authenticates the user device, based on the authentication requested. The first network device authenticates the first over-the-top application, based on the authentication request. The first network device sends an authentication result, based on the authentication of the user device and the first over-the-top application, to the second network device; and the second network device initiates, based on the authentication result, a process to apply a level of quality of service to information sent between the first over-the-top application and a provider associated with the first over-the-top application.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: May 19, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Lalit R. Kotecha, William H. Stone, Matthew W. Nelson, Sanyogita Shamsunder
  • Patent number: 9021584
    Abstract: Disclosed are system, method and computer program product for assessing security danger of software. The system collects information about a suspicious, high-danger software object, including one or more malicious characteristics of the software object, security rating of the software object, and information about one or more security rating rules used in assessing the security rating of the software object. The system then determines whether the suspicious object is clean (i.e., harmless). When the suspicious object is determined to be clean, the system identifies one or more unique, non-malicious characteristics of the software object and generates a new security rating rule that identifies the software object as clean based on the one or more selected non-malicious characteristics. The system then assigns high priority ranking to the new security rating rule to ensure that the rule precedes all other rules.
    Type: Grant
    Filed: December 5, 2012
    Date of Patent: April 28, 2015
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 9021592
    Abstract: A method and system for analyzing source code is disclosed. A computer identifies a call in a first source code to an application programming interface in a second source code. Responsive to identifying the call in the first source code to the application programming interface in the second source code, the computer determines whether a set of policies for calls to application programming interfaces includes a policy for calls to the application programming interface. Responsive to a determination that the set of policies for calls to application programming interfaces does not include the policy for calls to the application programming interface, the computer generates the policy for calls to the application programming interface and adds the generated policy to the set of policies for calls to application programming interfaces.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: April 28, 2015
    Assignee: International Business Machines Corporation
    Inventor: Eric H. Heitzman
  • Patent number: 9021550
    Abstract: A computer-implemented method for executing a workflow is described, wherein the workflow comprises a set of individual activities, the method comprising the operations of deriving a global workflow access type and receiving a request to execute a workflow. Execution of access control based on the global workflow access type is performed. If access is allowable, the user is authorized to execute all activities belonging to the workflow. If access is not allowable, the user is rejected before executing the workflow.
    Type: Grant
    Filed: April 16, 2007
    Date of Patent: April 28, 2015
    Assignee: SAP SE
    Inventor: Maarten E. Rits
  • Patent number: 8990587
    Abstract: Security information such as fixed or dynamically received camera location information, laser signature information, timestamp information, and network information, may be used to secure the transport and storage of surveillance video. Where the surveillance video is to be transported on a communication network, the round trip time from a video data storage server to the surveillance camera and back to the video data storage server may be monitored and periodically added to the secured video data. By checking to see whether the round trip time has changed, it may be possible to determine whether the video has been tampered with. The secured video data may also be transported over two or more paths on the network to two or more video data storage servers so that redundant copies may be stored at different primary locations. By comparing copies of the data, alteration of one of the copies may be detected.
    Type: Grant
    Filed: March 26, 2012
    Date of Patent: March 24, 2015
    Assignee: RPX Clearinghouse LLC
    Inventors: Rolf Meier, Guy Duxbury
  • Patent number: 8990947
    Abstract: Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components.
    Type: Grant
    Filed: June 18, 2008
    Date of Patent: March 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Efim Hudis, Eyal Zangi, Moshe Sapir, Tomer Weisberg, Yair Helman, Shai Aharon Rubin, Yosef Dinerstein, Lior Arzi
  • Patent number: 8966280
    Abstract: A storage device includes a storage unit and a controller that controls the storage unit in accordance with a request provided from an upstream-side device. The storage unit includes a storage medium that stores data, an authentication processing unit that performs an authentication process, and a storage region managing unit that sets either a first region or a second region in a storage region. The first region is accessible and useable to perform data reading and data writing between the upstream-side device and the storage unit when the access authentication is successfully performed on the basis of a first password. The second region may be released when the access authentication is successfully performed on the basis of a second password. When the storage unit needs to be disconnected, the controller sets the second region in the storage region in which the first region has been previously set.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: February 24, 2015
    Assignee: Fujitsu Limited
    Inventor: Yoshihisa Aono
  • Patent number: 8959629
    Abstract: The embodiments provide a runtime validation apparatus including a runtime interceptor configured to intercept a server request for a requested web resource and a response including response data, and an output validation policy identifier configured to identify an output validation policy from a database storing a plurality of output validation policies based on the requested web resource. The identified output validation policy may represent a template that encompasses allowed responses for the requested web resource. The runtime validation apparatus may further include a validation evaluator configured to compare the response data with the template, and a validation controller configured to permit the response to be transmitted if the response data complies with the template and block the response if at least a portion of the response data does not comply with the template.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: February 17, 2015
    Assignee: SAP SE
    Inventor: Theodoor Scholte