Abstract: The present invention provides a system, method, and computer-readable medium for quarantining a file. Embodiments of the present invention are included in antivirus software that maintains a user interface. From the user interface, a user may issue a command to quarantine a file or the quarantine process may be initiated automatically by the antivirus software after malware is identified. When a file is marked for quarantine, aspects of the present invention encode file data with a function that is reversible. Then a set of metadata is identified that describes attributes of the file including any heightened security features that are used to limit access to the file. The metadata is moved to a quarantine folder, while the encoded file remains at the same location in the file system. As a result, the encoded file maintains the same file attributes as the original, non-quarantined file, including any heightened security features.

Abstract: A method and system that may include two or more authentication devices configured to authenticate a user via an authentication session. The method and system may also include a device operably coupled to the two or more authentication devices and being configured to manage the authentication session.

Abstract: A firewall configured to be interfaced between an internal and an external networks. The firewall includes a VoIP processor for detecting an outgoing VoIP packet sent from the internal network, for changing data in a header of the VoIP packet and also changing data contents in the VoIP packet corresponding to data changed in the header to enable bi-directional VoIP communication. In one embodiment, the VoIP processor changes a source IP address and a port number in the header of the VoIP packet and also changes the data contents in the VoIP packet corresponding to the source IP address and the port number changed in the header to enable bi-directional VoIP communication. In another embodiment, the firewall further includes an external VoIP interface comprising multiple VoIP ports for receiving multiple incoming VoIP packets each designated with one of the VoIP ports.

Abstract: A method and system for performing garbage collection involving sensitive information on a mobile device. Secure information is received at a mobile device over a wireless network. The sensitive information is extracted from the secure information. A software program operating on the mobile device uses an object to access the sensitive information. Secure garbage collection is performed upon the object after the object becomes unreachable.

Abstract: In a method and system for printing of sensitive data, encrypted sensitive data to be printed is transferred to a printing device having a printing unit. This sensitive data to be printed is decrypted to create decrypted sensitive data. The decrypted sensitive data is converted into control signals for activation of the printing unit. The decrypted sensitive data is stored in a non-volatile memory such that the decrypted sensitive data are distributed in a plurality of memory segments of the non-volatile memory where a relationship of the memory segments is stored as relationship data independently of the stored decrypted sensitive data. The decrypted sensitive data is printed with the printing unit on a recording medium.

Abstract: Supporting statements are provided to help safely and efficiently construct and verify proofs necessary for deciding whether to grant a request from one entity for accessing a resource owned or administered by another entity.

Abstract: To control access to target data whilst relieving the data provider of policing obligations, the data provider provides the target data in encrypted form to a requesting party as part of a data set with which first and second trusted authorities are associated in a non-subvertible manner. Recovery of the target data in clear by the party requires the first trusted authority to verify that a specific individual is a professional accredited with it, the second trusted authority to verify that a particular organisation is accredited with it, the particular organisation to verify that the specific individual is engaged by it, and at least one of the particular organisation and the first trusted authority to verify that the party is the specific individual. Various ways of encrypting the target data are provided, the preferred ways being based on Identifier-Based Encryption schemas.

Abstract: In an integrated-circuit chip having intercommunicating modular functional units of electrical circuits, wired transmission of sensitive information signals between the functional units of the electrical circuits involves generating a reference signal and coding the sensitive information signals, after being emitted by a generating functional unit in the chip, with the reference signal to disguise the sensitive information represented by the sensitive information signals. The coded sensitive information signals are decoded with the reference signal before the sensitive information signals are received by a processing functional unit in the chip. At least one signal of the reference signal and the decoded sensitive information signals are monitored, and a hacker attack is identified in response to a determination that the decoded sensitive information signal is other than a plausible signal.

Abstract: A method, system and computer-readable medium for deterring software piracy in a volume license environment. A volume license key embedded within a volume license file is received. The volume license key has first data derived from at least one machine attribute of the environment. The volume license file is authenticated using second data derived from at least one machine attribute of the environment. A software package associated with the volume license key is then activated on at least one computing device in the environment.

Abstract: A method and system for preventing undesired behaviors by executable code modules in a peer-to-peer computer system are provided. When a code module is received, an assembly inspection module queries a blacklist for the received code module. When the received code module is found on the blacklist, the computer system prevents execution of the received code module. Each peer includes an assembly inspection module. When the received code module is not found on the blacklist, the assembly inspection module inspects the received executable code module, prior to execution, to determine whether the code module can perform any undesired behaviors. If so, the received code module is added to the blacklist and prevented from executing.

Abstract: Systems and methods for processing data and communicating encrypted data are provided. A method of processing data and communicating encrypted data may include receiving input traffic data at a first interface of a channel service unit/data service unit (CSU/DSU). The method may also include determining management data associated with the input traffic data. The method may also include encrypting the management data at the CSU/DSU to produce encrypted management data. The method may further include sending the encrypted management data via a second interface of the CSU/DSU to a remote terminal of a local area network for viewing by user via a data router coupled to the CSU/DSU.

Abstract: The invention provides apparatus and methods for defending against attacks in a distributed computing environment, including (1) distinguishing attack traffic patterns from legitimate traffic patterns, (2) responsive to nature of message patterns; (3) attack traffic has few origination points, and does not divide further from target device; (4) detectors of illegitimate traffic can cooperate to confirm the suspected attack, with the effect of providing more information to each other.

Abstract: A method and system for obfuscating computer code of a program to protect it from the adverse effects of malware is provided. The obfuscation system retrieves an executable form of the computer code. The obfuscation system then selects various obfuscation techniques to use in obfuscating the computer code. The obfuscation system applies the selected obfuscation techniques to the computer code. The obfuscation system then causes the obfuscated computer code to execute.

Abstract: A secure switching system that utilizes radio frequency identification (RFID) technology to allow only authorized users to access a remote management or keyboard, video, mouse (KVM) switching system. The system includes a plurality of user workstations that allow a user to select, monitor, and operate remote devices using a local keyboard, video monitor, and cursor control device. Coupled to or integrated with the system is an RFID transceiver that detects the presence of RFID tags that are within range of communications. A user workstation is only operable if the RFID transceiver detects a valid RFID tag.

Abstract: A method of communicating information in a system having multi-level security requirements includes receiving a packet having unencrypted data, routing the packet to a host, and processing the packet at the host such that data from the packet is maintained in the protected address space associated with the host. The host includes a number of virtual hosts, each having a unique internet protocol (IP) address, a protected address space, and a protocol stack.

Abstract: A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.

Abstract: A moving image watermarking method, which forms a global masking map by combining frequency masking, spatial masking and motion masking values together and inserts a watermark according to the formed global masking map through the use of a human visual system is provided. In the moving image watermarking method, a watermark value is obtained by exclusive-ORing a random key value and a binary value of a logo image. A plurality of masking operations are separately performed. A global masking value is obtained through the separate masking operations. A watermarked frame value is obtained by adding a watermark value weighted by the global masking value and a control variable to an original frame value.

Abstract: One embodiment of the present invention provides a system that protects data from unauthorized modification in a table, wherein the table contains one or more rows, and wherein each row contains one or more columns. During operation, the system chooses in a row one or more columns to be protected. The system then produces an encrypted value for the row based on the data stored in the chosen columns. Next, the system stores the encrypted value in a column which cannot be easily modified. In this way, a later-produced encrypted value generated from the values in the protected columns can be compared against the previously stored encrypted value to verify the integrity of the data stored in the protected columns.

Abstract: A method and system for auto discovery of authenticator for network login is described. The system includes an authenticator discovery controller of a packet forwarding device that helps a user discover the IP address of the packet forwarding device and directs the user to a network login page. The method includes intercepting a request for a web page from a user who is connected to a packet forwarding device that prevents the user from accessing a network, directing the user to a network login page, authenticating the user, and allowing the user to access the network when the user is authenticated.

Abstract: Methods and apparatus are provided for decoupling a cryptography accelerator interface from cryptographic processing cores. A shared resource is provided at the cryptography accelerator interface having multiple input ports. References to data in the shared resource are provided to allow processing and ordering of data in preparation for processing by cryptographic processing cores without substantial numbers of separate buffers in the cryptographic processing data paths.