Abstract: Malicious message detection and processing systems and methods are provided herein. According to various embodiments, a method includes detecting, via an intermediary node, a link included in a message, the link being associated with an unknown resource, hashing a unique identifier for a recipient of the message, coupling the hashed identifier with the link, creating an updated link and updated message, and forwarding the updated message to the recipient.

Abstract: A hashed value is computed from an encrypted password value and a displayed code value from a hardware token at a client. The encrypted password value is based on a username, a context identifier, and a password. The client provides the username and the hashed value to a server. The encrypted password value associated with the username is retrieved at the server. An expected hashed value is computed at the server. The client is validated based on a comparison of the hashed value and the expected hashed value.

Abstract: A global motion vector for a first video frame identifies a shift that, when applied to second video frame, increases the similarity between the two frames. A method comprises: selecting picture elements from the first frame; comparing the selected picture elements with correspondingly positioned picture elements of the second video frame to produce a measure of similarity corresponding to zero shift; comparing, for each of a plurality of trial shifts, the selected picture elements with picture elements of the second video frame that have the same mutual positions but shifted by the respective trial shift, to produce a measure of similarity in respect of that trial shift; identifying the trial or zero shift which gives rise to the highest measure of similarity; and estimating a global motion vector from the identified shift. The selected picture elements are less than 5% of the total number of lines in the frame.

Abstract: Data can be protected in a centralized tokenization environment. A request to tokenize sensitive data is received by an endpoint. A token for use in tokenizing the sensitive data is identified. A token certificate store is queried for a token certificate associated with the identified token. The token certificate can include a token status and use rules describing a permitted use of the token. Responsive to the token certificate store storing the queried token certificate, the endpoint tokenizes the sensitive data using the identified token if the token status indicates the token is available, and subject to the use rules included in the token certificate being satisfied. The token certificate is updated based on the tokenization of the sensitive data with the identified token and stored at the token certificate store.

Abstract: A method and apparatus for configuring identity federation configuration. The method includes: acquiring a set of identity federation configuration properties of a first computing system and a set of identity federation configuration properties of a second computing system; identifying one or more pairs of associated properties in the first and the second sets, where the pairs of associated properties include one property from each set of identity federation configuration; displaying, properties that need to be configured manually from the each sets of identity federation configuration properties, where the properties that need to be configured manually do not include the property in any pair of associated properties for which the value can be derived from the value of another property in the pair; automatically assigning a property that can be derived from the value of another property; and providing each computing systems with each set of identity federation properties.

Abstract: An approach is provided for detecting unauthorized wireless devices in a network. A platform retrieves an identifier of a device from a log of devices connected to a network, determines whether the device is a wireless device by applying a plurality of criteria to the identifier, retrieving a list of wireless devices authorized to connect to the network if the device is determined to be a wireless device, and compares the identifier with the list to determine whether the device is authorized to connect to the network.

Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.

Abstract: For a particular request to access a resource, both a user associated with the request and a service through which the request is made are identified. Whether requested access to a resource is permitted is determined based on a user associated with the requested access and a service through which the access is requested. This determination can be made based on an access control entry of an access control list corresponding to the resource, the access control entry identifying access to the resource that is permitted to the user when accessing the resource through the service.

Abstract: A system may include a host that may include a processor coupled to a non-volatile memory over a secure communication protocol. As a result, prior to release for manufacturing, a binding code may be established between the host and the non-volatile memory. In some embodiments, this binding code may be stored on the non-volatile memory and not on the host. Then during a boot up of the system, the boot up process may be initiated by the host using code associated with the host, followed by secure booting using the secure protocol using code stored on the non-volatile memory.

Abstract: Various example embodiments are disclosed herein. According to an example embodiment, a method may include receiving by a second computer a customization application, the customization application including a control panel to establish user preferences for a user account of the cloud-based service and/or system settings for the first computer; receiving by the second computer an input to the customization application to establish one or more user preferences for the user account and/or one or more system settings for the first computer; and transmitting from the second computer to a server associated with the cloud-based service the one or more user preferences and a username for the user account and/or the system settings for the first computer.

Abstract: The disclosure provides an anchor authenticator relocation method and system. The method includes: after an old authenticator accepts an anchor authenticator relocation request of a Mobile Station (MS), a new authenticator sends an authenticator relocation request to an AAA server; when the AAA server's verification on the new authenticator is passed and the old authenticator confirms that the new authenticator is trusted, the anchor authenticator is relocated to the new authenticator. The disclosure provides a detailed solution to perform anchor authenticator relocation without re-authentication.

Abstract: A first user may provide protected content to a second user. The user accesses the rights required by the protected content and the rights held by the second user. If the rights of the second user are equal or greater to those required by the protected content, the first user may then provide the protected content to the second user. Additionally, methods and systems for presenting information regarding multiple categories of content are provided. In addition, methods and systems that suggest activities by a user in relation to content and determined affinity for content in relation to user contacts are provided. A user interface application is provided that operates to display status and/or historical information regarding content, suggested activities, and suggested contacts. The user can interact with the interface to access detailed information and to act on suggestions.

Abstract: Disclosed is a method for implementing an encryption engine, which includes: when an engine binding interface is called, a hardware encryption engine establishes a connection with a hardware encryption equipment, acquires an algorithm list of said equipment, and fills a first data structure; when a key initialization interface is called, said engine, according to the transmitted first data structure, sets an encryption/decryption algorithm to be used by said equipment, and retrieves a corresponding algorithm key; and if no algorithm key is retrieved, said engine controls said equipment to create said algorithm key; when a data encryption/decryption interface is called, said engine, according to the currently set encryption/decryption algorithm and said algorithm key, controls said equipment to perform an encryption/decryption operation on the transmitted data. The present invention can add or extend the encryption/decryption algorithm that can only be implemented in hardware to a software algorithm library.

Abstract: Mechanisms for controlling traffic on a communication network are described. The mechanisms can be implemented, for example, using signaling messages. For example, a receiver can send a permission message to allow the sender to send a given amount of data along a particular path. As another example, a sender can send a query message indicating a volume of data that has been sent since the sender received a permission message. Upon receiving the query message, a receiver (or another device such as a router, etc.) can detect an attack by comparing the volume of data in the query message with the volume of data that has been received by the receiver. Upon detecting an attack, the receiver can drop unauthorized packets or request the sender to use a security protocol (e.g., IPsec AH) when transmitting data packets and/or change the path of the data flow (e.g., using multi-homing).

Abstract: A method for device driver self authentication is provided. The method includes accessing a device driver having encrypted authentication parameters therein including, for instance, a vendor identification, a device identification, a serial number, an expiration date and a filename. The method includes executing an authentication portion of the device driver to generate a message digest of these parameters and comparing the message digest to a stored digest for a match thereof. The method further includes loading the device driver only if the authentication portion successfully authenticates the device driver, e.g., there is a match. The method can be applied to USB device drivers and peripherals.

Abstract: Systems, methods, and program products are provided for selectively restricting the transmission of copy protected digital media content from a computer system, over a network, and to a remote display. In one embodiment, a method includes the steps of capturing digital media content rendered on the local display by a media player application executed by the computer system; determining whether the media player application is accessing copy protected digital media content; and, if the media player application is not accessing copy protected digital media content, converting the captured digital media content to a media stream and transmitting the media stream over a network for presentation on a remote display.

Abstract: There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack.

Abstract: A processing module encodes data into a plurality of sets of encoded data slices in accordance with first error coding dispersal storage function parameters optimized for data recovery speed and non-optimal for data recovery reliability. The processing module encodes priority data segments of the data in accordance with second error coding dispersal storage function parameters to produce a plurality of sets of priority encoded data slices optimized for data recovery reliability and non-optimal for data recovery speed. The module outputs the plurality of sets of encoded data slices and the plurality of sets of priority encoded data slices to a dispersed storage network memory for storage therein.

Abstract: A mobile terminal supporting dual operating systems and an authentication method thereof. The mobile terminal includes a memory configured to store at least two different operating systems configured to act in at least two different modes, respectively, and a controller configured to perform an authentication procedure for authenticating that one mode can be switched to the other mode, and to display a type identifier only in one group identifier corresponding to a currently activated mode among the at least two different operating systems.

Abstract: Systems, methods, and machine-readable and executable instructions are provided for encryption key storage. Encryption key storage may include associating each of a plurality of identifiers with a different one of a plurality of key fragment stores, determining a plurality of indexes, where each of the plurality of indexes is based upon a handle provided by a customer, an authorization token provided by the customer, and a different one of the plurality of identifiers, partitioning an encryption key provided by the customer into a number of encryption key fragments, and distributing the plurality of indexes and the number of encryption key fragments to the plurality of key fragment stores. The handle can be a uniform resource identifier, for instance.