Patents Examined by Zachary A Davis
  • Patent number: 9530012
    Abstract: Markup language security messages are processed. A template corresponding to a markup language security message is identified. The markup language security message is parsed for variable values using the template. A transition sequence is generated that represents the entire markup language security message. Each transition in the transition sequence is associated with a portion of the markup language security message. A lightweight data model of the markup language security message is populated using the transition sequence. The lightweight data model includes nodes for the variable values and a set of selected constant values.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: December 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Hyen Vui Chung, Satoshi Makino, Masayoshi Teraguchi, Kenichiro Ueno
  • Patent number: 9519781
    Abstract: Systems and methods for virtualization and emulation assisted malware detection are described.
    Type: Grant
    Filed: November 3, 2011
    Date of Patent: December 13, 2016
    Assignee: Cyphort Inc.
    Inventors: Ali Golshan, James S. Binder
  • Patent number: 9443086
    Abstract: The invention relates to a system and method for fixing application vulnerabilities through a correlated remediation approach. This invention involves identifying application vulnerabilities through dynamic and static assessment of an application. The vulnerability instances reported in the static assessment are fixed using standard code fixes. The assessment results obtained from the static and the dynamic assessment are then correlated to identify how many vulnerability instances reported in the static assessment are fixed by the standard code fixes. If a vulnerability instance reported in the dynamic assessment corresponds to more than one vulnerability instance reported in the static assessment then the shortest and most cost effective path to fix the vulnerability instance is determined. These results are stored in a graph database and based on the graph database the application vulnerabilities are fixed. An inference engine can be used to identify the correct fix for an application vulnerability.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: September 13, 2016
    Assignee: Infosys Limited
    Inventor: Mohanakrishnan Shankar
  • Patent number: 9438627
    Abstract: A security information technology element (ITE) is disclosed for secure application and data processing, the security ITE including a physical enclosure defining a protection envelope and a secure computing device disposed within the protection envelope. The security ITE provides security services to applications and a secure processing environment for hosting applications, and includes cryptographic services and hardware acceleration. A security manager within the security ITE is configured to erase data within the protection envelope upon detecting physical tampering.
    Type: Grant
    Filed: June 11, 2014
    Date of Patent: September 6, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ronald L. Billau, Vincenzo V. Di Luoffo
  • Patent number: 9432381
    Abstract: A location provider manages dissemination of location data of a user to one or more third-party services, so that the user can take advantage of services offered by the third parties, without the associated burden of continuously granting or denying requests by the third party services to obtain location data of the user. A third-party service can obtain location information of a user from the location provider. Users may control circumstances in which the location provider is to share location data of the user with the one or more third-party services.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: August 30, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Matthew Graham Dyor, Pablo Tapia
  • Patent number: 9413737
    Abstract: Login credentials for at least one website, such as a social networking website, are received from a user purporting to act on behalf of an entity, for example, in the context of registering the entity with a system for electronic bill payment. Social data relating to the entity is retrieved from the websites using the login credentials. The social data comprises a plurality of social connections, each reflecting a respective relationship between the entity and a respective third party. A plurality of relevant social connections comprising at least a subset of the plurality of social connections is determined, each social connection of the plurality of relevant social connections reflecting a relationship to a respective third party that is deemed to be reliable. A reliability rating of the entity is then determined based on the plurality of relevant social connections.
    Type: Grant
    Filed: January 16, 2014
    Date of Patent: August 9, 2016
    Assignee: Bill.com, Inc.
    Inventors: Mark Orttung, Darren Linscott
  • Patent number: 9407629
    Abstract: A method for assembling authorization certificate chains among an authorizer, a client, and a third party allows the client to retain control over third party access. The client stores a first certificate from the authorizer providing access to a protected resource and delegates some or all of the privileges in the first certificate to the third party in a second certificate. The client stores a universal resource identifier (URI) associated with both the first certificate and the third party and provides the second certificate and the URI to the third party. The third party requests access to the protected resource by providing the second certificate and the URI, without knowledge or possession of the first certificate. When the authorizer accesses the URI, the client provides the first certificate to the authorizer, so that the client retains control over the third party's access.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: August 2, 2016
    Assignee: Intel Corporation
    Inventor: Victor B. Lortz
  • Patent number: 9400886
    Abstract: A system, method and computer program product for identifying malicious code running on a computer, including an operating system running on the computer with a data storage device; and a trusted software component running simultaneously with the operating system. An online snapshot process of a current state of the data storage device copies data blocks from the storage device to intermediate storage. Processes running under the control of the operating system have access to the data storage device. A scanning procedure runs under control of the trusted software component that has access to data representing the snapshot of the data storage device from the trusted software component. The scanning procedure analyzes the snapshot of the data storage device for the malicious code, and, in response to a “write” directed to a data block in the snapshot area of the storage device, that data block is written to the intermediate storage.
    Type: Grant
    Filed: September 24, 2014
    Date of Patent: July 26, 2016
    Assignee: Acronis International GmbH
    Inventors: Serguei M. Beloussov, Maxim V. Lyadvinsky
  • Patent number: 9390286
    Abstract: An administrator may set restrictions related to the operation of a virtual machine (VM), and virtualization software enforces such restrictions. There may be restrictions related to the general use of the VM, such as who may use the VM, when the VM may be used, and on what physical computers the VM may be used. There may be similar restrictions related to a general ability to modify a VM, such as who may modify the VM. There may also be restrictions related to what modifications may be made to a VM, such as whether the VM may be modified to enable access to various devices or other resources. There may also be restrictions related to how the VM may be used and what may be done with the VM. Information related to the VM and any restrictions placed on the operation of the VM may be encrypted to inhibit a user from circumventing the restrictions.
    Type: Grant
    Filed: July 24, 2014
    Date of Patent: July 12, 2016
    Assignee: VMware, Inc.
    Inventors: Matthew David Ginzton, Matthew B. Eccleston, Srinivas Krishnamurti, Gerald C. Chen, Nick Michael Ryan
  • Patent number: 9367706
    Abstract: Access to some aspect of a service may be limited until a user has invested in performing some amount of computation. Legitimate users typically have excess cycles on their machines, which can be used to perform computation at little or no cost to the user. By contrast, computation is expensive for for-profit internet abusers (e.g., spammers). These abusers typically use all of their computing resources to run “bots” that carry out their schemes, so computation increases the abuser's cost by forcing him or her to acquire new computing resources or to rent computer time. Thus, the providers of free services (e.g., web mail services, blogging sites, etc.), can allow newly registered users to use some limited form of the service upon registration. However, in order to make more extensive use of the service, the user can be asked to prove his legitimacy by investing in some amount of computation.
    Type: Grant
    Filed: April 2, 2010
    Date of Patent: June 14, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shawn D. Loveland, Geoffrey J. Hulten, John L. Scarrow
  • Patent number: 9350547
    Abstract: Systems and methods are disclosed for embedding information in software and/or other electronic content such that the information is difficult for an unauthorized party to detect, remove, insert, forge, and/or corrupt. The embedded information can be used to protect electronic content by identifying the content's source, thus enabling unauthorized copies or derivatives to be reliably traced, and thus facilitating effective legal recourse by the content owner. Systems and methods are also disclosed for protecting, detecting, removing, and decoding information embedded in electronic content, and for using the embedded information to protect software or other media from unauthorized analysis, attack, and/or modification.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: May 24, 2016
    Assignee: Intertrust Technologies Corporation
    Inventors: William G. Horne, Umesh Maheshwari, Robert E. Tarjan, James J. Horning, W. Olin Sibert, Lesley R. Matheson, Andrew K. Wright, Susan S. Owicki
  • Patent number: 9344415
    Abstract: Disclosed is an electronic device and an authentication method performing therein. The authentication method includes transmitting a first address to a service providing node, receiving a first response to the transmission of the first address from the service providing node, transmitting a second address to the service providing node, receiving a second response to the transmission of the second address from the service providing node, and determining whether it is necessary to perform authentication for accessing a data network as a result of comparing the first response with the second response.
    Type: Grant
    Filed: May 2, 2013
    Date of Patent: May 17, 2016
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Amang Kim
  • Patent number: 9330280
    Abstract: A system and method are provided for identity management of applications on computing devices. A set of applications is registered at an identity management system. Each application allows a different level of access permission to the application based on a user role associated with a user accessing the application. A set of user profiles associated with users are received. Each user profile includes a login credential for allowing access to the applications and a user role for defining a user level of access permission to the applications. An access request to access an application is received at the identity management system and responsive to the access request, a user associated with the access request is authenticated. Upon successful authentication, the user role associated with the authenticated user is determined and the user is allowed to access functions of the application corresponding to the determined user role.
    Type: Grant
    Filed: June 10, 2014
    Date of Patent: May 3, 2016
    Assignee: VERIZON PATENT AND LICENSING INC.
    Inventors: Vivek Rachalwar, Vineet Fernandes
  • Patent number: 9324206
    Abstract: An apparatus capable of hosting a secure module, which secure module comprises at least one secure module application. The apparatus is configured to provide connectivity to the secure module. A processing module is configured to obtain from the secure module information concerning the at least one secure module application. The processing module is, based on the obtained information, configured to check whether a compatible counterpart application is present in the apparatus. A communication module is configured to obtain the compatible counterpart application from an outside source in case no compatible counterpart application is present in the apparatus.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: April 26, 2016
    Assignee: Nokia Technologies Oy
    Inventor: Mikko Saarisalo
  • Patent number: 9325692
    Abstract: Methods and apparatus, including computer program products, related to relationship-based authorization. In general, data characterizing a request for authorization to a computer-based resource is received, and the authorization may be provided based on one or more relationships of a requesting principal. A determination may be made as to whether a requesting principal is authorized, which may include determining whether the requesting user has a relationship with a principal that has management rights of the computer-based resource and determining whether the relationship allows for an access, such as a use of the computer-based resource, if the requesting principal has a relationship with the other principal. If there is no such relationship, a determination may be made as to whether an organization of the requesting principal has a relationship with the other principal that allows for the access.
    Type: Grant
    Filed: July 28, 2014
    Date of Patent: April 26, 2016
    Inventor: Michael Beck
  • Patent number: 9325694
    Abstract: An anonymous entity authentication method includes the steps of: an entity B sending RB and IGB; an entity A sending RB, R′A, IGA and IGB to a trusted third party TP, the trusted third party TP checking a group GA and a group GB against IGA and IGB for legality; the trusted third party TP returning ResGA, ResGB and a token TokenTA or returning ResGA, ResGB, TokenTA1 and TokenTA2 to the entity A; the entity A sending TokenAB and IGA to the entity B for authentication by the entity B; and the entity B sending TokenBA to the entity A for authentication by the entity A. In this solution, anonymous entity authentication can be performed without passing identity information of the authenticated entity itself to the opposite entity. Furthermore this solution further relates to an anonymous entity authentication apparatus and a trusted third party.
    Type: Grant
    Filed: July 11, 2011
    Date of Patent: April 26, 2016
    Assignee: China IWNCOMM Co., Ltd.
    Inventors: Zhiqiang Du, Manxia Tie, Xiaolong Lai, Qiongwen Liang
  • Patent number: 9306968
    Abstract: Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display.
    Type: Grant
    Filed: July 30, 2014
    Date of Patent: April 5, 2016
    Assignee: McAfee, Inc.
    Inventors: Jayesh Sreedharan, Rahul Mohandas
  • Patent number: 9300687
    Abstract: Techniques for preventing unauthorized access to protected network resources include accessing, from a client appliance connected in a distributed network, a computing appliance through the world wide web, the computing appliance including a DNS server addressed by a particular domain name; receiving, from the computing appliance, a portion of code at the client appliance through a web browser of the client appliance, receiving, to a server appliance connected in the distributed network, a request to access secure content stored on the server appliance by the portion of code; comparing the domain name of the DNS server with a server-origin of the secure content; and based on the domain name of the DNS server being exclusive of a set of server-origin values that includes the server-origin, denying access to the request.
    Type: Grant
    Filed: August 6, 2013
    Date of Patent: March 29, 2016
    Assignee: SAP SE
    Inventors: Martin Johns, Sebastian Lekies
  • Patent number: 9300467
    Abstract: A framework, device and method are disclosed for providing broadcast communication security over Ethernet within an automation system, wherein a security plug provides secure working of the automation system. The security plug can be implemented using ASIC/FPGA technology to provide compatibility with existing systems and an intuitive plug-and-play model. An exemplary system can address jitter-sensitivity by providing a real-time architecture, with minimal transmission latencies. The security plug can have separate security and communication modules that make provisions for protocol independent working of the security plug, within these networks. The method can include bootstrapping, secret key establishment and secure communication, for providing real-time guarantees.
    Type: Grant
    Filed: February 26, 2010
    Date of Patent: March 29, 2016
    Assignee: ABB RESEARCH LTD
    Inventors: Kapaleeswaran Viswanathan, Wilhelm Wiese, Aswin Gopalan
  • Patent number: 9300762
    Abstract: In particular embodiments, a method includes intercepting a remote desktop connection request and connecting to a network gateway based on the remote desktop connection request. A first connection with a server is initiated via the network gateway using a first communication protocol. A plurality of cryptographic contexts are exchanged with the server. A token encrypted using one of the plurality of cryptographic contexts is received from the server. The token is sent from a client device to the server or a proxy to authenticate the client device, and a second connection is initiated with the server, via the proxy, using a second communication protocol.
    Type: Grant
    Filed: September 13, 2013
    Date of Patent: March 29, 2016
    Assignee: Dell Products L.P.
    Inventors: Santhosh Krishnamurthy, Raghunandan Hanumantharayappa, Khader Basha P. R.