Abstract: A network node in an information centric network (ICN), comprising a receiver configured to receive a request for content from a user, wherein the request comprises a name, wherein the name uniquely identifies the content associated with the name, wherein the name provides persistently locatable routing to the content, wherein the name provides meaning to an application, and wherein the name comprises a security verifier, a processor coupled to the receiver and configured to determine a next hop to which to forward the request based on the name, and a transmitter coupled to the processor and configured to forward the request to the next hop.

Abstract: A content router, comprising a plurality of physical links to other nodes in an information centric network, a receiver coupled to the plurality of physical links configured to receive messages, a transmitter coupled to the plurality of physical links configured to transmit messages, and a service publishing and discovery (SPD) module comprising a processor and memory device coupled to the receiver and to the transmitter, wherein the SPD is configured to store status updates of the physical links, wherein the SPD is configured to determine a next hop and a number of hops to forward a received message based on a prefix in a name-based service discovery protocol name of a received message.

Abstract: One embodiment of the present invention provides a system for performing secure multiparty cloud computation. During operation, the system receives multiple encrypted datasets from multiple clients. An encrypted dataset associated with a client is encrypted from a corresponding plaintext dataset using a unique, client-specific encryption key. The system re-encrypts the multiple encrypted datasets to a target format, evaluates a function based on the re-encrypted multiple datasets to produce an evaluation outcome, and sends the evaluation outcome to the multiple clients, which are configured to cooperatively decrypt the evaluation outcome to obtain a plaintext evaluation outcome.

Abstract: Techniques for allocating individually executable portions of executable code for execution in an Elastic computing environment are disclosed. In an Elastic computing environment, scalable and dynamic external computing resources can be used in order to effectively extend the computing capabilities beyond that which can be provided by internal computing resources of a computing system or environment. Machine learning can be used to automatically determine whether to allocate each individual portion of executable code (e.g., a Weblet) for execution to either internal computing resources of a computing system (e.g., a computing device) or external resources of an dynamically scalable computing resource (e.g., a Cloud). By way of example, status and preference data can be used to train a supervised learning mechanism to allow a computing device to automatically allocate executable code to internal and external computing resources of an Elastic computing environment.

Abstract: Improved techniques for controlling access to accessible components of computing environments are disclosed. The techniques, among other things, can be used to provide Mandatory Access Control (MAC) mechanisms for mobile and embedded systems. One or more accessible components (e.g., accessible resources) which a component may attempt to access are determined so that one or more access permissions can be stored in a manner that they can be obtained if the component attempts to access the one or more accessible components, thereby allowing access to the one or more accessible components to be determined based on access permissions that are readily available. Generally, access permissions can be identified and stored in anticipation of need. Access permissions can be identified, for example, based on the likelihood of use, or all possible access permissions can be determined and stored. A safe (e.g.

Abstract: A user device comprising a processor configured to enable a mnemonic based digital signature scheme for user authentication that is based on a combination of one or more secrets and one or more actions implemented on the user device and associated with the secrets, and a device input system coupled to the processor and configured to detect the actions implemented on the user device. Also disclosed is an apparatus comprising a processor configured to implement a mnemonic based digital signature for authenticating a user, a device input system configured to enable the mnemonic based digital signature, and a memory unit configured to store input data that is used to recognize the mnemonic based digital signature, wherein the mnemonic based digital signature comprises a secret, an action associated with the secret and implemented using the device input system, and a cue associated with the action.

Abstract: A networking system comprising a content router for an information-centric network (ICN) comprising a content store (CS), a pending interest table (PIT), a forwarding information base (FIB), and a plurality of interfaces, and configured to receive and forward interest from one or more users and data from one or more applications via the interfaces using a dual-mode data forwarding plane, and a plurality of next hop nodes of the ICN coupled to the content router and configured to forward the interest and data to the content router via the interfaces, wherein the dual-mode forwarding plane forwards the interest and data using the FIB without the CS and PIT for conversational traffic and using the CS, PIT, and FIB for content dissemination traffic.

Abstract: A content-centric-network (CCN)/named-data networking (NDN) system to support seamless mobility for a mobile node (MN) comprising a first point of attachment (PoA) configured to indicate to the MN that attaches to the first PoA one or more neighbor PoAs and to multicast an interest for content from the MN to the neighbor PoAs in a CCN or NDN when the MN starts a handoff procedure, and a second PoA from the one or more neighbor PoAs of the first PoA configured to receive the multicast interest from the first PoA, forward the interest to the CCN or NDN, receive content data from the CCN or NDN, and forward the content data to the MN.

Abstract: A networking system for a content-centric-network (CCN)/named-data networking (NDN) comprising a first point of attachment (PoA) configured to communicate with a mobile node (MN) and maintain a forwarding state for the MN to support seamless mobility for the MN, and a second PoA configured to communicate with the MN and obtain the forwarding state for the MN from the first PoA after a handoff of the MN from the first PoA to the second PoA, wherein the forwarding state is used to exchange a plurality of interests and a plurality of data responses between the MN and the CCN/NDN.

Abstract: A networking system comprising an application service that runs on a cloud infrastructure and is configured to receive dual encrypted content from a content provider and re-encrypt the dual encrypted content to enable dynamic user group control for group-based user authorization, and a cloud storage service coupled to the application service and configured to store the dual encrypted content from the content provider and the re-encrypted dual encrypted content from the application service, wherein the application service and the storage service are configured to communicate and operate with a content delivery service that uses a content delivery network (CDN) to deliver the re-encrypted content to one or more users in a group authorized by the content provider.

Abstract: A network component comprising a receiver configured to receive an advertisement for a content name for content associated with a list of secured router identifiers (SRIDs) that indicates a plurality of content routers authorized for routing and caching the content, a processor configured to determine whether to flood the advertisement to a plurality of neighboring nodes if a locally assigned SRID is included in the list of SRIDs received in the advertisement or to drop the advertisement otherwise, a transmitter configured to flood the advertisement on a plurality of ports coupled to the neighboring nodes, and a storage configured to cache received content if the received content is associated with the locally assigned SRID.

Abstract: Techniques for assessing the cost of allocation of execution and affecting the allocation of execution are disclosed. The cost of allocation of execution between a first computing device (e.g., mobile device) and one or more computing resource providers (e.g., Clouds) can be determined during runtime of the code. A computing system can operate independently of the first computing device and a computing resource provider and provide execution allocation cost assessment. Execution allocation cost can be assessed based on execution allocation data pertaining to the first computing device and computing resource providers. Power consumption of a mobile device can be used as a factor in determining how to allocate individual components of an application program between a mobile phone and a Cloud. In an Elastic computing environment, external computing resources can be used to extend the computing capabilities beyond that which can be provided by internal computing resources.

Abstract: A networking system comprising a virtual group controller in an information centric network configured to enable mobility and security for a plurality of users groups of the information centric network, a plurality of user groups coupled to the virtual group controller and associated with the users, a plurality of agents that are each associated with one of the user groups, and a database for trusted service profile coupled to the virtual group controller, wherein the virtual group controller is configured to interact with the agents to enable mobility for the user groups using a server-less domain-based naming scheme.

Abstract: Techniques for assessing the cost of allocation of execution and affecting the allocation of execution are disclosed. The cost of allocation of execution to or between a first computing device (e.g., a mobile device) and one or more computing resource providers (e.g., one or more Clouds) can be determined during runtime of the executable code. It will be appreciated that a computing system can operate independently of the first computing device and one or more computing resource providers and provide execution allocation cost assessment as a service to the first computing device and/or one or more computing resource providers. Execution allocation cost can be assessed (or determined) based on execution allocation data pertaining to the first computing device and/or one or more computing resource providers. By way of example, power consumption of a mobile device can be used as a factor in determining how to allocate individual components of an application program (e.g.

Abstract: A probable computing attack detector monitors electrical power consumption of a computing device. Task data may be acquired for at least one task operating on the computing device. A predicted electrical power consumption may be calculated for the computing device employing a user-centric power model and the task data. A probable attack may be detected when the electrical power consumption disagrees with the predicted electrical power consumption by a determined margin.

Abstract: In one embodiment, a method for establishing a secure multicast channel between a service provider and a terminal is provided. A request is received from the service provider for a configuration of the terminal. A configuration of the terminal at a first time is sent to the service provider. A security key is obtained, wherein the security is bound to the configuration of the terminal at the first time. Then the security key is decrypted using a configuration of the terminal at a second time, wherein the decryption fails if the configuration of the terminal at the second time is not identical to the configuration of the terminal at the first time. A secure multicast channel is then established with the service provider using the security key.

Abstract: A method and system for enforcing trusted computing (TC) policies in a security module architecture for a hypervisor. Upon receiving a request from a subject for access to an object, TC-related attribute values are obtained for the subject and the object based on a virtualized trusted platform module (vTPM). Access control decisions are the made based at least on the TC-related attribute values and TC-related policies.

Abstract: A network component comprising a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item, a storage unit configured to cache the content item and the associated security information, a processor to implement procedures to enforce security policies defined by the security information, and a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item.

Abstract: A content router comprising storage configured to cache, in a content oriented network (CON), a content object with a signature signed by a publisher based on a known identity to a subscriber; and a transmitter coupled to the storage and configured to forward the content object with the signature upon request to the subscriber, wherein the subscriber uses the signature to verify one of the content object's integrity and the content object's authenticity based on the known identity without verifying a trust of a publisher key for the publisher, and wherein the known identity is trusted by the publisher and does not require verifying trust from the publisher.

Abstract: Improved techniques for obtaining authentication identifiers, authentication, and receiving services are disclosed. Multiple devices can be used for receiving service from a servicing entity (e.g., Service Providers). More particularly, a first device can be used to authenticate a first entity (e.g., one or more persons) for receiving services from the servicing entity, but the services can be received by a second device. Generally, the first device can be a device better suited, more preferred and/or more secure for authentication related activates including “Identity Management.” The second device can be generally more preferred for receiving and/or using the services. In addition, a device can be designated for authentication of an entity. The device releases an authentication identifier only if the entity has effectively authorized its release, thereby allowing “User Centric” approaches to “Identity Management.