Abstract: An in-vehicle recording/reproduction device (121) records in a recording device a program which the user starts watching, and reads and reproduces the data when watching is permitted, such as, for example, when a vehicle is stopped. The in-vehicle recording/reproduction device (121) transmits recording information about recording, such as a program, a time, and the like, to an in-home recording/reproduction device (303). The in-home recording/reproduction device (303) records the same program as that recorded by the in-vehicle recording/reproduction device (121) based on the recording information. The in-vehicle recording/reproduction device (121) transmits to the in-home recording/reproduction device (303) reproduction information indicating which scene was last reproduced in the in-vehicle recording/reproduction device (121). The in-home recording/reproduction device (303) performs reproduction based on the reproduction information.

Abstract: A first user's trust level with regard to a second user can be determined by providing questions to the second user, with the questions based on a previously-collected knowledge base including information about the first user. The information about the first user may be partitioned into levels of trust, and the second user's responses to the questions may be evaluated to determine which level of trust the second user is entitled to. The knowledge base may be assembled by prompting the first user for information and/or by scanning or otherwise collecting already-existing data about the first user. The knowledge base and/or trust assessment may be distributed across a network, and in some embodiments the knowledge base or parts thereof is distributed to other users according to the trust level of those users.

Abstract: In general, techniques are described for managing multiple access policies in a network access control system. An endpoint device may send, to a policy decision point (“PDP”), a request to communicate on a network. When the PDP receives such an access request, the PDP typically identifies a set of access policies to be enforced with regard to the endpoint device and causes the identified access policies to be enforced with regard to the endpoint device. These access policies may specify rights to communicate on networks and/or rights to communicate with server resources and/or endpoint configuration requirements. However, because the endpoint device may issue multiple access requests, conflicting sets of access policies may potentially be enforced with regard to the endpoint device. The techniques described herein ensure that only a consistent set of access policies are enforced with regard to the endpoint device when accessing the network.

Abstract: A method for initiating a security procedure within a building whereby a virtual key is generated by a certain event and transmitted to a selected person. If the selected person identifies himself by means of the virtual key, a security procedure, for example making an elevator available, is initiated within the building.

Abstract: Method and apparatus for protecting image content. In an embodiment, tags are used to identify how to alter image content. A graphics processor is configured to process the tags and to alter the image responsive to the tags. In another embodiment, a graphics processor is configured to alter image content unless a key is provided to the graphics processor.

Abstract: A system and method are provided for controlling access to local electronic devices in an automation network while maintaining failover capability. The method can include the operation of setting a state of a networked device to an online state. Another operation is sending a communication from the networked device to a controller requesting permission to change state of the networked device. The networked device may wait a predetermined amount of time to receive permission to change state. The state of the network device can change without permission from the controller after the predetermined amount of time has passed.

Abstract: A computer implemented method, apparatus, and computer program product for authenticating a user to a network. In response to receiving a request from a user to access a protected resource, the process sends a unique bit sequence into a network connection utilized by the user. Next, the process authenticates the user to access the protected resource in response to receiving a verification that the unique bit sequence was received by an access point that authenticated the user when the user logged on to the network.

Abstract: A computer network management system with an embedded processor, an analog communication means and a digital interface for network management provides a system for remotely and securely managing a network. Backup power in the form of an uninterrupted power supply, or other power means as appropriate, allows the modem to provide power outage notification to a remote site. The system further provides authentication and authorization capabilities for security purposes.

Abstract: A system and method for authenticating users against an external directory service. A client device issues an LDAP (Lightweight Directory Access Protocol) request (e.g., a login request) to a local or native directory server (e.g., an Oracle Internet Directory server) configured to authenticate users for access to a resource (e.g., an Oracle database, an Oracle application server). The native directory server does not maintain or synchronize user passwords, and forwards the request (or details of the request) to a plug-in residing in the resource. The plug-in forwards or issues the request to an external or third-party directory server or service, which attempts to authenticate the user and returns a result indicating success or failure. The plug-in returns the result to the local server, which responds to the client.

Abstract: A computer implemented web based access control facility for a distributed environment, which allows users to request for access, take the request through appropriate approval work flow and finally make it available to the users and applications. This program also performs an automatic task of verifying the health of data, access control data as well as the entitlements, to avoid malicious user access. The system also provides an active interface to setup a backup, to delegate the duty in absence. Thus this system provides a comprehensive facility to grant, re-certify and control the entitlements and users in a distributed environment.

Abstract: Authenticating a third party client system prior to providing Internet access via an Internet access point. In a distributed computing system including an Internet access point, an authentication service, and a third party client system, an authentication service receives an authorization request from a third party client system. The authorization request is initiated in response to a single action being performed by a user of the third party client system. The user is not required to manually submit any identification information. The authorization request includes a unique client identifier for identifying the third party client system. The method also includes verifying that the third party client system associated with the unique client identifier is authorized to access the Internet via the Internet access point. If the third party client system is authorized to access the Internet, Internet access is provided to the third party client system.

Abstract: A network device may provide secure fallback operations. The device includes a port allowing the device to communicate with a network and a processor to generate a security credential, provide the security credential to a call manager during initialization, and provide the security credential to a secondary device during fallback operations. The network device may include a memory to store the security credential and routing information for fallback operations.

Abstract: A method of protecting a password being used to establish interaction between a user and an application includes detecting a request for the password from the application by receiving a notification from the user indicating the request. The method further includes combining the password with information identifying the application, so as to produce a protected password, and authenticating to the application using the protected password. The method may also include a mutual authentication capability between user and the application.

Abstract: To authenticate a user of a communications network, credentials from the user are centrally receiving. An authentication sequence is retrieved from a plurality of retrievable authentication sequences, and the retrieved authentication sequence is performed to authenticate the user based on the received credentials.

Abstract: A tool kit for accessing data stored on an electronic SMART card is provided, the kit comprising a SMART card reader and recorder, at least one storage card, and a control card. The card reader and recorder is operative to read and copy the electronic SMART card onto the storage card, and to read the control card, the storage card comprising a storage card security key. The control card comprises code generation means operative to generate a control card security key, copying of the electronic SMART card onto the storage card being prevented unless the control card security key is verified against the storage card security key.

Abstract: A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described.

Abstract: The described embodiments include a system for controlling communications between a first network and a second network including a plurality of in-line security devices, the in-line security devices being configured to manage communication between the first network and the second network, and including a state server connected to the plurality of in-line security devices, the state server being configured to receive state information about the state of the connections established by a first one of the in-line security devices and to communicate the state information to at least a second one of said in-line security devices. In one embodiment, the in-line security devices are firewalls. In another embodiment, state server communicates the state information received from the first one of the firewall devices and communicates the state information to every other one of the plurality of firewall devices.

Abstract: Testing of Internet-Protocol packet network perimeter protection devices, e.g., Border Gateways such as Session Border Controllers, including dynamic pinhole capable firewalls are discussed. Analysis and testing of these network perimeter protection devices is performed to evaluate the ability of such device to perform at carrier class levels while being subjected to many different protocol test cases. The efficiency of state look table functions as well as call signaling processing capacity, implemented in a particular perimeter protection device, are determined and evaluated. Proper performance and efficiency of such perimeter protection devices are evaluated as a function of: incoming call rate, total pre-existing active calls, and different protocol test cases. Various different network perimeter protection devices, e.g.

Abstract: A system and method for a network aware firewall is disclosed. The method includes accessing a first network connection from a client computer system and determining whether the first network connection is public or private. The method further includes dynamically modifying security parameters associated with a firewall local to the client computer system in response to determining whether the network connection is public or private.

Abstract: A reverse proxy server can provide access to web applications. The reverse proxy system can produce interstitial pages not generated with the web application code and optionally block access to the web application until the interstitial pages have been processed.

Abstract: Systems and methods for enabling trusted software to monitor and control USB traffic associated with a security extension of a host controller and devices in a USB topology is disclosed. A host controller proxy receives USB-related data from a host controller driver, determines whether the data is of a security interest, and if so, sends the data to a driver for a security extension executing in the trusted execution environment. Likewise, after software executing in the trusted execution environment evaluates and appropriately addresses data sent by the HCD proxy or data retrieved from a hardware security extension, the HCD proxy receives data from the trusted execution environment for further dissemination.

Abstract: A mechanism for segregating traffic amongst STAs that are associated with a bridge, referred to herein as the personal virtual bridged local area network (personal VLAN), is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (virtual bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP.

Abstract: A method for controlling subsidy locking of a handset device includes storing, in a handset device, an asymmetrically digitally signed subsidy unlock data block that has been modified based on a password after signing (505); modifying the stored unlock data block based on a received subsidy unlock password (510); and granting subsidy unlock status if the asymmetric digital signature of the modified, stored unlock data block properly verifies (510). A method (110) for controlling subsidy locking of a handset device includes storing, in the handset device, an asymmetrically digitally signed subsidy unlock data block that comprises a password portion that has been modified after signing (112); replacing the contents of the modified password portion with a received subsidy unlock password to produce an updated subsidy unlock data block (116); and granting subsidy unlock status if the asymmetric digital signature of the updated subsidy unlock data block properly verifies (118).

Abstract: A method may include receiving untrusted digital media; converting the untrusted digital media into an analog signal; converting the analog signal into trusted digital media; and storing the trusted digital media.

Abstract: According to one embodiment of the invention, a method for reducing the false alarm rate of network intrusion detection systems includes receiving an alarm indicating a network intrusion may have occurred, identifying characteristics of the alarm, including at least an attack type and a target address, querying a target host associated with the target address for an operating system fingerprint, receiving the operating system fingerprint that includes the operating system type from the target host, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.

Abstract: A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.

Abstract: A method and apparatus for reporting policy violations in messages is described. In one embodiment, a violation is identified by detecting fragments in a message that match information from any one or more rows within a tabular structure of source data. The fragments that match this information are then specified as part of reporting the violation.

Abstract: The invention relates to a security device for data carriers which may be or is secured onto or within a data carrier or its housing, and in which data may be exchanged, especially bidirectionally, with the security device, by means of a read/write device especially provided for the data carrier. The invention furthermore relates to a data carrier, especially optical data carriers with such a security device, as well as a process for securing data carriers against unauthorized copying, wherein data recorded on an electronic security device installed upon or in a data carrier, are processed by the security device and the outcome of such processing is read out from the security device.

Abstract: Rental business of content data is adequately performed while preventing a improper use of rights or the like by a user. Rental user key data Kuren1-3, and rental content key data Kuren1-3 includes management metadata M1-M3 and M1?-M3?, respectively. The management metadata includes data use termination date/time indicating an expiration date or the like.

Abstract: An optical disc is authenticated by measuring physical attributes of the disc. A challenge is presented to the drive comprising the disc. The challenge includes locations on the disc to be used for authentication. The locations are determined each time the disc is to be authenticated. No restriction is placed on the locations on the medium, and no restriction is placed on the number of locations. Locations on the disc are accessed and an answer to the challenge is calculated in accordance with a physical attribute pertaining to the locations. The answer can include an angle between the locations, the physical separation between the locations, an amount of time elapsed between detection of the locations, an amount of time taken to read data between written between the locations, or a number of rotations occurring between detection of the locations. The answer is analyzed to determine the validity of the disc.

Abstract: A method and system is introduced for implementing a virtual memory mechanism that works internally to computer languages that prevent direct memory access. Virtual memory mechanism is implemented in a manner that is independent of executing environment. Virtual memory mechanism may include security features preventing program code and execution environment from being altered, viewed or copied.

Abstract: A file that has been encrypted using a symmetric key and that has a corresponding access control entry with the symmetric key encrypted using the public key of a public/private key pair can be accessed. An encrypted key cache is also accessed to determine whether an access control entry to symmetric key mapping exists in the cache for the access control entry corresponding to the file. If such a mapping exists in the cache, then the mapped-to symmetric key is obtained form the cache, otherwise the encrypted symmetric key is decrypted using the private key of the public/private key pair. The encrypted key cache itself can also be encrypted and stored as an encrypted file.

Abstract: In a content-log analyzing system, content includes additional information indicating, according to a property of the content, whether or not to record communication of the content in a content-log. When transmitting content to a TV or a PC, a data-communication controlling device judges whether or not to record the communication in a content-log based upon additional information of the content, and when judging affirmatively, generates and stores content-log information. A content-log analyzing server obtains the content-log stored in the data-communication controlling device, and analyzes the obtained content-log.

Abstract: The amplitude control of a cantilever based on the van der Pol model is performed through feedback using measurement data on a deflection of the cantilever. A self-oscillating circuit integrates a deflection angle signal of a cantilever detected by a deflection angle measuring mechanism using an integrator, multiplies a resulting integral value by linear feedback gain generated by a gain generator, and an output corresponding to the linear feedback signal is generated. Also, the self-oscillating circuit cubes the deflection angle signal using analog multipliers, integrates the resulting values using integrators, multiplies the resulting integral values by a nonlinear feedback gain generated by a gain generator, and an output corresponding to the nonlinear feedback signal is generated. Furthermore, the self-oscillating circuit adds the outputs together using an adder, and a voltage signal for a piezo element is generated.