Abstract: A password security system, hosted by a server, sends a web page over a network to a client, that includes a CAPTCHA challenge, a request for a CAPTCHA answer, a graphical user interface for receiving a user identifier and a password, and a security script. The security script is to be executed by the client to generate a client hash value from password data and a CAPTCHA answer that is received from a user. The system receives the client hash value and computes a server hash value for password data for the user and a CAPTCHA answer that is stored in a data store that is coupled to the server. The system determines whether the server hash value matches the client hash value, and grants data access to the user when the values match and denies data access to the user when the values do not match.

Abstract: A system and method for automatic authentication includes automatically calculating a security code on a computer running a security program. The security program resides on the same computer as a web browser. In response to a user signing into a web based account on a web site accessed by the web browser, automatically verifying that the security program is registered with the web based account. In response to a second factor security code entry request on the web based account, automatically entering the security code into the web based account. The security code is transmitted to the web site transparently to the user for login.

Abstract: A system and method for distributing symmetric keys in a system including an end-user computer operated by an end-user, a service provider server of a service provider having a service provider identifier, and a manufacturer backend server operated by the manufacturer of the OTP token. The manufacturer backend server operates to verify one-time passwords generated by the OTP tokens and upon verifying the authenticity of the OTP token based on the generated passwords, transmitting the symmetric key to a service provider server or an authentication server. Other systems and methods are disclosed.

Abstract: A secure web hosting system is provided. In various embodiments, the secure web hosting system identifies an application that is to be loaded, creates a security token that is unique to the computer system and based on a name of the identified application, receives a request to load the identified application, and creates a process in which to load the identified application, the process having security attributes associated with the created security token. In various embodiments, the secure web hosting system includes an isolation service component that creates a security token based on an application name of an application identified by the configuration file.

Abstract: The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third party users from submitting a form on a user's behalf since they cannot guess the value of this unique identifier that was inserted.

Abstract: Aspects of a method and system for improved communication network setup utilizing extended terminals are presented. Aspects of the method may comprise configuring a wireless Ethernet terminal functioning as a client station by a configurator via a network. The configured wireless Ethernet terminal may wirelessly receives information from a wireless station, and communicate the wirelessly received information to at least one of a plurality of wired stations via at least one of a plurality of corresponding wired interfaces. Aspects of the system may comprise a collocated device functioning as a configurator that configures a wireless Ethernet terminal functioning as a client station via a network. The configured wireless Ethernet terminal may wirelessly receives information from a wireless station, and communicate the wirelessly received information to at least one of a plurality of wired stations via at least one of a plurality of corresponding wired interfaces.

Abstract: Computer system, method and program for managing a firewall. First program instructions identify a first rule of the firewall. The first rule specifies a permitted message flow through the firewall to or from an IP address of a computer. The computer resides on a network. Second program instructions identify a second rule of the firewall. The second rule specifies a permitted message flow through the firewall to or from an IP address corresponding to the network. Message flows through the firewall to all computers on the network are permitted pursuant to the second rule. Third program instructions delete the first rule from the firewall based on the identification of the second rule and the computer residing on the network. Other program instructions identify and delete stale rules which are not needed. Other program instructions automatically identify rules for a new server added to a cluster.

Abstract: A method for enabling access to digital rights managed (DRM) content from a server to a portable playback device using a device that functions as a proxy for enabling communication between the server and the portable playback device. The method provides for establishing a connection with a device capable of operating as a gateway device for passing data between the portable playback device and the server, requesting that the device establish a connection with the server and operate as a proxy for enabling data exchange between the portable playback device and the server, sending to the server, upon establishing the connection with the server via the device operating as a proxy, data indicating DRM solutions supported by the portable playback device, and a list comprising requested DRM content to be downloaded to the portable playback device, and receiving from the server, via the device operating as a proxy, the requested DRM content and DRM rules associated with the received content.

Abstract: Secure networking processes, such as packet encapsulation and decapsulation, can be executed upstream of a user or guest operating system provisioned on a host machine, where the user has substantially full access to that machine. The processing can be performed on a device such as a network interface card (NIC), which can have a separate network port for communicating with mapping systems or other devices across a cloud or secure network. A virtual image of the NIC can be provided to the user such that the user can still utilize at least some of the NIC functionality. In some embodiments, the NIC can work with a standalone processor or control host in order to offload much of the processing to the control host. The NIC can further handle headers and payload separately where possible, in order to improve the efficiency of processing the various packets.

Abstract: A method is provided that transmits network packets through a network security device. The method receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device when the network packet is transmitted using the third and fourth network interface identifiers. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

Abstract: The present disclosure describes a method for protecting real-time data exchanged between a mobile electronic device and a VPN gateway over a communications link. The method comprises: establishing a first VPN connection between the mobile electronic device and the VPN gateway through the communications link; establishing, while the first VPN connection is established, a second VPN connection between the mobile electronic device and the VPN gateway through the communications link; providing key information to at least one of the mobile electronic device or VPN gateway through the first VPN connection; and exchanging real-time data packets between the mobile electronic device and the VPN gateway through the second VPN connection, wherein the key information is for encrypting and decrypting the real-time data packets exchanged through the second VPN connection.

Abstract: The present invention provides an auxiliary display system, device and method. The auxiliary display system includes a client and a server. The client includes an auxiliary display unit which further includes a security module. The server generates information to be shown in the auxiliary display unit, and uses a shared encryption key of the auxiliary display unit to encrypt the information. The security module uses the shared encryption key to verify validity of encrypted information from the server, and decrypts the encrypted information so that the decrypted information will be shown in the auxiliary display unit. The present invention can prevent from forging the auxiliary display information by malicious programs and provide users with reliable information display, and improve experience of the users.

Abstract: A browser is requested to display a text file having a description of a screen structure. The state information on a current state of the embedded device is acquired. An access request for requesting the browser to update, with the acquired state information, a value of at least one node in a document object model (DOM) tree generated from the text file by the browser, is submitted by a state display control program. The at least one node is recorded in an access history list. At a subsequent time, it is determined whether to permit a subsequent access request. If the source of the subsequent access request is not the state display control program, and the at least one node is recorded in the access history list, the subsequent access request is denied.

Abstract: An approach is provided for requesting access to content associated with a resource identifier. A system receives a first request to access content associated with a resource identifier. The system then determines to generate a second request for validating the content based, at least in part, on the resource identifier and to transmit the second request to a validation service. The system receives validation information based, at least in part, on the second request. In one embodiment, the validation information includes a preview of the content.

Abstract: Mechanisms to secure data on a hard reset of a device are provided. A hard reset request is detected on a handheld device. Before the hard reset is permitted to process an additional security compliance check is made. Assuming, the additional security compliance check is successful and before the hard reset is processed, the data of the handheld device is backed up to a configurable location.

Abstract: Apparatus, systems and methods are provided for facilitating user authentication in a computing system based on pictorial discernment of images displayed to a user. Multiple images are displayed to a user, with each image having one or more distinguishing characteristics. Each symbol of the user's password is associated with a particular characteristic included in one of the displayed images. The user is properly authenticated if they select the images having the characteristics corresponding with the symbols of the user's password.

Abstract: A system for managing a user's access rights to avionic information, loaded on board an aircraft, that includes at least one identification device able to read the user's identity information contained on a personal card, and an avionic computer having means of managing access rights able to authenticate the user and determine access rights to avionic information based on the user's identity.

Abstract: Systems and methods of token-based protection for links to media streams are disclosed. For example, a web server may generate a first token based on a private key and an encryption algorithm. The first token may be inserted into a link to a media stream, where the link is included in a web page and the media stream is hosted by a media server. When the link is selected at a client device, a media request including the first token may be sent to the media server. The media server may generate a second token based on the private key and the encryption algorithm. The media server may selectively grant or deny the media request based on whether the first token matches the second token.

Abstract: A circuit arrangement and method utilize a process context translation data structure in connection with an on-chip network of a processor chip to implement secure inter-thread communication between hardware threads in the processor chip. The process context translation data structure maps processes to inter-thread communication hardware resources, e.g., the inbox and/or outbox buffers of a NOC processor, such that a user process is only allowed to access the inter-thread communication hardware resources that it has been granted access to, and typically with only certain types of authorized access types. Moreover, a hypervisor or supervisor may manage the process context translation data structure to grant or deny access rights to user processes such that, once those rights are established in the data structure, user processes are permitted to perform inter-thread communications without requiring context switches to a hypervisor or supervisor in order to handle the communications.

Abstract: A phishing detection client component and method is provided. The component can be employed as part of a system to detect and, optionally, prevent phishing attacks. The phishing detection client component can provide password reuse event report(s), for example, to a phishing detection server component. The client component can further include a credential component that can track use of credentials by a user and determine whether a specific security credential is being used or presented. Due to the malicious nature of phishing in general, the client component can be susceptible to attacks by phishers. For example, phishers can generate false logins in an attempt to flood the client component with information resulting in induced false positives and/or induced false negatives. The client component can perform one or more checks to determine whether false login(s) have been attempted.

Abstract: Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a prior captured file system event are also intercepted and recorded. Predefined patterns of file system event may be aggregated and reported as a single event.

Abstract: A method and system for detecting whether a computer program, sent to a first computer having an operating environment including a plurality of files, includes malware is provided. A second computer lists in a file a plurality of environment details of the operating environment of the first computer. The second computer simulates in the second computer the presence of the plurality of files in the operating environment by exhibiting the plurality of environment details without installing the plurality of files in the second computer. The second computer executes the computer program in the second computer with the simulation and determines whether the computer program attempts to access or utilize the plurality of files in a manner indicative of malware. If not, the second computer records and generates a notification that the computer program is not malware.

Abstract: A method of managing network usage by defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored. Network packets are captured during transmission and analyzed to identify linguistic patterns. Captured network packets are scored based on similarity of at least one linguistic pattern to one or more of the defined set of linguistic patterns. When a packet that is scored above a specified threshold value is identified, at least one responsive action is implemented. In this manner, a system implementing the method is able to identify network traffic that is associated with prospective malicious activity and thereby provide an early warning before damage has occurred.

Abstract: A method/system of determining if one or more entities in a data storage medium of a processing system are malicious, wherein the method comprises recording entity properties of the one or more entities when at least part of the processing system is in a range of operating usage; and determining, using the entity properties, if the one or more entities are malicious.

Abstract: In certain embodiments, performing a defensive procedure involves receiving at a first speaker of a first autonomous system a path advertisement from a second speaker of a second autonomous system. The path advertisement advertises a path from the second speaker of the second autonomous system. It is determined whether the second autonomous system is a stub autonomous system and whether a path length of the path is greater than one. If the second autonomous system is a stub and the path length is greater than one, a defensive measure is performed for the path. Otherwise, a default procedure is performed for the path.

Abstract: A system, method and computer program product are provided including a router and a security sub-system coupled to the router. Such security sub-system includes a plurality of virtual firewalls, a plurality of virtual intrusion prevention systems (IPSs), and a plurality of virtual virus scanners. Further, each of the virtual firewalls, IPSs, and virus scanners is assigned to at least one of a plurality of user and is configured in a user-specific.

Abstract: A survivable network is described in which one or more network device includes enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, and a hypervisor executing on each one of the processing units; and a plurality of virtual machines executing on each of the hypervisor. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication session with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines.

Abstract: A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.

Abstract: A device for using information on malicious application behaviors is provided. The device includes a capability-monitoring unit that monitors application capabilities, a behavior-monitoring unit that monitors application behaviors, an mBDL-generating unit that generates a document in a formal language specifying the application capabilities and the application behaviors, and a controlling unit that controls execution of application using the formal language.

Abstract: Disclosed is a method of operating a data storage system. The method comprises identifying changed segments of a primary storage volume, receiving a data request for a plurality of data items in a secondary storage volume, identifying changed data items of the plurality of data items in the secondary storage volume based on a correspondence between the plurality of data items in the secondary storage volume and the changed segments of the primary storage volume, and transferring the changed data items in response to the data request.

Abstract: A method for preventing malware attacks includes detecting an attempt on an electronic device to modify a print service registry, determining an entity associated with the attempt to modify the print service registry, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the modification to the print service registry. The print service registry is configured to store configuration information about mechanisms to be used when printing from the electronic device.

Abstract: A computer program includes one or more computer program instructions, each computer program instruction being of one or more instruction types. Prior to execution of the computer program instructions, the computer determines respective counts for the instruction type(s) of the computer program instructions. At a time during execution of the computer program instructions, the computer determines respective counts for the instruction type(s) of the computer program instructions. The computer, in response to determining that the count for one of the instruction types determined prior to execution differs a predetermined amount from the count for the same instruction type determined during execution, makes a record that the computer program has an indicia of maliciousness.

Abstract: A declared origin policy may be provided. First a plurality of records comprising addresses that an application is allowed to access may be received. The received plurality of records may be placed in a manifest. Then, a request containing an address may be received and compared to the plurality of records in the manifest. Access to the address may be allowed when one of the plurality of records in the manifest matches the address or when an ambiguity is encountered as to whether the one of the plurality of records in the manifest matches the address. Access to the address may be denied when none of the plurality of records in the manifest matches the address. Moreover, any request to change any of the plurality of records in the manifest may be denied when the application is updated, uninstalled, or reinstalled.

Abstract: A system, method and computer program product for optimization of execution of anti-malware (AV) applications. A number of false-positive determinations by an AV system are reduced by correcting malware detection rules using correction coefficients. A number of malware objects detected by the AV system are increased by correction of ratings determined by the rules using correction coefficients. An automated testing of new detection rules used by the AV system is provided. The new rules having zero correction coefficients are added to the rules database and results of application of the new rules are analyzed and the rules are corrected or modified for further testing.

Abstract: According to one embodiment, a computer-implemented method includes accessing, using one or more processing units, a first file of a plurality of files requested to be analyzed for malware. Each of the plurality of files corresponds to a respective remote client of a plurality of remote clients. Further, the method includes: processing, using the one or more processing units, an analysis of the first file for malware; and generating an output comprising an indication of whether the first file comprises malware. The method also includes accessing, using the one or more processing units, an address for a first remote client of the plurality of remote clients. The first remote client is the respective remote client corresponding to the first file. In addition, the method includes: sending, using the one or more processing units, the output in a communication addressed to the first remote client corresponding to the first file.

Abstract: Embodiments include a system, a computer program product, an apparatus, a device, and a method. An embodiment provides a method. The method includes a tripwire file into a protected set of files that includes at least one normal file. The method facilitates a communication to a second party of at least a portion of the protected set of files. The method also receives a signal indicating an occurrence of an activity related to the tripwire file.

Abstract: Embodiments include a method, a computing device, and a computer program product. An embodiment provides a method implemented in a computing environment. The method includes receiving a designation of an individualized digital identifier. The method also includes associating a human-perceptible form of the designated individualized digital identifier with each element of a group of human-perceivable elements displayed by the computing environment.

Abstract: Provided is a digital broadcasting conditional access system and method, including a digital broadcasting transmitter and a digital broadcasting receiver. The transmitter scrambles a broadcasting signal using a control key, generates broadcasting viewing restriction information and broadcasting viewing entitlement information, and transmits the scrambled broadcasting signal after incorporating the broadcasting viewing restriction information and broadcasting viewing entitlement information into the scrambled broadcasting signal. The receiver extracts the broadcasting viewing restriction information and the broadcasting viewing entitlement information included in the scrambled broadcasting signal to generate the control key, descrambles the broadcasting signal using the control key, and reproduces the descrambled broadcasting signal. Thus, the system and method can be provided for a digital broadcasting receiver including a smart card.

Abstract: A system and method for automating the creation, optimization and deployment of multimedia, interactive, mentoring communication modules (“MIPs”) is provided. Simplified interfaces allow superiors to generate MIPs and asynchronously deploy them to subordinates' mobile devices or personal computers. The completed MIP are automatically coded for optimal performance on specific mobile operating systems to which they are deployed. Automatic notifications are sent to registered subordinates upon deployment of a completed MIP. User configurable and system updatable management portals and subordinate portals are automatically generated to provide a user interface to enable mentoring interactions between the superior and subordinates. The MIPs allow custom tailoring of educational and developmental exercises. Performance of the exercises can be monitored by a superior for each of a plurality of subordinates.

Abstract: Files of computer documents are classified into confidential levels without extracting and analyzing contents of the files. Files created by particular users may be clustered into groups of files based on file characteristics, such as file type (e.g., file extension) and file naming convention. A prediction confidential score may be generated for each group of files. A log of a file retention resource may be consulted to identify files created by users. A file created by a user may be assigned a prediction confidential score of a group of files having the same file characteristic as the file and created by the same user. The prediction confidential score may be used to determine a confidential level of the file when the file is found to be inaccessible.

Abstract: A method, system, and computer program product for obfuscating entry of information are provided in the illustrative embodiments. A set of additional aspects to be applied to a part of an input is communicated to a provider of the input. The set of additional aspects is distinct from a second set of additional aspects to be applied to another input. An obfuscated input corresponding to the part of the input is received. A subset of the set of additional aspects is present in the obfuscated input. The part of the input from the obfuscated input is recovered by removing, using a processor and a memory, the subset of the set of additional aspects from the obfuscated input. An entry field input corresponding to the input is generated. The entry field input is sent to an application executing in a data processing system.

Abstract: A method of communicating in a secure communication system, comprises the steps of assembling as message at a sender, then determining a security level, and including an indication of the security level in a header of the message. The message is then sent to a recipient.

Abstract: A process execution apparatus includes a first input unit that receives an instruction from a user, an execution unit that executes a process according to the instruction, a transmitting unit that makes a call to a terminal device having a phone number corresponding to the user, a judging unit that judges whether connection to the terminal device is made, a first authentication unit that determines whether user authentication is successful when the judging unit judges that the connection to the terminal device is made, and a controller that permits execution of the process by the execution unit when the first authentication unit determines that the user authentication is successful.

Abstract: An authorization device for authorizing operations of a remote server requested from user computers via a data communications network includes a computer interface configured to connect to a local user computer for facilitating communication with the remote server via a data communications network, a user interface configured to present information to a user, and control logic. The control logic is adapted to use security data accessible to the control logic to establish, via the local user computer, a mutually-authenticated connection for encrypted end-to-end communications with the server; collect from the server, via the connection, information indicative of any operation requested via a different connection to the server and requiring authorization by the user; and present the information to the user via the user interface to prompt for authorization of the operation.

Abstract: A file system is configured for use with files protected by digital rights management (DRM) content controls and to interact both with applications that are, and are not, DRM aware. The file system may be configured for use by two applications, in a manner that may provide the second application with protected files if the first application was previously allowed access. In one example, a user context cache of DRM-protected files is created. The files in the cache may have been decrypted in response to a request(s) from the first application. Subsequent requests from the second application may be received for files within the user context cache of DRM-protected files. At least one of the files within the user context cache of DRM-protected files may be provided to the second application if the second application has a joint user context with the first application.

Abstract: In one embodiment, a method for enabling user privacy for content on a network includes receiving input from a first user instructing at least one change in user access to shared content provided by a network system. The change modifies the user access from an existing set of one or more users of the network system to a different set of one or more users of the network system. The method checks a privacy setting associated with each of one or more referred users of the network system who are referred to by the shared content. The privacy setting indicates whether the associated referred user is to be sent a notification indicating that the at least one change in user access has been instructed.

Abstract: To expand the after-sales services offered for a product purchased by a user, a service server that provides services accesses a specified navigation system, which is the product purchased by the user, using a device ID that is uniquely assigned to the navigation system, and then transmits service information to the specified navigation system. In other words, the service server actively accesses a navigation system, which is fundamentally one of countless terminal apparatuses on a communication network, and provides service information to that navigation system. By operating in this way, a great variety of services can be provided whenever appropriate.

Abstract: A system and method helps to control “read” and/or “write” access to electronic paper (e-paper). Informational data may be on a restricted portion of e-paper material that is protected by a security methodology accessible to authorized entities. Some embodiments maintain a record of access activity regarding the restricted portion, and a record of access activity regarding use of an item or product or service related to the e-paper informational data. Some implementations include an authorization listing of a party having a particular access privilege or authorization to make modifications to various restricted portions including an authentication region and a protected region. One possible aspect includes performing a verification analysis of data indicia in a restricted portion of the e-paper media. Additional possible system and process components may determine an authenticity status of the data indicia, and provide an output result.

Abstract: Methods, systems, and products distribute digital content based on digital rights license. A digital file may be fragmented into a plurality of unusable fragments. Each unusable fragment is separately unusable. Each unusable fragment may be tagged with a tag to generate tagged unusable fragments. The digital rights license is generated based on the tag, such that the tagged unusable fragments may be reassembled into the digital file.

Abstract: A method and apparatus are provided for controlling use of content protected with a digital rights management license which contains conditions for the use. When a request to use the content is received by a client agent controlling the use of the content, the conditions of use are checked. Within this check, a determination is made that the use of the content is conditional upon an obligation to perform a parental control operation on the content. A request for authorization to use the content is then transmitted from the controlling client agent to a parental control management module. After a parental control operation has been performed on the content by the parental control management module, the agent receives a result of the parental control operation. If the result is negative, a denial of use of the content is notified in response to the request to use the content.