Patents Issued on March 31, 2015
- Patent number: 8997157
  Abstract: An audio/video network system for distributing satellite broadcast services includes an antenna unit for receiving audio/video broadcast services. The antenna unit is in communication with a master receiver, which receives the audio/video broadcast services and displays them on a first television associated with the master receiver. The master receiver is in communication with a plurality of slave clients, which receive audio/video broadcast services from the master receiver and display them on a respective television associated with each of the slave clients.
  Type: Grant
  Filed: June 18, 2003
  Date of Patent: March 31, 2015
  Assignee: The DIRECTV Group, Inc.
  Inventors: Harish N. Patel, Daniel A. Lotocky, Nathan B. Zerbe, Thomas H. James
- Patent number: 8997158
  Abstract: A method of receiving a broadcast signal including a Non-Real-Time (NRT) Receiver Targeting service is disclosed herein. A method of receiving a broadcast signal including a Non-Real-Time (NRT) Receiver Targeting service, the method comprises receiving broadcast signal including first signaling information and second signaling information, identifying an NRT service based on the first signaling information, parsing a Receiver Targeting Descriptor from the second signaling information, determining validity of the NRT service or an NRT content based on a targeting_criterion_type_code included in the Receiver Targeting Descriptor, and downloading the NRT service or the NRT content when a receiver determines the NRT service or the NRT content to be valid.
  Type: Grant
  Filed: March 13, 2012
  Date of Patent: March 31, 2015
  Assignee: LG Electronics Inc.
  Inventors: Jong Yeul Suh, Kwan Suk Kim, Gomer Thomas, Jae Hyung Song, Jin Pil Kim, Ho Taek Hong, Joon Hui Lee
- Patent number: 8997159
  Abstract: An improved user experience is provided for passengers on a vessel such as an airplane, train or ship. Passengers can customize their travel experience ahead of time by accessing a web-based server system to indicate preferences with respect to a number of in-flight entertainment options. The passenger's experience is also enhanced by allowing passengers to share preferences such as media playlists with others. Meals can be ordered on-demand once on board, and seat-to-seat chat as well as group chatting is also made available through an in-seat or other proximate entertainment device.
  Type: Grant
  Filed: September 10, 2007
  Date of Patent: March 31, 2015
  Assignee: Virgin America Inc.
  Inventor: Charles Ogilvie
- Patent number: 8997160
  Abstract: One embodiment of the present invention sets forth a technique for adapting playback bit rate in a content delivery system based on scene complexity of the video content as well as network conditions and other performance factors. A scene complexity map of the video content indicates the complexity levels of different scenes within the video content. Using the scene complexity map, a content player may download scenes of lower scene complexity levels from video streams encoded to lower bit rates to manage the bandwidth consumed to download the video content and allow for the downloading of scenes of higher complexity levels from video streams encoded to higher bit rates.
  Type: Grant
  Filed: January 21, 2011
  Date of Patent: March 31, 2015
  Assignee: Netflix, Inc.
  Inventor: Neil D. Hunt
- Patent number: 8997161
  Abstract: Systems and methods of providing enhanced digital media playback through application enhancement tracks are described. Application enhancement tracks are derived from the main content that they are associated with and are encoded to aid the performance of one or more functions related to the content, such as visual-search using a video application enhancement track, or trick-play track. In several embodiments, a method of decoding a media file for play back includes obtaining a media file containing compressed content and an accompanying application enhancement track which is a subset of the compressed content, playing back the compressed content, and decoding frames of the application enhancement track at a rate proportional to a visual-search speed and from a location determined by the portion of the compressed content most recently played back.
  Type: Grant
  Filed: October 29, 2008
  Date of Patent: March 31, 2015
  Assignee: Sonic IP, Inc.
  Inventors: Shaiwal Priyadarshi, Kourosh Soroushian, Roland Osborne, Jason Braness, John Kelley
- Patent number: 8997162
  Abstract: A video on demand system has a video server (200) for outputting video streams requested by users, via a core network (620) and access networks (630, 640, 650). A resource manager (600) determines occupation information concerning how much of the previously allocated capacity is occupied by previously authorized video streams before authorizing transmitting a new requested video stream. By checking there is sufficient core network capacity, a risk of disrupting existing video streams or causing other problems by overloading the allocated capacity, is reduced or avoided. Thus less capacity in the core network is needed, and so costs of such capacity can be reduced and there is increased confidence that demand peaks will be handled more gracefully. By checking without obtaining occupation information from the core network, the system can be more independent of the core network, to reduce costs of a real time interface to the core network.
  Type: Grant
  Filed: February 17, 2010
  Date of Patent: March 31, 2015
  Assignee: Telefonaktiebolaget L M Ericsson (Publ)
  Inventor: Paul Stallard
- Patent number: 8997163
  Abstract: Method, system and computer-readable medium to distribute VOD content are disclosed. A method of displaying video content includes accessing an association table for video-on-demand (VOD) content. The association table includes a first segment entry associated with a first video segment of a first length and a second segment entry associated with a second video segment of a second length that is longer than the first length. The first segment entry includes a first multicast group ID and the second segment entry includes a second multicast group ID. The method further includes receiving the first video segment via the first multicast group ID, displaying the received first video segment, and receiving the second video segment via the second multicast group ID within a period of time of displaying the first video segment.
  Type: Grant
  Filed: April 10, 2013
  Date of Patent: March 31, 2015
  Assignee: AT&T Intellectual Property I, L.P.
  Inventor: Andrew G. Gauld
- Patent number: 8997164
  Abstract: Methods and systems to authorize devices and/or perform other actions based on identifying content distributors are described. In some example embodiments, the methods and systems access video content playing at a client device, calculate fingerprints of a portion of the video content, identify a distributor of the video content based on the fingerprints, and perform an action in response to the identification of the distributor of the video content, such as actions to authorize the client device or other associated devices (e.g., second screens) to receive content from the distributor, actions to present sponsored content to the client device or associated devices, and so on.
  Type: Grant
  Filed: March 14, 2013
  Date of Patent: March 31, 2015
  Assignee: Gracenote, Inc.
  Inventors: Donald F. Gordon, Markus K. Cremer, Peter Dunker
- Patent number: 8997165
  Abstract: A media converter is to be coupled to an optical line terminal via an optical link and to a plurality of coax network units via coax links in a cable plant. The media converter includes an optical physical-layer device to receive and transmit optical signals via the optical link and a coax physical-layer device to receive and transmit electrical signals via the coax links. The media converter also includes an implementation of an optical-coax convergence layer to schedule transmissions of electrical signals from the plurality of coax network units by allocating coax resources among the plurality of coax network units in accordance with resource allocation for the optical link.
  Type: Grant
  Filed: September 10, 2012
  Date of Patent: March 31, 2015
  Assignee: QUALCOMM Incorporated
  Inventors: Andrea Garavaglia, Juan Montojo, Christian Pietsch, Stephen J. Shellhammer, Nicola Varanese
- Patent number: 8997166
  Abstract: An AV system composed of an HD recorder and a display unit uses a communication interface of the HDMI. An HDMI source of the HD recorder transmits image data (image signal) in the form of differential signals to an HDMI sink of the display unit through three TMDS channels. The HDMI source inserts content identification information for the identification of the type of a content of image data to be transmitted into an AVI InfoFrame packet placed in a blanking period. A control section of the display unit controls operation of a display processing section which carries out a process for displaying for the image data based on the content identification information received by the HDMI sink and a display section for displaying an image.
  Type: Grant
  Filed: February 27, 2014
  Date of Patent: March 31, 2015
  Assignee: Sony Corporation
  Inventors: Toshihide Hayashi, Masayuki Tsumura, Koki Tsumori, Katsuhiro Shimizu, Ban Kawamura
- Patent number: 8997167
  Abstract: A live streaming video sharing system. Implementations may include a video camera, portable computing device, video streaming server, database, application server, web server, and a portable computing device associated with a user operatively coupled together. The video camera sends a live stream of video data wirelessly to the portable computing device. The computing device associated with a user receives a live stream of video data from the web server, processes the live stream of video data, and generates a computer interface. The computer interface may include a public computer interface including a public channel and an invisible computer interface including an invisible shares channel associated with the user including an icon corresponding with one or more invisible shares, each invisible share corresponding with a live stream of video data and each invisible share not retrievable using a search form in the computer interface, the application server, and the database.
  Type: Grant
  Filed: January 8, 2014
  Date of Patent: March 31, 2015
  Assignee: Arizona Board of Regents
  Inventors: Lee Bliss, Jenean M. Perelstein, John C. Georgas, Britt Weber Mullen, Bryce Evan Carey, Waylon Jay-Shije Dixon, Chad Michael Ellsworth
- Patent number: 8997168
  Abstract: According to one embodiment, a video server apparatus includes a memory, a recorder, a decoder, a controller, a synchronizer, a sync signal transmitter and a time manager. The synchronizer generates sync signals in frame unit. The sync signal transmitter distributes the sync signals generated by the synchronizer in frame unit, to the memory, the recorder, the decoder and the controller. Each of the memory, recorder, decoder and controller includes a time manager. The time manager manages the sync signals distributed.
  Type: Grant
  Filed: January 31, 2012
  Date of Patent: March 31, 2015
  Assignee: Kabushiki Kaisha Toshiba
  Inventors: Hiroyuki Watanabe, Toshiki Mori, Shuichi Yamaguchi, Naoko Satoh
- Patent number: 8997169
  Abstract: Systems and methods for synchronizing the playback of network media across multiple content playback devices, termed herein as “playback devices”, “clients”, or “client devices”. In one implementation, client devices are controlled to parse and buffer media content separately. Once all clients are ready, a controller may cause the client devices to start in a synchronized fashion based on signals sent by the controller. The controller adjusts the timing of the signal so that the outputs are displayed in synchronization on each client device. In other implementations, device lag times may be measured. In still other implementations, a master device may synchronize playback of media content on slave devices. In yet other implementations, devices may buffer and join playback of media content occurring on other devices. In further implementations, the systems and methods may be expanded to include steps of processing authentication for service providers prior to arranging synchronized playback.
  Type: Grant
  Filed: March 23, 2012
  Date of Patent: March 31, 2015
  Assignees: Sony Corporation, Sony Network Entertainment International LLC
  Inventors: Charles McCoy, True Xiong, Ling Jun Wong
- Patent number: 8997170
  Abstract: A device is disclosed that includes software components for executing actions and for controlling the device in order to conform to specified policies. The device includes a controller to deny or permit execution of actions. The controller monitors and interrupts execution of device's actions in order to determine whether an action violates a policy, policy rules, or if the action is prohibited by a policy. The controller also manages policies defined for the device. Each policy is translated into a language understandable by the controller and stored on the device. Each policy can be updated or changed dynamically. Additionally, each policy can securely be updated or changed remotely.
  Type: Grant
  Filed: April 10, 2007
  Date of Patent: March 31, 2015
  Assignee: Shared Spectrum Company
  Inventors: Filip Perich, Mark A. McHenry, Peter A. Tenhula
- Patent number: 8997171
  Abstract: In accordance with one or more aspects, an application that is to be suspended on a computing device is identified based on a policy. The policy indicates that applications that are not being used are to be suspended. The application is automatically suspended, and is allowed to remain in memory but not execute while suspended. Additionally, when memory is to be freed one or more suspended applications to terminate are automatically selected based on the policy, and these one or more selected applications are terminated.
  Type: Grant
  Filed: August 19, 2011
  Date of Patent: March 31, 2015
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Benjamin Salim Srour, Michael H. Krause, Haseeb Ahmed, Zinaida A. Pozen
- Patent number: 8997172
  Abstract: Various aspects as described herein are directed to systems, method, apparatuses, and software for intercepting requests to copy content, paste content, clip content, cut content, or perform a print screen operation, and either allowing the requested operation to occur or preventing the operation depending upon whether the content is sourced from a streamed application or a non-streamed application, and/or depending upon a streamed application-based policy. This may be performed by, for instance, hooking an appropriate function call to the operating system.
  Type: Grant
  Filed: October 31, 2011
  Date of Patent: March 31, 2015
  Assignee: Citrix Systems, Inc.
  Inventor: Michael Wookey
- Patent number: 8997173
  Abstract: A method includes receiving at a similarity arbitrator information about a security policy of a candidate virtual machine that is proposed to be included in a cluster of virtual machines, comparing the security policy of the candidate virtual machine to the security policies of a plurality of virtual machines in the cluster, and in response to the comparison, recommending that a virtualization environment manager exclude the candidate virtual machine from the cluster or include the candidate virtual machine in the cluster. Related systems and computer program products are also disclosed.
  Type: Grant
  Filed: September 12, 2012
  Date of Patent: March 31, 2015
  Assignee: CA, Inc.
  Inventors: Itzhak Fadida, Nir Barak, Eitan Hadar
- Patent number: 8997174
  Abstract: Systems and methods for configuring browser policy settings on client computing devices are provided. In some aspects, a method includes receiving login credentials from a client computing device. The client computing device includes a browser. The method also includes transmitting browser policy data associated with the login credentials to the client computing device. The browser policy data identifies browser policy settings to be installed on the browser. The browser policy settings identified by the browser policy data include four or more of: compliance settings, behavioral settings, browser/software applications, permission to access one or more websites, restrictions on accessing one or more websites, read permission in a remote document storage unit accessible via the browser, or write permission in a remote document storage unit accessible via the browser.
  Type: Grant
  Filed: November 28, 2012
  Date of Patent: March 31, 2015
  Assignee: Google Inc.
  Inventors: Glenn Wilson, Sumit Gwalani, William A. Drewry, Mattias Stefan Nissler, Daniel Kenneth Clifford, Christopher Masone
- Patent number: 8997175
  Abstract: A wireless LAN communication terminal and its communication control method are provided that make it possible to configure desired security between the terminal and an other-end terminal, without increasing power consumption of the terminals. The wireless LAN communication terminal (103) in a wireless LAN system including an access point (102), if the other-end terminal (101) has connected to the access point (102), acquires from the other-end terminal information about security functions the other-end terminal has and information about a current connection with the access point; compares the security function information and the connection information on the other-end terminal with its own security policy; selects, based on results of the comparisons, either a direct connection (106) with the other-end terminal or a relay connection (105) via the access point so that the security policy is met; and performs communication with the other-end terminal by using the selected connection.
  Type: Grant
  Filed: July 15, 2011
  Date of Patent: March 31, 2015
  Assignee: Lenovo Innovations Limited (Hong Kong)
  Inventor: Youko Omori
- Patent number: 8997176
  Abstract: Some embodiments include a method of generating an event-based device ID based on an operating environment of a computing device. The method includes binding an event-based identifier and an events profile ID to a policy-related record that is associated with an externally controlled policy. The binding ensures that the policy is applied to the operating environment identified by the event-based identifier. The method includes generating the device ID based on event logs of the computing device.
  Type: Grant
  Filed: June 12, 2014
  Date of Patent: March 31, 2015
  Assignee: Flexera Software LLC
  Inventors: Jean Marie Znidarsic, David Znidarsic
- Patent number: 8997177
  Abstract: The present invention provides an image-based encryption and decryption technique where the user uses pre-chosen image categories to create an encryption/decryption key. The encryption key can be used to encrypt alphanumeric strings such as a confirmation code or other information. The user uses the decryption key (i.e., knowledge of the chosen image categories) to decrypt and recover the original message. For example, upon presentation of a grid of images, the user selects certain images contained therein that match the pre-chosen image categories to recover the original message.
  Type: Grant
  Filed: May 31, 2012
  Date of Patent: March 31, 2015
  Assignee: Confident Technologies, Inc.
  Inventors: Roman O. Yudkin, Sarah Needham
- Patent number: 8997178
  Abstract: A method and system for securing hosting web pages from malicious third party modules. The method includes uploading a third party module to a hosting web page; validating a proxy API call received from the third party module, wherein the proxy API call includes at least a payload parameter provided by the third party module; generating an engine API call including at least the payload parameter; validating the engine API call; and executing the payload parameter if the engine API call is validated.
  Type: Grant
  Filed: December 12, 2012
  Date of Patent: March 31, 2015
  Assignee: Sizmek Technologies Ltd.
  Inventor: Efraeim Cohen
- Patent number: 8997179
  Abstract: Technologies related to shared secret identification for secure communication are generally described. In some examples, devices may exchange hashes, such as file deduplication hashes, to identify a matching hash. The identified matching hash represents a shared data item which may be used as a shared secret to encrypt and/or decrypt subsequent secure communications between the devices. Each device retrieves the shared data item from its respective secure memory and may use the shared data item to encrypt and/or decrypt subsequent secure communications. An eavesdropper may observe the hash exchange, but will not be able to decrypt the secure communications without access to the shared data item, because hashes may be effectively non-invertible.
  Type: Grant
  Filed: September 26, 2012
  Date of Patent: March 31, 2015
  Assignee: Empire Technology Development LLC
  Inventor: Ezekiel Kruglick
- Patent number: 8997180
  Abstract: Methods and systems provide embeddable user interface widgets to third-party applications so that the widgets can be securely embedded in, and securely used from within, the third-party applications. An embeddable widget may be authorized to access a first-party cloud storage system from a third-party application based on the cloud storage system authenticating a request received from the widget. The authentication may be based on an application identifier, an origin identifier, and/or one or more document identifiers received from the third-party application through the embedded widget. The disclosed methods and systems may significantly mitigate security concerns caused by embedding software in third-party sites, such as clickjacking.
  Type: Grant
  Filed: March 15, 2013
  Date of Patent: March 31, 2015
  Assignee: Google Inc.
  Inventors: Brian Lewis Cairns, Victoria Hsiao-Tsung Chou Fritz, Eric Benson Schoeffler, Michael Jeffrey Procopio
- Patent number: 8997181
  Abstract: Methods for assessing the current security state of a mobile communications device. A security component installed in either the server or the mobile communications device is configured to assess the current security state by processing security data generated by the mobile communications device. If the security data is not current, then security events on the mobile communications device are evaluated to determine a severity level for the security events, and this determination is used to assess the current security state of the mobile communications device.
  Type: Grant
  Filed: September 23, 2013
  Date of Patent: March 31, 2015
  Assignee: Lookout, Inc.
  Inventors: Kevin Patrick Mahaffey, John G. Hering, James David Burgess
- Patent number: 8997182
  Abstract: A method of registering a legacy device, a method of transferring data, and a method of authenticating a legacy device are provided. The method of registering a legacy device by using a virtual client, which allows the legacy device to access a domain, includes: receiving unique information on the legacy device from the legacy device which requests the domain to register the legacy device; searching a registrable legacy device list including the unique information on the legacy device which can be registered in the domain for the unique information on the legacy device; and requesting a domain manager, which manages the domain, to register the legacy device, when the unique information on the legacy device is included in the registrable legacy device list, and not allowing the legacy device to be registered in the domain when the unique information on the legacy device is not included in the registrable legacy device list.
  Type: Grant
  Filed: March 6, 2007
  Date of Patent: March 31, 2015
  Assignee: LG Electronics Inc.
  Inventors: Man-soo Jeong, IL-gon Park, Koo-yong Pak, Min-gyu Chung, Sung-hyun Cho, Soo-jung Kim, Kiran Kumar Keshavamurthy
- Patent number: 8997183
  Abstract: To allow inspecting whether a security check of a planned outgoing email is finished in an outgoing email check system, a check data providing apparatus 2 of an outgoing email check system 100 stores check information distributed from a check information management apparatus 1, appends check data generated based on the check information to a header of a checked planned outgoing email, and transmits the email to an email transmitting apparatus 9. A check data inspecting apparatus 3 stores the check information distributed from the check information management apparatus 1, inspects the check data extracted from the planned outgoing email received from the email transmitting apparatus 9 based on the check information, determines that the transmission is permitted when the check data of the planned outgoing email matches the check information, and determines that the transmission is rejected when the check data does not match the check information.
  Type: Grant
  Filed: March 30, 2010
  Date of Patent: March 31, 2015
  Assignees: Fujitsu Limited, Fujitsu Social Science Laboratory Limited
  Inventors: Ryota Fukasawa, Aya Higashizono, Natsu Hashisaka, Masayoshi Okamoto, Kiyoshi Kurashige, Hiroshi Tsuda, Yoshinori Katayama, Fumihiko Kozakura, Shinichi Mochizuki
- Patent number: 8997184
  Abstract: Systems and methods for presenting a request are disclosed. The systems and methods may include one or more steps, such as receiving, by an electronic device, request information from an entity. The request information may include a request for approval by a user. The steps may further include transmitting, by the electronic device, data containing the request information to a computing device, receiving, by the electronic device, a symbology corresponding to the request information from the computing device and presenting, by the electronic device, the symbology to the user.
  Type: Grant
  Filed: June 22, 2012
  Date of Patent: March 31, 2015
  Assignee: Paychief LLC
  Inventors: Andre Gustavo Vellozo Luz, Mauricio Ghetler
- Patent number: 8997185
  Abstract: An encryption sentinel system and method protects sensitive data stored on a storage device and includes sentinel software that runs on a client machine, sentinel software that runs on a server machine, and a data storage device. When a client machine requests sensitive data from the data storage device, the data storage device interrogates the sentinel software on the server machine to determine if this client machine has previously been deemed to have proper encryption procedures and authentication. If the sentinel server software has this information stored, it provides an approval or denial to the storage device that releases the data if appropriate. If the sentinel server software does not have this information at hand or the previous information is too old, the sentinel server interrogates the sentinel software that resides on the client machine which scans the client machine and provides an encryption update to the sentinel server software, following which data will be released if appropriate.
  Type: Grant
  Filed: November 27, 2012
  Date of Patent: March 31, 2015
  Inventor: Bruce R. Backa
- Patent number: 8997186
  Abstract: A system including a controller having a data repository configured to store a first mapping associating a user to an Application Certificate and a second mapping associating the user to a user privilege. The system further includes an OPC Unified Architecture (UA) server configured to provide server access based on receiving the Application Certificate from an OPC UA client and enforcing the user privilege, in which the user privilege is retrievable based on the first and the second mappings.
  Type: Grant
  Filed: January 24, 2013
  Date of Patent: March 31, 2015
  Assignee: General Electric Company
  Inventors: Susan Jean Brown, Richard William Shaw, Jr., Jeffery Martin Emery
- Patent number: 8997187
  Abstract: A computer-readable medium encoded with software for execution. When executed, the software may be operable to send to a remote server, from an agent application, a request for a first access credential. The software may also be operable to receive from the remote server, the first access credential. The software may further be operable to determine, by the agent application monitoring a managed application, that the managed application requires a second access credential. The software may additionally be operable to, in response to the determination that the managed application requires the second access credential, sending to the managed application, from the agent application, the second access credential.
  Type: Grant
  Filed: March 15, 2013
  Date of Patent: March 31, 2015
  Assignee: AirWatch LLC
  Inventor: John Joseph Manton
- Patent number: 8997188
  Abstract: A Smart Device (102) securely validates an incoming message emanating from an external source (906). A method embodiment comprises the steps of a SPARC Internet Security Corporation (SISC 900) verifying (912) that the incoming message contains a pre-stored validity identifier (901). When the incoming message contains the correct validity identifier (901), SSC (900) appends (914) a SSD Unsolicited Transaction Identifier (SSD UT ID) to the message. The SSD UT ID comprises a unique security device (104) identifier and an optional message count. SISC (900) then sends (915) the message and the SSD UT ID to the Smart Device (102). The invention does not require encryption, PINs, or passwords. In an embodiment of the invention, Smart Device (102) is not allowed to communicate directly with external networks (506), but rather must do so via SSD (104). This removes the security burden from Smart Device (102), speeding and simplifying transactions.
  Type: Grant
  Filed: October 14, 2013
  Date of Patent: March 31, 2015
  Inventors: Jerome Svigals, Howard M. Svigals, Geoff Ingalls, John D. Hipsley
- Patent number: 8997189
  Abstract: Embodiments of multi-user web service sign-in client side components are presented herein. In an implementation, the currently authenticated user account of a first application of a client is transferred to another application of a client. In another implementation, a common credential store is used to share data for a plurality of user accounts associated with a client between a plurality of applications of the client, and for the applications to output multi-user interfaces having portions corresponding to the plurality of accounts.
  Type: Grant
  Filed: May 31, 2013
  Date of Patent: March 31, 2015
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Erren Dusan Lester, Kok Wai Chan, Lynn C. Ayres, Naresh Jain, Rui Chen, Trevin M. Chow
- Patent number: 8997190
  Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.
  Type: Grant
  Filed: September 25, 2013
  Date of Patent: March 31, 2015
  Assignee: Symantec Corporation
  Inventors: Carey Nachenberg, Zulfikar Ramzan
- Patent number: 8997191
  Abstract: Embodiments of the invention relate to collecting keystroke timing data of samples of a phrase input by a user on an input device during different user sessions, and creating a biometric user template based on the timing data collected during the different sessions. Once a sufficient number of samples are collected, the template may be used to authenticate the user.
  Type: Grant
  Filed: February 3, 2009
  Date of Patent: March 31, 2015
  Assignee: Servicesource International, Inc.
  Inventors: Yvonne J. Stark, Mechthild Reginu Kellas-Dicks
-
Patent number: 8997192
Abstract: A secure processor such as a TPM generates one-time-passwords used to authenticate a communication device to a service provider. In some embodiments the TPM maintains one-time-password data and performs the one-time-password algorithm within a secure boundary associated with the TPM. In some embodiments the TPM generates one-time-password data structures and associated parent keys and manages the parent keys in the same manner it manages standard TPM keys.
Type: Grant
Filed: May 17, 2013
Date of Patent: March 31, 2015
Assignee: Broadcom Corporation
Inventors: Mark Buer, Douglas Allen
-
Patent number: 8997193
Abstract: A system includes authentication of a user with a first server, reception of a request from the user to authenticate the user with a second server, requesting, from the first server, in response to receiving the request, user credentials to access the second server, reception of the user credentials from the first server, and transmission of the user credentials to the second server.
Type: Grant
Filed: May 14, 2012
Date of Patent: March 31, 2015
Assignee: SAP SE
Inventors: Vladimir Videlov, Dimitar Mihaylov
-
Patent number: 8997194
Abstract: A system for authenticating users of an application program executing at a front-end computer using the security features built into the operating system of a logon computer is provided. Initially, an administrator establishes user accounts for each user with an operating system executing at the logon computer with access to application resources. When the application program starts executing at the front-end computer, the application program prompts the user for credentials. The application program attempts to access resources managed by the logon computer using the received credentials. When access to a resource is successful, the application program knows that the logon computer has authenticated the user and the user is authorized to access the resource. In this manner, the application program can take advantage of the security features built into the operating system executing at the logon computer to authenticate users of the application program and authorize access to application resources.
Type: Grant
Filed: July 3, 2013
Date of Patent: March 31, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Mehul Y. Shah, Benoit Sanscartier
-
Patent number: 8997195
Abstract: In an example computer-implemented method, a password management (PM) server receives an access request message from a login computer at which a resource requiring vaulted credentials has been requested. The access request message identifies the requested resource and the login computer. A session identifier (ID) is generated that is linked to the login computer and to the requested resource, and is transmitted to the login computer. The PM server receives, from a mobile computing device, a user ID and a value indicative of the session ID. If the user ID is not authorized to access the requested resource, the PM server transmits the vaulted credentials to the login computer or the mobile computing device only if an approval message indicative of a confirmation code is received from a manager computing device authorizing release of the vaulted credentials for the user ID.
Type: Grant
Filed: March 27, 2014
Date of Patent: March 31, 2015
Assignee: CA, Inc.
Inventors: Itzhak Fadida, Guy Balzam, Amir Jerbi, Nir Barak
-
Patent number: 8997196
Abstract: Systems, methods and apparatus for accessing at least one resource hosted by at least one server of a cloud service provider. In some embodiments, a client computer sends authentication information associated with a user of the client computer and a statement of health regarding the client computer to an access control gateway deployed in an enterprise's managed network. The access control gateway authenticates the user and determines whether the user is authorized to access the at least one resource hosted in the cloud. If the user authentication and authorization succeeds, the access control gateway requests a security token from a security token service trusted by an access control component in the cloud and forwards the security token to the client computer. The client computer sends the security token to the access component in the cloud to access the at least one resource from the at least one server.
Type: Grant
Filed: June 14, 2010
Date of Patent: March 31, 2015
Assignee: Microsoft Corporation
Inventors: Asaf Kariv, Oleg Ananiev, Eli Tovbeyn, Daniel Kershaw, Eugene (John) Neystadt
-
Patent number: 8997197
Abstract: Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token, the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.
Type: Grant
Filed: December 12, 2012
Date of Patent: March 31, 2015
Assignee: Citrix Systems, Inc.
Inventors: Joseph Nord, Benjamin Elliot Tucker, Timothy Gaylor
-
Patent number: 8997198
Abstract: A method is performed by a data server of a plurality of data servers connected to a network, the data server including data storage managed by a remote metadata server, the metadata server managing storage of data across the plurality of data servers. The method includes (a) receiving, via the network, an access request from a client, the access request requesting access to a portion of the data storage of the data server, (b) testing whether the access request includes a data server specific token authenticating that the client has been authorized by the metadata server to access the portion of data storage, and (c) in response to testing, providing the client with access to the portion of data storage on condition that the access request includes the token authenticating that the client has been authorized by the metadata server to access the portion of data storage.
Type: Grant
Filed: December 31, 2012
Date of Patent: March 31, 2015
Assignee: EMC Corporation
Inventors: James Alan Kelley, Roberto Tamassia, Nikolaos Triandopoulos
-
Patent number: 8997199
Abstract: Systems and methods of token-based protection for links to media streams are disclosed. For example, a computing device may generate a first token based on a private key and an encryption algorithm. The first token may be inserted into a link to a media stream. When the link is selected at a client device, a media request including the first token may be sent to a server. The server may generate a second token based on the private key and the encryption algorithm. The server may grant or deny the media request based on a comparison of the first token and the second token.
Type: Grant
Filed: December 17, 2013
Date of Patent: March 31, 2015
Assignee: Wowza Media Systems, LLC
Inventors: Brian M. Riegel, James S. Sherry
-
Patent number: 8997200
Abstract: An electronic device for communication in a data network including a communication circuit adapted for performing the network communication, which communication includes controlling a plurality of network layers, the layers including a physical layer, a link layer and at least one higher order layer, the communication circuit includes a protective circuit for identifying unwanted data. The electronic device is characterized in that the protective circuit is arranged to monitor data during transmission of data from the electronic device, and identify unwanted data, and the communication circuit is adapted to avoid transmission of the unwanted data identified by the protective circuit. In this way the network is protected against excessive traffic, for example during a Denial of Service attack.
Type: Grant
Filed: May 16, 2013
Date of Patent: March 31, 2015
Assignee: ABB Research Ltd.
Inventors: Kevin McGrath, Alexander Wold
-
Patent number: 8997201
Abstract: In one embodiment, a method includes initiating integrity monitoring at a network device, continuously monitoring the network device to detect changes at the network device over a period of time, and transmitting information collected during said integrity monitoring to a security device for use in determining if the network device is allowed access to a trusted network. An apparatus and logic are also disclosed.
Type: Grant
Filed: May 14, 2012
Date of Patent: March 31, 2015
Assignee: Cisco Technology, Inc.
Inventor: Brian Wotring
-
Patent number: 8997202
Abstract: A system for securely transferring information from an industrial control system network, including, within the secure domain, one or more remote terminal units coupled by a first network, one or more client computers coupled by a second network, and a send server coupled to the first and second networks. The send server acts as a proxy for communications between the client computers and the remote terminals and transmits first information from such communications on an output. The send server also transmits a poll request to a remote terminal unit via the first network and transmits second information received in response to the poll on the output. The system also includes, outside the secure domain, a receive server having an input coupled to the output of the send server via a one-way data link. The receive server receives and stores the first and second information provided via the input.
Type: Grant
Filed: December 6, 2012
Date of Patent: March 31, 2015
Assignee: Owl Computing Technologies, Inc.
Inventors: John Curry, Ronald Mraz
-
Patent number: 8997203
Abstract: In some implementations, a method for routing communication includes determining a binding interface for a communication session based on a forwarding information base (FIB) and a destination for the communication session. The communication session is from an application running on user equipment (UE), and the binding interface is included in a virtual private network (VPN) tunnel established through an Internet Protocol (IP) security (IPsec) interface. Whether to filter the communication session is determined based on which perimeter of the UE includes the binding interface and which perimeter of the UE includes the IPsec interface.
Type: Grant
Filed: August 7, 2012
Date of Patent: March 31, 2015
Assignee: BlackBerry Limited
Inventors: Chi Chiu Tse, Jason Songbo Xu, Ania Halliop, Chun Hei Justin Lai
-
Patent number: 8997204
Abstract: Techniques for modifying packet filters in a wireless communication network are described. In one scheme, packet filters may be performed with multiple operations, if needed. The operation(s) to be performed and the order of performing the operation(s) may be dependent on the number of existing packet filters to be replaced (N) and the number of new packet filters (M). If N=M, then N packet filters in a traffic filter template may be replaced with a single operation. If N>M, then M packet filters in the traffic filter template may be replaced first, and N−M packet filters may be deleted from the traffic filter template next. If N<M, then M−N new packet filters may be added to the traffic filter template first, and N packet filters in the traffic filter template may be replaced next. In another scheme, packet filters are modified with a single operation using dummy packet filters, if needed.
Type: Grant
Filed: November 8, 2012
Date of Patent: March 31, 2015
Assignee: QUALCOMM Incorporated
Inventors: Uppinder Singh Babbar, Rashmi Char, Senthil K. Viswanathan, Srinivas Reddy Mudireddy
-
Patent number: 8997205
Abstract: A method and apparatus for providing secure domain name services by utilizing a hypervisor to provide an isolated execution environment in which a secure browser session can be instantiated. The secure browser session utilizes a secure DNS server to provide domain name services.
Type: Grant
Filed: June 27, 2008
Date of Patent: March 31, 2015
Assignee: Symantec Corporation
Inventor: Vijay Anand Seshadri
-
Patent number: 8997206
Abstract: The present invention provides a new network topology. More specifically, a peer-to-peer network is defined on a virtual private network. The peer-to-peer network comprises a set of specified users within a virtual private network that are allowed to communicate according to predetermined rules enforced by the peer-to-peer network itself. This affords secure communication between the specified users of the peer-to-peer network independent of the virtual private network.
Type: Grant
Filed: June 6, 2007
Date of Patent: March 31, 2015
Assignee: Avaya Inc.
Inventors: Joseph Curcio, Mahalingam Mani