Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
-
Patent number: 9132846
Abstract: A system and method for automatically establishing a wireless network between multiple units in a locomotive consist. A leading locomotive may transmit through the MU cable a ping signal to a remote unit that is directly or indirectly connected to the leading locomotive. When the remote unit replies to the ping, the leading locomotive may transmit through the MU cable network setup information to the remote unit. The remote unit may automatically set up its network controls using the data provided by the leading locomotive to communicate with the leading locomotive through a wireless network.
Type: Grant
Filed: October 18, 2012
Date of Patent: September 15, 2015
Assignee: Electro-Motive Diesel, Inc.
Inventor: Lawrence Stanley Przybylski
-
Patent number: 9137207
Abstract: An object of the present invention is to more appropriately filter a packet from an external device. This object is achieved by: obtaining address information of the external device from the packet; judging whether or not the address information of the external device has been registered as filter information; extracting, when it is judged that the address information has not been registered, device discrimination information of the external device from the address information of the external device; judging whether or not address information having the same device discrimination information as the extracted device discrimination information has been registered as the filter information; and registering, when it is judged that the address information having the same device discrimination information has been registered, the address information of the external device as the filter information.
Type: Grant
Filed: September 13, 2012
Date of Patent: September 15, 2015
Assignee: CANON KABUSHIKI KAISHA
Inventor: Masamichi Tanji
-
Patent number: 9137222
Abstract: In one embodiment, a proxy receives, from a client node, a file to be stored by a cloud storage server, where the proxy and the client node are part of a private network that does not include the cloud storage server. The proxy retrieves an encryption key associated with a user of the client node and encrypts the file using the encryption key. The proxy then transmits the encrypted file to the cloud storage server.
Type: Grant
Filed: October 31, 2012
Date of Patent: September 15, 2015
Assignees: VMware, Inc., Decho Corporation
Inventors: Edward Scarlett Haeger, Karl Schurig, Michael Cenname, Steve Elliott, Andrew Skowronski
-
Patent number: 9124515
Abstract: Example embodiments relate to elephant flow detection in a computing device. In example embodiments, a computing device may monitor a socket for a given flow. The computing device may then determine whether the flow is an elephant flow based on the monitoring of the socket. If so, the computing device may signal the network that transmits the flow that the flow is an elephant flow.
Type: Grant
Filed: November 22, 2010
Date of Patent: September 1, 2015
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Andrew Robert Curtis, Praveen Yalagandula
-
Patent number: 9116765
Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for obfuscating data using instructions as a source of pseudorandom values. Obfuscation is performed by receiving instructions and data and compiling the instructions and the data into an executable file having a text section and a data section. The text section can include instructions and the data section can include data segments. The system obfuscates the data section iteratively by generating a hash of an address for a respective data segment, and based on the hash, identifying a corresponding address in the text section that includes at least one instruction. The system retrieves a mask key from the corresponding address and applies the mask key to the respective data segment, yielding a masked data segment. In one embodiment, integrity verification of obfuscated data is performed without exposing the data in an unprotected state by utilizing multiple mask keys.
Type: Grant
Filed: November 30, 2011
Date of Patent: August 25, 2015
Assignee: Apple Inc.
Inventors: Jon McLachlan, Gideon M. Myles, Julien Lerouge
-
Patent number: 9118632
Abstract: A sender may generate a primary email including a primary header and a primary body, the primary header including a sender address associated with the sender computing system and the recipient address associated with a recipient client, encrypt at least a part of the primary body to generate a primary encrypted email, encrypt the primary encrypted email to generate an encrypted sender-to-recipient pseudo-body, add a trusted party-to-recipient header to the encrypted sender-to-recipient pseudo-body including a trusted party address of a trusted party and the recipient address associated with the recipient client to generate a trusted party-to-recipient email, encrypt the trusted party-to-recipient email to generate an encrypted trusted party-to-recipient pseudo-body, add a sender-to-trusted party header to the encrypted trusted party-to-recipient pseudo-body including the sender address and the address of the trusted party to generate a sender-to-trusted party email, and send the sender-to-trusted party email.
Type: Grant
Filed: March 12, 2015
Date of Patent: August 25, 2015
Assignee: Google Inc.
Inventors: Weihaw Chuang, Nicolas Lidzborski
-
Patent number: 9111103
Abstract: An access control device can be communicationally coupled to a storage device and can control access thereto. The access control device can comprise information, such as identities of authorized entities, to enable the access control device to independently determine whether to provide access to an associated storage device. Alternatively, the access control device can comprise information to establish a secure connection to an authorization computing device and the access control device can implement the decisions of the authorization computing device. The access control device can control access by instructing a storage device to execute specific firmware instructions to prevent meaningful responses to data storage related requests. The access control device can also comprise storage-related cryptographic information utilized by the storage device to encrypt and decrypt data.
Type: Grant
Filed: November 26, 2012
Date of Patent: August 18, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Vladimir Sadovsky, Sompong Paul Olarig, Chris Lionetti, James Robert Hamilton
-
Patent number: 9104809
Abstract: In one embodiment, a method includes accessing one or more document object model (DOM) representations of one or more pages of a Web application that comprises one or more instances of a web-application artifact. For each of one or more of the instances, the method also includes identifying a first set of one or more DOM elements in one of the DOM representations of one of the pages that collectively correspond to the instance. The method additionally includes identifying a second set of one or more particular values of one or more particular attributes of one or more particular ones of the DOM elements in the first sets. The second set may then be mapped to the web-application artifact to provide a DOM definition of the web-application artifact.
Type: Grant
Filed: March 24, 2010
Date of Patent: August 11, 2015
Assignee: Fujitsu Limited
Inventors: Mukul R. Prasad, Sreeranga P. Rajan
-
Patent number: 9106625
Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.
Type: Grant
Filed: November 24, 2009
Date of Patent: August 11, 2015
Assignee: ADVANCED MICRO DEVICES, INC.
Inventors: Marufa Kaniz, Jeffrey Dwork, Robert Alan Williams, Mohammad Y. Maniar, Somnath Viswanath
-
Patent number: 9104882
Abstract: An access platform or other network elements can include multiple line cards configured to encrypt data. The platform and/or each of the line cards may receive encryption management data that conforms to a predefined encryption management data interface. The encryption management data received by a particular line card may be generated by a conditional access system device and converted to conform to the encryption management data interface by an encryption manager. Line cards may alternatively be configured for connection to separate encryption hardware components. Line cards may include a block of field programmable gate arrays or other type of programmable hardware that can be configured to execute an encryption module.
Type: Grant
Filed: December 7, 2010
Date of Patent: August 11, 2015
Assignee: Comcast Cable Communications, LLC
Inventors: Jorge Daniel Salinger, Kevin Taylor, James William Fahrny
-
Patent number: 9100191
Abstract: A method for forming a digital certificate includes receiving contact information associated with the digital certificate. The contact information includes at least a name, a mailing address, and an email address. The method also includes receiving billing information associated with the digital certificate and receiving a Certificate Signing Request (CSR) for the digital certificate. The method further includes receiving a first name for use in forming the digital certificate and receiving a second name for use in forming the digital certificate. Moreover, the method includes receiving an indication of a vendor of web server software, receiving an indication of a service period for the digital certificate, and forming the digital certificate. The first name is stored in a Subject field of the digital certificate and the second name is stored in the SubjectAltName extension of the digital certificate.
Type: Grant
Filed: January 25, 2013
Date of Patent: August 4, 2015
Assignee: Symantec Corporation
Inventors: Quentin Liu, Marc Loren Williams, Richard F. Andrews
-
Patent number: 9081972
Abstract: Secondary content is encrypted for distribution to client terminals by selecting at least a portion of raw encrypted audio-video data (REAVD) that is provided on a media article as an encryption key, encrypting secondary content using the encryption key, and storing encrypted secondary content at a remotely located host. The media article can then be used for providing access to the encrypted secondary content to client terminals by receiving encrypted secondary content at a client terminal, extracting a decryption key from a media article encoded with REAVD, the decryption key being determined by at least a portion of the REAVD, using the decryption key to decrypt the secondary content, and outputting the decrypted secondary content from the client terminal.
Type: Grant
Filed: June 24, 2013
Date of Patent: July 14, 2015
Inventor: Gary Stephen Shuster
-
Patent number: 9083699
Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
Type: Grant
Filed: October 31, 2013
Date of Patent: July 14, 2015
Assignee: BlackBerry Limited
Inventors: Michael Kenneth Brown, Michael S. Brown, Herbert Anthony Little, Neil Patrick Adams
-
Patent number: 9084107
Abstract: A system and method provides seamless switchover of a user device (UE) between a mobile data network and a wireless network while providing policy and charging control (PCC) of the data session in the mobile data network. A mobile core network component is made ASF aware to process user data traffic related to an auto switching function (ASF) server from a UE client located on the UE using a special access point name (APN). The mobile core network component then uses a dedicated deep packet inspection (ASF DPI) for all data transfers to the special APN. The core network component is then able to process the UE data traffic seamlessly as the traffic is toggled between the ASF tunnel and the WiFi tunnel. By monitoring the data traffic on the ASF tunnel, the core component (GGSN/PGW) is able to provide PCC for the data session.
Type: Grant
Filed: March 9, 2013
Date of Patent: July 14, 2015
Assignee: International Business Machines Corporation
Inventors: Yan Cai, Canio Cillis, Ting Ding, Ekkart Leschke, Biao Long
-
Patent number: 9069939
Abstract: In accordance with an example embodiment of the invention there is provided a method, comprising: associating an International Mobile Equipment Identity (IMSI) with a mobile telecommunication device, the IMSI configured to identify the device to a mobile telephone network; storing a software program in memory associated with the device; storing a licence, necessary for allowing the operation of the software program on the device, in memory associated with the device; and locking the licence to said IMSI such that the software application cannot be operated on the device without said IMSI being associated with the device; wherein, the licence and the IMSI are stored on the same memory medium such that they are transportable from the device together.
Type: Grant
Filed: June 20, 2012
Date of Patent: June 30, 2015
Assignee: Nokia Corporation
Inventor: Ka Keung Wong
-
Patent number: 9071959
Abstract: A system and method provides seamless switchover of a user device (UE) between a mobile data network and a wireless network while providing policy and charging control (PCC) of the data session in the mobile data network. A mobile core network component is made ASF aware to process user data traffic related to an auto switching function (ASF) server from a UE client located on the UE using a special access point name (APN). The mobile core network component then uses a dedicated deep packet inspection (ASF DPI) for all data transfers to the special APN. The core network component is then able to process the UE data traffic seamlessly as the traffic is toggled between the ASF tunnel and the WiFi tunnel. By monitoring the data traffic on the ASF tunnel, the core component (GGSN/PGW) is able to provide PCC for the data session.
Type: Grant
Filed: February 21, 2013
Date of Patent: June 30, 2015
Assignee: International Business Machines Corporation
Inventors: Yan Cai, Canio Cillis, Ting Ding, Ekkart Leschke, Biao Long
-
Patent number: 9055059
Abstract: A method of combining digital certificates at a prescheduled time is provided. The method includes receiving, by a processor, data from a first certificate and data from a second certificate and determining a certificate combination date. The certificate combination date directs a combining of the first certificate and the second certificate to form a combined certificate. The method further includes detecting the occurrence of the certificate combination date and combining the first certificate and the second certificate to form the combined certificate in response to detecting the occurrence of the certificate combination date.
Type: Grant
Filed: March 31, 2014
Date of Patent: June 9, 2015
Assignee: Symantec Corporation
Inventors: Kokil Bhalerao, Quentin Liu, Marc Williams, Richard F. Andrews
-
Patent number: 9047446
Abstract: Media content is delivered to a variety of mobile devices in a protected manner based on client-server architecture with a symmetric (private-key) encryption scheme. A media preparation server (MPS) encrypts media content and publishes and stores it on a content delivery server (CDS), such as a server in a content distribution network (CDN). Client devices can freely obtain the media content from the CDS and can also freely distribute the media content further. They cannot, however, play the content without first obtaining a decryption key and license. Access to decryption keys is via a centralized rights manager, providing a desired level of DRM control.
Type: Grant
Filed: July 26, 2013
Date of Patent: June 2, 2015
Assignee: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
Inventors: Raj Nair, Mikhail Mikhailov
-
Patent number: 9049681
Abstract: A router receives from a host service a message which is intended for delivery to a mobile device via a wireless network. The message includes an indication field which includes a return packet indication on whether to send a return packet to the host, an identifier field which includes an identifier which identifies the device, and a payload field which includes a payload of the message. When the indication is set to a first setting and the message is not being delivered to the device, the router sends to the host a return packet which indicates that the message is not being delivered to the device. When the indication is set to a second setting and the message is not being delivered to the device, the router does not send to the host the return packet which indicates that the message is not being delivered to the device.
Type: Grant
Filed: January 18, 2013
Date of Patent: June 2, 2015
Assignee: Blackberry Limited
Inventors: Ian Michael Patterson, Allan David Lewis, Alina Kushnir, Simon Tyler Wise
-
Publication number: 20150149764
Abstract: This disclosure is directed to techniques for providing communication between devices in different networks wherein the communication must first pass through an encryption mechanism and the devices do not have the stand-alone capability to encrypt or decrypt the communication. According to these techniques, an adapter may determine certain fields in a data packet that remain unencrypted when the data packet passes through the encryption mechanism. The adapter may then process those fields in such a way that, when the data packets are received by a second adapter, the second adapter may read those fields and obtain information.
Type: Application
Filed: January 27, 2014
Publication date: May 28, 2015
Applicant: Architecture Technology Corporation
Inventors: Deborah K. Charan, Taylor Bouvin, Ranga Ramanujan, Barry A. Trent
-
Publication number: 20150149765
Abstract: This invention is aimed at a method for the anonymisation of data that could help identify the user while a profile of said user is collected by a targeting data collection server. To implement such anonymisation, an anonymisation server is placed between a user terminal and the collections server. The profile data collected are encrypted by the terminal using a secret key shared with the data collection server. Those profile data supplemented with data that could help identify the user are then sent to the anonymisation server. The anonymisation server encrypts the data that could help identify the user with an anonymisation key of said anonymisation server before sending on the encrypted collected data and the anonymised identification data to said collection server.
Type: Application
Filed: June 6, 2013
Publication date: May 28, 2015
Applicant: GEMALTO SA
Inventors: Mireille Pauliac, Beatrice Peirani, Anne-Marie Praden
-
Patent number: 9043587
Abstract: An endpoint computer in an enterprise network is configured to detect computer security threat events, such as presence of a computer virus. Upon detection of a threat event, the endpoint computer generates computer security threat data for the threat event. The threat data may include user identifiable data that can be used to identify a user in the enterprise network. The endpoint computer encrypts the user identifiable data prior to sending the threat data to a smart protection network or to an enterprise server where threat data from various enterprise networks are collected for analysis. The endpoint computer may also encrypt an identifier for the threat data and provide the encrypted identifier to the smart protection network and to an enterprise server in the enterprise network. The enterprise server may use the encrypted identifier to retrieve the threat data from the smart protection network to generate user-specific reports.
Type: Grant
Filed: July 5, 2012
Date of Patent: May 26, 2015
Assignee: Trend Micro Incorporated
Inventors: Yi-Fen Chen, Shuosen Robert Liu
-
Patent number: 9043588
Abstract: Various embodiments provide a method and apparatus of providing accelerated encrypted connections in a cloud network supporting transmission of data including per-user encrypted data. Transmission of encrypted data from an application server uses an encryption scheme that encrypts static data using a first encryption scheme that derives keys from the content itself and encrypts dynamic data, such as dynamic website content with personalized user data, using a second encryption scheme.
Type: Grant
Filed: May 8, 2012
Date of Patent: May 26, 2015
Assignee: Alcatel Lucent
Inventors: Krishna P. Puttaswamy Naga, Katherine Guo
-
Patent number: 9043456
Abstract: A method and apparatus is provided for maintaining inventory levels of identity data to be provisioned in electronic devices. The method includes monitoring over a communications network inventory levels of identity data records stored on a plurality of identity data personalization servers that each provision electronic devices with an identity data record. Additionally, if the inventory level on at least one of the identity data personalization servers falls below a minimum specified level, a refill request is sent to an identity data management authority requesting that additional identity data records be uploaded to the identity data personalization server.
Type: Grant
Filed: February 28, 2012
Date of Patent: May 26, 2015
Assignee: ARRIS Technology, Inc.
Inventors: Annie C. Kuramoto, Xin Qiu, Ting Yao
-
Patent number: 9042598
Abstract: Methods and apparatus to generate and use content-aware watermarks are disclosed herein. In a disclosed example method, media composition data is received and at least one word present in an audio track of the media composition data is selected. The word is then located in a watermark.
Type: Grant
Filed: July 7, 2014
Date of Patent: May 26, 2015
Assignee: THE NIELSEN COMPANY (US), LLC
Inventors: Arun Ramaswamy, Robert A. Luff
-
Patent number: 9043589
Abstract: One aspect of the invention is a method for providing restricted access to confidential services without impacting the security of a network. The method includes using a gateway to isolate one or more components providing confidential services from one or more other portions of an enterprise network. A first communication directed to a selected one of the one or more components may be received at the gateway. A determination may be made as to whether the first communication is user traffic or management traffic. The first communication may then be authenticated. If the first communication is user traffic, the first communication is forwarded to a component providing the confidential services. If the first communication is management traffic, the first communication is encrypted and forwarded to a component providing the confidential services. Additionally, components of the sub-network may be monitored to identify malicious changes.
Type: Grant
Filed: November 14, 2007
Date of Patent: May 26, 2015
Assignee: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
Inventors: Robert R. Vail, Mary Jo Billings, Robert D. Bohrer, Robert D. Brooks, II, Mary M. Emmighausen, Howard M. Fannin, Edward R. Jaroch, Tonya L. Justice, Alan L. Kelkenberg, Scott R. Morris, William T. Parks, Jr., Hayes I. Saxon, William L. Weaver
-
Publication number: 20150143105
Abstract: Systems and methods for implementing a Transport I/O system are described. Network encrypted content may be received by a device. The device may provide the network encrypted content to a secure processor, such as, for example, a smart card. The secure processor obtains a network control word that may be used to decrypt the network encrypted content. The secure processor may decrypt the network encrypted content to produce clear content. In embodiments, the secure processor may then use a local control word to generate locally encrypted content specific to the device. The device may then receive the locally encrypted content from the secure processor and proceed to decrypt the locally encrypted content using a shared local encryption key. The secure processor may connect to the device via a standard connection, such as via a USB 3.0 connector.
Type: Application
Filed: January 29, 2015
Publication date: May 21, 2015
Inventors: Jerome Perrine, Hervé Goupil, Maurice Gerard van Riek, William Michael Beals, Nicolas Fischer, Benjamin Brian Ellis, Gregory Duval
-
Publication number: 20150143103
Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for allowing parties exchanging digital objects and members of social networks to catalog certain data objects as favorites in a cataloged interface and which allow the parties to access and interact with the catalog of favorited content.
Type: Application
Filed: November 18, 2013
Publication date: May 21, 2015
Applicant: Life of Two
Inventors: Roman Weishaupl, Bianca Weishaupl
-
Publication number: 20150143104
Abstract: An apparatus includes a memory; and a processor coupled to the memory and configured to generate a first common key whose key value varies based on a first elapsed time when a notification of the first elapsed time after a start-up of another apparatus to which a data frame to be encrypted is to be transmitted has been made, generate a second common key whose key value varies based on a second elapsed time after a start-up of the apparatus when a notification of the first elapsed time has not been made, and encrypt the data frame by any one of the first common key and the second common key as a common key and transmit the encrypted data frame to the another apparatus.
Type: Application
Filed: November 13, 2014
Publication date: May 21, 2015
Applicant: FUJITSU LIMITED
Inventors: Nobuyasu TABATA, Koki Mie, Katsuhiko Yamatsu, Tatsuya Soneda, Taiji Kondo
-
Patent number: 9038190
Abstract: A communication apparatus may include a reception portion, a decision portion, and a transmission portion. The reception portion may receive a first data request transmitted through a first security level communication, and a second data request transmitted through a second security level communication, the second security level being more secure than the first security level. The decision portion may decide whether a specific data request is the first data request or the second data request. The transmission portion may transmit a specific data to an apparatus that is a transmission source of the specific data request if the specific data request is the second data request, and may transmit different data to the apparatus if the specific data request is the first data request. The different data contains display information for causing the apparatus to retransmit the specific data request through the second security level communication.
Type: Grant
Filed: March 1, 2012
Date of Patent: May 19, 2015
Assignee: Brother Kogyo Kabushiki Kaisha
Inventors: Munehisa Matsuda, Yohei Maekawa, Takeshi Miyake, Yuki Yada
-
Patent number: 9038170
Abstract: A system is disclosed that logs access system events. When an access system event occurs, a log entry is created for the access system event. Information from an identity profile is stored in the log entry. The identity profile pertains to a first user. The first user is the entity who caused or was involved with the access system event. In one embodiment, the access system includes identity management and access management functionality.
Type: Grant
Filed: February 26, 2001
Date of Patent: May 19, 2015
Assignee: Oracle International Corporation
Inventors: Vrinda S. Joshi, Srinivasagapala Ramamurthy
-
Patent number: 9037656
Abstract: A method and system for facilitating interaction between an electronic device and a plurality of content provider websites are disclosed. In one embodiment, the method includes receiving at a server a plurality of information portions provided from the websites, where each of the information portions is associated with a respective copy of information that is available at each of the websites. The method also includes aggregating at the server the information portions so that they are combined into an overall grouping, with the respective information portions being maintained respectively as distinct subportions within the grouping. Further, the method includes sending from the server a message for receipt by a part of the electronic device, the primary message including the grouping. The grouping is sent together with an additional copy of the information or with an indication of that information to which the overall grouping relates.
Type: Grant
Filed: December 20, 2010
Date of Patent: May 19, 2015
Assignee: Google Technology Holdings LLC
Inventors: David Brenner, Roger Bye, Kevin Foy, Lucia Robles Noriega
-
Patent number: 9038178
Abstract: Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
Type: Grant
Filed: June 25, 2012
Date of Patent: May 19, 2015
Assignee: EMC Corporation
Inventor: Derek Lin
-
Patent number: 9036820
Abstract: A system that incorporates the subject disclosure may include, for example, instructions which when executed cause a device processor to perform operations comprising sending a service request to a remote management server; receiving from the management server an authentication management function and an encryption key generator for execution by a secure element and an encryption engine for execution by a secure device processor, sending a request to establish a communication session with a remote device; and communicating with the remote device via a channel established using an application server. The secure element and the secure device processor authenticate each other using a mutual authentication keyset. The secure element, the secure device processor and the device processor each have a security level associated therewith; the security level associated with the secure device processor is intermediate between that of the secure element and that of the device processor. Other embodiments are disclosed.
Type: Grant
Filed: September 11, 2013
Date of Patent: May 19, 2015
Assignee: AT&T INTELLECTUAL PROPERTY I, LP
Inventors: Walter Cooper Chastain, Stephen Emille Chin
-
Patent number: 9037845
Abstract: Systems and methods for updating status of digital certificate subkeys. A request is made to a key server to verify if a given key is revoked. If it is not, then the key with its subkeys is acquired from the key server. If one or more subkeys or signatures of the subkeys are different in the acquired key, then the key is replaced.
Type: Grant
Filed: April 19, 2013
Date of Patent: May 19, 2015
Assignee: BlackBerry Limited
Inventors: Michael Kenneth Brown, Michael Grant Kirkup, Herbert Anthony Little
-
Patent number: 9037844
Abstract: An infrastructure for securely communicating with electronic meters is described, which enables secure communication between a utility and a meter located at a customer, over a communication link or connection such as via a network. This enables messages to be sent from the utility to the meter and vice versa in a secure manner. The network provides a communication medium for communicating via the C12.22 protocol for secure metering. A cryptographic backend is used to cryptographically process messages to be sent to the meter and to similarly cryptographically process messages sent from the meter. By providing appropriate cryptographic measures such as key management, confidentiality and authentication, the meter can only interpret and process messages from a legitimate utility and the utility can ensure that the messages it receives are from a legitimate meter and contain legitimate information.
Type: Grant
Filed: February 26, 2010
Date of Patent: May 19, 2015
Assignee: Itron, Inc.
Inventors: Michael T. Garrison Stuber, Richard Eric Robinson
-
Patent number: 9037846
Abstract: An encrypted database management system includes: a client terminal which includes a column encrypting unit that uses an encrypting key and a group generator to encrypt data of columns indicated by specific labels of externally input tables, and output it, an intra-label projection request unit that generates an intra-label key from encrypting key and label, and outputs it, and an inter-label projection request unit that generates an inter-label projection key from encrypted key, label, and intra-label key; and a database server which includes an intra-label projection unit that generates an intra-label comparison value by the action of label and intra-label key on data of columns of specific labels of encrypted tables, an inter-label projection unit that generates an inter-label comparison value by the action of the inter-label projection key on intra-label comparison value, and an encrypted table natural join unit that conducts natural joining using intra-label comparison value.
Type: Grant
Filed: December 6, 2011
Date of Patent: May 19, 2015
Assignee: NEC CORPORATION
Inventor: Jun Furukawa
-
Publication number: 20150134949
Abstract: Methods for processing a media content are disclosed. For example, a method captures the media content, determines a direction from which the media content is captured, encrypts the media content, and sends the media content that is encrypted toward a receiving device in the direction from which the media content was captured. Another method captures the media content, determines a direction from which the media content is captured, encrypts the media content and uploads the media content that is encrypted to a data store. The method then sends a notification toward a receiving device in the direction from which the media content was captured. The notification identifies that the media content that is encrypted has been uploaded to the data store.
Type: Application
Filed: November 11, 2013
Publication date: May 14, 2015
Applicant: AT&T Intellectual Property I, L.P.
Inventor: Christopher Baldwin
-
Patent number: 9032203
Abstract: A key setting method executed by a node within communication ranges of multiple ad-hoc networks, includes receiving encrypted packets encrypted by respective keys specific to gateways and broadcasted from the gateways in the ad-hoc networks; detecting connection with a mobile terminal communicable with a server retaining the keys specific to the gateways in each ad-hoc network among the ad-hoc networks; transmitting to the server when connection with the mobile terminal is detected, the encrypted packets via the mobile terminal; receiving from the server via the mobile terminal, the keys that are specific to the gateways in the ad-hoc networks and that are for decrypting each encrypted packet among the encrypted packets; and setting each of the received keys as a key to encrypt data that is to be encrypted in the node and decrypt data that is to be decrypted in the node.
Type: Grant
Filed: June 28, 2013
Date of Patent: May 12, 2015
Assignee: Fujitsu Limited
Inventors: Masahiko Takenaka, Tetsuya Izu, Kazuyoshi Furukawa, Hisashi Kojima
-
Patent number: 9032534
Abstract: A system administrator of a wireless LAN 100 manipulates a personal computer PC1 to change a WEP key. The personal computer PC1 authenticates a memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, changed setting information, as well as a previous WEP key before the change of the setting information, is written into the memory card MC. The system administrator then inserts this memory card MC into a memory card slot of a printer PRT1. The printer PRT1 authenticates the memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, the setting information is updated. This arrangement effectively relieves the user's workload in setting wireless communication devices, while ensuring sufficiently high security.
Type: Grant
Filed: December 21, 2004
Date of Patent: May 12, 2015
Assignee: Seiko Epson Corporation
Inventor: Katsuyuki Koga
-
Patent number: 9032219
Abstract: Methods and apparatus for reducing security vulnerabilities in a client/server speech recognition system including one or more client computers and one or more server computers connected via a network. Decryption of sensitive information, such as medical dictation information, is performed on designated servers to limit the attack surface of unencrypted data. Management of encryption and decryption keys to restrict the storage and/or use of decryption keys on the server side of the client/server speech recognition system, while maintaining encrypted data on the server side is also described.
Type: Grant
Filed: November 16, 2012
Date of Patent: May 12, 2015
Assignee: Nuance Communications, Inc.
Inventors: William F. Ganong, III, Maximilian Bisani
-
Patent number: 9032473
Abstract: Systems, methods, and instrumentalities are disclosed that allow a user to initiate migration of a credential from one domain to another domain. A request to initiate a migration of credentials from a first domain to a second domain may be initiated by a user (1a.). A remote owner may receive a message indicating that the migration has been requested. The message received by the remote owner may be an indication that the source and destination devices have performed internal checks and determined that a migration could proceed. The remote owner may evaluate source information received from the source device and destination information received from the destination device (6), (6a.), (6b.). Based on the evaluation of the source information and the destination information, the remote owner may determine that the migration is acceptable. The remote owner may send an indication to proceed with the migration (7), (7a).
Type: Grant
Filed: March 2, 2011
Date of Patent: May 12, 2015
Assignee: InterDigital Patent Holdings, Inc.
Inventors: Louis J. Guccione, Inhyok Cha, Andreas Schmidt, Andreas Leicher
-
Patent number: 9032202
Abstract: A server receives from a client at least one interest pseudonym produced by a double application of a pseudo random function to at least one interest of the client. The server encrypts an item. The server computes at least one intermediate topic pseudonym for at least one topic associated with the item by applying the function to each of the at least one topic associated with the item. The server transmits the at least one intermediate topic pseudonym, the at least one interest pseudonym, and the encrypted item to a third party. The third party may apply the function to the at least one intermediate topic pseudonym to produce at least one topic pseudonym associated with the item and transmit the encrypted item to the client for decryption when one of the at least one masked topic pseudonym is equal to one of the at least one interest pseudonym of the client.
Type: Grant
Filed: February 25, 2013
Date of Patent: May 12, 2015
Assignee: Vencore Labs, Inc.
Inventor: Giovanni Di Crescenzo
-
Patent number: 9026627
Abstract: Logging into a remote computer by way of a management processor to initiate a remote console session and switching between a default remote console session and a non-default remote console session.
Type: Grant
Filed: January 6, 2014
Date of Patent: May 5, 2015
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Luis E. Luciani, Jr., Don A. Dykes, Curtis R. Jones
-
Publication number: 20150121064
Abstract: Techniques for secure message offloading are presented. An intermediary is transparently situated between a user's local messaging client and an external and remote messaging client. The user authenticates to the local client for access and the intermediary authenticates the user for access to the remote client using different credentials unknown to the user. Messages sent from the local client are transparently encrypted by the intermediary before being passed to the remote client and messages received from the remote client are transparently decrypted before being delivered to the local client.
Type: Application
Filed: January 8, 2015
Publication date: April 30, 2015
Inventors: Lloyd Leon Burch, Volker Gunnar Scheuber Heinz, Jon Hardman
-
Publication number: 20150121063
Abstract: A content delivery platform is provided that includes generating a first content package of content that is encrypted with a unique symmetric key, and a second content package including a link encrypted with the key to the first content package. The first content package is stored in a repository, and a request including the key is transmitted to a first computing device associated with a mail exchange for an encryption key file. An encryption key file is generated using the unique symmetric key and together with an authorizing token is received. A third content package is generated that is encrypted using the encryption key file and includes the encrypted link. The third content package is transmitted to a distributor gateway and the encrypted link is accessible in response to the consumer decrypting the third content package. The link is available to provide access to the content for the consumer.
Type: Application
Filed: October 31, 2014
Publication date: April 30, 2015
Inventors: Jay Maller, Bikram CHAUDRI
-
Publication number: 20150121062
Abstract: A method and system for modifying an authenticated and/or encrypted message by a modifying party exchanged between a sending party and a receiving party based on a secure communication protocol, the method includes the steps of a) dividing a clear message into non-modifiable parts and modifiable parts by the sending party; b) including modifiable part information into the message by the sending party; c) authenticating and/or encrypting the message by the sending party; d) providing en- and decryptability and/or authenticability of the message to the modifying party in such a way that the modifying party can only modify the modifiable parts of the message; e) modifying one or more modifiable parts by the modifying party; and f) providing an authenticated and/or encrypted modified message according to the secure communication protocol to the receiving party.
Type: Application
Filed: April 5, 2013
Publication date: April 30, 2015
Applicant: NEC EUROPE LTD.
Inventors: Sebastian Gajek, Jan Seedorf, Oezguer Dagdelen
-
Patent number: 9021253
Abstract: A quarantine method and system for allowing a client terminal to connect to a user network. An authentication apparatus recognizes that a communication means of the client terminal has been activated. The authentication apparatus confirms a common certificate for the client terminal. An Internet Protocol (IP) address is provided to the client terminal to enable the client terminal to log in to the quarantine network. A first authentication server security checks the client terminal to determine whether each check item of at least two check items has a violation. The client terminal is allowed to connect to the user network, via a second authentication server confirming a user certificate for the client terminal followed by the second authentication server storing the user certificate in the client terminal. The security measure server, the first authentication server, and the second authentication server are physically distinct hardware servers.
Type: Grant
Filed: November 14, 2012
Date of Patent: April 28, 2015
Assignee: International Business Machines Corporation
Inventor: Katsuhiko Shimada
-
Patent number: 9021574
Abstract: Network activity detectors, such as firewalls, communicate with one another to form a Unified Threat Management System. A first network activity detector sends a request for configuration settings to a second network activity detector. The second network activity detector sends a set of configuration settings in response to the request. The configuration settings include information for detecting digital security threats and/or for responding to detected digital security threats. In this way, configuration settings are propagated from one network activity detector to another so that network activity detectors within a UTMS system are configured consistently, e.g., have up-to-date information for detecting and/or responding to digital security threats.
Type: Grant
Filed: March 12, 2014
Date of Patent: April 28, 2015
Assignee: TrustPipe LLC
Inventor: John S. Flowers
-
Patent number: 9021251
Abstract: A communication network is operated by receiving traffic from a user device at a gateway device associated with a gateway service provider, which manages gateways to both secure and insecure networks. The gateway uses security policies to determine if traffic is destined to the secure or insecure network and applies appropriate policies which cause the traffic to be routed, dropped, or analyzed.
Type: Grant
Filed: November 2, 2009
Date of Patent: April 28, 2015
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Deepak Chawla, William R. Beckett, III