Abstract: System and method for securing a personal device that includes a device core and a peripheral device from unauthorized access or operation. The system comprises an isolated switch, included fully or partially within an envelope of the personal device. The isolated switch cannot be affected in its operation by either the device core or the peripheral device. The switch may be operated by an authorized user of the personal device either preemptively or in response to a detected threat. In some embodiments, the isolated switch includes an isolated controller which can send one or more signals to the peripheral device and/or part of peripheral device. In some embodiments, the isolated switch includes an isolated internal component and an isolated external component, both required to work together to trigger the isolated switch operation. In some embodiments, the isolated switch includes an isolated disconnector for connecting and disconnecting the device core from part of the peripheral device.

Abstract: Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user's premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported.

Abstract: Presented is an anti-tampering method that validates and protects specific sections of a binary file. In one embodiment, this method permits a proxy engine to execute (via emulation by a virtual machine) the protected code on behalf of the binary in kernel mode upon successful completion of an integrity check. The integrity check can optionally check only the specific parts of code that the developer wishes to validate. The integrity check can cross binary boundaries. Moreover, the integrity check can be done on a hard drive or in memory. Furthermore, since the encrypted code is executed by the proxy engine in kernel mode, hackers are further deterred from modifying the code. Additionally, a method of creating a protected binary file is described herein.

Abstract: A method for implementing a mobile trusted platform module includes establishing a connection with a first remote host device via a remote interface. The method also includes authenticating the connection. The method further includes, upon authenticating the connection, allowing the first remote host device to access a securely stored first application within a mobile trusted platform module.

Abstract: A virtual file management system provides user access to managed content on mobile devices. The system comprises storage domains storing the managed content distributively using file systems, and a data infrastructure that organizes the managed content into a virtual file system that maintains information of storage domain specific file system primitives for accessing corresponding portions of the managed content. The data infrastructure, which maintains metadata of the storage domains and the mobile devices, comprises a policy definition and decision component that maintains policies defining controls for permissible operations on the managed content, the permissible operations including the file system primitives.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for encryption and key management. The method includes encrypting each file on a computing device with a unique file encryption key, encrypting each unique file encryption key with a corresponding class encryption key, and encrypting each class encryption key with an additional encryption key. Further disclosed are systems, methods, and non-transitory computer-readable storage media for encrypting a credential key chain. The method includes encrypting each credential on a computing device with a unique credential encryption key, encrypting each unique credential encryption key with a corresponding credential class encryption key, and encrypting each class encryption key with an additional encryption key.

Abstract: A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source Internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists.

Abstract: A method includes identifying at a gateway device of a network a plurality of devices connected to the network. The method includes monitoring network traffic at the gateway device and determining that a particular traffic flow associated with one of the plurality of devices violates a privacy constraint. The method also includes providing a risk assessment associated with the privacy constraint violation. The risk assessment is at least partially based on terms and conditions associated with a particular device of the plurality of devices.

Abstract: The present disclosure provides systems and methods for accessing secure and certified electronic messages using a combination of biometric security, a separate and secure network and email infrastructure, email management processes, and the addition of text, audio and visual format options to sending emails messages. In an exemplary embodiment, a secure message and file delivery method includes biometrically authenticating a sender of an electronic message; receiving the electronic message through a secure connection to the sender; storing the electronic message, wherein the electronic message is encrypted prior to storing; notifying a recipient of the electronic message; and delivering the electronic message through a secure connection to the recipient.

Abstract: There is a system and method for storing data of others using a processor and a memory device. The system includes an account module configured to manage a plurality of accounts, each account associated with an entity. The system includes an avatar module configured to permit entities to generate avatars for their accounts, wherein an avatar associates data with an account that is not required to be consistent with the account and not required to be consistent with data in other avatars of that same account. The system includes a transaction module configured to facilitate a plurality of transactions using trusted entity data. The system includes an encryption module configured to encrypt, using a processor, the transaction data with a plurality of paired half-keys.

Abstract: Provided is a method of protecting a content consumer's privacy. The method includes classifying contents into content groups, encrypting the contents using different encryption keys, generating a plurality of decryption keys each of which can decrypt all contents in each of the content groups, and provides the generated decryption keys to authorized clients, wherein each client is provided with a different decryption key.

Abstract: A system for securely storing data is provided. The system includes a transformation component operable to scramble or encrypt the data, a dissection component operable to divide the data into a plurality of segments, and a storage component operable to store the plurality of segments in a plurality of memory locations. These components can operate various schemes identified by encoded identifiers and new schemes can be added to the system at any time. A user device can use a combination of a transformation scheme, a dissection scheme, and a storage scheme to protect stored private data at any point in time. The combination can be changed quickly by the user device autonomously or upon receiving an instruction to do so.

Abstract: A communication device receives secure communication frames on which a security transform has been performed to permit authentication. The communication device maintains an authentication history and a local time varying parameter. In multi-hop communication, the communication device provisionally verifies the freshness of a received secure communication frame by verifying that identifying information extracted from the frame is not already present in the authentication history and that a received time varying parameter extracted from the frame is not older than the local time varying parameter by more than a certain margin. If these freshness tests both pass, the frame is authenticated. If authentication succeeds, the frame is transmitted on the next hop without performance of a new security transform.

Abstract: A method and system for securely communicating information via a low bandwidth channel uses encryption that adds comparatively little overhead to the size of the transmission. This method and system efficiently take advantage of the properties of public key cryptography, a shared secret, a traffic key from the shared secret, an abbreviated initialization vector, and an abbreviated whole message signature. The information and the whole message signature are encrypted using the traffic key with a stream cipher.

Abstract: The invention, related to information security field, discloses a method for improving network application security and a system thereof.

Abstract: A file policy is created for each confidential file in a server computer including a list of events and a corresponding action. The file policies for the confidential files are sent to each client computer in the computer network. A software agent on each client computer detects when an activity occurs that affects one of the confidential files having a file policy. The activity is reported to the server computer and, if the activity matches an event in the policy, the corresponding action is taken. Events include: copying a file, printing, accessing, sending via e-mail, renaming, etc. Actions include: alerting an administrator, temporary blocking the activity or preventing the activity. If the activity is temporarily blocked from occurring, the agent queries the user as to whether the user wishes to request approval, and forwards that requests on to the server computer.

Abstract: A controller of a data processing apparatus recognizes connection of a USB memory to a USB terminal. The controller reads designation information stored in the USB memory. The designation information specifies a process to be executed by the data processing apparatus. The controller outputs an instruction for executing a process specified by the designation information to each portion of the data processing apparatus, such as a scanner portion or a printer portion, based on the designation information.

Abstract: A method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment. The method allows peers using their own personal agents to obtain reputation information of each other through a pair of trustworthy mediator proxies. A mediator proxy is considered trustworthy if even when it is compromised it can guarantee three conditions: (1) the anonymity of the identity of the responders and the target being inquired; (2) the privacy of the content in an inquiry and a response; and (3) the boundary limit of the reputation summary with no possibility of combining the response of multiple inquiries to reverse engineer the reputation rating of an individual responder.

Abstract: A computer has a storage device that is infected with malicious software (malware). The malware uses stealth or rootkit techniques to hide itself in the storage device. A security module within the storage device detects the malware by comparing the files read from the storage device to those reported by the operating system. Upon detecting the malware, the security module prepares the computer for malware obfuscation by storing information describing the location of the malware, deploying an executable file, and configuring it to run on reboot. The executable file executes upon reboot and locates the data on the storage device associated with the malware. The executable file obfuscates the data so that the malware no longer loads at boot time, thereby disabling the rootkit technique. The computer reboots and the security module remediates the malware infection.

Abstract: Embodiments of the invention relate to finding coalitions of receivers who collude to produce pirated protected content, then evaluates the confidence that particular members of each identified coalition are traitors versus innocent receivers incriminated by chance. Typically, each file in a group of original files is modified to include variations of critical file segments. The group of files is then broadcast with individualized codes that enable particular authorized receivers to properly process the modified files. The modifications in a pirated version of a file can identify which traitorous receivers contributed to its piracy. Candidate coalitions of differing size are first evaluated to determine if they cover observed file variations with greater than a predetermined likelihood that an innocent coalition is falsely incriminated by chance. Individual members of satisfactory coalitions are then evaluated. Traitors may be cryptographically revoked.

Abstract: A system to implement user-level filesystem related calls instead of an operating system kernel may include data processing applications executing via a computer processor. The system may also include a plurality of user-level filesystems, each one of which is associated with at least one of the data processing applications. The system may further include a user-level library in communication with the data processing applications, the user-level library configured to implement user-level filesystem related calls instead of an operating system kernel executing via the computer processor.

Abstract: A file server receives a request from a client to mount an encrypted file system. The file server informs the client that the requested file system is encrypted and, in turn, receives a session ticket from the client that includes a security protocol mounting selection. The file server decrypts the client's user's encrypted private key, and then decrypts the requested encrypted file system using the private key. In turn, the file server sends the decrypted file system to the client over a secure channel, which is based upon the security protocol mounting selection. In one embodiment, a key distribution center server receives a request from the client for the client's user to access the encrypted file system at the file server. The key distribution center server retrieves an intermediate key; includes the intermediate key in a session ticket; and sends the session ticket to the client.

Abstract: A method for data integrity protection includes arranging data in a plurality of data blocks. A respective block signature is computed over each of the data blocks, thereby generating multiple block signatures. The data blocks and the block signatures in an integrity hierarchy are stored in a storage medium, the hierarchy comprising multiple levels of signature blocks containing signatures computed over lower levels in the hierarchy, culminating in a top-level block containing a top-level signature computed over all of the hierarchy. A modification is made in the data stored in a given data block within the hierarchy. The respective block signature of the given data block is recomputed in response to the modification, and the recomputed block signature is stored in the top-level block for use in verifying a subsequent requests to read data from the given data block.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for a delayed secure deletion of files from a copy-on-write file system. A system configured to practice the method receives a change to a file, writes a copy of the file in a first block of a storage device, the copy including the change, determines whether the change meets a predetermined condition, adds an entry into a delayed secure deletion list when the change triggers the predetermined condition, the entry storing an address associated with the first block, and deletes the first block when another change to the file is received, wherein the another change triggers another predetermined event.

Abstract: In a method for secure cloud computing, a virtual machine (VM) associated with a client is executed at a computer within a trusted computing cloud. An image including state information of the VM is obtained; storage of the image is arranged; a freshness hash of the image is determined; and the freshness hash is sent to the client. Subsequently, at the same computer or at a different computer within the trusted computing cloud, the stored image may be retrieved; a freshness hash of the retrieved image may be determined; the freshness hash of the retrieved image may be sent to the client; and an indication may be received from the client verifying the integrity of the freshness hash of the stored image.

Abstract: A computing device receives a command to restrict access to encrypted data. The computing device generates a new record that can access the encrypted data. The computing device encrypts the record information for the new record using a public key of a trusted entity. The computing device prevents access to the encrypted data for a previously generated record or records.

Abstract: A system includes a controlling module for controlling a mobile device remotely A system includes a controlling module for controlling a mobile device remotely, wherein the controlling module includes a parental control module for controlling a mobile device used by a child. A system includes a controlling module for controlling a mobile device remotely, wherein the controlling module includes a parental control module for controlling a mobile device used by a child, wherein the parental control module includes a monitoring module for monitoring a use of the mobile device, and a filtering module for filtering an inappropriate content.

Abstract: A client terminal is provided with a column encryption unit that, from an encryption key, a table identifier, and a column identifier, generates a column private key, a column public key, and a comparison value, from which the unit generates a concealed comparison value and a ciphertext, encrypting a particular column; and an encrypted table natural joining request unit that issues a natural joining request text that requests natural joining with regards to columns encrypted from the encryption key, the table identifier, and the column identifier. The natural joining request text contains as a table joining key the column private key generated by a group of generating elements and the encryption key from the table identifier of a first and second table and the column identifier of an a-th column and a b-th column. An encrypted database server executes natural joining using the table joining key, and returns the results.

Abstract: A method, system and computer program product for controlling an access to a data resource are disclosed. According to an embodiment, a method for controlling an access to a data resource comprises: communicating a request for the access to the data resource from a requester to an owner of the data resource for validation, the communicating being implemented by a network server; and generating information required by an access implementation server to implement a validated access and updating a data storage device with the generated information.

Abstract: A method and devices for providing secure data backup from a mobile communication device to an external computing device is described. In accordance with one example embodiment, there is provided a method of backing up data from a mobile communication device to an external computing device, the mobile communication device being connected to the external computing device for exchanging data with each other, the method comprising: receiving a request to backup one or more data items in a plurality of data items stored on the mobile communication device; encrypting a data item using an encryption key stored in memory of the mobile communication device; transferring the encrypted data item to the external computing device; and storing a backup file comprising the encrypted data item in the memory of the external computing device.

Abstract: The present invention relates to a system for distributed data storage that ensures the safety of the user data. In particular, the system of the present invention provides that the data stored in a cloud storage service are encrypted and their cryptographic keys are created from a remote device. In the context of the present invention, cloud is a set of servers that form an online service over the Internet, these servers are invisible to the user of the service pretending they form only a single server, thus forming a “cloud servers”. These keys will be divided and stored in cloud storage part and part on other devices.

Abstract: Embodiments of the invention provide systems and methods for authorizing a request to access a resource based on a context of the request. According to one embodiment, a method of authorizing a request for a resource based on a context of the request can comprise receiving the request from a requester, identifying the context of the request, and determining whether to authorize the request based on the context of the request. In some cases, the request can include context information describing the context of the request. In such cases, identifying the context can be based at least in part on the context information from the request. Additionally or alternatively, context information describing the context can be requested and received in response to the request. In such a case, identifying the context can be based at least in part on the received context information.

Abstract: A method of encrypting and transferring data between a sender and a receiver using a network thereby transferring data in a secure manner includes the steps of a server receiving from the sender an identifier of the receiver; generating a transfer specific encryption key specific to the transfer; encrypting the data using the generated transfer specific encryption key; the server retrieving information specific to the receiver that is accessed according to the identifier of the receiver received from the sender, and using the retrieved information specific to the receiver to encrypt the transfer specific encryption key; transferring the encrypted data and the encrypted transfer specific encryption key over the network for receipt by the receiver; the server receiving from the receiver the encrypted transfer specific encryption key and identifier of the receiver; the server retrieving information specific to the receiver that is accessed according to the identifier of the receiver received from the receiver, a

Abstract: A file server receives a request from a client to mount an encrypted file system. The file server informs the client that the requested file system is encrypted and, in turn, receives a session ticket from the client that includes a security protocol mounting selection. The file server decrypts the client's user's encrypted private key, and then decrypts the requested encrypted file system using the private key. In turn, the file server sends the decrypted file system to the client over a secure channel, which is based upon the security protocol mounting selection. In one embodiment, a key distribution center server receives a request from the client for the client's user to access the encrypted file system at the file server. The key distribution center server retrieves an intermediate key; includes the intermediate key in a session ticket; and sends the session ticket to the client.

Abstract: A system and method of protecting data on a communication device are provided. Data received when the communication device is in a first operational state is encrypted using a first cryptographic key and algorithm. When the communication device is in a second operational state, received data is encrypted using a second cryptographic key and algorithm. Received data is stored on the communication device in encrypted form.

Abstract: An interactive multimedia presentation playable by a presentation system includes a media content component and an interactive content component. The interactive content component includes one or more applications, which provide instructions for organizing, formatting, and synchronizing the presentation of interactive objects to a user. Prior to playing the interactive multimedia presentation, an entity responsible for authoring or publishing one or more of the applications is digitally identified and authenticated, or it is determined that the applications are unsigned. Prior to and/or during play of the interactive multimedia presentation, authorization for performing certain actions (such as executing certain application instructions, especially those that access functionality of the presentation system, computer-readable media, or external networks) is granted via a permission-based model.

Abstract: A method of controlling access to computing resources, comprising providing a first computing device with access to a database containing data indicative of computing resources access to which is controlled by the first computing device and a minimum security capability that a second computing device must possess to access the respective resources, assigning the second computing device a security capability, providing the second computing device with data indicative of the security capability, configuring the first computing device to respond to data indicative of the security capability and data indicative of a desired access from the second computing device by ascertaining the minimum required security capability corresponding to the desired access and by comparing the minimum required security capability with the security capability of the second computing device, and providing the desired access if the security capability of the second computing device meets the minimum security capability for the desired

Abstract: A method for enabling the storage, distribution, and use of associated text and media files comprises a webpage interface coupled to an information and support system, an account creation and login system, a user media storage system, a solicitation assistance and user matching system, a solicitation and collaboration agreement system, a media collaboration and project creation system, and a product gallery and sales system. Means are provided for a user to gain access to the inventive systems through an Internet connection on a local user computing device. In accordance with the invention, information is input into a database storage medium coupled to an operator system computing device which then combines the information into an augmented text-media file output. The inventive systems also distribute augmented text-media file output products to users of the inventive systems through a webpage interface system.

Abstract: Multiple security domains can be created and associated with various scopes within the cell allowing security configurations of each scope to be managed collectively. Examples of scopes include the entire cell, one or more application servers, one or more applications, one or more clusters, one or more service integration buses, one or more nodes, etc. Security configurations associated with the security domains can be applied to the scopes based on a hierarchy of the security domains. In addition, new security domains may be created automatically based on security requirements of newly installed applications.

Abstract: A computer system includes a DRM client system in which a plurality of DRM clients are installed, comprising: a virtual OS managing unit that separates a kernel of an actual operating system installed in the DRM client system to generate and manage a virtual operating system; a branch process information managing unit that manages branch process information according to a type of a document that a user attempts to read; and an application program branching unit that analyzes the branch process information and executes DRM client agent for managing the DRM client in an actual OS region or a virtual OS region according to the type of a document that the user attempts to read to allow the user to read the document.

Abstract: A digital escrow pattern and trustworthy platform is provided for data services including mathematical transformation techniques, such as searchable encryption techniques, for obscuring data stored at remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Using the techniques of a trustworthy platform, data (and associated metadata) is decoupled from the containers that hold the data (e.g., file systems, databases, etc.) enabling the data to act as its own custodian through imposition of a shroud of mathematical complexity that is pierced with presented capabilities, such as keys granted by a cryptographic key generator of a trust platform. Sharing of, or access to, the data or a subset of that data is facilitated in a manner that preserves and extends trust without the need for particular containers for enforcement.

Abstract: According to an embodiment, a system may comprise a mass storage device that is operable to be coupled to one or more processors. The mass storage device may comprise a base operating system that is operable to be executed by the one or more processors. The base operating system may be operable to implement a single security level. The mass storage device may also comprise a virtual operating system that is operable to be executed by the one or more processors. The virtual operating system may be executed using a virtualization tool that is executed by the base operating system. The virtual operating system may be operable to process information according to a plurality of security levels and communicate the information to one or more computing systems. The information may be communicated according to the plurality of security levels of the information.

Abstract: Novel tools and techniques to provide an online file locker system. Some such tools can employ a USB memory drive, a residential gateway, and/or a data server over a network. In some cases, when the USB memory drive is inserted into a USB port of the RG, data stored on the USB memory drive is automatically uploaded to, and/or synchronized with data stored on, the data server, which is in communication with the RG over the network. In other cases, data deletion is accomplished in a similar manner, for example, upon removal of the USB drive and/or upon detection of files deleted from the USB drive.

Abstract: A system to verify user identity on a computer uses a server with a set of stored or created images. An image is selected and transmitted over a computer network to the computer whose user identity is to be verified. The user captures the image on a mobile communication device using, by way of example, a built-in camera. The captured image is transmitted via a public mobile network back to the server where the captured image is compared with the stored image. If the images match, the user identity is verified. In another embodiment, multiple images may be displayed and user-selectable options are selected by capturing one of the multiple images.

Abstract: An image container file has at least first and second multimedia streams (MSs). The first MS includes first image data representing an image. The second MS includes arbitrary data, which can for example, correspond to: a different representation of the same image; annotations to the first image data; second image data that together with the first image data form a new image with greater dynamic range, resolution, field of view or other attributes that can be derived from processing two or more independent images; or an executable file related to the first MS. The image container file can also include an extensible metadata to hold information describing one or more multimedia streams of the image container file. Further, the image container file may include DRM information to provide information related to obtaining a license to access encrypted data or verifying the authenticity of encrypted or unencrypted data.

Abstract: Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, a kernel mode driver of a computer system intercepts file system or operating system activity, by a running process, relating to a dependent code module. Loading of the dependent code module is selectively authorized by authenticating a cryptographic hash value of the dependent code module with reference to a multi-level whitelist. The multi-level whitelist includes a global whitelist database remote from the computer system, maintained by a trusted service provider and which contains cryptographic hash values of approved code modules known not to contain viruses or malicious code; and a local whitelist database that includes cryptographic hash values of a subset of the approved code modules. The running process is allowed to load the dependent code module when the cryptographic hash value matches one of the cryptographic hash values of the approved code modules.

Abstract: The invention concerns a method enabling a server manager to prove subsequently that the server was authorized to read a user's personal data in a terminal station (ST), comprising: transmitting server policy data (PS) to the station; comparing the server policy data with private policy data (PP) pre-stored in the station; determining a signature (SGST) of server policy data received in the station; and transmitting the signature with the personal data (DP) read in the station to the server when the compared policy data (PS, PP) are compatible.

Abstract: A system of accessing a copy-prevented encrypted data file transmitted over a network includes a server apparatus having data files; and a client apparatus comprising a read apparatus and a temporary storage. A data file in a server apparatus is accessed through the network from the client apparatus and cached in the temporary storage, and the data file cached in the temporary storage is obtainable by the read apparatus for human recognition of the content of the data file. The read apparatus is not capable of at least one of printing and saving as. The present invention also provides a method of accessing a copy-prevented encrypted data file from a server apparatus. The system and method improve data file transmission security and decrease the possibility of copying and decrypting the data file.

Abstract: Provided is a software update apparatus including an install module group (130) composed of a plurality of install modules. Each of the install modules receives, from an external server (200), a replacement protection control module (121) for updating a protection control module (120) having a function of verifying whether a predetermined application has been tampered with. Each of the install modules simultaneously running is verified, by at least another one of the install modules simultaneously running, as to whether the install module has a possibility of performing malicious operations.

Abstract: A hardware and/or software facility for durably and securely storing data within a shared community storage network. A user may have a storage device that they intend to share with others in the network. All or a portion of the storage device is registered with the community storage network as a storage node. Once registered with the network, third party data may be stored on the storage node and remotely accessed by third parties. In addition, data stored on the storage device by the user may be stored in the shared community storage network by encrypting the data, adding redundancy, and distributing it to other storage nodes within the storage network. Data that is stored in the storage network is accessible to the user even if their storage device is inaccessible or fails.