Abstract: A computer-implemented method for creating a rights management system (RMS) with superior layers and subordinate layers is described. A separate trust network for one or more layers of the RMS is established. The trust network includes one or more computing nodes within the one or more layers. A data object is created on a computing node that is a member of trust network in a superior layer. The data object is encrypted to a ciphertext data object. A publishing license is created for each of the one or more layers of the RMS. Access rights and attributes associated with the ciphertext data object are controlled within each layer based on the publishing license of each of the one or more layers of the RMS.

Abstract: A cloud computing system includes a native client; and a platform system providing distributed resources and dynamic resource allocation, for receiving raw data uploaded by the native client and returning computed results, including: a data extracting module for receiving the raw data; an encrypting and decrypting module, wherein only a single user is permitted to simultaneously invoke the data extracting module and the encrypting and decrypting module and process the raw data; the encrypting and decrypting module generates a key during encrypting and returns the key to the user for keeping and the computed results to the native client after receiving the key inputted by the user; and a data computing module, for computing raw data encrypted by the encrypting and decrypting module and returning results to the encrypting and decrypting module, wherein the data computing module is shared by all users and can be invoked simultaneously by several users.

Abstract: This invention provides a method and system for data encryption and decryption in data transmission through the web. The method includes: a browser sends a cryptographic information acquisition request to a cryptographic information providing equipment; the cryptographic information providing equipment sends cryptographic information back to the browser via an HTTPS channel; the cryptographic information includes a cryptographic algorithm and a cryptographic index; the browser uses the cryptographic algorithm to encrypt the data to be transmitted, and sends the encrypted data and the cryptographic index to the web server via an HTTP channel; the web server obtains the cryptographic algorithm corresponding to the cryptographic index from the cryptographic information providing equipment, then decrypts the encrypted data. Embodiments of the present invention can alleviate the load in the HTTPS channel, and improve the overall performance.

Abstract: A method is provided for transferring data linked to an application installed on a security module associated with a mobile terminal, the data being stored in a first secure memory area of the security module, suitable for receiving a request to access the data, to read the data, and to transmit or store the data after encryption. A method is also provided for accessing these data suitable for transmitting a request to access, to receive and to decrypt the encrypted data. A security module, a management server, and a system implementing the transfer and access methods are also provided.

Abstract: A system, method and machine readable medium for automated policy building in a policy module of a network traffic management device is disclosed. Parsed network traffic data is received at a policy builder of a network traffic management device. The received network traffic data is analyzed in accordance with one or more threshold conditions specified by a user, via a user interface, for an existing policy. The existing policy is modified by the policy builder if the one or more threshold conditions for the network traffic have been met.

Abstract: A method and system for segmented architecture for managing access to electronic documents having private data and public data is disclosed herein. A request for an electronic document is sent to a segmentation server, and the request becomes two queries: one for the public or non-confidential data of the electronic document and one for the private or confidential data of the electronic document. The segmentation server determines if the request is made over a private network or a public network to determine whether private data should be sent in response to the request.

Abstract: Method, apparatus, and system for qualifying CPU transactions with security attributes. Immutable security attributes are generated for transactions initiator by a CPU or processor core that identifying the execution mode of the CPU/core being trusted or untrusted. The transactions may be targeted to an Input/Output (I/O) device or system memory via which a protected asset may be accessed. Policy enforcement logic blocks are implemented at various points in the apparatus or system that allow or deny transactions access to protected assets based on the immutable security attributes generated for the transactions. In one aspect, a multiple-level security scheme is implemented under which a mode register is updated via a first transaction to indicate the CPU/core is operating in a trusted execution mode, and security attributes are generated for a second transaction using execution mode indicia in the mode register to verify the transaction is from a trusted initiator.

Abstract: A method is used in validating association of client devices with sessions. Information of a client device executing a user agent is gathered by a server for creating a device identifier for the client device upon receiving a request from the user agent for establishing a session between the user agent and the server. The device identifier includes information identifying the client device. The device identifier is associated with the session. The client device is validated by the server upon receiving subsequent requests from the client device during the session. Validating the client device includes gathering information of the client device sending each subsequent request for creating a device identifier for the client device and comparing the device identifier created from the information gathered during each subsequent request with the device identifier associated with the session.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: A terminal to assign permission to an application includes a storage device to store an application list including information of applications authorized to receive manager permission, and an application processor to receive a request for the manager permission from the application and to determine to allow the manager permission to the application in response to a determination that the application is included in the application list. A method that uses a processor to assign permission to an application includes receiving a request for manager permission from the application, determining, using the processor, whether the application is included in an application list including information of applications authorized to receive manager permission, and determining whether to allow the manager permission to the application if the application is included in the application list.

Abstract: A host system integrity monitor for monitoring memory, operating systems, applications, domain manager, and other host system's structures of interest is isolated and independent of the CPU and operating system of commodity systems. The system requires no modifications to the protected (monitored) host's software, and operates correctly even when the host system is compromised. Either arranged as a stand-alone computer on the add-in card which communicates with the monitored host system through the PCI bus, or as the co-processor based monitor located on the motherboard of the host system, or residing on one of the virtual CPU while the monitored system resides on another virtual CPU, or residing within the domain manager of the host system, the monitor monitors the integrity of the examined structure by calculating hash values of the structure, comparing them with expected hash values, and sending error reports once the discrepancy between these values is detected.

Abstract: A location-trace comparison system can perform privacy-preserving computations on locations traces for two or more users, for example, to determine a location-visit overlap for these users. During operation, the system obtains location-event descriptions for locations that a local user has visited and/or is likely to visit, such that a respective location-event description indicates a location identifier and a time-interval identifier. The system encrypts the location-event descriptions to generate a corresponding set of encrypted local-user events, and receives encrypted remote-user events from a remote device, for at least one remote user. The system compares the encrypted location events to determine an overlap between the set of encrypted local-user events and the set of encrypted remote-user events.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object includes creating in the storage device an encrypted logical data object including a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into the encrypted sections in accordance with an order the chunks are received, wherein the encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: A method for authentication of a high-security client and a low-security client in a high-security mobile radio network includes: transmitting a request for authentication from a base station to the high-security client, wherein the request for authentication comprises a random number as a challenge; receiving a response from the high-security client at the base station, wherein the response from the high-security client comprises a generated number generated by performing a keyed cryptographic function on the challenge; providing a fixed number to the low-security client; and receiving a response from the low-security client at the base station, wherein the response from the low-security client comprises the fixed number. Limited access to the mobile radio network is granted for the low-security client relative to an access of the high-security client.

Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.

Abstract: Adware and viruses are examples of objects that may be embedded in a web page or linked to a web page. When such an object is detected to be associated with a web page loading on a browser, an analysis may be performed to determine a trust level for the object. The object is suppressed based on the trust level. A prompt is displayed to advise a user that the object has been suppressed, and to provide an opportunity to interactively accept or decline activation of an action for the object.

Abstract: A method, system, and medium are provided for operating a computing device and a mobile device to access computer software with a secure access and to access a packet network, and for operating a computer software on a mobile device with different computing devices. A mobile device is used to authenticate a user's access to computer software. The computer software may reside on the mobile device, the user's computing device, or another computing device. A unique identifier is stored in the mobile device associated with the computer software to enable the authentication.

Abstract: A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process.

Abstract: Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function.

Abstract: A system and method for using a declarative approach to enforce instance based security in a distributed environment is presented. The invention described herein includes security logic in declarative specifications that, in turn, decouples the security logic from distributed object administration logic. An access manager identifies access requirements by combining object name property keys included in a distributed object with property key specifications included in a declarative specification. In turn, the access manager compares a caller's access attributes with the access requirements to determine whether to create a distributed object instance and allow the caller to invoke a method on the distributed object instance. The access requirements may also include role specifications and method parameter specifications.

Abstract: The present invention relates to a method for transferring content to a device, the method including the steps of: receiving a request for content from the device; delivering a uniquely identifiable, ephemeral player to the device; and transferring content to the device, for presentation on the device by the player. The invention has particular application to digital rights management in respect of the distribution of audiovisual content such as film and television programs, advertisements and live event broadcasts over communication networks such as the Internet.

Abstract: A security model restricts binary behaviors on a machine based on identified security zones. Binary behaviors can be attached to an element of a document, web-page, or email message. The binary behavior potentially threatens security on the local machine. A security manager intercepts download requests and/or execution requests, identifies a security zone for the requested binary behavior, and restricts access based on the security zone. The binary behavior can identify a security zone according to the related URL. In one example, all binary behaviors associated with a security zone are handled identically. In another example, a list of permissible binary behaviors is associated with a security zone such that only specified binary behaviors are granted access. In still another example, a list of impermissible binary behaviors is associated with a security zone such that binary behaviors that are found in the list cannot initiate access.

Abstract: A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key.

Abstract: The present disclosure is directed to a collaborative streaming system for protected media. A presentation device may interact with a group of trusted devices over a network to stream multimedia content. The presentation device may obtain a presentation content encryption key for presenting the content. Each trusted device in a group of trusted devices may obtain a download content encryption key allowing for download without presentation. A leader may be selected for managing the operation of the trusted devices. The leader may determine trusted device condition and assign one or more of the trusted devices to download portions of the content based on the condition. The leader may then consolidate the portions of the content and provide them to the presentation device. If the presentation device is the leader, the presentation device may perform similar operations and collect the portions of the content directly from the group of trusted devices.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: A location-trace comparison system can perform privacy-preserving computations on locations traces for two or more users, for example, to determine a location-visit overlap for these users. During operation, the system obtains location-event descriptions for locations that a local user has visited and/or is likely to visit, such that a respective location-event description indicates a location identifier and a time-interval identifier. The system encrypts the location-event descriptions to generate a corresponding set of encrypted local-user events, and receives encrypted remote-user events from a remote device, for at least one remote user. The system compares the encrypted location events to determine an overlap between the set of encrypted local-user events and the set of encrypted remote-user events.

Abstract: Methods and systems for managing access to stored data resources assign one or more wrapped (encrypted) encryption keys to each data resource. The resources are encrypted, and the keys may be stored in an access control list (ACL) in association with the encrypted data resources. The keys may be wrapped with metadata that indicates who or what is authorized to use the resource and what role the user or users may have with respect to the resource. The keys may be unwrapped upon receipt of access requests from authorized users, and may be used to decrypt the data resources.

Abstract: Techniques for encrypting documents in a search index may include: receiving a document for inclusion in a search index of a search system, where the document has an associated access control list (ACL), and the ACL includes data for use in restricting access to the document to users of the search system having credentials that match corresponding data in the ACL; encrypting the document using a first key to produce an encrypted document; generating a wrapped key for the document by encrypting both the first key and the ACL using a second key; and storing, along with the search index, the encrypted document in association with the wrapped key and an identifier for the document.

Abstract: A technique for secure computation obfuscates program execution such that observers cannot detect what instructions are being run at any given time. Rather, program execution and memory access patterns are made to appear uniform. A processor operates based on encrypted inputs and produces encrypted outputs. In various examples, obfuscation is achieved by exercising computational circuits in a similar way for a wide range of instructions, such that all such instructions, regardless of their operational differences, affect the processor's power dissipation and processing time substantially uniformly. Obfuscation is further achieved by limiting memory accesses to predetermined time intervals, with memory interface circuits exercised regardless of whether a running program requires a memory access or not. The resulting processor thus reduces leakage of any meaningful information relating to the program or its inputs, which could otherwise be detectable to observers.

Abstract: A security initialization system obtains load data that identifies a first database storing security data to be opened. The initialization system determines that a PKCS-based module for opening the first database is already initialized, where the PKCS-based module is already initialized from previously opening a second database. The initialization system causes the PKCS-based module to create a slot to open the first database, without shutting down the PKCS-based module, in response to determining that the PKCS-based module is already initialized.

Abstract: A contact management method, apparatus and system for a third-party application are described. The contact management method includes: detecting an instruction to obtain a contact, wherein the instruction is input by a user operating the third-patty application; reading contact data in an address book in responsive to the instruction to obtain the contact; encrypting the contact data and obtaining an encrypted contact data; importing the encrypted contact data into a contact data table of the third-party application; and uploading the encrypted contact data in the contact data table to a cloud server, so that a mapping relationship between account information of the user and the encrypted contact data is established at the cloud server, wherein the account information of the user is used for logging in the third-party application. In the method, the apparatus and the system, safety and reliability of the contact data can be improved.

Abstract: A data object is encoded in a redundant code. The redundant code defines a decoding scheme for reconstructing the data object from a sub-set of the encoded data parts. At least the sub-set of the encoded data parts is encrypted using a homomorphic encryption scheme, which allows equivalents of the arithmetic operations of a reconstruction process to be performed on encrypted encoded data parts. The data parts are stored distributed over a plurality of source terminals of a communication network, for use by a target terminal of the communication network. Upon a retrieval command from the target terminal, an upload management module determines which source terminals are available and the upload management module determines causes a selected set of terminals to transmit the encrypted encoded data parts each via its own connection to the network to a decoder server.

Abstract: Cross-site request forgeries (“XSRF”) can be prevented using a client-side plugin on a client computer. The client computer accesses a content provided by a third party host via a network and generates a request to a web application as directed by the content. The client-side plugin determines whether the request is associated with suspicious activities based on the content, a source of the request and a list of approved hosts associated with the target host. In response to a determination that the request is associated with suspicious activities, the plugin removes authentication credentials from the request and sends the request to the web application.

Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data that may be communicated using multiple communications paths.

Abstract: An information processing device includes an external connection unit which connects to an external device; and a communication control unit which obtains data from a first virtual machine, transmits the data to a second virtual machine, and transmits, to the external connection unit, transmission completion information indicating that the data is already transmitted to the second virtual machine. The external connection unit (i) determines, based on the transmission completion information, whether or not a virtual machine is the second virtual machine to which the data is already transmitted, when the external connection unit receives, from the virtual machine, a request for a connection to the external device, and (ii) permits a connection between the virtual machine and the external device, when the external connection unit determines that the virtual machine is not the second virtual machine to which the data is already transmitted.

Abstract: A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists.

Abstract: A method and apparatus is disclosed herein for secure search and retrieval. In one embodiment, the method comprises receiving an encrypted, permuted search tree with nodes that have been permuted and encrypted, the encrypted permuted search tree having been encrypted with a first private encryption key; receiving, at a server, a query from a client, the query comprising a set of keywords, wherein each query term is encrypted with the first private encryption key; performing a search using the query, including performing an oblivious matching keyword test in which an evaluation occurs at each node of the tree to determine if one or more matches exist; and returning results based on a match of keywords for each document, the results including one or more encrypted leaf nodes of the tree, the encrypted leaf nodes encrypted with the first private encryption key.

Abstract: A method enables selected features of a software product residing on an end user electronic device with a license delivered from a licensing provider to a service provider of the end user electronic device. The method includes requesting at least one license to authorize a first service provider. An encrypted installation key uniquely associated with the first service provider is received as well as an authorization agent module for installation on one or more authorization agent devices associated with the first service provider. The encrypted installation key and the authorization agent module are installed on the authorization agent devices. A device-unique identifier (DUID) is generated for each authorization agent device based on hardware characteristics of the respective authorization agent devices. The DUID and the encrypted installation key are sent from the authorization agent device to a licensing provider to obtain the requested license.

Abstract: Sensitive information is hashed using a hash key, salting key and additional logic. Upon receiving a credit card authorization request with a credit card number (or other sensitive information), the present technology may select a hash key. The credit card number may then be hashed using the hash key. A cryptographic salting key may be selected and salting modification logic may be accessed. The selected salting key may then be applied to the hashed credit card number. After the salting, the salting modification logic may be applied to the salted hash string. The resulting hash output may be used as an index to store encrypted credit card information with authorization information, settlement information, and other data within one or more tables.

Abstract: Content is encoded with a watermark that associates it with a particular consumer. When presented for playback, the rendering equipment examines the watermark to confirm that the consumer with whom the content is associated, is also the consumer with whom the equipment is associated. If there is no watermark—or if the watermark is associated with a different consumer, then playback is refused. The equipment also desirably checks whether the content has a second watermark (or even a very feeble remnant thereof), indicating that the content has been derived from content earlier provided to a different consumer. If so, playback is again refused. Thus, this embodiment will refuse to play if there is no watermark; if there is one watermark not associated with the proprietor of the equipment; or if there are two or more watermarks.

Abstract: In one embodiment, the present invention provides techniques for managing activities of processes using a fine grained privilege model in an operating system environment partitioned into a global zone and one or more non-global zones for isolating processes from processes executing in association with other non-global zones under control of a single operating kernel instance.

Abstract: A method and a device are provided for accessing data files of a secure file server, wherein a user or a process is authenticated; wherein access to the data files of the secure file server takes place by way of an encryption module of the secure file server; wherein the encryption module comprises an encryption agreement of a centralized security application; and wherein the access of the authenticated user or process to the secure file server takes place by way of an encrypted protocol taking into consideration the encryption agreement. Such a device may be included in a corresponding computer network.

Abstract: A system and a method select an encrypted element in an encrypted vector according to an order of the encrypted element in the encrypted vector. The selecting is performed in a privacy-preserving manner. Values of the elements of the encrypted vector are scaled, such that the order of the elements in the encrypted vector is preserved, and then permuted to produce a scaled permuted vector. Information in the encrypted domain indicative of an order of elements in the scaled permuted vector is provided to a second processor having a private key. The second processor decrypts the information to determine the index of the encrypted element based on the order of the elements. The encrypted element is obliviously selected based on the index.

Abstract: The present disclosure is directed to systems and methods related to hardware-enforced access protection. An example device may comprise a login agent module (LAM), an operating system login authentication module (OSLAM) and a secure user authentication module (SUAM). The LAM may be configured to cause a prompt requesting login information to be presented by the device. The LAM may then provide the login information to the OSLAM, which may be configured to authenticate the login information using known user information. If authenticated, the OSLAM may generate and transmit a signed login success message to the SUAM using a private key. The SUAM may be secure/trusted software loaded by device firmware, and may be configured to authenticate the signed login success message. If authenticated, the SUAM may transmit an encrypted authentication message to the OSLAM. If the encrypted authentication message is authenticated, the OSLAM may grant access to the device.

Abstract: Systems and methods for secure control of a wireless mobile communication device are disclosed. Each of a plurality of domains includes at least one wireless mobile communication device asset. When a request to perform an operation affecting at least one of the assets is received, it is determined whether the request is permitted by the domain that includes the at least one affected asset, by determining whether the entity with which the request originated has a trust relationship with the domain, for example. The operation is completed where it is permitted by the domain. Wireless mobile communication device assets include software applications, persistent data, communication pipes, and configuration data, properties or user or subscriber profiles.

Abstract: A method, system and computer program product for securing and tracking restricted files stored in a data processing system is provided. The data processing system is connected to a server for sharing information. An entity requesting to access a restricted file is authenticated, based on certain policies defined by a system administrator. Further, the system maintains a log of operations executed on the restricted file, and sends a record of the log to the server.

Abstract: In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed.

Abstract: A method for administering object-based multi-level security in a service oriented architecture includes: (a) defining a plurality of multi-level security attributes for each of selected respective life-cycle states of a plurality of life-cycle states of a service object; (b) receiving a request from a requestor for the service object; (c) determining permitted actions for the service object based upon at least one selected multi-level security attribute of the plurality of multi-level security attributes, and based upon at least one life-cycle state of the plurality of life-cycle states of the service object; and (d) generating a quality of service security contract based upon the determination of permitted actions.

Abstract: A computer receives an electronic document that includes a group of terms. The computer sends the electronic document to an information extraction program that extracts specific terms from the group of terms. Each of the specific terms that match to a certain extent with one of the attribute values in an electronic dictionary is identified. A value associated with the electronic document is generated based on the specific terms that match, and on an end-user that is attempting to access the electronic document.

Abstract: In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected or disconnected to the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while not relevant policies are not. The policies may have policy abstractions.