Object Protection Patents (Class 713/167)
  • Publication number: 20130262866
    Abstract: A cloud computing system includes a native client; and a platform system providing distributed resources and dynamic resource allocation, for receiving raw data uploaded by the native client and returning computed results, including: a data extracting module for receiving the raw data; an encrypting and decrypting module, wherein only a single user is permitted to simultaneously invoke the data extracting module and the encrypting and decrypting module and process the raw data; the encrypting and decrypting module generates a key during encrypting and returns the key to the user for keeping and the computed results to the native client after receiving the key inputted by the user; and a data computing module, for computing raw data encrypted by the encrypting and decrypting module and returning results to the encrypting and decrypting module, wherein the data computing module is shared by all users and can be invoked simultaneously by several users.
    Type: Application
    Filed: July 22, 2012
    Publication date: October 3, 2013
    Inventor: Lei Gu
  • Patent number: 8549301
    Abstract: At least one embodiment of the present invention relates to a method for ensuring authenticity of an electronic transaction performed during a transaction session. The method includes receiving, over a first network, a request from a user for the completion of an electronic transaction; receiving, over the first network, an authentication code from the user which has been provided to the user over a second network separated from the first network, thereby authenticating the user, completing the electronic transaction; and storing information associated with the electronic transaction and the transaction session. The method further includes generating a one-way hash value based on information comprised in the electronic transaction and information associated with the transaction session, and providing the one-way hash value to the user, wherein the one-way hash value is usable for ensuring the authenticity of the electronic transaction.
    Type: Grant
    Filed: July 9, 2007
    Date of Patent: October 1, 2013
    Assignee: Comfact AB
    Inventor: Anders Törnqvist
  • Patent number: 8549290
    Abstract: A secure secret sharing system is implemented. Shares SH(?, h(?)) are generated by secret sharing of secret information separately for each subset SUB(?); each of share management apparatuses PA(?, h(?)) generates a shared secret value DSH(?, h(?)) by performing a common operation to a corresponding share SH(?, h(?)) and common information containing a common value ?(?) shared in each subset SUB(?); and an acquisition apparatus generates a reconstructed secret value SUBSK(?) by reconstruction processing for each subset SUB(?), using a plurality of shared secret values DSH(?, h(?)) corresponding to the same subset SUB(?), and generates generation information SK by using the reconstructed secret values SUBSK(?).
    Type: Grant
    Filed: April 23, 2010
    Date of Patent: October 1, 2013
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Ryo Nishimaki, Koutarou Suzuki
  • Publication number: 20130254540
    Abstract: A system and method for securing information associates a party with a node that communicates messages over one or more channels based on a channel access privilege. One or more authorities sign a cryptographic authorization permit (CAP) to authorize the channel access privilege, which can be a write privilege or a read privilege. In one embodiment, the authorization for the channel access privilege is based on a public key issued by an authority and the CAP comprises a cryptographic certificate digitally signed by the authority.
    Type: Application
    Filed: May 13, 2013
    Publication date: September 26, 2013
    Applicant: Objective Interface Systems, Inc.
    Inventors: Reynolds William Beckwith, Jeffrey Grant Marshall, Jeffrey William Chilton
  • Patent number: 8543813
    Abstract: Computer-implemented methods and apparatus to perform a valid transfer of an electronic mobile ticket on a mobile device by a ticketing application system of a ticket processing center. One method includes: receiving a first electronic message from a first user, where the first message includes an encrypted electronic mobile ticket and a mobile device number of a second user, and where the electronic mobile ticket is encrypted with a key shared between the first user and the ticketing application system; decrypting the encrypted electronic mobile ticket; generating an electronic mobile ticket encrypted with a key shared by the ticketing application system and the second user; and transmitting a second electronic message that includes the electronic mobile ticket encrypted with the key shared between the ticketing application system and the second user to a mobile device of the second user.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: September 24, 2013
    Assignee: International Business Machines Corporation
    Inventors: Chen Hua Feng, He Yuan Huang, Xiao Xi Liu, Bin Wang
  • Patent number: 8543815
    Abstract: A method for authenticating a first party with a second party, the first and second parties having means for communicating with each other, the first party having secret information and supporting a plurality of authentication modes for authenticating the first party with another party, using said secret information, the authentication modes of said plurality being arranged for protecting the first party's privacy with respective degrees. A degree with which the first party's privacy must be protected when authenticating the first party with the second party is negotiated between the first party and the second party. If the negotiation is successful, the first party is authenticated with the second party according to the authentication mode of said plurality having the negotiated degree of protection of the first party's privacy.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: September 24, 2013
    Assignee: Apple Inc.
    Inventor: Thierry Lucidarme
  • Patent number: 8543827
    Abstract: In a system for providing access control management to electronic data, techniques to secure the electronic data and keep the electronic data secured at all times are disclosed. According to one embodiment, a secured file or secured document includes two parts: an attachment, referred to as a header, and an encrypted document or data portion. The header includes security information that points to or includes the access rules and a file key. The access rules facilitate restrictive access to the secured document and essentially determine who/when/how/where the secured document can be accessed. The file key is used to encrypt/decrypt the encrypted data portion. Only those who have the proper access privileges are permitted to retrieve the file key to encrypt/decrypt the encrypted data portion.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: September 24, 2013
    Assignee: Intellectual Ventures I LLC
    Inventors: Denis Jacques Paul Garcia, Michael Michio Ouye, Alain Rossmann, Steven Toye Crocker, Eric Gilbertson, Weiqing Huang, Serge Humpich, Klimenty Vainstein, Nicholas Michael Ryan
  • Patent number: 8544084
    Abstract: Systems and methods for secure control of a wireless mobile communication device are disclosed. Each of a plurality of domains includes at least one wireless mobile communication device asset. When a request to perform an operation affecting at least one of the assets is received, it is determined whether the request is permitted by the domain that includes the at least one affected asset, by determining whether the entity with which the request originated has a trust relationship with the domain, for example. The operation is completed where it is permitted by the domain. Wireless mobile communication device assets include software applications, persistent data, communication pipes, and configuration data, properties or user or subscriber profiles.
    Type: Grant
    Filed: August 19, 2003
    Date of Patent: September 24, 2013
    Assignee: Blackberry Limited
    Inventors: Russell N. Owen, Herbert A. Little, David P. Yach, Michael Shenfield
  • Patent number: 8543814
    Abstract: A method and apparatus for authenticating to a third party service provider from a personal computer. The method includes authenticating, with a mobile terminal, to the service provider with a universal subscriber identity module associated with the mobile terminal to obtain credentials specific to the service provider, transferring the credentials specific to the service provider from the mobile terminal to the personal computer, and accessing the service provider with the personal computer using the credentials transferred from the mobile terminal. The apparatus includes a mobile terminal, a computing device, a bootstrapping security module, and a network application function that cooperatively work to allow the computing device to access the network application function using a security credential from the mobile terminal.
    Type: Grant
    Filed: January 10, 2006
    Date of Patent: September 24, 2013
    Assignee: RPX Corporation
    Inventors: Pekka Laitinen, Shreekanth Lakshmeshwar
  • Patent number: 8539587
    Abstract: A data structure has within it the following elements: an identification of a data structure type; and a proof that two or more instances of the data structure type are as trustworthy as each other. Methods and devices using such data structures are described.
    Type: Grant
    Filed: March 22, 2006
    Date of Patent: September 17, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Graeme John Proudler, William Burton, Dirk Kuhlmann, David Plaquin
  • Patent number: 8539230
    Abstract: An information processing apparatus includes a memory that stores command execution right information including execution right information indicating whether a command is executable, and a command determination unit that determines whether an entered command is a target of a command execution determination where it is determined whether a command is executable based on whether the entered command is invoked by a user command or a system command, and determines whether the entered command is executable with reference to the command execution right information stored in the memory when the entered command is determined as the target of the command execution determination.
    Type: Grant
    Filed: December 10, 2010
    Date of Patent: September 17, 2013
    Assignee: Fujitsu Limited
    Inventors: Takashi Matsuda, Yoshiyuki Ohhira
  • Patent number: 8539231
    Abstract: Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, for example, and the secure information currently associated with that identifier can be determined without any change to the code or manual input or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation are inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes transparent to a user, application, or service.
    Type: Grant
    Filed: August 14, 2012
    Date of Patent: September 17, 2013
    Assignee: Amazon Technologies, Inc.
    Inventors: Cyrus J. Durgin, Pratik S. Dave, Eric J. Martin
  • Patent number: 8533468
    Abstract: An image forming apparatus communicates with an external device via a communication medium. A storage unit stores program modules, each of which provides a function that can be executed on the image forming apparatus. A license confirmation unit confirms license information associated with each of the program modules. A program control unit controls operation of each of the program modules in response to a confirmation by the license confirmation unit. When a launch of one of the program modules is instructed, the program control unit executes a corresponding program module.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: September 10, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Mamoru Osada
  • Patent number: 8533489
    Abstract: A Searchable Symmetric Encryption (SSE) mechanism is described which allows efficient dynamic updating of encrypted index information. The encrypted index information includes pointer information that is encrypted using a malleable encryption scheme. The SSE mechanism updates the encrypted index information by modifying at least one instance of the pointer information without decrypting the pointer information, and thereby without revealing the nature of the changes being made. In one implementation, the SSE mechanism includes a main indexing structure and a deletion indexing structure. An updating operation involves patching applied to both the main indexing structure and deletion indexing structure.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: September 10, 2013
    Assignee: Microsoft Corporation
    Inventors: Thomas M. Roeder, Seny F. Kamara
  • Patent number: 8533469
    Abstract: A method for securely sharing electronic documents on a document storage system. The method includes receiving an electronic document from a creating user, generating an encryption key unique to the electronic document, encrypting the electronic document using the encryption key to create an encrypted electronic document, and communicating the encrypted electronic document to a document repository for storage. The method also includes identifying a resource locator for uniquely identifying the storage location of the encrypted electronic document and communicating the encryption key and the resource locator to the creating user. The method also includes receiving the encryption key and the resource locator from a requesting user, retrieving the encrypted electronic document from the document repository using the resource locator, decrypting the encrypted electronic document using the encryption key, and communicating the decrypted electronic document to the requesting user.
    Type: Grant
    Filed: November 23, 2009
    Date of Patent: September 10, 2013
    Assignee: Fujitsu Limited
    Inventors: Zhexuan Song, Ryusuke Masuoka, Jesus Molina
  • Patent number: 8533837
    Abstract: Disclosed are systems and methods which examine information communication streams to identify and/or eliminate malicious code, while allowing the good code to pass unaffected. Embodiments operate to provide spam filtering, e.g., filtering of unsolicited and/or unwanted communications. Embodiments provide network based or inline devices that scan and scrub information communication in its traffic pattern. Embodiments are adapted to accommodate various information communication protocols, such as simple mail transfer protocol (SMTP), post office protocol (POP), hypertext transfer protocol (HTTP), Internet message access protocol (IMAP), file transfer protocol (FTP), domain name service (DNS), and/or the like, and/or routing protocols, such as hot standby router protocol (HSRP), border gateway protocol (BGP), open shortest path first (OSPF), enhanced interior gateway routing protocol (EIGRP), and/or the like.
    Type: Grant
    Filed: February 21, 2012
    Date of Patent: September 10, 2013
    Assignee: Trend Micro Incorporated
    Inventor: Robert E. Cavanaugh
  • Patent number: 8533847
    Abstract: Data to be screened for undesired content can be quickly downloaded into a non-volatile storage of a system, stored in a manner so as to be unavailable to the system for general use, and then screened later at a convenient time regardless of whether the data source is still available. At the time of screening, a screening module retrieves the data objects stored in the non-volatile storage and indicates whether they comply with screening criteria. Data objects not complying with the screening criteria are either deleted or otherwise made unavailable for general use by the system. By retaining the data objects that do not comply with the screening criteria, the downloaded content remains available for a different system having less restrictive or otherwise different screening criteria.
    Type: Grant
    Filed: January 27, 2008
    Date of Patent: September 10, 2013
    Assignee: SanDisk IL Ltd.
    Inventor: Noam Kedem
  • Patent number: 8533470
    Abstract: Described are methods and apparatus, including computer program products for masking data. The invention involves receiving a mapping scheme with a number of segments and a different cryptographic algorithm for each segment and then receiving a target value to be masked. The target value is then split into a number of segments based on the number of segments of the mapping scheme and the cryptographic algorithm is applied for each segment in the mapping scheme to each segment of the target value to generate an encrypted segment for each segment in the target value. Then, the encrypted segments are concatenated to create a masked value.
    Type: Grant
    Filed: July 7, 2011
    Date of Patent: September 10, 2013
    Assignee: Axis Technology Software, LLC
    Inventors: Ilker Taskaya, Alex Nauda
  • Patent number: 8533826
    Abstract: A method for protection of a computer program source code comprising the following steps: translating said source code into a target code, generating an object code starting from said target code, applying an obfuscation program to protect said source code. The obfuscation step is executed after the source code has been translated into target code and before the generation of said object code.
    Type: Grant
    Filed: February 23, 2010
    Date of Patent: September 10, 2013
    Assignee: European Aeronautic Defence and Space Company—EADS France
    Inventor: Fabrice Desclaux
  • Patent number: 8532298
    Abstract: An encryption key distribution method for service and content protection in a mobile broadcasting system, and a system for the same which includes generating, by a network, a first encryption key when the broadcast service is first provided; transmitting a generalized rights object message, which includes identification information for identifying the generated first encryption key, to the terminal; generating a second encryption key before the lifetime of the first encryption key expires; and transmitting the generalized rights object message, which includes identification information for identifying the generated second encryption key, to the terminal.
    Type: Grant
    Filed: June 10, 2009
    Date of Patent: September 10, 2013
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Sergey Nikolayevich Seleznev, Byung-Rae Lee, Sung-Oh Hwang
  • Patent number: 8527753
    Abstract: The present disclosure is directed to determining a unique content instance identifier (CIID) for each content item handled in a content management system. The content item has been received from one of a plurality of content providers and/or content delivery channels and has been identified by said one of a plurality of content providers with an original content identifier within an original identification scheme. A data structure of the CIID is defined depending on the original identification scheme, the data structure including a first, a second and third part, wherein the size of at least one of the second and third parts depends on the original identification scheme; stores a code in the first part.
    Type: Grant
    Filed: January 9, 2008
    Date of Patent: September 3, 2013
    Assignee: SONY Deutschland GmbH
    Inventor: Paul Szucs
  • Patent number: 8527754
    Abstract: A system, apparatus, computer program product and method for authorizing information flows between devices of a data processing system are provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices regardless of the particular action being performed on the information object as part of the information flow.
    Type: Grant
    Filed: August 19, 2011
    Date of Patent: September 3, 2013
    Assignee: International Business Machines Corporation
    Inventors: Diana J. Arroyo, George R. Blakley, III, Damir A. Jamsek, Sridhar R. Muppidi, Kimberly D. Simon, Ronald B. Williams
  • Patent number: 8528099
    Abstract: Systems, methods and apparatuses (i.e., utilities) for use in managing access to and use of artifacts (e.g., word or pdf documents, jpegs, and the like) and any copies thereof in an enterprise/cross-enterprise environment. The utility may include a content management system for storing the artifacts and managing use of the artifacts and an information rights management system for use in sealing the artifacts, validating users and granting licenses for use of the artifacts at the directive of the content management system.
    Type: Grant
    Filed: January 27, 2011
    Date of Patent: September 3, 2013
    Assignee: Oracle International Corporation
    Inventor: Kiran Vedula Venkata Naga Ravi
  • Publication number: 20130227282
    Abstract: A licensing system is disclosed for performing synchronous encryption with a client over an IP-compliant network. In disclosed embodiments, the system includes a licensing agent configured to pass a data structure unencrypted in an initial communication between the licensing agent/client pair and pass a first key to said client responsive to an initial communication. The licensing agent then receives the data structure from the client having designated fields encrypted according to the first key. The licensing agent then sends a second key to the client for use in subsequent communications.
    Type: Application
    Filed: April 4, 2013
    Publication date: August 29, 2013
    Inventors: Christopher D. Coley, Ralph E. Wesinger, JR.
  • Patent number: 8522350
    Abstract: Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function.
    Type: Grant
    Filed: November 19, 2009
    Date of Patent: August 27, 2013
    Assignee: Dell Products, LP
    Inventors: Andy Davenport, Hunter King, Jon R. Ramsey
  • Patent number: 8522016
    Abstract: Described are methods, systems, and apparatus, including computer program products for securing data of a production server. The invention, in one implementation, includes reading a data value on the production server, obfuscating the data value in the memory of the server to create a masked value, transmitting the masked value to a non-production server, and storing the masked value on the non-production server.
    Type: Grant
    Filed: June 18, 2010
    Date of Patent: August 27, 2013
    Assignee: Axis Technology Software, LLC
    Inventors: Ilker Taskaya, Alex Nauda
  • Patent number: 8522361
    Abstract: A method and system for unlocking diagnostic functions in a hardware device for a user. The method obtains a signed permission object for the hardware device, and validates the signed permission object. A memory of the hardware device stores a device identifier and a last recorded sequence number. The signed permission object includes a sequence number and is associated with an expiration counter having an initial value that indicates a lifetime for the signed permission object. When the signed permission object is valid, the method updates the expiration counter to decrease the lifetime of the signed permission object, stores the sequence number associated with the signed permission object as the last recorded sequence number in the hardware device, and unlocks the diagnostic functions for the user based on the signed permission object.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: August 27, 2013
    Assignee: Motorola Mobility LLC
    Inventors: Daniel E. Kline, Alexander Medvinsky
  • Patent number: 8516266
    Abstract: A system, comprising a network interface, an additional data communications interface, and processor for supporting a control interface communicated through the network interface according to an intermachine markup language protocol, for controlling the network interface and the additional data communications interface.
    Type: Grant
    Filed: February 27, 2006
    Date of Patent: August 20, 2013
    Inventors: Steven M. Hoffberg, Linda I. Hoffberg-Borghesani
  • Patent number: 8516249
    Abstract: A method including receiving a service registration request to register a service with a multi-tenant, multi-service cloud network from a user; registering object types that pertain to the service, wherein the object types include at least one service object type that is not an object type offered by the cloud network to the user; and registering objects based on the object types, wherein the objects include at least one object associated with the at least one service object type.
    Type: Grant
    Filed: October 20, 2010
    Date of Patent: August 20, 2013
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Terence Robb, Roger Dale Harris, William Martin Lacey, Martin W. McKee
  • Patent number: 8510840
    Abstract: A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source Internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists.
    Type: Grant
    Filed: April 15, 2011
    Date of Patent: August 13, 2013
    Assignee: AT&T Intellectual Property II, L.P.
    Inventor: Kenichi Futamura
  • Patent number: 8510793
    Abstract: A method of providing telecommunication services includes generating fictitious contact information univocally associated with a telephone number assigned to a subscriber; and storing the fictitious contact information in a database, like an ENUM database. Responsive to a request, received from a requester, of a contact information corresponding to the telephone number and adapted to allow contacting over the Internet the subscriber assignee of the telephone number, the method includes having the database providing the fictitious contact information; and conditioning a resolution of the fictitious contact information for the provisioning of the contact information to the satisfaction of at least one security rule adapted to assess properties of at least one among the requester and the request. In a case that the request from the requester satisfies the at least one security rule, the method resolves the fictitious contact information and provides the requester with the contact information.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: August 13, 2013
    Assignee: Telecom Italia S.p.A.
    Inventors: Paolo De Lutiis, Francesco Silletta
  • Patent number: 8510851
    Abstract: A method and apparatus for recovering a content signal from media stream protected by a digital rights management (DRM) system. A content access device includes a network interface configured to receive the protected media stream from a remote content provider via a network and a plurality of distinct DRM components corresponding to DRM systems supported by the content access device. A content extraction unit is operable to select a DRM component of the plurality of DRM components and execute the selected DRM component to recover a content signal from the protected media stream. When a search engine is used to discover available content, a list of references to available content is presented to the user, the presentation being dependent upon whether or not the content is protected by a DRM system supported by the content access device.
    Type: Grant
    Filed: May 17, 2011
    Date of Patent: August 13, 2013
    Assignee: STMicroelectronics, Inc.
    Inventor: Darryn D. McDade, Sr.
  • Patent number: 8504820
    Abstract: The invention, related to information security field, discloses a method for improving network application security and a system thereof.
    Type: Grant
    Filed: April 19, 2010
    Date of Patent: August 6, 2013
    Assignee: Feitian Technologies Co., Ltd
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8503672
    Abstract: Provided is a method of protecting a content consumer's privacy. The method includes classifying contents into content groups, encrypting the contents using different encryption keys, generating a plurality of decryption keys each of which can decrypt all contents in each of the content groups, and provides the generated decryption keys to authorized clients, wherein each client is provided with a different decryption key.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: August 6, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jun Yao, Choong-hoon Lee, Su-hyun Nam
  • Patent number: 8503677
    Abstract: A communication device receives secure communication frames on which a security transform has been performed to permit authentication. The communication device maintains an authentication history and a local time varying parameter. In multi-hop communication, the communication device provisionally verifies the freshness of a received secure communication frame by verifying that identifying information extracted from the frame is not already present in the authentication history and that a received time varying parameter extracted from the frame is not older than the local time varying parameter by more than a certain margin. If these freshness tests both pass, the frame is authenticated. If authentication succeeds, the frame is transmitted on the next hop without performance of a new security transform.
    Type: Grant
    Filed: November 18, 2010
    Date of Patent: August 6, 2013
    Assignee: Oki Electric Industry Co., Ltd.
    Inventors: Taketsugu Yao, Kiyoshi Fukui, Jun Nakashima
  • Patent number: 8504827
    Abstract: A method of storing a document on a server, including: extracting document content from a document stored on the server, using a processor on the server; dividing the document content into a plurality of document content sections; generating a parallel data structure for the plurality of document content sections based on a viewing size, where the parallel data structure includes a plurality of selectors, and the plurality of selectors includes pagination selectors; and storing the plurality of document content sections in a plurality of locations on the server. The method may further include storing the parallel data structure in a location on the server separate from the plurality of document content sections; generating a table of contents based on the pagination; and rendering the plurality of document content sections into a plurality of document pages based on the plurality of selectors in the parallel data structure.
    Type: Grant
    Filed: February 27, 2013
    Date of Patent: August 6, 2013
    Assignee: Webfilings LLC
    Inventors: Shane K. Sizer, Graham I. Cummins, Bert Jeffrey Lutzenberger, Gary D. Orser, Benjamin P. Echols, Jeffrey D. Trom
  • Patent number: 8498415
    Abstract: A method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment. The method allows peers using their own personal agents to obtain reputation information of each other through a pair of trustworthy mediator proxies. A mediator proxy is considered trustworthy if even when it is compromised it can guarantee three conditions: (1) the anonymity of the identity of the responders and the target being inquired; (2) the privacy of the content in an inquiry and a response; and (3) the boundary limit of the reputation summary with no possibility of combining the response of multiple inquiries to reverse engineer the reputation rating of an individual responder.
    Type: Grant
    Filed: November 28, 2008
    Date of Patent: July 30, 2013
    Inventor: Bon K. Sy
  • Patent number: 8495368
    Abstract: Content to be scanned for confidential information may be identified. A determination is made if the content includes confidential information. The determination may be based on at least one data loss prevention policy. When the content includes confidential information, a content management recommendation is created. The content management recommendation may comprise at least one of a recommendation pertaining to a storage of the content and a recommendation pertaining to a backup of the content. The content management recommendation may be provided to a content management system.
    Type: Grant
    Filed: March 15, 2011
    Date of Patent: July 23, 2013
    Assignee: Symantec Corporation
    Inventors: Markus te Grotenhuis, Pushkar Tiwari, Shree Raman, Stefano Paoletti, Dinesh Coca
  • Patent number: 8495708
    Abstract: A system, method, computer program product, and carrier are described for obtaining a resource authorization dependent upon apparent compliance with a policy of causing an emulation environment to isolate a first software object type from a second software object type and signaling a decision whether to comply with the policy of causing the emulation environment to isolate the first software object type from the second software object type.
    Type: Grant
    Filed: March 22, 2007
    Date of Patent: July 23, 2013
    Assignee: The Invention Science Fund I, LLC
    Inventors: Alexander J. Cohen, Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Lowell L. Wood, Jr.
  • Patent number: 8495035
    Abstract: A method for data integrity protection includes arranging data in a plurality of data blocks. A respective block signature is computed over each of the data blocks, thereby generating multiple block signatures. The data blocks and the block signatures in an integrity hierarchy are stored in a storage medium, the hierarchy comprising multiple levels of signature blocks containing signatures computed over lower levels in the hierarchy, culminating in a top-level block containing a top-level signature computed over all of the hierarchy. A modification is made in the data stored in a given data block within the hierarchy. The respective block signature of the given data block is recomputed in response to the modification, and the recomputed block signature is stored in the top-level block for use in verifying a subsequent request to read data from the given data block.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: July 23, 2013
    Assignee: SanDisk IL Ltd.
    Inventor: Arseniy Aharonov
  • Patent number: 8490152
    Abstract: An entitlement management system is described herein that models each entitlement as a resource within a resource management system. In a resource management system that applies policy to all requests to create, update, and delete a resource, this approach allows rich application of policy to the creation, delegation, renewal, expiration, and deletion of entitlements. A resource management system that can synchronize data to connected systems can thereby grant or revoke these permissions in those systems. This approach also facilitates role mining, attestation, and compliance reporting. Entitlements stored as resources may also include properties, such as workflows and policies related to the entitlements. Thus, the entitlement management system provides a more formal and automated facility for managing entitlements in organizations.
    Type: Grant
    Filed: October 26, 2010
    Date of Patent: July 16, 2013
    Assignee: Microsoft Corporation
    Inventors: Jeffrey A. Staiman, Mark Wahl
  • Patent number: 8484309
    Abstract: A method, system and computer program product for controlling an access to a data resource are disclosed. According to an embodiment, a method for controlling an access to a data resource comprises: communicating a request for the access to the data resource from a requester to an owner of the data resource for validation, the communicating being implemented by a network server; and generating information required by an access implementation server to implement a validated access and updating a data storage device with the generated information.
    Type: Grant
    Filed: February 20, 2007
    Date of Patent: July 9, 2013
    Assignee: International Business Machines Corporation
    Inventors: Paul Bong, Jeffrey M. Eichen, Jeffrey L. Fairbrother, John W. Greiner, Jerrold M. Heyman
  • Patent number: 8484465
    Abstract: Methods and systems for sharing a security model with heterogeneous virtual machines (VMs) are provided. A method for sharing a security model with heterogeneous VMs may include making a direct function call to an object model from each of two or more heterogeneous VMs using a direct binding generated for the respective VM based on the respective VM and a security policy. The direct bindings of the two or more heterogeneous VMs share the security policy. The method may also include ensuring only one of the two or more heterogeneous VMs interacts with the object model at a time. A system for sharing a security model with heterogeneous VMs may include a heterogeneous VM manager and a heterogeneous VM scheduler. The system may further include a principal tracker and a proxy component.
    Type: Grant
    Filed: December 7, 2011
    Date of Patent: July 9, 2013
    Assignee: Google Inc.
    Inventors: Charles Reis, Adam Barth
  • Publication number: 20130173917
    Abstract: A method and apparatus is disclosed herein for secure search and retrieval. In one embodiment, the method comprises receiving an encrypted, permuted search tree with nodes that have been permuted and encrypted, the encrypted permuted search tree having been encrypted with a first private encryption key; receiving, at a server, a query from a client, the query comprising a set of keywords, wherein each query term is encrypted with the first private encryption key; performing a search using the query, including performing an oblivious matching keyword test in which an evaluation occurs at each node of the tree to determine if one or more matches exist; and returning results based on a match of keywords for each document, the results including one or more encrypted leaf nodes of the tree, the encrypted leaf nodes encrypted with the first private encryption key.
    Type: Application
    Filed: December 30, 2011
    Publication date: July 4, 2013
    Inventors: Christopher J. Clifton, John Ross Wallrabenstein, David Stork
  • Publication number: 20130173918
    Abstract: A data exchange adaptor that synchronizes data between an enterprise system operated by a company and a cloud-based system operated by a third party other than the company. The data exchange adaptor enables exchange of data between the enterprise system and the cloud-based system and controls storage and retrieval of data at the enterprise system and the cloud-based system. The data exchange adaptor also performs transport level security for communications that exchange data between the enterprise system and the cloud-based system and access level security for data stored to the enterprise system and the cloud-based system. The data exchange adaptor further schedules synchronization of data between the enterprise system and the cloud-based system and allows the enterprise system to retain control over the synchronization of data between the enterprise system and the cloud-based system.
    Type: Application
    Filed: August 30, 2012
    Publication date: July 4, 2013
    Applicant: Accenture Global Services Limited
    Inventors: Saurabh Saraswat, Kirti Deshmukh, ArunKumar Balakrishnan, Venkatesh Nelamangala Krishnamurthy, Alex Wang, Eckard Busch, Naresh Kumar Shastri, Sonal Bante
  • Patent number: 8477028
    Abstract: Methods, articles, and systems for enabling the return of a misplaced device to a rightful user of the misplaced device are described herein. The misplaced device is configured to communicate with a misplaced device server, indicating to the misplaced device server that the misplaced device has been found. The misplaced device server is configured to provide the misplaced device and a returning user currently in possession of the misplaced device with information describing how to return the misplaced device to the rightful user. The misplaced device server is also configured to communicate with the rightful user, indicating to the rightful user that the misplaced device has been found.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: July 2, 2013
    Assignee: T-Mobile USA, Inc.
    Inventor: Parker Ralph Kuncl
  • Patent number: 8473740
    Abstract: A system and method for encrypting/decrypting a document is provided. The encryption method includes encrypting portions within the document containing structural information with an asymmetric public key, encrypting portions within the document containing content information with a symmetric private key, and outputting the document, whereby a service provider provided with a public key is able to access and process only the structural information.
    Type: Grant
    Filed: May 9, 2011
    Date of Patent: June 25, 2013
    Assignee: Xerox Corporation
    Inventor: Jean-Yves Vion-Dury
  • Patent number: 8474041
    Abstract: Autonomous diagnosis and mitigation of network anomalies may include creating a plurality of sketch matrices wherein each sketch matrix corresponds to an individual hashing function and each row in each sketch matrix corresponds to an array of hashed parameters of interest from multiple network devices for a given period of time, the parameters of interest being configurable by an administrator. A principal components analysis (PCA) input matrix is created for each of the sketch matrices by computing an entropy value for each element in the sketch matrices, and principal components analysis (PCA) is performed on each of the PCA input matrices to heuristically detect a network anomaly in real time.
    Type: Grant
    Filed: April 22, 2010
    Date of Patent: June 25, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Anand Eswaran, Chivukula Koundinya
  • Patent number: 8473739
    Abstract: An interactive multimedia presentation playable by a presentation system includes a media content component and an interactive content component. The interactive content component includes one or more applications, which provide instructions for organizing, formatting, and synchronizing the presentation of interactive objects to a user. Prior to playing the interactive multimedia presentation, an entity responsible for authoring or publishing one or more of the applications is digitally identified and authenticated, or it is determined that the applications are unsigned. Prior to and/or during play of the interactive multimedia presentation, authorization for performing certain actions (such as executing certain application instructions, especially those that access functionality of the presentation system, computer-readable media, or external networks) is granted via a permission-based model.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: June 25, 2013
    Assignee: Microsoft Corporation
    Inventors: Andrew J. Clinick, Peter J. Torr, Sean Hayes
  • Patent number: 8468603
    Abstract: Adware and viruses are examples of objects that may be embedded in a web page or linked to a web page. When such an object is detected to be associated with a web page loading on a browser, an analysis may be performed to determine a trust level for the object. The object is suppressed based on the trust level. A prompt is displayed to advise a user that the object has been suppressed, and to provide an opportunity to interactively accept or decline activation of an action for the object.
    Type: Grant
    Filed: June 20, 2011
    Date of Patent: June 18, 2013
    Assignee: Microsoft Corporation
    Inventors: Aaron Sauve, Li-Hsin Huang, Tony Schreiner, Jeffrey Davis, Tom Pipinich, Jonathan Gass, J. Craig Hally