Computer Program Modification Detection By Cryptography Patents (Class 713/187)
  • Patent number: 9858417
    Abstract: Determining if a computer program is malicious. The program is loaded for execution into the memory of the computer. A list of program instructions of interest is received. Prior to execution of the computer program, and at a time during execution of the computer program, computer program instructions of each of the different types in the computer program that are contained in a program instructions of interest list are counted. If it is determined that the count of the computer program instructions of one of the types determined prior to execution of the computer program differs by at least an associated threshold value from the count of the computer program instructions of the one type determined at the time during execution of the computer program, a record is made that the computer program has an indicia of maliciousness and execution of the program is terminated.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: January 2, 2018
    Assignee: International Business Machines Corporation
    Inventor: Philip D. Kaufman
  • Patent number: 9858423
    Abstract: In some examples, a method includes inserting monitoring instructions to be executed with a set of conditional operations and data type operations in an application and executing the application with a benign value. The method can also include storing at least one of result values and path constraints from the monitoring instructions, the result values comprising values generated by each conditional operation and each data type operation executed with the benign value. Furthermore, the method can include generating a prohibited value corresponding to a security vulnerability that satisfies the set of conditional operations and data type operations in the application based on the result values and the path constraints and modifying the application to prevent execution of the prohibited value.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: January 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Roee Hay, Omer Tripp
  • Patent number: 9846776
    Abstract: According to one embodiment, a computerized method for detecting malware is described. The method includes receiving configuration information that identifies (i) at least one type of lure data and (ii) one or more locations of a system operating within a virtual machine for placement of the lure data into the system. The lure data is configured to entice interaction of the lure data by malware associated with an object under analysis. Thereafter, the lure data is placed within the system according to the configuration information and lure data information is selectively modified. The information may include a name or content within a directory including the lure data. During processing of an object within the virtual machine, a determination is made whether the object exhibits file altering behavior based on a comparison of actions performed that are associated with the lure data and one or more known file activity patterns.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: December 19, 2017
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Vashist, Raymond Yang, Yasir Khalid
  • Patent number: 9847872
    Abstract: Systems and methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits. An integrity action may be implemented, for example, when the unencrypted data includes a random distribution of the plurality of bits.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: December 19, 2017
    Assignee: Intel Corporation
    Inventors: David M. Durham, Men Long
  • Patent number: 9843584
    Abstract: Systems, methods, and computer program products to perform an operation comprising receiving digital content associated with an account identifier, parsing the digital content and extracting a set of attributes from the digital content, receiving via a network connection, from each of a plurality of online identity services, a set of identities matching at least one attribute of the set of attributes, intersecting the sets of identities to create a set of candidate identities, computing a score for each identity in the set of candidate identities, wherein each score reflects a likelihood that the respective candidate identity is associated with the account identifier; and returning a ranked list of the scored candidate identities and an indication of at least one item of evidence linking the respective candidate identity to the account identifier.
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: December 12, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Adam T. Clark, Jeffrey K. Huebert, Aspen L. Payton, John E. Petri
  • Patent number: 9830324
    Abstract: The methods and systems for organizing and managing a file system on top of a content addressable object store are provided. User content is associated with a record including a content hash associated with an address in the content addressable object store. The content hash is a function of user content and determined by dividing the file into data objects, generating a pointer tree of hashes on top of the data objects, and calculating a hash of the root of the pointer tree. The record, the pointer tree, and the file are stored in the object store. Reading user content from the object store includes reading the record, fetching the content hash to find a root of the pointer tree, descending leaves of the pointer tree to read the hashes of the data objects associated with user content, and reassembling the data objects in sequential file data.
    Type: Grant
    Filed: February 4, 2015
    Date of Patent: November 28, 2017
    Assignee: Exablox Corporation
    Inventors: Tad Hunt, Frank E. Barrus
  • Patent number: 9830456
    Abstract: A trusted processor is pre-booted using a secure pre-boot loader integrated with the trusted processor. The trusted processor verifies whether an external boot loader is valid, and when valid, the trusted processor is booted using the external boot loader, thereby enabling trusted operation of the trusted processor. The trusted processor verifies whether a firmware image for a field programmable device is valid, and when valid, a firmware image loading process for the field programmable device is triggered. When the firmware image loading process is triggered, the firmware image is loaded into the field programmable device and the field programmable device is released to execute the firmware image. The field programmable device verifies whether an external boot loader for an untrusted processor is valid, and when valid, the untrusted processor is booted using the external boot loader for the untrusted processor, thereby enabling trusted operation of the untrusted processor.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: November 28, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Anthony H. Grieco, Chirag Shroff
  • Patent number: 9830217
    Abstract: Techniques for protecting the contents of a computing device are provided. The techniques include associating security level information with each of a plurality of content items to be protected, the security level information including an integrity check action and a resultant behavior to be performed for each respective content item. The security level information can be built into an image comprising the content items to be protected and the image can be installed on a computing device. The techniques include accessing security level information associated with a content item responsive to a request to perform an action on the content, performing the integrity check action associated with the content item, and performing the resultant behavior associated with the content item responsive to the integrity check action indicating that the action requested cannot be performed.
    Type: Grant
    Filed: January 29, 2015
    Date of Patent: November 28, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Shital Mehta, Suresh Bollapragada, Bollapragada V. J. Manohar
  • Patent number: 9824212
    Abstract: Disclosed are a method and apparatus for recognizing advertisement plug-ins, relating to the field of computer technologies. The method comprises: searching for files related to application plug-ins; based on feature vectors of feature dimensions in a feature vector set of a predetermined advertisement, scanning the files related to the application plug-ins, and calculating feature vector similarity between data in each file and the feature vector in each feature dimension; calculating an advertisement similarity of a current application plug-in according to the feature vector similarity of each feature dimension and a feature recognition weight of the feature dimension; comparing the advertisement similarity with a threshold, and determining whether the application plug-in is an advertisement plug-in according to the comparison result.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: November 21, 2017
    Assignees: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED, QIZHI SOFTWARE (BEIJING) COMPANY LIMITED
    Inventors: Di Zhang, Chun Tang
  • Patent number: 9811666
    Abstract: A method and system is provided to automatically propagate dependencies from one part of a software application to another previously unrelated part. Propagation of essential code functionality and data to other parts of the program serves to augment common arithmetic functions with Mixed Boolean Arithmetic (MBA) formulae that are bound to pre-existing parts of the program. A software application is first analyzed on a compiler level to determine the program properties which hold in the program. Thereafter, conditions are constructed based on these properties and encoded in formulae that encode the condition in data and operations. Real dependencies throughout the application are therefore created such that if a dependency is broken the program will no longer function correctly.
    Type: Grant
    Filed: March 24, 2011
    Date of Patent: November 7, 2017
    Assignee: IRDETO B.V.
    Inventors: Clifford Liem, Yongxin Zhou, Yuan Xiang Gu
  • Patent number: 9804965
    Abstract: A virtual machine host server includes a virtual machine in which a guest operating system is installed and operated, a cache manager for processing at least one of an open request, a close request, and an input/output request for a disk image file of the virtual machine, which is stored in a storage system, and managing a boot workload map and a boot segment, a cache device for caching the boot segment, and a prefetch manager for prefetching the boot segment from the cache device.
    Type: Grant
    Filed: September 9, 2015
    Date of Patent: October 31, 2017
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Young Chang Kim, Ki Sung Jin, Young Kyun Kim, Hong Yeon Kim, Wan Choi
  • Patent number: 9800588
    Abstract: A current selection of previously identified malicious files is identified. The selection includes identified malicious files in multiple formats that are tested by a malware analysis environment. Each specific malicious file is opened multiple times, using multiple versions of one or more corresponding program(s). The behavior of each malicious file is analyzed as it is opened with each version of the corresponding program(s). Based on observed behavior of malicious files as they are opened, the exploitability of each version of each program is determined and ranked. The malware analysis environment uses a specific number of versions of each program to test submitted files for maliciousness, in order from more exploitable to less so, based on the ranking. The specific number of versions of a given program to use is generally less than the total available number of versions, thereby reducing the time and computing resources spent per file.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventors: Andrew Collingwood Watson, Abubakar A Wawda
  • Patent number: 9794341
    Abstract: A server system with one or more processors and memory sends a verification request, to a client device, to verify that the client device is storing a data block, where the verification request includes verification parameters. In response, the server system obtains from the client device a first verification value for the data block. The server system compares the first verification value with a second verification value for the data block, where the second verification value was previously computed, in accordance with the data block and the verification parameters, and stored by the server system. In accordance with a determination that the first verification value matches the second verification value, the server system confirms that the client device is storing the data block.
    Type: Grant
    Filed: September 24, 2014
    Date of Patent: October 17, 2017
    Assignee: SANDISK TECHNOLOGIES LLC
    Inventors: Abhijeet Manohar, Daniel Tuers
  • Patent number: 9792430
    Abstract: Systems and methods for virtualized malware enabled detection are described. In some embodiments, a method comprises intercepting an object provided from a first digital device, determining one or more resources the object requires, instantiating a virtual environment with the one or more resources, processing the object within the virtual environment, tainting operations of the object within the virtual environment, monitoring the operations of the object, identifying an additional resource of the object while processing that is not provided in the virtual environment, re-instantiating the virtual environment with the additional resource, monitoring the operations of the object while processing within the re-instantiated virtual environment, identifying untrusted actions from the monitored operations, and generating a report identifying the operations and the untrusted actions of the object.
    Type: Grant
    Filed: November 3, 2011
    Date of Patent: October 17, 2017
    Assignee: Cyphort Inc.
    Inventors: Ali Golshan, James S. Binder
  • Patent number: 9785770
    Abstract: The present invention discloses a method, an apparatus, and a system for triggering virtual machine introspection, so as to provide a timely and effective security check triggering mechanism. In the present invention, data that needs to be protected is determined; the data that needs to be protected is monitored; and when it is determined that the data that needs to be protected is modified, virtual machine introspection is triggered. The present invention avoids a performance loss and a security problem that are brought about by regularly starting a virtual machine introspection system to perform a security check, and therefore, the present invention is more applicable.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: October 10, 2017
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Bin Tu, Haibo Chen, Yubin Xia
  • Patent number: 9781146
    Abstract: Embodiments of the present disclosure disclose a method and a device for evaluating security assessment of an application. The method comprises receiving application entry data associated with a plurality of entry points of the application. Also, the method comprises identifying at least one security threat entry point based on the application entry data. Further, the method comprises computing a coverage index value based on the application entry data and the at least one security threat entry point and generating a recommendation report indicating security coverage of the application based on the coverage index value.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: October 3, 2017
    Assignee: WIPRO LIMITED
    Inventor: Kavitha Sridhar
  • Patent number: 9781150
    Abstract: Data is received that includes a plurality of samples that each characterize interception of data traffic to a computing device over a network. Thereafter, the plurality of samples characterizing the interception of data traffic are grouped into a plurality of clusters. At least a portion of the samples are labeled to characterize a likelihood of each such sample as relating to an unauthorized interception of data traffic. Each cluster is assigned with a label corresponding to a majority of samples within such cluster. At least one machine learning model is trained using the assigned labeled clusters such that, once trained, the at least one machine learning model determines a likelihood of future samples as relating to an unauthorized interception of data traffic to a corresponding computing device.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: October 3, 2017
    Assignee: Cylance Inc.
    Inventors: Xuan Zhao, Brian Michael Wallace
  • Patent number: 9767104
    Abstract: Technology is disclosed for accessing data fragments of data objects. The method receives a request for storing a data fragment of a data object in the storage server. The request includes an object identifier of the data object. The method further extracts a first string from the object identifier. The method then determines whether there is an existing file system object having a file system name that matches the first string. If there is no file system object that has a file system name that matches the first string, the method stores the data fragment as a fragment file with a file system name matching the first string.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: September 19, 2017
    Assignee: NetApp, Inc.
    Inventor: Barry Patrick Benight
  • Patent number: 9762611
    Abstract: A first node of a networked computing environment initiates each of a plurality of different types of man-in-the-middle (MITM) detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception or an attempted interception by a third node. Thereafter, it is determined, by the first node, that at least one of the tests indicates that the communications are likely to have been intercepted by a third node. Data that characterizes the determination is then provided by the first node. In some cases, one or more of the MITM detection tests utilizes a machine learning model. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: September 12, 2017
    Assignee: Cylance Inc.
    Inventors: Brian Michael Wallace, Xuan Zhao, Jonathan Wesley Miller
  • Patent number: 9760711
    Abstract: A repackaged mobile app that has been unpacked and repackaged back is detected based on similarity of app labels of a target mobile app being evaluated and a reference mobile app. The similarity of the sound of the app label of the target mobile app to the sound of the app label of the reference mobile app may be determined. The similarity of the appearance of the app label of the target mobile app to the appearance of the app label of the reference mobile app may also be determined. The target mobile app may be deemed to be a repackaged mobile app when the app labels of the target and reference mobile apps are deemed to be similar (which may include being the same) but the target and reference mobile apps have different identifiers.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: September 12, 2017
    Assignee: Trend Micro Incorporated
    Inventors: Zhibo Zhang, Liang Sun, Chengkai Tao, Kun Ma
  • Patent number: 9754107
    Abstract: A method and a user device for processing virus files. First information of at least one category of virus files and second information of a manner for processing each of the at least one category of virus files are provided. A category of a virus file when the virus file is identified. A manner of processing viruses of the category from the first information and the second information is obtained and the virus file is processed by using the manner without information about the virus file being presented to a user.
    Type: Grant
    Filed: April 3, 2015
    Date of Patent: September 5, 2017
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Zhao Liu, Qiyuan Meng
  • Patent number: 9740859
    Abstract: Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: August 22, 2017
    Assignee: Sophos Limited
    Inventors: Mark D. Harris, Kenneth D. Ray
  • Patent number: 9729567
    Abstract: A shadow network, which can be a virtual reproduction of a real, physical, base computer network, is described. Shadow networks duplicate the topology, services, host, and network traffic of the base network using shadow hosts, which are low interaction, minimal-resource-using host emulators. The shadow networks are connected to the base network through virtual switches, etc. in order to form a large obfuscated network. When a hacker probes into a host emulator, a more resource-intensive virtual machine can be swapped in to take its place. When a connection is attempted from a host emulator to a physical computer, a host emulator can step in to take the place of the physical computer, and software defined networking (SDN) can prevent collisions between the duplicated IP addresses. Replicating the shadow networks within the network introduces problems for hackers and allows a system administrator easier ways to identify intrusions.
    Type: Grant
    Filed: April 21, 2016
    Date of Patent: August 8, 2017
    Assignee: Acalvio Technologies, Inc.
    Inventors: Steven M. Silva, Yadong Zhang, Eric Winsborrow, Johnson L. Wu, Craig A. Schultz
  • Patent number: 9727705
    Abstract: Systems and methods, including computer software adapted to perform certain operations, can be implemented for remotely defining security data for authorizing access to data on a client device. Permission indicators are associated with a sequence of instructions, and a protected activity is associated with one or more of the permission indicators and with an instruction within the sequence of instructions. The one or more permission indicators and the sequence of instructions are provided to a remote device. The remote device determines whether execution of the instruction is permitted based, at least in part, on the one or more permission indicators, and the remote device performs the protected activity if execution of the instruction is permitted.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: August 8, 2017
    Assignee: Adobe Systems Incorporated
    Inventors: Rishit Shah, Jian Zheng, Anssi Kesti-Helia, Rupen Chanda
  • Patent number: 9720889
    Abstract: Systems and methods for checking for redirection of a content item are provided. A first web page identified by a first uniform resource locator (URL), the first web page comprising a content item. The first URL is stored in a memory element. After a predetermined period of time elapses, a second URL associated with a second web page rendered by the browser is identified. A discrepancy between the first URL and the second URL is detected. Responsive to the discrepancy detection, the content item is identified as ineligible for participation in an online auction system.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: August 1, 2017
    Assignee: Google Inc.
    Inventor: Pavel Kobyakov
  • Patent number: 9723021
    Abstract: A virus detecting method and device are provided, where the method includes that the virus detecting device receives a network data stream carrying a portable execute (PE) file; calculates first identification information according to structure information of the PE file; matches the first identification information with virus identification information prestored in an antivirus database, and determines whether the PE file is an Archive file; if the PE file is an Archive file, calculates second identification information according to a data packet that carries a data part of the Archive file; and matches the second identification information with the virus identification information prestored in the antivirus database, and if the matching succeeds, determines that the Archive file is an Archive virus file. The present invention can effectively determine whether an Archive-type PE file is a virus file.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: August 1, 2017
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Zhenhua Liu
  • Patent number: 9716725
    Abstract: In certain embodiments, virtualization mechanisms used to defend against spying can also be used by attackers as a means to execute spying attacks more effectively. In certain embodiments, attack methods may use the virtualization mechanisms to surreptitiously activate input peripherals without the user's knowledge or authorization. In certain embodiments, a virtualized network interface may be employed in which all network traffic transiting a portable wireless system is routed through a remote control component within a peripheral control domain. The remote control component may be used by an attacker to communicate remotely with the portable device to send it peripheral activation commands. The remote control component can then activate peripherals via the peripheral access module without the user's or general-purpose operating system's knowledge or authorization. All other network traffic may be passed through as normal and expected to the general-purpose operating system.
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: July 25, 2017
    Assignee: Green Hills Software, Inc.
    Inventors: Daniel O'Dowd, David Kleidermacher, Thomas Cantrell, Dennis Kou, Daniel Hettena
  • Patent number: 9710126
    Abstract: A method in a portable electronic device for providing a user with an improved user interface is described. The electronic device includes one or more processors and memory including instructions which when executed by the one or more processors cause the electronic device to perform the method. While content in a user interface of a first application is displayed, a first user input is detected. In response to the first user input, at least a preview for a second application is displayed. In some instances, the second application is selected automatically at least partly in dependence on the content displayed in the user interface of the first application.
    Type: Grant
    Filed: October 17, 2013
    Date of Patent: July 18, 2017
    Assignee: BlackBerry Limited
    Inventors: Christopher Engström, Dan Zacharias Gärdenfors, David Andrew Brown
  • Patent number: 9703960
    Abstract: Provided are an electronic system, an integrity verification device, and a method of performing an integrity verification operation.
    Type: Grant
    Filed: March 4, 2015
    Date of Patent: July 11, 2017
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Tong-Pyo Hong, Kyung-Ae Kim, Jae-Chul Park, Yun-Ho Youm, Heon-Soo Lee, Hye-Soo Lee
  • Patent number: 9703952
    Abstract: Embodiments relate generally to access control, and more particularly to systems and methods for providing access control based on user intent. An intent-based access control method is provided comprising: receiving, from a user, a request to gain access to a protected resource; presenting stimuli to the user to evoke a physiological or behavioral response at one or more time points or time periods; receiving a signal of the physiological or behavioral response, the one or more physiological signals associated with one or more time codes that correspond to the one or more time points or time periods for the presenting of the stimuli; processing the received signal to assess an intention of the user; and in response to the processing, selectively granting the user access to the protected resource. Various systems, methods, and non-transitory computer-readable media are also described.
    Type: Grant
    Filed: July 7, 2015
    Date of Patent: July 11, 2017
    Assignee: UNIVERSITY OF ONTARIO INSTITUTE OF TECHNOLOGY
    Inventors: Abdulaziz Mohammed Almehmadi, Khalil El-Khatib
  • Patent number: 9698988
    Abstract: A security control platform receives a virtual machine starting request message that is from user equipment and forwarded by a management platform, where the virtual machine starting request message includes an identifier of a virtual machine that needs to be enabled and user information; invokes a third-party trusted platform to determine that the virtual machine starting request message is initiated by the user equipment according to an instruction of an authorized user; and performs authentication on the user information, and based on successful authentication, invokes the third-party trusted platform to decapsulate the virtual machine that needs to be enabled. It is ensured that other user equipment (including the management platform) cannot obtain a key of the third-party trusted platform, which enhances security of management control on the virtual machine, and thereby enhances security of a cloud computing platform.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: July 4, 2017
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Sihai Ye, Xun Shi
  • Patent number: 9697276
    Abstract: A method includes associating, in a graph including graph nodes connected via edges, a respective node weight with each of the graph nodes, and organizing the graph nodes into ancestor nodes, each of the ancestor nodes having one or more descendent nodes so that the ancestor and the descendent nodes include all the graph nodes. For a given descendent node, a respective path to one or more of the ancestor nodes is identified, each of the respective paths including one or more edges, and a given ancestor node having a shortest of the identified paths is determined. A respective edge weight is assigned to each of the one or more edges in the shortest path, and, for the given descendent node, a node loss value is calculated based on the node weight and the respective edge weight of each of the one or more edges.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: July 4, 2017
    Assignee: International Business Machines Corporation
    Inventors: Gadi Aleksandrowicz, Doron Cohen, David Konopnicki, Oded Margalit, Haggai Roitman, Dafna Sheinwald, Michal Shmueli-Scheuer
  • Patent number: 9697361
    Abstract: Disclosed are systems and methods for controlling opening of computer files by vulnerable applications. An example method includes: detecting a request from a software application to open a computer file on the user computer; determining one or more parameters of the file; determining a file access policy based on the parameters of the file, wherein the file access policy specifies at least access rights of the software application to the resources of the user computer; identifying vulnerabilities of the software application; determining an application launching policy for the software application based at least on the determined vulnerabilities, wherein the application launching policy specifies at least whether opening of the file is permitted or prohibited; and controlling opening of the file on the user computer and accessing of the computer resources by the software application working with the opened file based on the file access policy and application launching policy.
    Type: Grant
    Filed: July 6, 2015
    Date of Patent: July 4, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Andrey V. Ladikov, Andrey Y. Solodovnikov, Alexey V. Monastyrsky
  • Patent number: 9692762
    Abstract: The disclosed embodiments provide systems, methods, and apparatus for efficient detection of fingerprinted content and relate generally to the field of information (or data) leak prevention. Particularly, a compact and efficient repository of fingerprint ingredients is used to analyze content and determine the content's similarity to previously fingerprinted content. Some embodiments employ probabilistic indications regarding the existence of fingerprint ingredients in the repository.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: June 27, 2017
    Assignee: Websense, LLC
    Inventors: Roy Barkan, David Lazarov, Yevgeny Menaker, Lidror Troyansky
  • Patent number: 9678898
    Abstract: There is described a chip comprising a one-time programmable (OTP) memory programmable to store chip configuration data, and a verification module operable to access the OTP memory. The verification module is operable to receive a verification request relating to a specified portion of the OTP memory, the verification request comprising mask data defining the specified portion of the OTP memory. In response to the verification request, the verification module is operable to use the mask data and the OTP memory to generate verification data relating to the specified portion of the OTP memory, the verification data further being generated based on a secret key of the chip. There is also described a chip-implemented method of generating verification data relating to a specified portion of a one-time programmable (OTP) memory of the chip. There are also described methods for primary or secondary verification systems to verify a configuration of a specified portion of the OTP memory of the above-mentioned chip.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: June 13, 2017
    Assignee: IRDETO B.V.
    Inventor: Ettore Benedetti
  • Patent number: 9672361
    Abstract: A Basic Input/Output System (BIOS) of a device is modified to: obtain a first value from a medium interfaced to the device, produce a second value from boot data resident on the medium, compare the first value to the second value, and boot from the boot data of the medium when the first value is equal to the second value.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: June 6, 2017
    Assignee: NCR Corporation
    Inventors: Gordon Chisholm, Kevin Horgan, Campbell Benn
  • Patent number: 9646712
    Abstract: A method and circuit for implementing Electronic Fuse (eFuse) visual security of stored data using embedded dynamic random access memory (EDRAM), and a design structure on which the subject circuit resides are provided. The circuit includes EDRAM and eFuse circuitry having an initial state of a logical 0. The outputs of the eFuse and an EDRAM are connected through an exclusive OR (XOR) gate, enabling EDRAM random data to be known at wafer test and programming of the eFuse to provide any desired logical value out of the XORed data combination.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: May 9, 2017
    Assignee: International Business Machines Corporation
    Inventors: Todd A. Christensen, Karl R. Erickson, Phil C. Paone, David P. Paulsen, John E. Sheets, II, Gregory J. Uhlmann
  • Patent number: 9639425
    Abstract: The present disclosure describes methods and apparatus for implementing a signature-based sleep recovery operation flow for booting a system-on-chip (SoC). When the SoC begins its normal boot flow, a controller retrieves a sleep recovery signature from a register and compares the retrieved sleep recovery signature to a default signature. If the sleep recovery signature matches the default signature, the SoC enters a ROM checksum fail debug flow and, upon satisfying the requirements of the ROM checksum fail debug flow, enters a sleep recovery boot flow, which restores the SoC to the operational state it was in prior to entering the sleep mode. If the sleep recovery signature does not match the default signature, the SoC continues with the normal boot flow or, by use of external pins, can be forced into a normal debug mode flow so that the boot code can be debugged.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: May 2, 2017
    Assignee: Marvell International Ltd.
    Inventors: Saswat Mishra, Tao Yu, Jungil Park
  • Patent number: 9633227
    Abstract: Methods, apparatus and system of detecting data security are provided herein. Data for detection are acquired. Whether the data for detection are to be updated for a first time is determined. When the data for detection are to be updated for the first time, the data for detection can be updated, encrypted, and stored as first encrypted data. When the data for detection are not to be updated for the first time, the data for detection can be acquired and encrypted to provide second encrypted data. The second encrypted data are compared with the stored first encrypted data to determine whether the second encrypted data have been unauthorizedly modified. The present disclosure is simple to implement without relying on specific logic of a certain application. Development costs, maintenance costs and occupancy of server resources can be reduced. System performance and user experience can be improved.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: April 25, 2017
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Wen Tang, Xuxin Wang, Jianhui Yao, Le Liu, Cheng Cai, Jin Zhang
  • Patent number: 9621571
    Abstract: An apparatus and method for searching for similar malicious code based on malicious code feature information. The apparatus includes a malicious code registration unit for registering input new malicious code as a new malicious code sample, and extracting and registering detailed information of the new malicious code sample, a malicious code analysis unit for analyzing the detailed information of the new malicious code sample, a malicious code DNA extraction unit for extracting malicious code DNA information including malicious code feature information, a malicious code DNA comparison unit for comparing the extracted malicious code DNA information with malicious code DNA information of prestored malicious code samples, and calculating similarities therebetween, and a similar malicious code search unit for calculating, based on the calculated similarities, all similarities between the new malicious code sample and prestored malicious code samples, and extracting a specific number of malicious code samples.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: April 11, 2017
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Dongphil Kim, Inkyoung Kim, Seokwoo Choi, Taejoo Chang, Wonho Kim, Hyunggeun Oh
  • Patent number: 9614813
    Abstract: The present invention provides methods and systems to protect an organization's secure information from unauthorized disclosure. The present system uses protect agents installed across various egress points (e.g., email server, user's computer, etc.) to monitor information disclosed by a user. The present system also provides the use of fingerprint servers to remotely maintain a database of fingerprints associated with the organization's secure data. In one embodiment, the protect agents transmit fingerprints associated with the user's information to the fingerprint server utilizing a local network or the public internet. The protect agents then receive a comparison analysis from the fingerprint servers and execute appropriate security action based on the analysis. In one embodiment, a combination of the local network and public internet is utilized to achieve remote agent lookups.
    Type: Grant
    Filed: August 11, 2016
    Date of Patent: April 4, 2017
    Assignee: Workshare Technology, Inc.
    Inventors: Scott More, Ilya Beyer, Daniel Christopher John Sweeting
  • Patent number: 9613214
    Abstract: Several embodiments of systems incorporating nonvolatile memory devices are disclosed herein. In one embodiment, a system can include a central processor (CPU) and a nonvolatile memory device operably coupled to the CPU. The nonvolatile memory device can include a memory that stores pre-measurement instructions that are executable by the nonvolatile memory upon startup, but not executable by the CPU upon startup. In operation, the pre-measurement instructions direct the nonvolatile memory to take a measurement of at least a portion of its contents and to cryptographically sign the measurement to indicate that the measurement was taken by the nonvolatile memory device. In one embodiment, the CPU can use the measurement to determine whether the nonvolatile memory device is trustworthy.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: April 4, 2017
    Assignee: Micron Technology, Inc.
    Inventor: Lance W. Dover
  • Patent number: 9600302
    Abstract: A device may receive a digital voucher, a customer certificate, and configuration information for automatically configuring the device. The digital voucher may include a first customer identifier that identifies a customer associated with the device and a device identifier that identifies the device. The customer certificate may include a second customer identifier that identifies the customer and a customer public key associated with the customer. The configuration information may include information that identifies a configuration for automatically configuring the device. The device may validate at least one of the digital voucher, the customer certificate, or the configuration information. The device may configure the device, using the configuration, based on validating at least one of the digital voucher, the customer certificate, or the configuration information.
    Type: Grant
    Filed: February 19, 2015
    Date of Patent: March 21, 2017
    Assignee: Juniper Networks, Inc.
    Inventor: Kent A. Watsen
  • Patent number: 9600668
    Abstract: Disclosed are a method and a device for extracting a characteristic code of an APK virus. The method comprises: scanning a designated file in an Android installation package APK; extracting an operation instruction in the designated file, and judging whether the operation instruction contains virus information; and if yes, generating a characteristic code of the virus according to the operation instruction. In the application, the characteristic code of the virus APK can be accurately and effectively extracted, so as to facilitate improvement of efficiency and accuracy of identification of the virus APK and a variation thereof, thereby improving the security of an APK application.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: March 21, 2017
    Assignee: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED
    Inventors: Xun Wang, Xu Zhang
  • Patent number: 9591016
    Abstract: A method for assessing security risks associated with a cloud application to which one or more connected applications are coupled begins by configuring a security risk assessment application to function as a connected application. The security risk assessment application collects “first” data associated with one or more accounts, and “second” data associated with the one or more connected applications coupled to the cloud application. After receiving the first and second data, the security risk assessment application instantiates that data into a generic “data object” that the system uses to represent each account and each of the connected applications. Each such data object thus is populated either with the first data or the second data, depending on whether the data object represents an account or a connected application. A risk assessment is then applied to the generic data object to assess a security risk associated with the cloud application.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: March 7, 2017
    Assignee: International Business Machines Corporation
    Inventors: David Walsh Palmieri, Gee Ngoo Chia, Jeffrey Tobias Robke
  • Patent number: 9589144
    Abstract: Systems and methods for cryptographic suite management are described. A system for cryptographic suite management has a cryptographic suite management unit comprising a series of APIs enabling diverse applications to call cryptographic functions. The system enables: multiple applications on an interface to access shared cryptographic resources; applications across multiple devices to share and license cryptographic resources between devices; encryption, decryption and sharing of data between devices having different cryptographic implementations; the definition, distribution and enforcement of policies governing the terms of use for cryptographic implementations, systems and methods to secure and protect shared and dynamically loaded cryptographic providers; use by an application of multiple cryptographic resources and the management of cryptographic provider bundles and associated policies across one or many cryptographic suite management unit instances.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: March 7, 2017
    Assignee: INFOSEC GLOBAL INC.
    Inventors: Adrian Antipa, Dominic Chorafakis, Brian Neill
  • Patent number: 9576156
    Abstract: A download security system (100) includes a server (102) and an information processing apparatus (10). The information processing apparatus (10) includes a flash memory (64) for storing data downloaded from the server (102) and a memory controller (62). A transition command for a transition to a writable mode to the flash memory (64) is transmitted from the server (102), and in response to the transition command, a memory controller (62) makes a transition to the writable mode. The data downloaded from the server (102) is written to the flash memory (64) by the memory controller (62) in the writable mode.
    Type: Grant
    Filed: September 4, 2007
    Date of Patent: February 21, 2017
    Assignee: NINTENDO CO., LTD.
    Inventor: Shinji Kurimoto
  • Patent number: 9569633
    Abstract: A device, system, and method for providing processor-based data protection on a mobile computing device includes accessing data stored in memory with a central processing unit of the mobile computing device and determining that the accessed data is encrypted data based on data included in one or more control registers of the central processing unit. If the data is determined to be encrypted data, the central processing unit is to decrypt the encrypted data using a cryptographic key stored in the central processing unit. The encrypted data may also be stored on a drive of the mobile computing device. The encryption state of the data stored on the drive is maintained in a drive encryption table, which is used to update memory page tables and the one or more control registers.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 14, 2017
    Assignee: Intel Corporation
    Inventors: Gyan Prakash, Jason M. Fung, Cris Rhodes, Selim Aissi
  • Patent number: 9548867
    Abstract: A method and apparatus to securely distribute embedded firmware to a module in an industrial control system is disclosed. A security certificate corresponding to the firmware is generated utilizing a proprietary algorithm. The certificate includes an identifier corresponding to the module on which the firmware is to be loaded and an identifier corresponding to a removable medium on which the firmware is distributed. The removable medium is inserted into the module in the industrial control system on which the firmware is to be loaded. The module reads the security certificate and verifies that the firmware is intended for the module and verifies that the security certificate includes the identifier for the removable medium which was inserted into the module. If the firmware is intended for the module and the security certificate includes the identifier for the removable medium, the module loads the firmware from the removable medium.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: January 17, 2017
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Daniel Clark, James Kay, Robert P. Anderson
  • Patent number: 9547709
    Abstract: A server determines whether a file stored on a computing device matches a file stored on the server by comparing hash values for a first portion of the files. Based on the comparing, the server determines whether to upload the first portion of the file. The server uploads a second portion of the file. The server generates the file for download by appending the first portion of the file stored on the server to the second portion of the file uploaded from the computing device.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: January 17, 2017
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: David P. Billmaier, Jason C. Hall, Alexander C. Barclay, John M. Kellum, Henry H. Yamamoto