Authorization Patents (Class 726/21)
  • Publication number: 20140366131
    Abstract: The invention discloses a secure bus system and a bus system security method. The secure bus system includes a bus interconnect structure, a bus master, a bus device and a security control module. The security control module determines a device security attribute for the bus device. When the master security attribute of the bus master or the device security attribute of the bus device has changed, the security control module determines a security permission flag related to the bus master. When the security control module receives a bus transaction from the bus master, the security control module determines whether a security violation condition happens between the bus master and the bus device according to the security permission flag. If the security violation condition happens, the security control module triggers a security violation handling process to further restrict accessibility of the bus master to the bus device.
    Type: Application
    Filed: June 7, 2013
    Publication date: December 11, 2014
    Inventor: Chi-Chang Lai
  • Patent number: 8910301
    Abstract: A storage device protection system including a protection control unit, a detection unit, an account/password input unit, an ID acquiring unit, and an encryption unit is provided. The detection unit determines whether a storage device and a key storage device are both coupled to a host. The account/password input unit receives an administrator ID and an administrator password. The ID acquiring unit obtains IDs of the storage device and the key storage device. The encryption unit encrypts the administrator ID, the administrator password, and the IDs of the storage device and the key storage device into encryption data. The protection control unit stores the encryption data into the key storage device and sets an access mode of the storage device as a protection status according to the administrator ID and the administrator password. Thereby, the storage device can be effectively unlocked by using the key storage device.
    Type: Grant
    Filed: February 6, 2012
    Date of Patent: December 9, 2014
    Assignee: Phison Electronics Corp.
    Inventors: Ching-Hsien Wang, Chia-Jung Hsu
  • Patent number: 8902444
    Abstract: An image processing apparatus which is capable of realizing security improvements without degrading the usability. A user is authenticated, and an operation screen accepting an operation input from the user is displayed. A job is executed according to an instruction of the user authenticated by the user authenticating unit. It is determined whether or not the job of which execution is instructed by the user, is being executed when the user authenticating unit authenticates the user. A first operation screen through which the user inputs an instruction for the job in execution is displayed when the job executing unit is executing the job, of which execution is instructed by the user, whereas another operation screen through which another user inputs an instruction for another job is displayed when not.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: December 2, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yoshiaki Katahira
  • Patent number: 8904521
    Abstract: Cross-site request forgeries (“XSRF”) can be prevented using a client-side plugin on a client computer. The client computer accesses a content provided by a third party host via a network and generates a request to a web application as directed by the content. The client-side plugin determines whether the request is associated with suspicious activities based on the content, a source of the request and a list of approved hosts associated with the target host. In response to a determination that the request is associated with suspicious activities, the plugin removes authentication credentials from the request and sends the request to the web application.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: December 2, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8904489
    Abstract: A system and process for identifying a client, comprising a client device having a video camera and a voice transmitting and receiving device capable of transmitting a client's image and voice via a communication carrier system and a communications network to a user terminal, whereby the user terminal permits an authentication of the client's image and voice in real time. Another aspect of the present invention includes a method of identifying a fraudster, comprising the steps of using a client device having a video camera and voice transmitting and receiving device to initiate an authentication of a client's identity, transmitting the fraudster's image and voice over a communication carrier system and a communications network to a user terminal, comparing the fraudster's image and voice to client data, and storing the fraudster data.
    Type: Grant
    Filed: September 8, 2010
    Date of Patent: December 2, 2014
    Inventor: Thomas Varghese
  • Patent number: 8902066
    Abstract: A computer process is disclosed for assessing the risk of theft or loss of electronic devices in particular locations. The risk assessments may be based on data regarding reported theft and/or loss events, and based on data regarding current locations of user devices. The risk assessments may be used to generate location-based alerts.
    Type: Grant
    Filed: June 5, 2014
    Date of Patent: December 2, 2014
    Assignee: Absolute Software Corporation
    Inventors: Timothy Parker, Damien Gerard Loveland
  • Patent number: 8904523
    Abstract: The invention is directed to a security module deployed in a host device, which provides a secondary agent that operates in coordination with the host agent in the host device, but operates independent of the host operating system of the host device to independently access an existing communication network interface in the host device or a separate dedicated network interface, if available. In one aspect, the present invention enables robust theft recovery and asset tracking services. The system comprises a monitoring center; one or more monitored devices; a security module in the monitored devices; and one or more active communications networks. Monitored devices may be stand alone devices, such as computers (e.g., portable or desktop computers), or a device or a subsystem included in a system. A monitored device comprises a security module, a host agent and software to support the host agent that runs in the monitored device's OS.
    Type: Grant
    Filed: October 13, 2010
    Date of Patent: December 2, 2014
    Assignee: Absolute Software Corporation
    Inventor: William Doyle Gordon
  • Patent number: 8898303
    Abstract: Various arrangements for controlling access to a set of media items accessible via multiple channels are presented. An indication of a media item may be stored. Multiple sets of rules may be received, including a first and second set of rules. Requests for access to the media item may be received from a first and second application. The first request may be determined to be associated with a first channel, wherein the first channel is associated with the first set of rules. Access to the media item may be provided in accordance with the first set of rules. The second request may be determined to be associated with a second channel. Access to the media item may be provided in accordance with the second set of rules.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: November 25, 2014
    Inventors: Albert J. McGowan, Niko Huffman
  • Patent number: 8898770
    Abstract: A method and apparatus for accessing contact records in an electronic device with multiple operation perimeters is provided. When accessing contact records from within one operation perimeter, only contact information accessible from that operation perimeter is retrieved. An option is provided to also access contact records of an alternative operation perimeter. If the alternative operation perimeter has a higher security level than the current operation perimeter, a password or other authorization may be required. The contact records may be accessed, for example, to find information for an outgoing communication, to identify information associated with an incoming communication, or to edit a contact record.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: November 25, 2014
    Assignee: Blackberry Limited
    Inventors: Robert Emmett McCann, Diana Jo Schwend, Hieu Le, Stephen Patrick Newman, Benjamin John Turner, Atiq Ur Rehman Awan
  • Patent number: 8898772
    Abstract: Methods and structure are provided for implementing security features in SCSI Enclosure Services (SES) systems. The system comprises an SES device server, which includes a frontend interface, control unit, and backend interface. The frontend interface is operable to receive SES commands generated by Small Computer System Interface (SCSI) devices, and the backend interface is operable to manage operations of at least one peripheral device communicatively coupled with the SES device server based on received SES commands. The control unit is operable to determine whether a SCSI initiator that generated an SES command is an authorized device. The control unit is further operable to perform the SES command in response to determining that the SCSI initiator is an authorized device, and is further operable to reject the SES command in response to determining that the SCSI initiator is not an authorized device.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: November 25, 2014
    Assignee: LSI Corporation
    Inventors: Saurabh B. Khanvilkar, Mandar Joshi, Kaushalender Aggarwal
  • Patent number: 8892877
    Abstract: A method and a device are provided for accessing data files of a secure file server, wherein a user or a process is authenticated; wherein access to the data files of the secure file server takes place by way of an encryption module of the secure file server; wherein the encryption module comprises an encryption agreement of a centralized security application; and wherein the access of the authenticated user or process to the secure file server takes place by way of an encrypted protocol taking into consideration the encryption agreement. Such a device may be included in a corresponding computer network.
    Type: Grant
    Filed: May 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventor: Sirko Molau
  • Patent number: 8893268
    Abstract: Methods and systems for preventing permission re-delegation among applications are disclosed herein. The method includes accepting a message requesting access to a user-controlled resource from a requester application at a deputy application and reducing a first permissions list of the deputy application to a second permissions list. The second permissions list includes an overlap of permissions between the deputy application and the requester application. Moreover, the method also includes sending the message from the deputy application to a computing system via an application programming interface (API), wherein the computing system is configured to reject the message if the second permissions list of the deputy application does not permit access to the user-controlled resource.
    Type: Grant
    Filed: November 15, 2011
    Date of Patent: November 18, 2014
    Assignee: Microsoft Corporation
    Inventors: Adrienne Porter Felt, Helen Jiahe Wang, Alexander Moshchuk
  • Patent number: 8893267
    Abstract: In a system-on-chip (SoC), a method is provided for partitioning access to resources. A plurality of processors is provided, including a configuration master (CM) processor, a memory, a plurality of OSs, and accessible resources. The method creates a mapping table with a plurality of entries, each entry cross-referencing a range of destination addresses with a domain ID, where each domain ID is associated with a corresponding processor. Access requests to the resource are accepted from the plurality of processors. Each access request includes a domain ID and a destination address. A mapping table is consulted to determine the range of destination addresses associated with the access request domain IDs. The accesses are authorized in response to the access request destination addresses matching the range of destination addresses in the mapping table, and the authorized access requests are sent to the destination addresses of the requested resources.
    Type: Grant
    Filed: August 17, 2011
    Date of Patent: November 18, 2014
    Assignee: Applied Micro Circuits Corporation
    Inventors: Satish Sathe, Perrine Peresse, Anjan Rudra, Keyur Chudgar
  • Patent number: 8892602
    Abstract: Embodiments of the invention are directed to automatically populating a database of names and secrets in an authentication server by sending one or more lists of one or more names and secrets by a network management software to an authentication server. Furthermore, some embodiments provide that the lists being sent are encrypted and/or embedded in otherwise inconspicuous files.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: November 18, 2014
    Assignee: Emulex Corporation
    Inventor: Larry Dean Hofer
  • Patent number: 8893269
    Abstract: This disclosure relates to a method, article of manufacture, and apparatus of importing authorities for backup systems. In some embodiments, this includes having a directory service engine retrieve authorities from an external directory service, obtain users and groups from the authorities, map the users and the groups to roles of internal authorities, and distribute the mapping to the internal authorities. The directory service engine may also export authorities to the external directory service and may be used for communication with the external directory service for authentication and access control.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: November 18, 2014
    Assignee: EMC Corporation
    Inventor: Harish Jayaram
  • Patent number: 8893298
    Abstract: An app is made secure using an app wrapping security technique and a network linker that creates an executable binary file of the wrapped app that does not use custom dynamic libraries. The network linker includes a client-side linker component and a server-side linker component. When the app is created and the developer decides to have it security wrapped, an extra parameter is inserted in the client-side linker component for invoking the network linker of the present invention. If a call is being made from app security wrapping code, then the invocation resolves to normal system libraries and the call is not shimmed. Once all the symbols have been resolved on the server-side linker, the executable binary is transmitted back to the client-side linker component where it is digitally signed by the app developer and put in a suitable form for uploading to an app store or marketplace.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: November 18, 2014
    Assignee: Mocana Corporation
    Inventors: John Roark, Dean E. McKee
  • Patent number: 8885817
    Abstract: A nonlinear feedback shift register for creating a signature for cryptographic applications includes a sequence of series-connected flip-flops which are connected to each other for forming at least one polynomial, with the aid of at least one signal feedback having at least one operator. The flip-flops are connected to at least one switching operator for forming at least two different polynomials, the switching operator switching between the polynomials as a function of an input signal. A method for nonlinear signature formation is also provided.
    Type: Grant
    Filed: November 24, 2009
    Date of Patent: November 11, 2014
    Assignee: Robert Bosch GmbH
    Inventors: Eberhard Boehl, Paulius Duplys
  • Patent number: 8886750
    Abstract: Generally described, the present disclosure is directed to managing request routing functionality corresponding to resource requests for one or more resources associated with a content provider. A service provider may assign alias resource records that point to another alias resource record or to an IP address. A DNS server of the service provider may receive a request to resolve a DNS query for a domain for which the DNS server is authoritative. The DNS server determines that the DNS query corresponds to an alias record and may resolve the DNS query according to the data of the alias record.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: November 11, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Darren Mutz, John Cormie
  • Patent number: 8887272
    Abstract: A medical device customization system and method comprising a medical device that receives signals from a biological probe having an operational parameter and that stores data based on the signals in a memory. The medical device receives a custom application and establishes a virtual machine to run the custom application.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: November 11, 2014
    Assignee: General Electric Company
    Inventors: Mark S. Urness, Anders Herman Torp, Menachem Halmann
  • Patent number: 8886938
    Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the page form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and a secondary token from a client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: November 11, 2014
    Assignee: Intuit Inc.
    Inventor: Matthew Greenwood
  • Patent number: 8887271
    Abstract: In one embodiment the present invention includes a computer-implemented method comprising receiving a request from a user to perform an action on a first object in a software application, accessing a predefined hierarchy of a plurality of different object definitions, accessing user authorization data, and granting the user permission to perform the action on said first object, wherein the permission is determined from the predefined hierarchy and the user authorization data, wherein determining the permission includes traversing the predefined hierarchy.
    Type: Grant
    Filed: June 15, 2009
    Date of Patent: November 11, 2014
    Assignee: SAP SE
    Inventors: Bhanu P. Mohanty, Sanjeev K. Agarwal
  • Publication number: 20140331316
    Abstract: A method, system and non-transitory computer-readable medium product are provided for functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to establish an association between a watermark template and a function of at least one user device and determining whether the request to establish the association between the watermark template and the function of the at least one user device is authorized. The method further includes authorizing the request to establish the association between the watermark template and the function of the at least one user device in response to a determination that the request to establish the association between the watermark template and the function of the at least one user device is authorized.
    Type: Application
    Filed: May 5, 2014
    Publication date: November 6, 2014
    Applicant: Sky Socket, LLC
    Inventors: John Marshall, Erich Stuntebeck
  • Patent number: 8878672
    Abstract: Devices, methods, systems and a computer readable medium for the provision of alerts to electronic devices in response to real-time, location based analysis of the risk of theft or loss of such devices are provided. A continually updated database of locations of thefts, losses and/or stolen or lost electronic devices is accessed in order to provide the alerts to the electronic devices.
    Type: Grant
    Filed: March 18, 2014
    Date of Patent: November 4, 2014
    Assignee: Absolute Software Corporation
    Inventors: Timothy Parker, Damien Gerard Loveland
  • Patent number: 8881226
    Abstract: An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.
    Type: Grant
    Filed: September 17, 2012
    Date of Patent: November 4, 2014
    Assignee: Axiomatics AB
    Inventor: Pablo Giambiagi
  • Patent number: 8881270
    Abstract: A system for selectively enabling a microprocessor-based system is disclosed. State information that describes the operating conditions or circumstances under which a user intends to operate the system is obtained. In the preferred embodiment of the invention, a valid hash value is determined, preferably based on the state information and preferably by locating the valid hash value within a table of valid hash values indexed by the state information. Candidate authorization information is obtained from the user, and a candidate hash value is generated by applying a hashing algorithm to the candidate authorization information, the state information, or a combination of the candidate authorization information and state information. The candidate hash value and the valid hash value are then compared, and the microprocessor-based system is enabled if the candidate hash value matches the valid hash value.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: November 4, 2014
    Assignee: Creative Mines LLC
    Inventors: W. Daniel Hillis, Bran Ferren
  • Patent number: 8875245
    Abstract: An authentication apparatus receives an authority delegating request from an apparatus, acquires information of authorities possessed by the user from a storage unit, presents information of the acquired authorities to the user, and receives an instruction indicating which of the authorities possessed by the user is delegated to the apparatus. A storage unit stores, when the instruction to delegate the authority to the apparatus is received, an identifier required to uniquely identify the instruction and the authority instructed by the user to delegate, in association with each other. Authentication information indicating delegation of the authority is transmitted to the apparatus based on the instruction from the user.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: October 28, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yu Tamura
  • Patent number: 8875258
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Microsoft Corporation
    Inventors: John R. Michener, Niels T. Ferguson, Carl M. Ellison, Josh D. Benaloh, Brian A. LaMacchia
  • Patent number: 8875229
    Abstract: An embodiment of the invention provides a method for controlling access to a system, wherein a request to access the system and metadata of the request are received from a user, the request including a user identification. The metadata includes: information obtained from a history of prior accesses to an application access system, information obtained from a history of prior accesses to a wireless authentication system, and/or confirmation of the user identification by an entity physically proximate to the user. A database is queried with the user identification and the metadata to identify relationship data. The relationship data indicates the relationship between the individual assigned the user identification and an entity owning the system, an entity leasing the system, and/or an entity operating the system. The relationship data is input into a rules engine; and, security measure(s) are selected with the rules engine based on the relationship data.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 28, 2014
    Assignee: International Business Machines Corporation
    Inventors: Carlos Hoyos, Charles Steven Lingafelt
  • Patent number: 8874685
    Abstract: A process for centrally managing a large number of computers from a central location when technical expertise is not available at each end point nor can other remote management techniques be employed such as remote desktop or direct connection to an agent. This process consists of the generation of processing instructions at a central point which can then be distributed to any number of endpoints in an asynchronous manner where they will be automatically applied and, if requested, response returned to the central management point asynchronously. The communication mechanisms are secure, verifiable, and require no special expertise at the endpoint to employ. Asynchronous refers to the ability for processing instructions and responses to be transferred by a variety of methods but not solely dependent on direct communications, such as via a store-and-forward mechanism, and can also include server-side push directly to the endpoint and client-side pull from a predetermined rendezvous point.
    Type: Grant
    Filed: September 22, 2010
    Date of Patent: October 28, 2014
    Assignee: ThreatGuard, Inc.
    Inventors: Robert L. Hollis, Gunnar Engelbach, Randal Scot Taylor
  • Patent number: 8875244
    Abstract: Access of a client device to a protected resource is controlled by issuing an authentication information request for a dynamic sub-set of client-side storage values previously stored on the client device by one or more servers. Authentication information is received from the client device based on the dynamic sub-set of client-side storage values. The client device is authenticated based upon verification of the received authentication information. The received authentication information from the client device is optionally encrypted. The client-side storage values comprise any value stored by one or more servers on the client device. The client-side storage values are substantially specific to the client device. The client-side storage values are optionally stored as a matrix. The requested dynamic sub-set of the client-side storage values may comprise one or more cells from a plurality of records in the matrix.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: October 28, 2014
    Assignee: EMC Corporation
    Inventors: Alex Vaystikh, Oleg Freylafert
  • Patent number: 8874951
    Abstract: Asset management systems and methods are presented. In one embodiment, a system includes a computing resource associated with a project member. A project container is stored on the computing resource, wherein the project container comprises encrypted objects related to a project. The encrypted objects include project metadata and one or more working objects associated with one or more sub-projects of which the project member is granted permissioned access. An encryption/decryption engine is included for encrypting and decrypting the encrypted objects. The system includes an archive file system for storing the encrypted objects and previous versions of the objects, and a façade file system for viewing and accessing and interacting with the one or more working objects. Other computing resources associated with other project members are similarly configured, wherein a plurality of project containers store distributed objects that are grouped within the project.
    Type: Grant
    Filed: April 5, 2011
    Date of Patent: October 28, 2014
    Assignee: Cloudpic Global Inc.
    Inventors: Richard Chuang, David Franklyn DeBry
  • Patent number: 8875128
    Abstract: A host controller associates each virtual machine with at least one label from a hierarchy of labels, where each label represents a distinct virtual machine parameter. The host controller also associates a user with one or more roles and with one or more labels from the hierarchy of labels, where each role defines at least one action permitted to be performed with respect to virtual machines. The host controller further facilitates control over user actions pertaining to virtual machines based on the roles and the labels associated with the user.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: October 28, 2014
    Assignee: Red Hat Israel, Ltd.
    Inventors: Vitaly Elyashev, Shahar Havivi
  • Patent number: 8874920
    Abstract: Embodiments provide systems and methods to optimize signature verification time for a cryptographic cache. Time is reduced by eliminating at least some of the duplicative application of cryptographic primitives. In some embodiments, systems and methods for signature verification comprise obtaining a signature which was previously generated using an asymmetrical cryptographic scheme, and determining whether an identical signature has previously been stored in a signature cache. If an identical signature has been previously stored in the signature cache, retrieving previously generated results corresponding to the previously stored identical signature, the results a consequence of application of cryptographic primitives of the asymmetrical cryptographic scheme corresponding to the identical signature. The results are forwarded to a signature verifier. In at least some embodiments, at least one of these functions occurs in a secure execution environment.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: October 28, 2014
    Assignee: Texas Instruments Incorporated
    Inventors: Frederic P. R. Amiel, Aymeric S. Vial
  • Patent number: 8875238
    Abstract: An authentication server manages traffic data with respect to each connection device, the traffic data representing a traffic amount, with respect to the connection device, that is contained in a charging information notification signal that provides notification of charging information transmitted from the connection device, compares the traffic data with respect to each connection device with a preset threshold, and assigns one of a plurality of connection devices as a connection device that connects a communication terminal and a network based on the compared result.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: October 28, 2014
    Assignee: NEC Corporation
    Inventor: Takuya Shoji
  • Publication number: 20140317729
    Abstract: A vehicular data communication system is disclosed. The vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device.
    Type: Application
    Filed: June 30, 2014
    Publication date: October 23, 2014
    Applicant: DENSO Corporation
    Inventors: Hideto Naitou, Mitsuyoshi Natsume, Yuzo Harata, Shouichirou Hanai
  • Patent number: 8869292
    Abstract: A 3D object is protected by a first device that receives the 3D object, generates translation vectors that are added to the points of the 3D object to obtain a protected 3D object, and outputs the protected 3D object. The protected 3D object is unprotected by a second device by receiving the protected 3D object, generating translation vectors that are subtracted from the points of the protected 3D object to obtain an unprotected 3D object, and outputting the unprotected 3D object. Also provided are the first device, the second device and computer readable storage media.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: October 21, 2014
    Assignee: Thomson Licensing
    Inventors: Marc Eluard, Yves Maetz, Sylvain Lelievre
  • Patent number: 8869265
    Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 21, 2014
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder
  • Patent number: 8868034
    Abstract: Embodiments may comprise logic such as hardware and/or code to provide a secure device area network. Many embodiments comprise a gateway node or enterprise enhanced node with a services distribution frame installed on a customer's premises. The gateway node or enterprise enhanced node may interconnect the secure wireless device area network at the customer's premises with a cellular network. In many embodiments, the cellular network core may provision authentication credentials and security keys, and manage access policies to facilitate access by Application Service Providers to devices on premises including smart devices via a security and policy enforcement function of a services distribution frame of the gateway node or enterprise enhanced node. Authorized members of the secure wireless device area network may connect to the Wide Area Network (WAN) through the gateway node and the cellular network core.
    Type: Grant
    Filed: December 25, 2010
    Date of Patent: October 21, 2014
    Assignee: Intel Corporation
    Inventors: Rakesh Dodeja, Ashok Sunder Rajan, Kevin D. Johnson, Martin Mcdonnell, William J. Tiso, Todd A. Keaffaber, Adam P. Burns
  • Patent number: 8867505
    Abstract: Disclosed herein is a fast data call connection method capable of reducing a connection time and increasing the probability of connection success in a CDMA 2000 network. In the fast data call connection method of the present invention, the PDSN transmits a data call connection request message, including an authentication type and a challenge value, to the MS. The MS transmits a data call connection response message, including a response to the challenge value, to the PDSN. The PDSN performs authentication with reference to the data call connection response message, and transmits a data call connection complete message to the MS if authentication succeeds. Accordingly, the present invention is advantageous in that it can reduce connection time, can increase the probability of connection success, and can guarantee compatibility by checking the MS version before a data call connection process is executed.
    Type: Grant
    Filed: June 20, 2006
    Date of Patent: October 21, 2014
    Assignee: SK Telecom Co., Ltd.
    Inventors: Seunghwan Kwak, Jonghoon Park, Jungpyo Han, Sangyun Lee, Sehyun Oh, Sung Kim, Myungsung Lee, Namgyu Kim, Hojin Yang, Seongho Ha, Jongtae Ihm
  • Patent number: 8869300
    Abstract: The present invention is directed towards methods and systems for redirecting an access request to an unsecure virtual machine. A computing device may execute a hypervisor hosting a secure virtual machine and an unsecure virtual machine. A control virtual machine, hosted by a hypervisor executing on the computing device, may intercept a request to access an unsecure resource. The unsecure resource may include one of: a file, an application and a uniform resource locator (URL). The control virtual machine may further determine that the request originates from a secure virtual machine executing on the computing device. The control virtual machine may redirect, responsive to the determination, the request to an unsecure virtual machine executing on the computing device, whereupon the unsecure virtual machine may provide access to the requested unsecure resource.
    Type: Grant
    Filed: May 9, 2011
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Manbinder Pal Singh, Imtiaz Mohammad, Ian Pratt
  • Publication number: 20140310806
    Abstract: Approaches for using the historical party reputation data to calculate an access decision rating are provided. Specifically, one or more approaches provide a method, including: collecting reputation information of a first user that is requesting access to one or more assets, the reputation information based on at least an association of the first user with an organization and an association of the first user with one or more other users associated with one or more other organizations; storing the requester's reputation information; determining a change in the requester's reputation information, wherein the change comprises at least one of: the first user forming a new association with another organization, and the first user forming a new association with a second user, wherein the second user is affiliated with another organization; and causing an access decision rating to be calculated based upon the determined change in the requester's reputation information.
    Type: Application
    Filed: June 26, 2014
    Publication date: October 16, 2014
    Inventors: Richard V. Horn, Eric M. Nelson, David C. Roxin
  • Patent number: 8863305
    Abstract: In a file-access control system according to an embodiment of this invention, control data in accordance with actions made is imparted, as an obligation-type policy, to a document file. Next, a policy evaluation control unit evaluates and executes the obligation-type policy imparted to the document file in accordance with the action to the document file. The execution of the obligation-type policy includes the controlling of a document application on the basis of an obligation fulfillment action. Therefore, an active control can be performed in accordance with any manipulation made to the document, and the access to the document can be changed.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: October 14, 2014
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Koji Okada, Tatsuro Ikeda, Masataka Yamada, Minoru Nishizawa, Takanori Nakamizo, Toshio Okamoto
  • Patent number: 8863307
    Abstract: Disclosed are various embodiments of generating a user signature associated with a user and authenticating a user. At least one behavior associated with at least one sensor in a computing device is identified. A timestamp is generated and associated with the behavior. A user signature corresponding to a user based at least in part upon the behavior and the timestamp is generated and stored.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: October 14, 2014
    Assignee: Broadcom Corporation
    Inventor: Noam Sorek
  • Patent number: 8863228
    Abstract: An energy management apparatus includes: a communicator capable of communicating with at least a meter apparatus among the meter apparatus and a server apparatus that collects measurement information from the meter apparatus; a device registration processor configured to determine whether the direct communicator to the server apparatus can communicate with the server apparatus; if the direct communication is possible, transmit to the server apparatus a device registration message that requests to register a device identifier of the meter apparatus and a device identifier of the energy management apparatus; and, if the direct communication to the server apparatus is not possible, transmit the device registration message for the server apparatus to the meter apparatus; a communication processor configured to obtain energy control information of the device transmitted from the server apparatus; and a control executor configured to control the used energy amount of the device based on the energy control informati
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: October 14, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yasuyuki Nishibayashi, Takeshi Saito, Mitsuru Kanda, Keiichi Teramoto, Yoshihiro Oba
  • Patent number: 8861798
    Abstract: A method for authenticating the identity of a handset user is provided. The method includes: obtaining a login account and a password from the user; judging whether the login account and the password are correct; if the login account or the password is incorrect, refusing the user to access an operating system of the handset; if the login account and the password are correct, sending the login account and the password to a cloud server, wherein the login account and the password correspond to a face sample image library of the user stored on the cloud server; acquiring an input face image of the user; sending the input face image to the cloud server; authenticating, by the cloud server, the identity of the user according to the login account, the password and the input face image.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: October 14, 2014
    Assignee: Shenzhen Junshenghuichuang Technologies Co., Ltd.
    Inventor: Dongxuan Gao
  • Patent number: 8863238
    Abstract: A control unit for controlling a card reader. The control unit includes an authentication management unit for transmitting/receiving information to/from a host and each of a first encryption magnetic head device and a second encryption magnetic head device to mutually authenticate each other. The authentication management unit includes (1) a commanding means for commanding one of the first encryption magnetic head device and the second encryption magnetic head device to create lower-level information for authentication, according to a request on authentication from the host, (2) a sharing means for transmitting the lower-level information for authentication received from the above-mentioned one device to the other device for the purpose of sharing it and (3) a transmission means for transmitting the lower-level information for authentication, having been shared in all of the first encryption magnetic head device and the second encryption magnetic head device, to the host.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: October 14, 2014
    Assignee: Nidec Sankyo Corporation
    Inventor: Tsutomu Baba
  • Patent number: 8863276
    Abstract: An embodiment of the invention is associated with a system having a role for controlling user access, the role comprising users, permissions, and a set of rules. The embodiment records each of a succession of access events in an access log, each event comprising an instance of the system being accessed by a user. The embodiment further analyzes recorded access events in the access log at selected time intervals, to detect a condition or violation of rules of the set of rules. Responsive to detecting a condition or violation, the embodiment selectively determines whether any change to the users or permissions of a specified role is needed. Each needed change is then implemented.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: October 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Giblin, Maja Vukovic
  • Patent number: 8863275
    Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; and restricting access via the computing device to one or more items in response to said determining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: October 14, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8856866
    Abstract: An image forming apparatus capable of restricting use of a hard disc drive and a method of restricting the use of the hard disc drive of the image forming apparatus. The image forming apparatus includes an interface unit to detect whether a hard disc drive is installed, and a control unit to execute an authentication procedure for the installed hard disc drive and to control whether data stored into the installed hard disc drive is printable by the image forming apparatus based on a result of the authentication procedure. Thus, even if the hard disc drive is maliciously taken, the use of the hard disc drive is not allowed if information about specifications of the hard disc drive does not match with stored information about reference specifications during the authentication procedure. Accordingly, the data stored in the hard disc drive are protected from any malicious purpose, thereby providing users with enhanced security and convenience.
    Type: Grant
    Filed: October 18, 2005
    Date of Patent: October 7, 2014
    Assignee: SAMSUNG Electronics Co., Ltd.
    Inventor: Young-ok Choo
  • Patent number: 8856877
    Abstract: A computer readable storage medium including a set of instructions executable by a processor, the set of instructions operable to determine if a network location included in a request to connect to the network location is included in a first list of untrusted network locations stored on the client computer and send a request to determine if the network location is included in a second list of untrusted network locations stored remotely from the client computer when it is determined that the network location is not included in the first list.
    Type: Grant
    Filed: December 13, 2012
    Date of Patent: October 7, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Andy Huang, David J. Peto