Abstract: An asset management system is provided, which includes a hardware module operating as an asset control core. The asset control core generally includes a small hardware core embedded in a target system on chip that establishes a hardware-based point of trust on the silicon die. The asset control core can be used as a root of trust on a consumer device by having features that make it difficult to tamper with. The asset control core is able to generate a unique identifier for one device and participate in the tracking and provisioning of the device through a secure communication channel with an appliance. The appliance generally includes a secure module that caches and distributes provisioning data to one of many agents that connect to the asset control core, e.g. on a manufacturing line or in an after-market programming session.

Abstract: One embodiment of the invention is directed to a method including receiving an alias identifier associated with an account associated with a presenter, determining an associated trusted party using the alias identifier, sending a verification request message to the trusted party after determining the associated trusted party, and receiving a verification response message.

Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.

Abstract: Methods and devices for facilitating download of content, particularly data, from a third-party server using an administration server. The administration server receives a request from an electronic device to download content from the third-party server over a wireless network connection. It then generates an authorization message in response to the request based on applying one or more pre-determined rules to the request, wherein the one or more pre-determined rules are based on an estimate of wireless network traffic load and sends the authorization message to the electronic device indicating whether the electronic device is authorized to establish a download session with the third-party server.

Abstract: Techniques and configurations for implementing data obfuscation for Representational State Transfer (RESTful) web service communications such as those communicated using an Open Data (OData) protocol are described. In one example embodiment, an obfuscation service includes an OData client, an OData server, and an OData obfuscation data server, the obfuscation service operating to intercept and process OData web service requests being transmitted from requesting clients to backend enterprise data services. The obfuscation service may include or integrate with an obfuscation engine, including a context engine, a rules engine, and a hierarchical mapping engine to determine rules for data obfuscation based on determined context and hierarchical mappings. The obfuscation service may apply the determined rules to provide specific access control and data obfuscation results of data retrieved from the backend enterprise services.

Abstract: According to some embodiments, a method, an apparatus and a system perform delayed validation for software licensing and activation. In some embodiments, a method includes receiving a request to execute a software application having a license. The method also includes permitting execution of the software application. The method includes validating the license subsequent to the permitting of the execution of the software application.

Abstract: Methods and apparatus are disclosed to anonymize a dataset of spatial data. An example method includes generating a spatial indexing structure with spatial data, establishing a height value associated with the spatial indexing structure to generate a plurality of tree nodes, each of the plurality of tree nodes associated with spatial data counts, calculating a localized noise budget value for respective ones of the tree nodes based on the height value and an overall noise budget, and anonymizing the plurality of tree nodes with a anonymization process, the anonymization process using the localized noise budget value for respective ones of the tree nodes.

Abstract: A technique of controlling access by a client entity to a service in a communications network. Processing modules are interconnected in the network in order to supply the service to the client entity. A processing module implements an individual function of a chain of individual functions associated with the service. The access method includes the following steps implemented by an access control device associated with an access node giving access to the service, the device being referred to as a main device: receiving a chain of processing modules from the access node; sending, to a secondary access control device associated with a processing module of the chain, a request to access the processing module under consideration, the request including an access token negotiated between the main device and the client entity; receiving a response to the access request from the secondary device; and notifying the access node of the response.

Abstract: Privacy is defined in the context of a guessing game based on the so-called guessing inequality. The privacy of a sanitized record, i.e., guessing anonymity, is defined by the number of guesses an attacker needs to correctly guess an original record used to generate a sanitized record. Using this definition, optimization problems are formulated that optimize a second anonymization parameter (privacy or data distortion) given constraints on a first anonymization parameter (data distortion or privacy, respectively). Optimization is performed across a spectrum of possible values for at least one noise parameter within a noise model. Noise is then generated based on the noise parameter value(s) and applied to the data, which may comprise real and/or categorical data. Prior to anonymization, the data may have identifiers suppressed, whereas outlier data values in the noise perturbed data may be likewise modified to further ensure privacy.

Abstract: A method for controlling access to data, involves evaluating an access authorization associated with a requestor for approving access to requested data, where access to the requested data by the requestor is approved, obtaining, responsive to access approval, outbound data for the requested data, evaluating the access authorization associated with a requestor for approving access to outbound data, where access to the outbound data by the requestor is not approved, and providing an alert based on non-approval of access to the outbound data based on the access authorization.

Abstract: A communication device, which can simplify various setting processes, transmits, to a server via a network, external device information received from an external device by using proximity wireless communication.

Abstract: A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Abstract: A method, system, and apparatus of network artifact identification and extraction are disclosed. In one embodiment, a method includes aggregating a payload data (e.g., may be a component of the extracted artifact) from different network packets to form an aggregated payload data, matching the payload data with an entry of a library of known artifacts, determining a type of the payload data based on a match with the entry of the library of known artifacts, separating the payload data from a header data in a network packet, and communicating the aggregated payload data as an extracted artifact to a user. The method may include using the extracted artifact to perform network visibility analysis of users on packets flowing across the network. The method may validate that the entry is accurate by performing a deeper analysis of the payload data with the entry of the library of known artifacts.

Abstract: A location sentry system is provided for use within a mobile device. The sentry system can be configured to detect unauthorized attempts to locate mobile devices by monitoring messages passed between the mobile device and the wireless network and/or messages passed between components of the mobile device, and determining that one or more of the messages is/are indicative of an attempt to locate the mobile device. In response to a determination that an unauthorized attempt has been detected, the location sentry can be configured to take one or more actions. For example, the location sentry system could prevent location information from being sent back to the wireless network and/or the location sentry system could cause incorrect information to be sent to the wireless network.

Abstract: A method of communicating over a communications system includes determining that a communication event at a user terminal of the communications system requires use of a feature for processing data, the communication event being over the communications system and determining that the feature required by the communication event is not enabled for use at the user terminal when the communication event is initiated. Following the step of determining that the feature is not enabled, the method further includes retrieving a certificate enabling the use of the feature at the user terminal and using the feature at the user terminal to process data of the communication event.

Abstract: The invention relates to a method for extending an application in a client device. The method comprises forming a connection from the client device to a server in order to access a document vault in the server; receiving one or more extension elements from the document vault wherein said one or more extension elements comprise software logic; executing the software logic in said client device in order to adapt a document management application as an extension of a file management system of the client device according to the one or more extension elements.

Abstract: Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol. The authentication input being associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input.

Abstract: A tracker node verifies content possession by a peer node in a peer-to-peer content distribution system. Upon receiving an announcement that a peer node claims to possess a content item, the tracker node in one embodiment obtains the content item, selects a random portion of the content item; formulates a challenge based on the random portion of the content item and determines an expected challenge response. The challenge may comprise, for example, a request for a hash of the random portion (or alternatively, a hash of the random portion and a random seed value). The tracker node issues the challenge to the announcing node and verifies the announcing node's possession of the content item if the challenge response from the announcing node matches the expected challenge response.

Abstract: A document encryption and decryption system for selectively encrypting and decrypting files and any other items and method for same to protect or secure its contents by helping to prevent unauthorized individuals from viewing data in human-perceivable or readable form. The encryption system includes remote authentication to verify a user's credentials stored on a remote database hosted by a web server. The encryption system further includes remote delete to automatically delete encrypted items stored on the user's computer, handheld or portable device, smartphone, and any other computing device of any kind when it logs onto a network if the user's computer or computing device is reported lost, stolen, or otherwise compromised. Decryption keys allow selective decryption of encrypted items that are on the computer or computing device of any kind. A Windows Communication Foundation service helps with authenticating the users with the encryption key and login process stored and processed by the web server.

Abstract: A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Abstract: A method and system for creating license management in software applications are disclosed. In one embodiment, the method comprises receiving an installer package associated with a software application to be run on a computer, the installer package not including license administration functionality. One or more executable files are extracted from the installer package. One or more license-enabled executable files are generated with the one or more executable files and a license wrapper. A new installer package is created with the one or more license-enabled executable files, the new installer package supporting the license administration functionality.

Abstract: Arbitrary numerical distributions are presented for use in devices having limited processing and storage capabilities by having the device accept strings of arbitrarily distributed numbers from a source outside of the device. In one embodiment, a master controller creates a table of values which follow the desired minimum, maximum, mean, and standard deviation, etc. of the particular desired statistical distribution required. The created table is then communicated to the limited capacity device and can be used whenever a distribution of random values is required. The master controller could have one of several slave devices associated with it in the system. In another embodiment, where the storage capability of the device is large enough to store a table of values with sufficient different entries to create a distribution of satisfactory “randomness” for the particular application, a random number generator within the device is used to select the order of presentation of the table of values.

Abstract: Apparatus and methods for provisioning of customer premise equipment (CPE) equipped with a secure microprocessor to receive e.g., digital video content by entering unique identification of the CPE at one or more servers located at the headend or other location of a content-based network. In one embodiment, the CPE comprises a download-enabled (e.g., DCAS) host with embedded cable modem and embedded set-top box functionality, and the provisioning includes enabling DOCSIS functionality of the CPE, assigning an IP address to the CPE and providing the CPE with a client image for the conditional access system chosen by the network operator. In one variant, the network operator can deactivate a provisioned device while connected to the network, as well when disconnected from the network. The network operator can also add, delete or replace conditional access client image in a provisioned device.

Abstract: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows the data to be obtained from the ciphertext only if one or more conditions are satisfied. In accordance with another aspect, a bit string is received from a calling program. Data in the bit string is decrypted using public key decryption and returned to the calling program only if one or more conditions included in the bit string are satisfied.

Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.

Abstract: Methods and system for implementing a clustered storage solution are provided. One embodiment is a storage controller that communicatively couples a host system with a storage device. The storage controller comprises an interface and a control unit. The interface is operable to communicate with the storage device. The control unit is operable to identify ownership information for a storage device, and to determine if the storage controller is authorized to access the storage device based on the ownership information. The storage controller is operable to indicate the existence of the storage device to the host system if the storage controller is authorized, and operable to hide the existence of the storage device from the host system if the storage controller is not authorized.

Abstract: An access control method and system for packet data network, Policy and Charging Rules Function (PCRF) entity, the method includes: a policy and charging rules function entity receiving an indication of gateway control session establishment from a bearer binding and event report function entity, wherein the indication of gateway control session establishment carries a session identifier, and the session identifier is used to identify whether a user equipment accesses the same packet data network again or the bearer binding and event report function entity relocation occurs; the policy and charging rules function entity receiving the indication of gateway control session establishment, acquiring the session identifier, and judging whether the user equipment accesses the same packet data network again or the bearer binding and event report function entity relocation occurs according to the session identifier.

Abstract: A computer-implemented method for dynamically delivering a securitized version of an application to a mobile device in a computing system programmed to perform the method includes receiving a request for the application from a mobile device; sending the request for the application to an application server, receiving the application from the application server in response to the request for the application, determining with the computing system, a securitized version of the original requested application, and sending the securitized version of the application to the mobile device. In the invention, if the securitized version is not previously held in storage by the computing device, the computing device creates the securitized version and sends that to the mobile device.

Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; ascertaining, in response to said determining, which of one or more items that are at least conditionally accessible through the computing device are active; and providing one or more selective levels of access to the one or more items based, at least in part, on said ascertaining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: A system, method and apparatus for protecting sensitive data in a file that has been replaced with pointer(s) for each sensitive data. The sensitive data items are protected by restricting subsequent access to and use of the sensitive data items via the pointers by: receiving a first request for data stored in a file on the data storage, determining whether the requested data includes at least one of the pointers, providing the requested data whenever the requested data does not include any of the pointers, and performing the following steps whenever the requested data includes at least one of the pointers: sending a second request containing the pointer(s) included in the requested data to the server that authenticates the second request, denying the first request whenever the authentication fails, and receiving and providing the extracted data item(s) corresponding to the pointer(s) included in the requested data whenever the authentication succeeds.

Abstract: Data is generated in a client based on events at a client, wherein each event is associated with a first dimension, a second dimension and a quantity. A random value is generated for each interval of the first dimension and each instance of the second dimension. The quantity of each event is modified using the random value to determine a modified quantity. A running total for each interval of the first dimension and each instance of the second dimension is determined using the modified quantities and transmitted to an untrusted third party. An exact result of processing the modified quantities and the running totals by the untrusted third party can then be received and decoded by the client.

Abstract: The present invention provides a system, method and apparatus for protecting sensitive data associated with RFID tags by extracting the sensitive data from RFID data associated with the RFID tag, generating a pointer indicating for the sensitive data, storing the extracted data and the pointer in a secure storage and replacing the sensitive data in the RFID data with the pointer. Furthermore, the present invention provides a method for protecting sensitive data associated with an RFID tag by receiving RFID data from the RFID tag, authenticating the RFID data, retrieving the sensitive data associated with the RFID tag from a secure storage using the RFID data whenever the RFID data is authentic and providing the sensitive data to one or more applications.

Abstract: An information processing apparatus includes: a first change unit that changes a setting content of a provided function based on a setting change request received from an external device; a second change unit that changes a setting content of a provided function based on a setting change request inputted from an operation part of the apparatus; a storage unit that, when a setting content of a function is to be changed, stores necessary/unnecessary information indicating presence/absence of necessity not to receive a setting change request from a device other than the external device or the operation part of the apparatus to change the setting content, by each function; a determination unit that, when the first and second change units are to change a setting content of a function, determines whether or not exclusive processing not to receive a setting change request from the other device is necessary, based on the necessary/unnecessary information stored in the storage unit; and a controller that, when the det

Abstract: The data exchange processing apparatus pertaining to the present invention includes a cryptographic engine unit performing cryptographic processing and verification processing, a stream control unit outputting content while performing cryptographic processing of the content using the cryptographic engine unit, an unauthorized device list update unit verifying an unauthorized device list using the cryptographic engine unit, and a state management unit outputting a permission notification to the unauthorized device list update unit when detecting a low load section of the content according to metadata of the content and processing position of the stream control unit, the low load section being a section in which processing load on the cryptographic engine unit is lower than in other sections. The unauthorized device list update unit, when receiving the permission notification from the state management unit, causes the cryptographic engine unit to execute verification processing of the unauthorized device list.

Abstract: A method, computer readable medium and apparatus for providing mobile social networking privacy are disclosed. For example, the method receives a request from a third party application for location information of a mobile endpoint device user, determines whether the third party application is a multiple user application and provides the location information of the mobile endpoint device user to the third party application in accordance with a privacy setting pre-defined by an authorized user if the third party application is a multiple user application.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; ascertaining, in response to said determining, which of one or more items that are at least conditionally accessible through the computing device are active; and providing one or more selective levels of access to the one or more items based, at least in part, on said ascertaining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: This invention relates to a method and a system for generating user passcodes for each of a plurality of transaction providers from a mobile user device. A method and system for activating a plurality of passcode generators on a user device configured with a passcode application installed on the user device is provided. Each of the passcode generators may correspond to a different user account or transaction provider, such that each passcode generator provides a user passcode configured for the corresponding account or transaction provider. One or more of the passcode generators may include a passcode generating algorithm and a passcode key. Access to one or more of the passcode generators may require providing a PIN or a challenge.

Abstract: A method and apparatus for location-based access control applies a location-based identifier to a document, wherein the location-based identifier indicates an original storage location of the document. The original storage location is an authorized node having access privileges specific to the document. In response to the document being moved or copied, an access control engine compares a current location of the document to the original storage location and denies access when there is a discrepancy. When the document is moved consistent with an access control policy, such as when an administrator moves the document, an original storage location identifier is changed consistent with a new location. The document is only accessible when accessed from an authorized location. The locations may be referred to as access nodes, wherein each access node corresponds to a folder.

Abstract: A method and apparatus to prove user assertions. A client request to authenticate a user assertion pertaining to user personal data may be received. The requested authentication may be generated for the client, the authentication proving the user assertion without revealing other information about the user. The requested authentication may be sent to the client.

Abstract: A system and method for transferring digital content includes a physical token incorporating a Near Field Communication (“NFC”) tag that represents a virtual gift of digital content such as an eBook. The tag can include a Uniform Resource Locator (URL) that can be used to gain access to the electronic content which can be stored on a remote server. A unique identifier on the tag is associated with gifted digital content. This association is preferably stored on a remote server in the “cloud”. A user receiving the physical and places it on or next to their electronic device, which includes an NFC receiver, and the device reads the tag and connects to the remote server. The remote server validates the information on the token and provides the user with access to the digital content, such as downloading the digital content to the user's electronic device.

Abstract: A storage medium having an encrypting device, including an electronic memory area, a read-in device, a read-out device, a key memory, in which a secret key is or can be stored, an encrypting device, and a decrypting device. The read-in device is designed to encrypt any data input at the interface for storage in the memory area using the key stored in the key memory and to store said encrypted data in the memory area. The read-out device has a direct read-out channel, by means of which stored encrypted data can be output to the interface in encrypted form by circumventing the decrypting device, and a decrypting read-out channel, by means of which stored encrypted data in the memory area can be decrypted by means of the decrypting device using the key stored in the key memory or a decryption key stored in the key memory and corresponding to the key and can be output to the interface in decrypted form.

Abstract: A first information handling system (“IHS”) receives identification information of a first user of a second IHS. The first IHS initiates a network session in response to authenticating the identification information of the first user. Within the network session, the first IHS receives identification information of a second user of the second IHS. The first IHS authenticates the identification information of the second user.

Abstract: A system and method is disclosed for authenticating a removable data storage device (RDSD) by using a trusted information module (TIM) to control access to data files stored on the RDSD. A security information input receiver receives identity verification factors from a user and provides the identity verification factors to the TIM for processing. In some embodiments of the invention, the TIM uses identity verification factors in cryptographic operation to authenticate the user, the RDSD and the information processing system to each other. The TIM then performs similar operations with the contents of one or more authorization files to control access and usage of the data files stored on the RDSD.

Abstract: A policy-enabled service gateway contains a gateway function and a local policy engine containing policies related to the functionality of the associated gateway function. New or updated policies may be provided to the local policy engine from a centralized policy server. The policies within the local policy engine are functionally related to the gateway function and provide for policy and/or charging enforcement associated with the gateway function. If the local policy engine does not contain a particular policy, it may request the policy from the centralized policy server. The local policy engine may choose to store the requested policy for future use.

Abstract: The management apparatus 105a manages copying of information from an original recording medium 101a to a copy recording medium 102a. The management apparatus 105a comprises: a transmission/reception unit 701a configured to receive an original-medium identifier from the copying apparatus 104a and to transmit permission information to the copying apparatus 104a, the original-medium identifier identifying the original recording medium, and the permission information indicating permission for the copying of the information; and a control unit 708a configured to determine whether to permit the copying of the information based on the received original-medium identifier and a registered original-medium identifier that identifies a registered original recording medium, and to allow the transmission/reception unit 701a to transmit the permission information when determining to permit the copying.

Abstract: A data delivery apparatus including a storage adapted to store limited-access data which associates user data for specifying a user, with data, access to which is permitted or limited to the user; a function determination unit adapted to determine whether a destination device to which the limited-access data is to be transmitted has an access control function of permitting or limiting access to the limited-access data for each user; an authentication unit adapted to, when the limited-access data destination device is determined not to have the access control function, request input of authentication information and performing an authentication process using the input authentication information; and a transmission control unit adapted to, when the authentication process by said authentication unit is successful, transmitting the limited-access data to the destination device.

Abstract: In embodiments of an email trust service, an email message is received at an email distribution service for distribution to a client device that corresponds to a recipient of the email message. Authentication techniques can be applied to verify that the email message is received from an authorized domain as specified in a sender address field of the email message. Additionally, it can be determined whether an Extended Validation certificate is associated with the authorized domain. Responsive to determining that an Extended Validation certificate is associated with the authorized domain, a trust indicator is associated with the email message to generate a trusted email message. The trust indicator indicates that the trusted email message is from an authorized domain when the email message is displayed at the client device.

Abstract: A system, method and program product for morphing social network data. A system is disclosed that includes: a system for splitting up M communities within a set of social network data into N split communities; a system for morphing the N split communities into P morphed communities using a cardinality key, wherein the cardinality key causes subsets of split communities to be unioned together; and a system for adding phony members into the P morphed communities.

Abstract: A computer implemented method for detecting and preventing spam account generation is disclosed. Upon receiving an account creation request from a client, the server analyzes the request and associates a spam score with the account creation request, based at least in part on a number of new account requests associated with the cookie received during a predefined time period, and compares the spam score with certain predefined thresholds. If the spam score is above a first threshold, the server may refuse the account creation request. If the spam score is within a certain range, the server may limit the access to the account associated with the account creation request. If the spam score is below a second threshold, the server may put no limit on access to (i.e., enable normal use of) the account.