Abstract: The present invention provides systems and methods for electronic commerce including secure transaction management and electronic rights protection. Electronic appliances such as computers employed in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Secure subsystems used with such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions.

Abstract: A server receives a consumer request pertaining to product asset management from a client. The consumer request comprises one or more product-related certificates that associates the client with one or more products. The product-related certificate comprises at least one extended attribute object identifier that has a corresponding product attribute. For each extended attribute object identifier, the server searches a data store to identify a product that corresponds to the extended attribute object identifier and generates a response to the consumer request based on the product that is identified in the data store.

Abstract: The invention is an apparatus that facilitates access to a data source to accept verification and authentication from an enabler using at least one token and at least one reference. The at least one reference could be a device serial number, a networking MAC address, or a membership ID reference from a web service. Access to the data source is also managed with a plurality of secondary enablers.

Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.

Abstract: A system and method for separating control of a network interface device. A portion of a network interface device (NID) is partitioned for utilization by a user. Permissions are established for management of the partitioned portion of the NID. The permissions including permissions that deny a service provider access to the partitioned portion. Access is granted for the service provider to manage the partitioned portion of the NID. Activities performed by the service provider in the partitioned portion of the NID are logged in response to granting access to the service provider and the permissions denying the service provider access.

Abstract: A service integration platform system includes an interface configured to receive a service request initiated by an Independent Software Vendor (ISV) and one or more processors configured to authenticate the service request and in the event that the service request is authenticated, route the service request to an Internet Service Provider (ISP) providing the service to be further processed. The service request is routed to a deployment environment provided by the ISP in the event that the service request is received on a deployment Universal Resource Identifier (URI) corresponding to the deployment environment; the service request is routed to a test environment provided by the ISP in the event that the service request is received on a test URI corresponding to the test environment.

Abstract: Methods for evaluating data packets addressed to a wireless communication device are disclosed herein. When in a dormant state, a wireless communication device receives page messages indicating a source of data packets addressed to the wireless communication device and determines whether the data packets represent unwanted traffic. When in an active state, the wireless communication device examines data packets to determine if the received packets represent unwanted traffic, and in response to determining that the traffic is unwanted, the wireless communication device transitions into a dormant state or enters an idle state from which the wireless communication can transition into the dormant state.

Abstract: Methods and systems for managing access to a wireless local area network are provided. A wireless access point (AP) may use a unified approach that utilizes an out-of-band channel to communicate authentication key and network address information to a guest device, and utilizes an in-band channel to establish communications with the guest device, and also provides support for in-band setup on all devices. The ability to use out-of-band where possible provides for an increase to security and usability, and the possibility of delegating access from one device to another. The unified approach thereby also provides easy management of guest access to the WLAN.

Abstract: A method for detecting at least one traitor computer system among a plurality of receiver computer systems including: assigning a version of protected content to each of the plurality of receiver computer systems that are currently identified as innocent by a content protection system that monitors distribution of protected content to the plurality of receiver computer systems; recovering at least one unauthorized rebroadcast of the content; generating a score for each of the plurality of receiver computer systems with respect to the recovered unauthorized rebroadcast; calculating a threshold independent of an estimation of maximum traitor computer systems; checking a highest score against the threshold; incriminating a receiver computer system having the highest score above the threshold as a traitor computer system; and removing any unauthorized rebroadcasts overlapping with the traitor computer system. The process may be repeated from generating scores until all traitors are identified.

Abstract: An Operations, Administration, and Maintenance (OA&M) 16 provides security for managed resources on a wireless client device 10 at many levels of granularity, from the entire device, to subsystems, to software and hardware components, services and applications, down to individual attributes.

Abstract: A computer-implemented method for securing access to kernel devices may include (1) identifying a context proxy privileged to access a secure device interface for a device, (2) receiving a request from the context proxy to allow a user-mode process to access a non-secure device interface for the device, (3) receiving a request from the user-mode process to access the non-secure device interface, and then (4) allowing the user-mode process to access the non-secure device interface directly based on the request from the context proxy. Various other methods and systems are also disclosed.

Abstract: Provided are domain contexts indicating user and device based domain systems for being applied to a new digital content protection/management system, and management methods thereof. A concept of “domain” is introduced in the present invention so that various business models can be obtained in accordance with content use of one home or small-sized group. The domain refers to as a group of user and device SAV and PAV indicating a context for being applied to the domain system includes: a domain identifier for specifying a domain as a region containing at least one content execution device and at least one content user; domain authentication information for guaranteeing authenticity of the domain; a user list containing information of users belonging to the domain; and a device list containing devices belonging to the domain.

Abstract: A method for monitoring the managed devices comprises that the manage center preserves the integrality list in advance, which includes the system integrality values of the managed devices and the corresponding relations of the managed devices and the system integrality values of themselves, and the managed device gathers the current system integrality value of itself and saves it when it starts; the managed device sends the information including the current system integrality value to the manage center after receiving the monitor command from the manage center; the manage center determines whether the received current system integrality value of the managed device coincides with the integrality value of the managed device saved by itself according to the received information and said integrality list, and implements the alert process when they do not coincide with each other.

Abstract: A system for binding a subscription-based computer to an internet service provider (ISP) may include a binding module and a security module residing on the computer. The binding module may identify and authenticate configuration data from peripheral devices that attempt to connect to the computer, encrypt any requests for data from the computer to the ISP, and decrypt responses from the ISP. If the binding module is able to authenticate the configuration data and the response to the request for data from the ISP, then the security module may allow the communication between the computer and the ISP. However, if either the configuration cycle or the response cannot be properly verified, then the security module may degrade operation of the computer.

Abstract: The various embodiments of the present invention provide a secure software distribution and execution method. According to the method, a server receives software from service provider for downloading to a client and identifies the sections for encoding. APIs are inserted in the identified sections. A unique ID is created based on the identity of the each client to generate an encryption algorithm, decryption key and decryption algorithm. The identified sections are encrypted with the generated encryption algorithm. The encrypted application along with encryption algorithm, decryption key and decryption algorithm are downloaded to the driver of the client machine. The API makes call to the driver by sending the encrypted segment when the encrypted portion is reached during the execution of software in the client machine so that the driver decrypts the encoded portion using the received key and the decryption algorithm to enable the continuous execution of the downloaded software.

Abstract: The systems, methods and apparatuses described herein permit encrypted media content to be displayed by an apparatus for a restricted time period. The apparatus may comprise a communication interface configured to couple to a controlling device to transmit a first nonce and to receive the encrypted media content and an association encryption envelope. The association encryption envelope may comprise at least a second nonce and a first time restriction expressed as a first time interval. The apparatus may further comprise a counter, a storage configured to store a value of the counter representing a time of when the first nonce is transmitted, and an engine configured to perform operations according to the first time restriction.

Abstract: A device includes an authentication unit that issues disposable authentication information to a mobile device which stores a rights object; a receiver that receives a request for remote authentication from an unauthorized device; and a transmitter that transmits a data that approves the remote authentication of the unauthorized device. The data that approves the remote authentication is transmitted to the mobile device via the unauthorized device, a disposable rights object, which is converted from the rights object for a temporary use of content, is transmitted to the unauthorized device according to a result of determining the data, and the mobile device and the unauthorized device are connected via a network.

Abstract: A system for securely downloading and playing coherent digital content such as music and preventing its play by unauthorized users. The system may include mass server/storage devices for receiving and storing digital content having predetermined gaps; and client devices communicating with the server/storage devices, and providing authorization to proceed. During playing of the digital content by the client devices, the missing gaps may be filled into the appropriate places, to allow the play of the coherent digital content.

Abstract: A system providing billing support for the exchange of media is disclosed. An embodiment of the present invention may provide for the authorization of and billing for the delivery of media from a media server to local storage for consumption on a television display. The media may be audio, still pictures, video, or data. Other embodiments may provide for the authorization of and billing for the transfer of media from a media peripheral to a media server for media backup or distribution. A media peripheral may be, for example, a digital camera, digital camcorder, personal computer (PC), personal digital assistant (PDA), multi-media gateway, and MP3 player. An embodiment may support pre-payment, payment at time of use, and post-use billing for the media exchange. In an embodiment of the present invention, the storing or accessing of media may be performed without identifying the user to the media server.

Abstract: A method, a secure device and a computer program product for securely managing files. The method includes providing a secure device, where the secure device is protected by design against malicious software or malware and adapted to establish a connection to a server via a host, the host connected to the server through a telecommunication network, upon receiving a request for using a file stored on the secure device, processing the request at the secure device according to an updated use permission associated to the file, where the updated use permission is obtained by instructing at the secure device to establish a connection between the secure device and the server via the host and updating at the device the use permission associated to the file, according to permission data sent from the server through the established connection.

Abstract: An IMS User Equipment (UE) is provided. The IMS UE comprises: searching means for searching, based on UPnP technology, a UPnP network for a host device that has IMS subscription information, establishing means for establishing a session with the host device discovered by the searching means, subscription retrieving means for retrieving, from the host device via the session, the IMS subscription information, registering means for registering with the IMS network using the IMS subscription information, key retrieving means for retrieving, from the host device via the session, a first encryption key shared with an IMS application server (AS) in an IMS network by sending identity of the IMS AS to the host device via the session, and communicating means for performing encrypted communication with the IMS AS using the first encryption key.

Abstract: A system and method for using a host electronic computing device to prevent access to data in a preselected memory portion of an electronic computing device remote from the host electronic computing device. Each of the electronic computing devices is adapted for selective electronic communication with the other. The system and method comprises a first software program for the remote device, the first software program comprising a unique identifier, a current expiration time value, a comparator for comparing the current expiration time value against a time-based parameter of the remote device, and a security trigger. The system and method further comprises a second software program for the host device, where the second software program includes means for identifying the remote device, means for accessing an expiration time reset schedule, and means for resetting the current expiration time value.

Abstract: The invention relates to a method for matching a number N of reception equipment with a number M of external security modules, each reception equipment being provided with a unique identifier, and each external security module having a unique identifier and containing information about access rights of a user to digital data distributed by an operator. The method comprises the following steps: memorizing a list of identifiers of reception equipment in each external security module, memorizing a list of identifiers of external security modules in each reception equipment, and when an external security module is connected to data reception equipment, a check plan is carried out to determine whether or not the identifier for the security module is present in the list of memorized identifiers in the connected reception equipment, and the same check plan is carried out for the identifier in the list of identifiers memorized in the security module.

Abstract: A novel method and apparatus for protection of streamed media content is disclosed. In one aspect, the apparatus includes control means for governance of content streams or content objects, decryption means for decrypting content streams or content objects under control of the control means, and feedback means for tracking actual use of content streams or content objects. The control means may operate in accordance with rules received as part of the streamed content, or through a side-band channel. The rules may specify allowed uses of the content, including whether or not the content can be copied or transferred, and whether and under what circumstances received content may be “checked out” of one device and used in a second device. The rules may also include or specify budgets, and a requirement that audit information be collected and/or transmitted to an external server. In a different aspect, the apparatus may include a media player designed to call plugins to assist in rendering content.

Abstract: An administrator may set restrictions related to the operation of a virtual machine (VM), and virtualization software enforces such restrictions. There may be restrictions related to the general use of the VM, such as who may use the VM, when the VM may be used, and on what physical computers the VM may be used. There may be similar restrictions related to a general ability to modify a VM, such as who may modify the VM. There may also be restrictions related to what modifications may be made to a VM, such as whether the VM may be modified to enable access to various devices or other resources. There may also be restrictions related to how the VM may be used and what may be done with the VM. Information related to the VM and any restrictions placed on the operation of the VM may be encrypted to inhibit a user from circumventing the restrictions.

Abstract: An electronic file browsing system includes an electronic file delivery device and a file processing server. When document file browsing is requested from a mobile phone, a mobile phone access server in the file delivery device creates link information including session ID as authentication information and sends it to the mobile phone. Based on this link information, the mobile phone accesses the file processing server. The file processing server obtains session ID from the mobile phone and adds this session ID to the delivery request of the document file to the mobile phone access server.

Abstract: A method and system for secure communication is provided. The method for secure communication with devices includes: obtaining a parameter for protecting a content; authenticating each other by exchanging a certificate with the device; and exchanging a key with the device using a key authenticated through the certificate to establish a secure authenticated channel with the device. Accordingly, it is possible to establish the secure authenticated channel and perform secure communication by computing a secure authenticated channel key.

Abstract: Provided is a system, method, and computer-readable storage medium having one or more computer-readable instructions thereon for providing leased images in cloud computing environments. The method includes monitoring a usage of a leased image provided by a cloud vendor, by a client computing device. A threshold period of time associated with the usage is determined. Whether an access to the leased image should be terminated based upon an expiry of the threshold period of time or based upon a request received from the client computing device is determined. The image is locked based upon whether the access to the leased image should be terminated. An access request received for the locked image is monitored; and access to the locked image is enabled when it is determined that the access request is valid.

Abstract: There is provided a system and method for controlled access by applications to mobile device resources. The method comprises receiving a request from one of a plurality of applications to access a first resource of a plurality of resources, determining whether the first resource of the plurality of resources is classified as a protected resource, if the determining determines that the first resource of the plurality of resources is classified as the protected resource, identifying an application authorization for the first resource, and configuring access by the one of the plurality of applications to the first resource according to the application authorization. Based on the application authorization, the method may further configure access by the one of the plurality of applications to a second resource of the plurality of resources. Additionally, the first resource of the plurality of resources may be connected to a communication network resource.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for voice over internet protocol (VoIP) phone authentication. In some examples, the method includes receiving an authentication request from a computing device; authenticating the computing device for access to a network based on the authentication request; determining if a VoIP endpoint device is associated with a network address associated with the authentication request; and authenticating the VoIP endpoint device if the VoIP endpoint device is associated with the network address.

Abstract: Systems, methods, and computer program products are provided for user authentication required for conducting online financial institution transactions. The disclosed embodiments leverage the capabilities of platforms other than conventional personal computers and laptops, such as gaming consoles and wireless devices. Unique intrinsic user activities, such as controller motions or activities, built-in hardware signatures or other input data are used as the authentication mechanism, so as to provide a higher degree of security in the overall authentication process by lessening the likelihood of password replication or interception during network communication.

Abstract: A system and a method are disclosed for managing applications on a mobile computing device. A command message is received at the mobile computing device specifying a command and a target application. The command message may have been sent by a application provider server. The command may be a removal command, an enable command, or a disable command. A removal or disable command may be used to remove or disable a problematic target application. The specified command is performed on the target application.

Abstract: A system is configured to receive personal data associated with a user, verify one or more facts from the personal data, and form an avatar based on a first subset of the received personal data, where a second, differing, subset of the received personal data is not associated with the avatar. The system is also configured to receive, from a data requester, a query including a request for the avatar, and send, to the data requester, a message that includes information associated with the avatar and an indication that the one or more facts from the personal data were verified.

Abstract: A multi-display device can interface with two or more different types of docking stations. The device can determine the type of dock and change the pin outs for a connector to interface with that dock. Once docked, the device can determine a charge status for the device and the dock to present the status to the user. Further, the dock can enter one of several modes, including a call receipt mode and an entertainment mode. The modes allow for expanded functionality for the device while docked. Two particular docks, the laptop dock and the smart dock, provide special functionality with the device.

Abstract: Methods and apparatuses are provided for facilitating data access controls in peer-to-peer or other similar overlay networks. A peer node storing a data object may receive a request for access to the stored data object, and may locate in the network an access control list associated with the data object using a routing mechanism included in the data object. The peer node may determine whether the requested access is authorized based on the access control list, and may grant or deny access based on the determination. A peer node storing an access control list may receive a request from a peer node storing a data object for information relating to access controls associated with the data object. The peer node storing the access control list may then send the requested information relating to the access controls associated with the data object.

Abstract: Systems and methods are provided for challenge/response animation. In one implementation, a request for protected content may be received from a client, and the protected content may comprise data. A challenge phrase comprising a plurality of characters may be determined, and a computer processor may divide the challenge phrase into at least two character subsets selected from the characters comprising the challenge phrase. Each of the at least two character subsets may include less than all of the characters comprising the challenge phrase. The at least two character subsets may be sent to the client in response to the request; and an answer to the challenge phrase may be received from the client in response to the at least two character subsets. Access to the protected content may be limited based on whether the answer correctly solves the challenge phrase.

Abstract: A method and system for distributed collaborative firewalling in a wireless wide area communication network including a plurality of controllers, comprises a binding table that is built by the controller in response to receiving identifiers of wireless clients being served by the controller, where the binding table lists the wireless clients associated with each access port under control of the controller. A processor of the controller is operable to apply stateless firewalling on wireless communication traffic from a wireless client using the binding table, and applying, by each access port, stateful firewalling on the wireless communication traffic from the wireless client.

Abstract: The present invention provides for a security system for an electronic device that, in one embodiment, includes a processor with a software access key encrypted thereon and a software application with a processor access key encoded therein so that operation of the electronic device and execution of the software application requires both the software access key and the processor access key.

Abstract: A system and method provide for integrating a Basic Input/Output System (BIOS) Read-Only-Memory (ROM) image. A method includes but is not limited to opening a BIOS modification application; opening a target BIOS binary image within the BIOS modification application; and adding an electronic security and tracking system and method (ESTSM) ROM image to the target BIOS binary image.

Abstract: Systems and techniques to provide a document control system. In general, in one implementation, the technique includes: receiving, at a permissions-broker server, a request from a client to take an action with respect to an electronic document, identifying, at the permissions-broker server and in response to the request, first document-permissions information associated with the electronic document, the first document-permissions information being in a first permissions-definition format, translating, at the permissions-broker server, the identified first document-permissions information into second document-permissions information in a second permissions-definition format, and sending the second document-permissions information to the client to govern the action with respect to the electronic document at the client.

Abstract: An apparatus and methods thereof provide for efficient usage of network bandwidth and ability to identify whether a client is authorized to receive such bandwidth. Content provided by a content source for a first content consumer is stored in the apparatus located in between the content source and the content consumer allowing delivery of such content to another content consumer from the apparatus thereby reducing the overall network load. For protected content, the apparatus identifies the need for authorization and provides a random identification to the target content consumer and storing that random identification as well as at least another parameter associated thereto such that when revalidation is necessary the content consumer can be validated by the apparatus.

Abstract: A computer implemented method includes introducing unpredictable temporal disruptions to the operating states of an authorized process and an unauthorized process. The authorized process is migrated to a virtual machine to avoid the unpredictable temporal disruptions while the unauthorized process is subject to the unpredictable temporal disruptions and thereby experiences an unstable environment that induces operating faults.

Abstract: Methods and arrangements to launch trusted, distinct, co-existing environments are disclosed. Embodiments may launch trusted, distinct, co-existing environments in pre-OS space with high assurance. A hardware-enforced isolation scheme may isolate the partitions to facilitate storage and execution of code and data. In many embodiments, the system may launch a partition manager to establish embedded and main partitions. Embedded partitions may not be visible to the main OS and may host critical operations. A main partition may host a general-purpose OS and user applications, and may manage resources that are not assigned to the embedded partitions. Trustworthiness in the launch of the embedded partition is established by comparing integrity metrics for the runtime environment against integrity measurements of a trusted runtime environment for the embedded partition, e.g., by sealing a cryptographic key with the integrity metrics in a trusted platform module. Other embodiments are described and claimed.

Abstract: A digital rights management (DRM) method and system between devices are discussed. In order to allow a first device connected with a second device to use a rights object (RO) bound to the second device, the second device decodes the particular content or the RO and transmits the decoded particular content or the decoded RO to the first device. State information of the RO according to a usage amount of the particular content used by the first device is managed by the second device.

Abstract: One embodiment relates to a method of connection-rate filtering by a network device. Address resolution protocol (ARP) request packets received from a sub-network are monitored, and a copy of the received ARP request packets are sent to an agent program. The agent program determines a rate of ARP request packets sent by a host in the sub-network. Other embodiments are also disclosed.

Abstract: In one embodiment the present invention includes a computer-implemented method comprising storing authorization data on a first client computer system, accessing virtual computing software from the first client computer system, accessing a virtual object in the virtual computing software in response to instructions received from the first client computer system, sending the authorization data from the first client computer system to a second computer system, wherein the authorization data specifies access rights on the second computer system, and accessing the second computer system using the authorization data and determining access rights on the second computer system based on said authorization data.

Abstract: A method and a system for managing one or more files in a communication network are provided. The system includes a server, a first client, and a second client. When the first client places a file in a virtual data drive of the first client, data segments and metadata associated with the file are uploaded at the server. The server generates a first representation of the file. The server then sends the first representation of the file to the first and second clients. The second client stores the first representation of the file in its local storage. The second client can then send a request to the server to access the file based on the first representation of the file. The requested file is sent to the second client by the server. The sent file is not cached by the second client, if the file is a secured file.

Abstract: A multi-functional device and a method of storing a transmission list of users in the same. The multi-functional device includes an authenticator to authenticate one or more users, a storage unit to store a transmission list of the authenticated users, a user interface to display the transmission list of the authenticated users, a controller to read the transmission list of the authenticated users stored in the storage unit and to control the user interface to display the read list, and a communication interface to transmit and receive data. The controller controls the communication interface to transmit and receive the data to/from a transmission address, which is selected from the displayed transmission list by the user interface.

Abstract: A method is provided for protecting data content against illegal copying. The data content is provided by an entertainment system and is output to output units in an authorized playback environment for playing back the data content. The method includes transmitting the data content in the authorized playback environment from the entertainment system to an output unit, and adding an interference signal to the data content such that, during playback of the data content outside the authorized playback environment a disruption is induced.

Abstract: Systems and methods are provided for extracting various features from data having spatial coordinates. The systems and methods may identify and extract data points from a point cloud, where the data points are considered to be part of the ground surface, a building, or a wire (e.g. power lines). Systems and methods are also provided for enhancing a point cloud using external data (e.g. images and other point clouds), and for tracking a moving object by comparing images with a point cloud. An objects database is also provided which can be used to scale point clouds to be of similar size. The objects database can also be used to search for certain objects in a point cloud, as well as recognize unidentified objects in a point cloud.