Abstract: A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.

Abstract: One embodiment of the present invention sets forth a technique for managing playback of digital content on two or more different playback devices. A playback device designated as a controller is associated with a playback device designated as a playback target. Association is implemented via a local network discovery protocol. The controller issues commands to the target, which then streams digital content directly from a content server. The controller is able to separately stream related digital content for independent, but synchronized playback. Server mediated operations, such as device activation and application installation, are advantageously enabled by explicit association between the controller and the target.

Abstract: A method for a device to set a status of an application, including: acquiring status setting permission information of the application; determining if the acquired status setting permission information indicates that it is permitted to set the status of the application; and setting the status of the application as an inactive status, if it is determined that the acquired status setting permission information indicates that it is permitted to set the status of the application.

Abstract: Techniques for implementing software licensing in a massive parallel processing environment on the basis of the actual use of licensed software instances are disclosed. In one embodiment, rather than using a license server or a node-locked license strategy, each use of a licensed software instance is monitored and correlated with a token. A store of tokens is maintained within the licensing system and a token is consumed after each instance successfully executes. Further, a disclosed embodiment also allows jobs that execute multiple software instances to complete execution, even if an adequate number of tokens does not exist for each remaining software instance. Once the license tokens are repurchased and replenished, any overage consumed from previous job executions may be reconciled. In this way, token-based licensing can be adapted to large scale computing environments that execute jobs of large and unpredictable sizes, while the cancellation of executing jobs may be avoided.

Abstract: Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein.

Abstract: Techniques for implementing software licensing in a massive parallel processing environment on the basis of the actual use of licensed software instances are disclosed. In one embodiment, rather than using a license server or a node-locked license strategy, each use of a licensed software instance is monitored and correlated with a token. A store of tokens is maintained within the licensing system and a token is consumed after each instance successfully executes. Further, a disclosed embodiment also allows jobs that execute multiple software instances to complete execution, even if an adequate number of tokens does not exist for each remaining software instance. Once the license tokens are repurchased and replenished, any overage consumed from previous job executions may be reconciled. In this way, token-based licensing can be adapted to large scale computing environments that execute jobs of large and unpredictable sizes, while the cancellation of executing jobs may be avoided.

Abstract: The disclosure of the present document can be embodied in a non-transitory computer-readable medium storing instructions that cause one or more processors to perform various operations, including, receiving, from a first client device associated with a user account of a first user, a request for sharing a document. The document is associated with a credential of the first user, and the credential is associated with the user account of the first user. The operations include transmitting, in response to the request, a code associated with the document, and receiving, from a second client device, a request to access the document. The request to access the document includes the code associated with the document. The operations include determining, based on the request to access the document, that the second client device is authorized to access the document, and communicating, to the second client device, a message including information about the document.

Abstract: A system for securely mediating messages between a native application and a browser application on a computing device includes running the browser application and a browser process that controls access by the browser-based application to the native resource. The browser process may use a data file distributed with the native application to allow or deny communications between the browser-based application and the native application. When communications are allowed the browser-based application accesses the native resource via the native application. In one implementation, the browser process may initiate a native messaging host and send communication requests to the native messaging host. The data file may be downloaded with the native application or separately from the native application from a site that distributes the native application or a site controlled by the developer of the native application. The data file identifies browser-based applications allowed to communicate with the native application.

Abstract: Embodiments for preventing data loss and allowing selective data access are provided. In some embodiments, the system and method are configured to receive task protocols and registration requests; determine an allowed list based on the protocols or requests, the list comprising registered data and codes needed to execute a task; allow a user to establish a connection to a device to execute the task on the device; identify data being transferred to and from the device; compare the data being transferred and the allowable list; and determine that at least some of the data being transferred is allowable.

Abstract: One embodiment provides an electronic mobile device comprising one or more mobile applications. Each mobile application has at least one corresponding graphical user interface (GUI) screen for display on the mobile device. The mobile device includes a security system. For each mobile application, the security system maintains corresponding security data, wherein the corresponding security data represents one or more secure components of a corresponding GUI screen. The security system generates a GUI screen for a mobile application based on corresponding security data, wherein each secure component of the UI screen is locked. User access to a locked component of the GUI screen is permitted only after successful user verification.

Abstract: A single still input image is converted into a decomposition video that, when played, appears to be a close facsimile of the input image. Each frame of the decomposition video has a subset of the pixels of the input image that is disjoint from the subset of pixels selected for any other frame. A union of the subsets, represented by each decomposition video frame, contains all the pixels of the input image. To preserve sufficient brightness, a decomposition video generally needs to contain a relatively small number of frames. To achieve effective and efficient blocking, of the content of the input image as it appears in each frame of a decomposition video, the present invention focuses upon a spatial filtering strategy and, preferably, a two-tiered strategy. A first tier focuses upon the obscuring of relatively high frequency spatial frequencies, while a second tier focuses upon the obscuring of relatively low frequency spatial frequencies.

Abstract: A communication terminal is provided with functions to redirect authentication data, make a substitute reply of a password to a biometric authentication part, and transfer the authentication data transmitted after the password to a browser's child process, in order to perform a substitute authentication using the biometric authentication or token, without requiring a user to input the password.

Abstract: During manufacturing a unique encrypted authentication code is created for each product based upon device specific information relating to that product. The unique encrypted authentication code together with the device specific information is stored in a database, and a representation of the unique encrypted authentication code is stored on the product. To determine whether a product in question is authentic, the readable representation of the unique encrypted authentication code is read and sent to a server along with a request for product authentication. The server provides an indication of authenticity of the product in question based upon the unique encrypted authentication code received and the device specific information associated with that unique encrypted authentication code in the database.

Abstract: A memory module determines that the memory module is connected to a memory module connector. The memory module receives the connector ID from the connector and communicates, to the connector, a memory module ID associated with the memory module. A connector-module ID token is generated using the connector ID and the memory module ID. It is determined that the connector-module ID token was not received from the connector within a predetermined time window. Data on the memory module is erased in response to not receiving the connector-module ID.

Abstract: A tethered item is associated with an identifier that uniquely identifies the item, and one or more content processing devices execute obtaining an identifier of the item, and correlating the obtained item identifier with information related to the tethered item.

Abstract: Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in a web service deployments built on UDDI, SOAP, and WSDL.

Abstract: Systems, apparatus, methods, and computer program products are provided for determining a user's authentication requirements/credentials for a specific network access session based on the current location of the user in comparison to predetermined boundaries of location that have altered authentication requirements, in the form of, increased or decreased authentication requirements/credentials that differ from the standard authentication requirements.

Abstract: In one aspect, a method includes enabling a REST interface to have access to a volume, receiving a request to allow a native file access to the volume and allowing an application to use a native file interface to have access to the volume while preventing the modifications to the volume through the REST interface if the request is received.

Abstract: Disclosed in the disclosure are a rights control method and an apparatus for Digital Living Network Alliance (DLNA). An address/rights recoding unit is expanded at a DLNA apparatus side to record what addresses and corresponding rights; a service control program is expanded at the DLNA apparatus side, and when another DLNA apparatus requires the present DLNA apparatus to provide a service, the address of said another DLNA apparatus and the address/rights recording unit are compared and the rights is found out. Only users with a Media Access Control (MAC) address set as allowed to have related service can be allowed to use the service of the DLNA apparatus of the technology and to obtain Extensible Markup Language (XML) files of the apparatus and the service description. The service of DLNA service points can be flexibly arranged so as to enable different access users to obtain different rights, thus well guaranteeing the security of the multimedia data and the flexibility of the multimedia service management.

Abstract: Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in a web service deployments built on UDDI, SOAP, and WSDL.

Abstract: A technique for preventing malicious observance of private information includes receiving an instruction of entering a mode of inputting private information; determining a correspondence between actual inputs and expected inputs; receiving an actual user input; and converting the actual input into an expected input as private information inputted by the user according to the correspondence. This security technique can prevent discovery of the private information of a user through observation.

Abstract: A technique for preventing malicious observance of private information includes receiving an instruction of entering a mode of inputting private information; determining a correspondence between actual inputs and expected inputs; receiving an actual user input; and converting the actual input into an expected input as private information inputted by the user according to the correspondence. This security technique can prevent discovery of the private information of a user through observation.

Abstract: Methods and systems for activating a software application while provisioning a web service to operate with the software application are described. Consistent with some embodiments, a product activation procedure is performed during a workflow to provision a web service to operate with a software application. By activating the software application during the web service provisioning workflow, an end-user can establish ownership of a proper license for the software application without having to input any license information, such as a serial number or product key, associated with the end-user's license.

Abstract: Systems and methods for application identification in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor and memory configured to store an application, a session manager, an application identifier, and at least one shared library, and the processor is configured by the session manager to communicate the application identifier and the application identifier data to an authentication server and permit the execution of the application in response to authentication of the application by the authentication server.

Abstract: A secure active network includes a plurality of secure elements which communicate with one another to share and log information such as identification, location, and user activity associated with each secure element. Secure elements exchange data with one another, and log data received. The periodicity of communication between secure elements, encryption of the information, and the operating frequency in which the information is transmitted and received may be changed if communication is lost between any of the secure elements or if a determination is made that a secure element has traveled outside a predetermined zone. The integrity of the secure network may be verified at any time by comparing the logged information to a reference network.

Abstract: Systems and methods are described for aggregating information obtained from messages between playback devices and content protection systems, including but not limited to conditional access systems, downloadable conditional access systems, and digital rights management systems, that include a unique identifier and applying user modifiable rules to the aggregated information to identify abnormal behavior associated with the unique identifier including but not limited to one or more clone playback devices utilizing the unique identifier or a rogue playback device utilizing a unique identifier. One embodiment includes a plurality of playback devices connected to a headend via a network, where the headend includes at least one content protection system, and a clone monitor configured to register playback devices based upon a unique identification supplied by each playback device, when communicating with the at least one content protection system.

Abstract: A method for distributing content in a content distribution system is disclosed which comprises the steps of: encrypting at a Content Packager a content using a content encryption key to generate an encrypted content; sending the content encryption key to a Licensing Authority; receiving from the Licensing Authority a distribution key containing an encryption of the content decryption key (Kc) for a given set of authorized devices; creating a secure link between the content encryption key (Kc) and the content protected by this content encryption key using a signature of the content; and distributing the encrypted content together with the signature of the content. A method for receiving content distributed according to the above-mentioned method in a device able to play back the content is also disclosed where the content signature is checked before any play back of the content.

Abstract: According to one embodiment of the present disclosure, a method includes receiving an event notification from a virtual machine manager operable to control the execution of one or more virtual machines, the event notification corresponding to a first virtual machine and indicating an event type associated with the first virtual machine. The method also includes updating an inventory indicating a number of active instances of one or more applications based on the event notification. The method further includes determining compliance or non-compliance with one or more license policies based on the inventory, each license policy corresponding to at least one of the one or more applications.

Abstract: Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in a web service deployments built on UDDI, SOAP, and WSDL.

Abstract: A method of connecting a computing device to a conference. One method comprises finding one or more potential dial-in numbers and looking up the one or more potential dial-in numbers in at least one database. One method further comprises one of, accessing a conference reception zone with one of the potential dial-in numbers when the one of the potential dial-in numbers is found in the at least one database and attempting to access the conference reception zone with the one or more potential dial-in numbers when the one or more potential dial-in numbers are not found in the at least one database. One or more potential conference pin numbers are obtained and it is determined whether one or more additional conference pin numbers are associated with the one or more potential dial-in numbers. A selected conference pin number is assigned a confidence level and the conference pin number is entered in the conference reception zone prior to accessing the conference.

Abstract: Systems, apparatus, methods, and computer program products are provided for determining a user's authentication requirements/credentials for a specific network access session based on the current location of the user in comparison to known boundaries of location associated with the user, such as the user's residence, place of business or the like. As such, the present invention serves to expedite the process for authenticating a user who desires to gain access to a network service, such as a banking application or the like.

Abstract: A mobile terminal including an interface module configured to connect the mobile terminal to a personal computer; a communication unit configured to communicate with the personal computer via a first communication mode, a controller configured to selectively transmit a communication mode change program to the personal computer via the interface module, the communication mode change program instructing the personal computer to communicate with the mobile terminal via a second communication mode that is different than the first communication mode, and a receiving unit configured to receive a mode change instruction from the personal computer instructing the mobile terminal to communicate with the personal computer via the second communication mode.

Abstract: The described systems and methods are directed at configuring a server based on a selected role. An installation application is configured to install core components in a server where these core components enable the server to perform the basic functions of a network computing device. A role management application is configured to enable a system administrator to select a role for the server and to automatically determine software components associated with the selected role. The role management application is then configured to build the software components and install the components on the server. The role management application is further configured to configure the components for the selected role. The automated installation process performed by the role management application enables a server to be efficiently configured for a particular role without installing other unnecessary components unrelated to the role.

Abstract: A method includes receiving, at a communications gateway associated with a customer premises, multimedia content from a communications network. The method includes superimposing, via the communications gateway, a heartbeat signal on an alternating current electrical power signal associated with an electrical wiring system of the customer premises. The method includes encoding the multimedia content based on the heartbeat signal to produce encoded multimedia content at the communications gateway. The method also includes wirelessly transmitting the encoded multimedia content from the communications gateway to a device.

Abstract: Methods, systems, and computer-readable media for providing device-based authentication for secure online access are provided. An authentication request is received from an online service. The authentication request may be associated with a login request received by the online service from a user. The authentication request may further indicate a list of device identifiers for computing devices connected to a provider network and previously designated by the user as authorized to access the online service. Communication logs collected from the provider network are analyzed to determine whether the login request originated from one of the authorized computing devices based on the list of device identifiers. If it is determined that the login request originated from one of the authorized computing devices, an indication is returned to the online service that the login request was received from an authorized computing device.

Abstract: Shareable content items links with use restrictions. In one embodiment, for example, a method comprises: receiving, from a client computing device used by a link submitter, a request to access a server-stored content item at a sharable link; denying the access requested by the link submitter based on one or more use restrictions associated with the shareable link; prompting the link submitter to request approval to access to the server-stored content item at the shareable link; responsive to receiving approval for the link submitter to access the server-stored content item at the shareable link, modifying the use restrictions associated with the shareable link to allow the link submitter to access the server-stored content item at the shareable link.

Abstract: Techniques for trusted platform module (TPM) assisted data center management are provided. A data center registers TPM remote attestations for physical processing environments of physical devices within a data center. Each time a physical processing environment is established; a new TPM remote attestation is generated and validated against the registered TPM remote attestation. Additionally, during registration other identifying information is supplied to the physical processing environments that permit each physical processing environment to be authenticated, validated, and controlled via unique identities. Inter-data center communication is established for sharing virtual processing environments and administrative operations are authenticated within each of the data centers perform any administrative operation is permitted to process within a particular data center.

Abstract: System and method for auditing for usage of licensed software in which a client executing the software generates and transmits a license key and a covert key to a server via network connection. The license key is transmitted to the server upon activation of the licensed software at the client. The covert key is generated based on at least a portion of the software code activated at the client and is transmitted to the server at random or at predetermined time intervals after transmission of the licensed key so as to avoid detection by a user. The license and covert keys are each associated with a device fingerprint that uniquely identifies the device transmitting each one of the respective keys. Unauthorized software usage at a client is determined at least when a covert key does not correspond to a device fingerprint having an associated license key.

Abstract: A system and method relate to a platform for distributing digital contents (digital content) to various client devices. A digital rights management platform allows a content provider to forward digital contents that is automatically ingested and processed in accordance with various requirements associated with providing the digital contents to the client devices. Information regarding the ingested digital contents may be provided to a coordinator device that uses this information to form a digital rights locker associated with the digital contents. A client device accesses the digital rights locker to obtain a rights token, or a proof of purchase, that is used to obtain rights data for accessing the digital contents.

Abstract: Provided is a system that improve security of data processing by determining whether processing of the data received from an image processing apparatus is restricted, communicating with the image processing apparatus when processing of the data is restricted, and receiving a response whether the processing of the data is permitted. It is determined in the portable terminal whether processing of the data received from the image processing apparatus is restricted. If processing of the data is restricted, the portable terminal communicates with the image processing apparatus, and the portable terminal processes data when it received information that indicates the processing of the data is permitted. If processing of the data is restricted, the portable terminal processes the data without communicating with the image processing apparatus.

Abstract: According to one embodiment, a system includes an overlay network device which includes an interface adapted for electrically communicating with a virtual overlay network (VON) gateway, logic adapted for receiving a plurality of packets from the VON gateway, logic adapted for determining whether the plurality of packets comprise an overlay header, logic adapted for de-encapsulating inner packets of packets comprising an overlay header, logic adapted for performing services on the plurality of packets or the de-encapsulated inner packets, and logic adapted for encapsulating the serviced inner packets or the serviced packets with an overlay header to be switched to a destination address in a virtual network and sending the encapsulated packets to the VON gateway or logic adapted for sending the serviced packets to the VON gateway without encapsulating the packets with an overlay header to be switched to a destination address in a non-virtual network.

Abstract: Methods, systems, and computer readable media can be operable to detect possible fraudulent use of a customer premise equipment device. Information identifying a device connected to a customer premise equipment device can be retrieved and compared to historical information identifying one or more devices previously connected to the customer premise equipment device. The customer premise equipment device can be classified as a device suspected of fraudulent use when the current information identifying a device connected to the customer premise equipment device is different than the historical information identifying the one or more devices previously connected to the customer premise equipment device.

Abstract: Embodiments of the invention relate to methods, apparatus and systems, including computer program products for license management in one or more computer systems. A first computer runs a master license server process instance. The master license service process instance is associated with a hardware identifier relates to the first computer and has a license to run a predefined number of concurrent production license server process instances that are responsible for license management towards clients. A request is received by the master license server process instance for a license from a production license server process instance in a second computer. The master license server process instance provides a virtual identifier to the production license server process instance to be used as a unique identifier for license management purposes towards clients by the production license server process instance. The virtual identifier is cryptographically secured against modification.

Abstract: One aspect of the present invention includes a configuration of a storage management system that enables the performance of deduplication activities at both the client (source) and at the server (target) locations. The location of deduplication operations can then be optimized based on system conditions or predefined policies. In one embodiment, seamless switching of deduplication activities between the client and the server is enabled by utilizing uniform deduplication process algorithms and accessing the same deduplication index (containing information on the hashed data chunks). Additionally, any data transformations on the chunks are performed subsequent to identification of the data chunks. Accordingly, with use of this storage configuration, the storage system can find and utilize matching chunks generated with either client- or server-side deduplication.

Abstract: A non-transitory computer readable medium may include executable instructions which, when executed by a processor, cause the processor provide for a repository of digital content and to create a first license based on the digital content. The instructions further cause the processor to transmit the first license and the digital content to a non-destructive testing (NDT) device, and wherein the digital content is configured to be executed by, used by, or displayed by the NDT device, or a combination thereof, based on the first license.

Abstract: A method for accessing information during a teleconferencing event. The method includes identifying a reference to a document transmitted by a telecommunication device participating in a teleconferencing event and identifying a name of the referenced document. The method includes determining, by a computer, an identity of a user of the participating telecommunication device. The method further includes determining the user has permission to access the identified document and, in response, transmitting the identified document to the participating telecommunication device.

Abstract: Protecting sensitive content, such as business critical documents or other computer files, is disclosed. In various embodiments, upon receiving an indication that a threat pattern associated with a content item has been matched, the protected content “self-destructs”, such as rendering the content item inaccessible, e.g., at a client and/or to a particular user or group of users.

Abstract: Methods are provided for tracking data corresponding to a mobile device that accesses a web page. Once a mobile device is registered with a network, the mobile device is instructed to request permission before accessing a web page. An access request is received, and based on a user profile, the access request is approved such that the mobile device may access the web page. Access data that corresponds to the mobile device accessing the web page is collected so that it can be added to and stored in a database.

Abstract: Techniques for personalizing content are presented. A principal requests access to content. Policy is evaluated in response to the request for the content. Scripts are processed in response to the policy evaluation to rewrite and modify the content. The modified content is then delivered to the requesting principal to personalize the content for the principal.

Abstract: In one embodiment a controller comprises logic configured to establish a pairing with a remote processor in a second electronic device, create a first secure communication channel with the remote processor, transmit a first portion of a processing task to the remote processor via the first secure channel, receive, via a second communication channel, an input from the first portion of the processing task, and complete at least a second portion of the processing task using the input. Other embodiments may be described.