Patent classifications
H04L9/36
CRYPTOGRAPHIC BLOCK IDENTIFICATION APPARATUS, CRYPTOGRAPHIC BLOCK IDENTIFICATION METHOD, AND NON-TRANSITORY COMPUTER READABLE RECORDING MEDIUM STORING CRYPTOGRAPHIC BLOCK IDENTIFICATION PROGRAM
The present invention relates to a cryptographic block identification apparatus which, in order to analyze encryption logic used by malware to conceal communication, identifies a cryptographic block where encryption logic is stored within a program of the malware. The cryptographic block identification apparatus includes a block candidate extraction part and a cryptographic block identification part. The block candidate extraction part analyzes an execution trace in which an execution step of malware is recorded, calculates an evaluation value representing cipher likeliness of the execution step based on whether or not an operation type that characterizes cipher likeliness of the execution step is included in the execution step, and extracts an execution step where the evaluation value exceeds a threshold L, as a block candidate which is a candidate of a cryptographic block. The cryptographic block identification part identifies a region of the execution trace in which the block candidates are consecutive beyond a threshold M, as a cryptographic block.
Methods and apparatus to identify media
Methods and apparatus for identifying media are described. An example apparatus includes at least one memory; instructions in the apparatus; and processor circuitry to execute the instructions to: determine application identification information for a media presentation application executing on a media device; determine a first watermark for the application identification information from a lookup table; request media identification information for media from the media presentation application; determine a second watermark for the media identification information from the lookup table; insert the first watermark in the media prior to output of the media by the media device; and insert the second watermark in the media prior to the output of the media by the media device.
Secure and delegated distribution of private keys via domain name service
A third party system generates a public-private key pair, the public key of the key pair being an encryption key, and the private key of the key pair being a decryption key. The third party system publishes the encryption key as a DNS record of a third party system. The third party system receives a request to sign a message on behalf of a domain owner, the message to be sent to a recipient, and accesses an encrypted delegated private key published by the domain owner via a DNS record of the domain owner, the encrypted delegated private key encrypted using the encryption key. The third party system decrypts the encrypted delegated private key using the decryption key, and generates a signature for the message using the delegated private key. The third party system sends the signature and the message to the recipient.
Mechanism for partial encryption of data streams
Embodiments of the invention are generally directed to partial encryption of a data stream. An embodiment of a method includes receiving, at a data transmitting device, a data stream having content including one or more of audio content, video content, and control content, and determining one or more of the content to be encrypted. The method further includes partially encrypting the data stream by encrypting the determined content and leaving other content unencrypted, and transmitting, from the data transmitting device, the partially encrypted data stream to a data receiving device.
Selective Encryption Delineation
Decoding a partially encrypted data stream may include receiving and scanning the partially encrypted data stream. Scanning the partially encrypted data stream may include identifying an encrypted portion sentinel in the partially encrypted data stream subsequent to a first portion, identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel, and generating a decrypted data portion by decrypting the encrypted portion. Decrypting the encrypted portion may include identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting an end encrypted portion sentinel, decrypting the encrypted data portion, and identifying an end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion. Decoding the partially encrypted data stream may include including the decrypted data portion in the decrypted output data stream, and outputting the decrypted output data stream to a client device in the second network domain.
System and method of motion detection on encrypted or scrambled video data streams
Systems and methods of motion detection on encrypted or scrambled video data streams are provided. Some methods can include identifying macroblock size information for an encrypted/scrambled video data stream and using the identified macroblock size information to determine a presence of motion in the encrypted/scrambled video data stream without decrypting and descrambling the encrypted/scrambled video data stream.