Patents Examined by Andrew Nalven
  • Patent number: 9276960
    Abstract: Technology for policies with reduced associated costs is disclosed. A policy may include an ordered rule set. When evaluated, the highest priority rule in the order that does not skip may control the policy outcome. Rules within a policy may have associated costs, such as data fetch and evaluation costs. In some contexts, it may be less important to evaluate every rule than to evaluate the policy quickly. Reduced policies that have one or more rules removed or that skip evaluation of some rules may be created for these contexts. When a rule of a policy is skipped, it may result in a possibility of a false allow or false deny. In some cases, rules may be duplicative. Removal or skipping of duplicative rules does not increase the possibility of a false allow or false deny. By using reduced policies in identified contexts, policy evaluation costs may be reduced.
    Type: Grant
    Filed: April 2, 2014
    Date of Patent: March 1, 2016
    Assignee: FACEBOOK, INC.
    Inventors: Maria S. Pimenova, Wendy Weihuan Mu, Dwayne Lloyd Reeves, Kendall Blair Hopkins
  • Patent number: 9275237
    Abstract: One embodiment of the present invention provides a system for privacy-preserving sharing of data for secure collaboration. During operation, the system obtains a first set of data describing network events associated with one or more network addresses. Next, the system negotiates with a potential partner to determine a metric for deciding whether to share data. The potential partner is associated with a second set of data describing network events. The system then computes a value for the metric in a privacy-preserving way, based on the first set of data and the second set of data. Subsequently, the system determines whether the metric value exceeds a predetermined threshold, and, responsive to determining that the metric value exceeds the predetermined threshold, the system shares the first set of data with the potential partner, while controlling how the data should be shared to optimize benefits and risks of collaboration.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: March 1, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Emiliano De Cristofaro, Julien F. Freudiger, Ersin Uzun, Alejandro E. Brito, Marshall W. Bern
  • Patent number: 9275234
    Abstract: A password protection application is executed on a mobile device and provides an interface by which an authorized user can define and configure a “data protection profile” for the device. This profile defines at least one security event (criteria or condition) associated with the device, and at least one protection action that should occur to protect data on the device upon the triggering of the event. Once defined in a profile, the application monitors for the occurrence of the security event. Upon the occurrence of the specified event, the protection action is enforced on the device to protect the data.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: March 1, 2016
    Assignee: International Business Machines Corporation
    Inventors: Mark Alexander McGloin, Olgierd Pieczul, Joseph Celi
  • Patent number: 9270647
    Abstract: In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define one or more objects and one or more operations that are based, at least in part, on the one or more objects; generating, in memory, one or more data structures that correspond to the one or more objects; performing the one or more operations on the one or more data structures; updating the one or more data structures, in response to performing the one or more operations, to produce one or more updated data structures; rendering a second set of instructions, which when executed by a remote client computer cause the remote client computer to generate the updated data structures in memory on the remote client computer, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the remote client computer.
    Type: Grant
    Filed: December 6, 2013
    Date of Patent: February 23, 2016
    Assignee: Shape Security, Inc.
    Inventor: Justin Call
  • Patent number: 9270461
    Abstract: System and method embodiments are provided herein for efficient representation and use of initialization vectors (IVs) for encrypted segments using template mode representation in Dynamic Adaptive Streaming over Hypertext Transfer Protocol (DASH). An embodiment method includes sending in a media presentation description (MPD), from a network server to a client, a template for generating a universal resource locator (URL) to obtain an IV that is used for encrypting a segment, in absence of an IV value in the MPD, receiving from the client a URL configured according to the template, and upon receiving the URL, returning an IV corresponding to the URL to the client. Another embodiment method includes receiving in a MPD, at a client from a network server, a template for generating a URL to obtain an IV that is used for encrypting a segment, upon detecting an absence of an IV value or IV base value in the MPD, configuring a URL for the IV using the template, sending the URL for the IV, and receiving an IV.
    Type: Grant
    Filed: April 26, 2013
    Date of Patent: February 23, 2016
    Assignee: Futurewei Technologies, Inc.
    Inventors: Alexander Giladi, Shaobo Zhang
  • Patent number: 9270651
    Abstract: A method comprising generating an updated security key upon expiration of a key exchange timer, transferring the updated security key to a Coaxial Network Unit (CNU), retaining an original key, wherein the updated security key comprises a different key identification number than the original key, accepting and decrypting upstream traffic that employs either the original key or the updated key, after transferring the updated security key to the CNU, creating a key switchover timer, before the key switchover timer expires, verifying that upstream traffic transferred from the CNU on a logical link uses the updated security key, and when upstream traffic is encrypted using the updated security key, beginning to use the updated security key to encrypt downstream traffic and clearing the key switchover timer.
    Type: Grant
    Filed: April 2, 2014
    Date of Patent: February 23, 2016
    Assignee: Futurewei Technologies, Inc.
    Inventors: Yanbin Sun, Guangsheng Wu, Li Zhang, Jim Chen
  • Patent number: 9264402
    Abstract: Systems and methods involve compute nodes configured to define and/or otherwise process information associated with one or more virtual machines. In one exemplary implementation, a compute node may be configured to enable a firewall between the virtual machine and at least a portion of a network. Moreover, the firewall may be configured to detect undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the virtual machine and the network. Various features may also relate to the compute node being configured to lock the virtual machine in response to the firewall detecting undesired traffic associated with the virtual machine.
    Type: Grant
    Filed: February 20, 2013
    Date of Patent: February 16, 2016
    Assignee: Virtustream Canada Holdings, Inc.
    Inventor: Derek Anderson
  • Patent number: 9262613
    Abstract: This disclosure describes methods for identifying an individual in an anonymous biometric authentication system, where an individual's biometric data is captured by a device, and the resulting probe is compared with the templates in a previously enrolled population. The system comprises a Biographic Identity Management System having a non-anonymous sector in communication with an anonymous sector through a network cloud. The anonymous sector or Anonymous Biometric Identity Management System contains an index of tokens, each associated uniquely with a biometric template, which may then be compared with a biometric probe to determine the identity of an individual.
    Type: Grant
    Filed: October 2, 2012
    Date of Patent: February 16, 2016
    Assignee: ImageWare Systems, Inc.
    Inventor: David Harding
  • Patent number: 9264414
    Abstract: A queue in a connector service provides a unified communication channel and stores service packets sent to a target service from client applications. Incoming service request packets are modified at run time to add valid security tokens without requiring the user's action or notice. Before sending the packets, the connector service determines whether the authentication tokens are valid. Packets with valid authentication tokens are sent to the target service. If the communication request fails, the queue automatically adds the original communication packet to the end of the queue, so that it can be conditionally retried. When a loss of connectivity is detected, the connector service takes a snapshot of the queue by copying the packets to a storage module in the same order. When the connectivity is restored, the queue loads the saved requests from the storage module and starts processing them in the order they were received.
    Type: Grant
    Filed: April 26, 2013
    Date of Patent: February 16, 2016
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventor: Gaurav Gargate
  • Patent number: 9264442
    Abstract: One embodiment of the present invention provides a system for multi-domain clustering. During operation, the system collects domain data for at least two domains associated with users, wherein a domain is a source of data describing observable activities of a user. Next, the system estimates a probability distribution for a domain associated with the user. The system also estimates a probability distribution for a second domain associated with the user. Then, the system analyzes the domain data with a multi-domain probability model that includes variables for two or more domains to determine a probability distribution of each domain associated with the probability model and to assign users to clusters associated with user roles.
    Type: Grant
    Filed: April 26, 2013
    Date of Patent: February 16, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Evgeniy Bart, Juan J. Liu, Hoda M. A. Eldardiry, Robert R. Price
  • Patent number: 9264222
    Abstract: Methods, media, and systems for, in one embodiment, protecting one or more keys in an encryption and/or decryption process can use precomputed values in the process such that at least a portion of the one or more keys is not used or exposed in the process. In one example of a method, internal states of an AES encryption process are saved for use in a counter mode stream cipher operation in which the key used in the AES encryption process is not exposed or used.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: February 16, 2016
    Assignee: Apple Inc.
    Inventors: Benoit Chevallier-Mames, Mathieu Ciet, Thomas Icart, Bruno Kindarji, Augustin J. Farrugia
  • Patent number: 9264438
    Abstract: A method of advertising using an electronic processor authorization challenge. An advertisement is combined with an authorization key to form an image. An electronic processor disassembles the image and presents the disassembled image to a user by a graphical user interface as an authorization challenge. The authorization challenge can be successfully overcome by a human user reassembling the divided image, then recognizing the authorization key, and then responding to the authorization key. The authorization key is data configured to be inputted into an electronic processor by a human user or data corresponding to a command configured to be performed by a human user. The authorization key can be an advertisement, a feature of an advertisement, a coupon, a CAPTCHA, a Reverse Turing Test, a command, an image, a string of text, a number, a letter, a symbol, a combination of a number, a letter, or a symbol.
    Type: Grant
    Filed: November 24, 2014
    Date of Patent: February 16, 2016
    Inventor: Michael J. Vandemar
  • Patent number: 9256717
    Abstract: An exemplary system includes 1) a mobile computing device provided by a vertical solution provider for use by a customer of an industry service provider to access one or more services provided by the industry service provider and 2) a mobile media platform provider subsystem operated by the vertical solution provider and configured to communicate with the mobile computing device. The mobile media platform provider subsystem and the mobile computing device are configured to provide a mobile media platform managed by the vertical solution provider and configured to facilitate the use of the mobile computing device by the customer to access the one or more services provided by the industry service provider.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: February 9, 2016
    Assignee: VERIZON PATENT AND LICENSING INC.
    Inventors: Peter W. Tomfohrde, John R. Williams
  • Patent number: 9258289
    Abstract: A method and system for authenticating IP source addresses by accessing one or more HTTP requests whose source client identifies itself as a legitimate web crawler. One or more IP addresses are detected from the one or more HTTP requests and each detected IP address is authenticated via a probability estimation regarding its association with a legitimate web crawler. A lookup table is preferably compiled for the authenticated IP addresses for reference, publication and authentication purposes.
    Type: Grant
    Filed: April 29, 2013
    Date of Patent: February 9, 2016
    Inventors: Jeffrey Edwards, Jose Oscar Nazario
  • Patent number: 9251372
    Abstract: Methods and systems for receiving sensitive information include receiving a request for entering sensitive information, the request received from a user interface rendered on a client device. The methods and systems rely upon nested iframes, each of which is hosted by a different server. An inner iframe is hosted by a server within a secure zone, such as a digital vault. A middle iframe is hosted within the secure zone and is invoked by an intermediate server. An outer iframe is hosted by a server that provides the user interface. The server that provides the user interface may be hosted by a cloud service provider, for example. Using the nested iframes and the network topology described in the present disclosure, users are able to exchange sensitive information with a server within the secure zone through a user interface provided outside the secure zone.
    Type: Grant
    Filed: July 8, 2015
    Date of Patent: February 2, 2016
    Assignee: Yahoo! Inc.
    Inventors: Maria Eugenia Tornos Lahoz, Anna Chu-Sumida, Nikunj Koolar, Peter Chan, Aditi Sinha Gundlapalli, Surajit Dutta, Binu Ramakrishnan, Venkatesh Dharmar
  • Patent number: 9253189
    Abstract: Generating weights for biometric tokens in probabilistic matching systems is disclosed, where these weights are generated from computations performed on matched sets and unmatched sets of a reference data set. In an embodiment, scores from a similarity scoring function are distributed among bins, and a weight is computed for each bin as the log of (the matched set ratio/the unmatched set ratio), where the ratios are computed as the number of scores in a particular bin as compared to the total size of the set. The weights may then be used subsequently with scores computed by the scoring function to assess confidence of a computed similarity score, and are directed toward making the output of the probabilistic matching system more data-driven and more accurate.
    Type: Grant
    Filed: August 27, 2014
    Date of Patent: February 2, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Poplavski, Scott Schumacher, Prachi Snehal, Sean J. Welleck, Alan Xia, Yinle Zhou
  • Patent number: 9252949
    Abstract: Provided are techniques for verifying, by a first device, that a management key block of a second device is valid. A management key block that includes a plurality of verification data, each of the plurality associated with a plurality of security classes ranked from high to low, is generated. The first device, which is associated with a security class that is higher than a security class associated with the second device, verifies a management key block of the second device by calculating a management key precursor associated with the higher security class and verifying verification data associated with the higher security class. In this manner, the second device is unable to pass an unauthorized, or “spoofed,” management key block.
    Type: Grant
    Filed: March 13, 2012
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventor: Matthew F. Rutkowski
  • Patent number: 9251333
    Abstract: Systems and methods for authenticating a user include a wearable user device receiving a first request to access a secure system. A plurality of authentication elements are then displayed on a display device to a user eye in a first authentication orientation about a perimeter of an authentication element input area. A user hand located opposite the display device from the user eye is then detected selecting a sequence of the plurality of authentication elements. For each selected authentication element in the sequence, the wearable user device moves the selected authentication element based on a detected movement of the user hand and records the selected authentication element as a portion of an authentication input in response to the user hand moving the selected authentication element to the authentication element input area. The user is authenticated for the secure system if the authentication input matches stored user authentication information.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: February 2, 2016
    Assignee: PAYPAL, INC.
    Inventors: Geoffrey W. Chatterton, Robert Michael Voytovich, Jr., Ramaneek Khanna, Timothy C. Nichols
  • Patent number: 9252948
    Abstract: Provided are techniques for verifying, by a first device, that a management key block of a second device is valid. A management key block that includes a plurality of verification data, each of the plurality associated with a plurality of security classes ranked from high to low, is generated. The first device, which is associated with a security class that is higher than a security class associated with the second device, verifies a management key block of the second device by calculating a management key precursor associated with the higher security class and verifying verification data associated with the higher security class. In this manner, the second device is unable to pass an unauthorized, or “spoofed,” management key block.
    Type: Grant
    Filed: November 19, 2010
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventor: Matthew F. Rutkowski
  • Patent number: 9253185
    Abstract: In accordance with the exemplary embodiments of the invention there is at least a method and an apparatus to perform the method of sending towards a key management device associated with an application service provider for an application, a key request for the application being booted in the cloud network; and in response to the key request, receiving an application specific key for the application, where the key is based on multiple factors associated with the application server. Further, there is at least a method and an apparatus to perform the method of receiving a key request from an application server of a cloud network for the application being booted in the cloud network; in response to the key request, authenticating the request using multiple attributes associated with the application server; and sending an application specific key for the application towards the application server.
    Type: Grant
    Filed: December 10, 2013
    Date of Patent: February 2, 2016
    Assignee: Nokia Technologies Oy
    Inventors: Anssi Alaranta, Zahid N. Ahmed, Karthik Muthukrishnan, Mike Beauford