Abstract: The invention enables digital music content to be downloaded to and used on a portable wireless computing device. An application running on the wireless device has been automatically adapted to parameters associated with the wireless device without end-user input (e.g. the application has been configured in dependence on the device OS and firmware, related bugs, screen size, pixel number, security models, connection handling, memory etc. This application enables an end-user to browse and search music content on a remote server using a wireless network; to download music content from that remote server using the wireless network and to playback and manage that downloaded music content. The application also includes a digital rights management system that enables unlimited legal downloads of different music tracks to the device and also enables any of those tracks stored on the device to be played so long as a subscription service has not terminated.

Abstract: A computer-implemented method (and apparatus) includes receiving input data comprising bipartite graph data in a format of source MAC (Machine Access Code) data versus destination IP (Internet Protocol) data and timestamp information. The input bipartite graph data is provided into a first processing to detect malicious beaconing activities using a lockstep detection method on the input bipartite graph data to detect possible synchronized attacks against a targeted infrastructure. The input bipartite graph data is also provided into a second processing, the second processing initially converting the bipartite graph data into a co-occurrence graph format that indicates in a graph format how devices in the targeted infrastructure communicate with different external destination servers over time. The second processing detects malicious beaconing activities by analyzing data exchanges with the external destination servers to detect anomalies.

Abstract: A method including obtaining a BIOS image file carrying a private key signature of the BIOS management server, verifying that the BIOS image file has validity according to a public key of the BIOS management server, and verifying that the BIOS image file has integrity according to the pre-stored first file parameter. If both the validity and integrity of the BIOS image file are verified, the BIOS is started. This present disclosure improves the security and reliability of the data server.

Abstract: A BIOS (Basic Input/Output System) flashing method and a BIOS image file processing method, belonging to the field of computers, are provided. The methods include: obtaining a BIOS image file, the BIOS image file carrying a first verification parameter and a first file parameter, verifying that the first verification parameter has validity, verifying that the BIOS image file has completeness based on the first file parameter; and performing BIOS flashing employing the BIOS image file verified as having completeness. The present disclosure may improve security and reliability of data servers.

Abstract: A method for distributing multiple cryptographic keys used to access data includes: receiving a data signal superimposed with an access key request, wherein the access key request includes at least a number, n, greater than 1, of requested keys; generating n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key; deriving an access private key by applying the private key included in each of the n key pairs to a key derivation algorithm; generating an access public key corresponding to the derived access private key using the key pair generation algorithm; and electronically transmitting a data signal superimposed with a private key included in one of the n key pairs for each of the n key pairs.

Abstract: Disclosed are multi-tenant networked security systems and methods. The system includes a central server, a first user application provided on a first computing device, and a second user application provided on a second computer device, wherein the first and second computing devices are communicatively linked with the central server. The system further includes a persistent network key generated by the central server and based at least in part on a unique request identifier and a transient physical key generated by the first user application and based at least in part on the network key, wherein the network key is received by the first user application. The second user application is configured to communicate with the central server to analyze the network key and the physical key in order to verify that a user of the first user application possesses an ingress permission to an access point.

Abstract: Synthetic training sets for machine learning are created by identifying and modifying functional features of code in an existing malware training set. By filtering the resulting synthetic code to measure malware impact and novelty, training sets can be created that predict novel malware and to seek to preemptively exhaust the space of new malware. These synthesized training sets can be used in turn to improve training of machine learning models. Furthermore, by repeating the process of new code generation, filtering and training, an iterative machine learning process may be created that continuously narrows the window of vulnerabilities to new malicious actions.

Abstract: A method and apparatus are described for user protection from external e-mail attack. Some embodiments pertain to receiving an e-mail, detecting a suspicious element in the e-mail, disabling the suspicious element of the e-mail, flagging the suspicious element of the e-mail, displaying the e-mail in an e-mail user interface with the disabled element and the flag, receiving a user command to enable the disabled element of the displayed e-mail, and enabling the disabled element.

Abstract: A location-reporting request is sent by a processor to at least one remote server. The location-reporting request (i) requests processing of data away from a geo-location-aware client device and (ii) includes an instruction that instructs any available server to respond with a reported geographic location. An asserted geographic location is received from a remote server available to process the data responsive to the instruction in the location-reporting request. In response to determining that the asserted geographic location of the available remote server satisfies location-based data processing restrictions that regulate remote processing of the data away from the geo-location-aware client device, the asserted geographic location is verified using a geo-location assertion server. In response to a successful verification of the asserted geographic location of the available remote server, the data is sent to the available remote server to process.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: A local login processing method of an image forming apparatus is provided. The local login processing method include generating session information according to a remote login request upon receiving the remote login request from a mobile terminal, transmitting the session information to the mobile terminal, receiving, from the mobile terminal, a local login request including local login information generated by using at least some of the session information, and approving the local login request by comparing the session information and the local login information.

Abstract: A method, system, computer-readable media, and apparatus for ensuring a secure cloud environment is provided, where public cloud services providers can remove their code from the Trusted Computing Base (TCB) of their cloud services consumers. The method for ensuring a secure cloud environment keeps the Virtual Machine Monitor (VMM), devices, firmware and the physical adversary (where a bad administrator/technician attempts to directly access the cloud host hardware) outside of a consumer's Virtual Machine (VM) TCB. Only the consumer that owns this secure VM can modify the VM or access contents of the VM (as determined by the consumer).

Abstract: Embodiments are directed to a question and answer (QA) pipeline system that adjusts answers to input questions based on a user criteria, thus implementing a content-based determination of access permissions. The QA system allows for information to be retrieved based on permission granted to a user. Documents are ingested and assigned an access level based on a defined information access policy. The QA system is implemented with the defined information access policy, the ingested documents, and the inferred access levels. For the QA system implementation, a user enters a question; primary search and answer extraction stages are performed; candidate answer extraction is performed using only content the user is allowed to access; the candidate answers are scored, ranked, and merged; ranked answers based on user permissions are filtered; and answers are provided to the user.

Abstract: Techniques are provided for automated privacy scoring of user information. In one example, a system comprises a memory that stores computer executable components, and a processor that executes computer executable components stored in the memory. The computer executable components can comprise a privacy scoring component that employs a privacy identification model to generate a privacy score for a user and a product in the particular context based on information associated with the user and the product in the particular context. The computer executable components can also comprise a privacy enforcement component that implements one or more privacy features on the information based on the privacy score.

Abstract: The present teaching relates to searching encrypted data. In one example, a search request is received for encrypted documents. An encrypted query is generated based on the search request. The encrypted query is sent to a server that stores a first encrypted index and a second encrypted index. The first encrypted index maps encrypted keywords to full blocks each of which has a same size and is fully filled with encrypted document identities (IDs). The second encrypted index maps encrypted keywords to partial blocks each of which has the same size and is partially filled with encrypted document IDs. Based on the encrypted query, one or more encrypted document IDs are determined by searching against both the first encrypted index and the second encrypted index. A search result is generated based on the one or more encrypted document IDs. The search result is provided in response to the search request.

Abstract: For confining data to particular set of data servers based on a location restriction of the data, systems, apparatus, methods, and program products are disclosed. The apparatus may include a storage device for storing data, a processor, and a memory that stores code executable by the processor. In one embodiment, the processor identifies a location restriction of the data, encrypt. In another embodiment, the processor encrypts the data. In a further embodiment, the processor confines the data to particular set of data servers based on the location restriction.

Abstract: In response to a request of a first user, identity information for users is searched to retrieve a portion of the identity information corresponding to the first user. The identity information including fields, where a first subset of the fields is schemaless, and a second subset of the fields is interpreted according to a specified schema. Searching the identity information includes searching the first subset and the second subset of fields. An action for the request is authorized by using information included in at least one field of the first subset included in the retrieved portion of the identity information.

Abstract: Embodiments of the invention relate to systems and methods for confidential mutual authentication. A first computer may blind its public key using a blinding factor. The first computer may generate a shared secret using its private key, the blinding factor, and a public key of a second computer. The first computer may encrypt the blinding factor and a certificate including its public key using the shared secret. The first computer may send its blinded public key, the encrypted blinding factor, and the encrypted certificate to the second computer. The second computer may generate the same shared secret using its private key and the blinded public key of the first computer. The second computer may authenticate the first computer by verifying its blinded public key using the blinding factor and the certificate of the first computer. The first computer authenticates the second computer similarly.

Abstract: A computing device includes a processor and a machine-readable storage medium storing instructions. The instructions are executable by the processor to: initiate a transition mode in a database comprising a plurality of data elements; and responsive to a first query for a first data element during the transition mode, determine whether the first data element is already encrypted in the database. The instructions are further executable to, responsive to a determination that the first data element is already encrypted in the database: decrypt the first data element, and return the decrypted first data element to the first query. The instructions are further executable to, responsive to a determination that the first data element is not already encrypted in the database: return the first data element to the first query without decryption, and encrypt the first data element in the database.

Abstract: An electronic network device (200) and an electronic configurator device (300) for provisioning the network device. The network device is configured to send a public key to configurator device (300) over an established first wireless (231) connection, and to receive encrypted credentials wirelessly from the configurator device. The configurator device is configured to receiving the public key over the established first wireless connection, to send credentials wirelessly encrypted with the public key to the network device over the established first wireless connection.