Patents Examined by Brian Shaw
  • Patent number: 9165155
    Abstract: Storage leases specify access restrictions and time periods, restricting access to their associated data during the storage lease time period. Storage leases may be assigned to individual data storage blocks or groups of data storage blocks in a data storage device. A data storage device may include any arbitrary number of different storage leases assigned to different portions of its data storage blocks. Storage lease-enabled devices may provide security certificates to verify that data access operations have been performed as requested and that their storage leases are being enforced. Storage lease-enabled devices compare storage lease information for data units with the current time using a clock isolated from access by storage clients or time certificates from one or more trusted time servers. Storage leases may be used in combination with backup applications, file systems, database systems, peer-to-peer data storage, and cloud storage systems.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: October 20, 2015
    Assignee: MAX PLANCK GESELLSCHAFT ZUR FOERDERUNG DER WISSENSCHAFTEN
    Inventors: Peter Druschel, Rodrigo Rodrigues, Ansley Post, Johannes Gehrke, Anjo Lucas Vahldiek
  • Patent number: 9160768
    Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: October 13, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Namit Sikka, Anoop Reddy, Rajiv Mirani, Abhishek Chauhan
  • Patent number: 9158929
    Abstract: Methods, systems, and computer-readable media for determining access rights for stored data are presented. Data tables may store data that is accessible to users. A request for explicit access to data may be received from a user. The system may determine the user's identity and further determine combined access rights based on the request for explicit access to data and the identity of the user. For example, implicit access rights for a user may be based on the identity. Based on the determined access rights, the system may retrieve data from the data tables. In an embodiment, the access rights may define that a first portion of a column is to be retrieved while a second portion of the column is to be restricted, or that a first portion of a row is to be retrieved while a second portion of the row is to be restricted.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: October 13, 2015
    Assignee: Bank of America Corporation
    Inventors: Carey W. Worth, Manoj Bohra, Kenneth L. Lindeman, Sri L. Chigurupati
  • Patent number: 9154519
    Abstract: Disclosed are system and method for malware detection on virtual machines. An example method comprises: forming, on a virtual machine, a queue of identifiers of objects for malware analysis; determining a method for selecting objects in the queue for malware analysis; selecting one or more objects from the queue for malware analysis; providing identifiers of the selected objects to a security virtual machine for malware analysis; checking, by the security virtual machine, whether each of the selected objects has been previously provided for malware analysis by another virtual machine; when a selected object has not been previously provided by another virtual machine, performing, by the security virtual machine, a malware analysis of the selected object; and providing, to the virtual machine, a malware analysis result for the selected object.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: October 6, 2015
    Assignee: AO Kaspersky Lab
    Inventors: Ilya B. Godunov, Pavel N. Yarykin
  • Patent number: 9143510
    Abstract: A method is provided for network identification based on high entropy data on a network which are not easily guessed or obtained outside the network, which can prevent an attacker from “spoofing” the network. A component in a client computer connected to a network may obtain over the network a network data block including device identification information of a device controlling the network. Upon parsing the network data block, such high entropy data as unique device identifiers may be obtained from the device identification information. Depending on availability of the unique device identifiers and authentication history of the client computer, different combinations of the unique device identifiers and/or other identification information may be used to generate a unique network identifier such as a network signature. The component may provide the network signature to applications within the client computer.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: September 22, 2015
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Bill Begorre, Deon C. Brewis
  • Patent number: 9137228
    Abstract: An SP's default user authentication is automatically augmented. An access request from a user is redirected from the SP to an authentication augmentation system. The SP also sends an augmentation request. The augmentation system redirects the access request to an IdP, and receives back an authenticated user identity. The default authentication is automatically augmented with additional techniques such as identity proofing and/or multifactor authentication, without the SP or the IdP modifying their code to implement or integrate the augmented authentication. Responsive to successfully authenticating the user according to the additional techniques, an augmented authenticated user identity is redirected to the SP. The augmentation system can use an identity management protocol such as SAML to communicate with the SP and IdP. Authentication performed by a third party and extended to the SP can be augmented, in which case a session id can be used to access third party services.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: September 15, 2015
    Assignee: Symantec Corporation
    Inventor: Keith Newstadt
  • Patent number: 9129113
    Abstract: An apparatus including a ROM, a selector, and a detector. The ROM has partitions and encrypted digests. Each of the partitions is stored as plaintext, and each of the encrypted digests includes an encrypted version of a first digest associated with a corresponding one of the partitions. The selector selects one or more of the partitions responsive to an interrupt.
    Type: Grant
    Filed: November 13, 2013
    Date of Patent: September 8, 2015
    Assignee: VIA TECHNOLOGIES, INC.
    Inventor: G. Glenn Henry
  • Patent number: 9124570
    Abstract: There is disclosed herein a technique for use in providing an assessment of authentication requests. In one embodiment, the technique comprises obtaining authentication data that relates to an attribute of authentication requests in a current time period and a previous time period. The technique also comprises applying a weight to the authentication data that relates to the attribute of authentication requests in the previous time period and performing a computation involving the weighted authentication data and the authentication data that relates to the attribute of authentication requests in the current time period. The computation produces a computational result. The technique still further comprises providing the computational result for use in processing future authentication requests.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: September 1, 2015
    Assignee: EMC Corporation
    Inventors: Lior Asher, Ayelet Biger Levin, Marcelo Blatt
  • Patent number: 9117080
    Abstract: Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. An anti-malware component executes within a virtual machine (VM) exposed by a hypervisor executing on the computer system. A memory introspection engine executes outside the virtual machine, at the processor privilege level of the hypervisor, and protects a process executing within the virtual machine by write-protecting a memory page of the respective process. By combining anti-malware components executing inside and outside the respective VM, some embodiments of the present invention may use the abundance of behavioral data that inside-VM components have access to, while protecting the integrity of such components from outside the respective VM.
    Type: Grant
    Filed: July 5, 2013
    Date of Patent: August 25, 2015
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Sandor Lukacs, Raul V. Tosa, Paul Boca, Gheorghe Hajmasan, Andrei V. Lutas
  • Patent number: 9100684
    Abstract: A semiconductor integrated circuit for processing content data by encrypting or decrypting the data has one or more inputs to receive content and metadata. A metadata store comprises two portions, a first portion for storing metadata itself and a second portion for storing an address of locations of bitfields of metadata. This arrangement allows for efficient storage of the metadata but requires certain rules to ensure that bitfields of metadata cannot be stored and used with anything other than the content with which the metadata is associated.
    Type: Grant
    Filed: February 15, 2007
    Date of Patent: August 4, 2015
    Assignee: STMicroelectronics (Research & Development) Limited
    Inventor: Tom Ryan
  • Patent number: 9098076
    Abstract: A management device of the emission amount or reduction amount of greenhouse gases including: a communication unit that performs communication with an IC card on which an ID and history information on activities outside of a designated area are recorded; a control unit that performs authentication by the read ID via the communication unit, and in a case when authentication is successful, reads the history information via the communication unit, and obtains information relating to the emission amount or reduction amount of greenhouse gases from the read history information; and a display unit that displays the information relating to the emission amount or reduction amount of greenhouse gases.
    Type: Grant
    Filed: July 28, 2011
    Date of Patent: August 4, 2015
    Assignee: Sony Corporation
    Inventors: Eiichiro Kubota, Kazuyoshi Takemura, Isao Soma
  • Patent number: 9094385
    Abstract: Disclosed below are representative embodiments of methods, apparatus, and systems for monitoring and using data in an electric power grid. For example, one disclosed embodiment comprises a sensor for measuring an electrical characteristic of a power line, electrical generator, or electrical device; a network interface; a processor; and one or more computer-readable storage media storing computer-executable instructions.
    Type: Grant
    Filed: August 5, 2011
    Date of Patent: July 28, 2015
    Assignee: Battelle Memorial Institute
    Inventors: Bora A. Akyol, Jereme Nathan Haack, Philip Allen Craig, Jr., Cody William Tews, Anand V. Kulkarni, Brandon J. Carpenter, Wendy M. Maiden, Selim Ciraci
  • Patent number: 9092602
    Abstract: A pressure key includes a pressure sensor, a microprocessor chip, a storage device, a port, a record button and an enter button. When the pressure key is connected to a computing device and the record button is pressed, the pressure sensor is triggered to record a pressure signal input by a user. The microprocessor chip converts the pressure signal into a password, stores the password into the storage device, and sends the password to the computing device to lock the computing device. When the pressure key is connected to the computing device again and the enter button is pressed, the microprocessor chip retrieves the password from the storage device and sends the password to the computing device. The computing device is unlocked if the received password matches the password stored in the computing device.
    Type: Grant
    Filed: November 18, 2013
    Date of Patent: July 28, 2015
    Assignees: HONG FU JIN PRECISION INDUSTRY (WuHan) CO., LTD., HON HAI PRECISION INDUSTRY CO., LTD.
    Inventors: Jian-Hung Hung, Xin-Shu Wang, Min Yang
  • Patent number: 9077703
    Abstract: A computer-implemented method for protecting user accounts may include: 1) identifying a credential that a computing device uses to log in to a user account of an online system, where the online system is configured to perform an adverse security action in response to a number of failed attempts to log in to the user account, 2) determining that an old version of the credential is no longer valid for logging in to the user account and that a new version of the credential is required to log in to the user account, and 3) taking a remedial action that prevents the adverse security action in response to determining that the old version of the credential is no longer valid. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 10, 2013
    Date of Patent: July 7, 2015
    Assignee: Symantec Corporation
    Inventors: Samuel Goshen, Scott Douglass
  • Patent number: 9064100
    Abstract: An access object management system manages an object in a transmission system, which is allowed for access by a terminal in the transmission system, based on whether access by the terminal is restricted. The access object management system allows the terminal to access a part of the transmission system even when access by the terminal is restricted.
    Type: Grant
    Filed: November 17, 2011
    Date of Patent: June 23, 2015
    Assignee: Ricoh Company, Ltd.
    Inventor: Kunio Okita
  • Patent number: 9053318
    Abstract: A method for authenticating a software application instance includes a user device transmitting a request for access to a server device, wherein the request includes an App ID. The method further includes a server device transmitting a session ID to the user device and transmitting the session ID and the App ID to an anti-clone engine. The method further includes the anti-clone engine generating and transmitting a challenge token to the user device, and receiving and processing a response token to determine whether the user device is an authentic software application instance. The method further includes the anti-clone engine transmitting an authorization message to the server device.
    Type: Grant
    Filed: July 11, 2013
    Date of Patent: June 9, 2015
    Assignee: CallSign, Inc.
    Inventor: Zia Hayat
  • Patent number: 9027133
    Abstract: The present invention discloses a method and system for performing security monitoring on file downloading, and a non-transitory computer-readable medium that stores instructions for performing security monitoring on file downloading. The method includes upon detecting a file downloading operation, performing security detection on a downloaded file to determine whether the downloaded file is secure; if the downloaded file is secure, determining whether a downloading tool adopted when the file is downloaded is instant messenger (IM) software; and if the adopted downloading tool is IM software, modifying a filename extension of the downloaded file to ensure that the downloaded file is capable of being directly opened or run.
    Type: Grant
    Filed: November 7, 2013
    Date of Patent: May 5, 2015
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Qiru Chen, Yang Liu, He Li, Fei Lu
  • Patent number: 9015795
    Abstract: Reputation metrics are used to gauge risk of individuals to an organization, such as employees of a business. The reputation metrics may be calculated from both internal and external data sources, including social network profiles of the individuals. Calculations of risk are used to make determinations regarding the activities the individuals are authorized to engage in.
    Type: Grant
    Filed: July 1, 2013
    Date of Patent: April 21, 2015
    Assignee: Oracle International Corporation
    Inventors: Reza B'Far, Kent Spaulding, Yasin Cengiz, Americo Caves, Paiting Ou, Christopher Hluchan, Venkata Sree Ramya Manchikanti
  • Patent number: 9003533
    Abstract: A computer-implemented method for detecting malware may include 1) identifying a file represented within a file system by a file name, 2) identifying a creation of a hard link to the file that uses an additional file name, 3) updating a database with an association between the file name and the additional file name, 4) identifying a file-closing operation within the file system and determining that the target file name of the file-closing operation was removed from the file system after the file-closing operation, 5) querying the database with the target file name and identifying an existing file name representing the file based on the association, and 6) scanning the existing file name for malware in response to the file-closing operation instead of scanning the target file name because the target file name was removed from the file system. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: April 7, 2015
    Assignee: Symantec Corporation
    Inventor: Lee Gummerman
  • Patent number: 8990586
    Abstract: Methods, systems, and apparatuses for selectively exposing subscriber data include maintaining subscriber data at a digital data storage, wherein the digital data storage is protected by a service provider firewall. A request to expose subscriber data from a third-party requestor is received. Selected subscriber data and a security condition associated with the request are determined, wherein the security condition is based on an identity of the third-party requestor. The selected subscriber data is retrieved if the security condition is satisfied, and the selected subscriber data is transmitted to the third-party requestor.
    Type: Grant
    Filed: October 26, 2011
    Date of Patent: March 24, 2015
    Assignee: Alcatel Lucent
    Inventors: Alok Sharma, Yigang Cai