Patents Examined by Dao Ho
  • Patent number: 9348991
    Abstract: A computer implemented method, a computer program product, and a data processing system manage a set of federated log-in authentications at secure web sites. A client logs into a security context using a first alias from a list of existing federated single sign-on authentication aliases associated with an account. Responsive to logging into the security context, the client can receive the list of existing federated single sign-on authentication aliases. The client can then manage the list of authentication aliases.
    Type: Grant
    Filed: May 20, 2008
    Date of Patent: May 24, 2016
    Assignee: International Business Machines Corporation
    Inventor: Shane Bradley Weeden
  • Patent number: 9350727
    Abstract: An Identification Device for providing validation information. The Identification Device includes a Token and a Validator. The display is adapted to display, during an Operational Phase, a first security code, referred to as the Indicator-of-Clearance (IoC) code, indicating the Clearance Status of the Token, whereby the first security code is generated by an Indicator-of-Clearance Function, such as a digital signature or hash function, programmed on the processor unit based on the Clearance Status and the Validator Clock.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: May 24, 2016
    Assignee: Gentago Services
    Inventor: Johan Vinckier
  • Patent number: 9342666
    Abstract: In accordance with some embodiments, technologies may be provided that are adaptable to any existing and potentially future digital rights management application. Thus, it is not necessary to provide duplicate systems to handle disparate digital rights formats in some embodiments.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: May 17, 2016
    Assignee: Intel Corporation
    Inventors: Hormuzd M. Khosravi, Edward C. Epp, Sachin Agrawal
  • Patent number: 9336389
    Abstract: Disclosed are various embodiments for inspecting malware with little or no user interruption. A first computing device may compare a source code of an application to a fingerprint stored locally on the first computing device. The first computing device may transmit the source code to a second computing device to determine whether the source code resides in a database comprising approved applications. If the source code does not reside in the database, a thorough scan of the source code may be conducted.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: May 10, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Mekka Chibuisi Okereke, Peter Phan Han
  • Patent number: 9338187
    Abstract: Methods, apparatus and articles of manufacture for modeling user working time using authentication events within an enterprise network are provided herein. A method includes collecting multiple instances of activity within an enterprise network over a specified period of time, wherein said multiple instances of activity are attributed to a given device; creating a model based on said collected instances of activity, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device; and generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: May 10, 2016
    Assignee: EMC Corporation
    Inventors: Alina Oprea, Ting-Fang Yen
  • Patent number: 9330264
    Abstract: A system and method for calculating a risk assessment for an electronic file is described. A database of checks, organized into categories, can be used to scan electronic files. The categories of checks can include weights assigned to them. An analyzer can analyze electronic files using the checks. Issues identified by the analyzer can be weighted using the weights to determine a risk assessment for the electronic file.
    Type: Grant
    Filed: January 20, 2015
    Date of Patent: May 3, 2016
    Assignee: GLASSWALL (IP) LIMITED
    Inventor: Samuel Harrison Hutton
  • Patent number: 9326145
    Abstract: A method includes a particular user application, without operating system kernel access, performing the operations of: identifying a set of applications that a user has permission to access, receiving a request to access a particular application of the set of applications, and causing execution of the particular application.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: April 26, 2016
    Assignee: ARUBA NETWORKS, INC.
    Inventors: Asif Awan, Shekhar Kshirsagar, Chetan Kumar, Deepak Agarwal, Suman Maradani, Sunil G. V. Babu
  • Patent number: 9319393
    Abstract: A method of operating a security token to authenticate a user in a multi-factor authentication system is disclosed. The method includes: monitoring user custody of the token, the token having an identifying characteristic representing a possession factor for use through possession factor authentication; during a period of continuous user custody of the token based on the monitoring, obtaining a knowledge factor from a user having the continuous user custody; caching the knowledge factor in a memory of the token; and in response to a second authentication request, retrieving the knowledge factor from the memory to demonstrate to an authentication system knowledge of the knowledge factor, during the period of the continuous user custody.
    Type: Grant
    Filed: January 9, 2014
    Date of Patent: April 19, 2016
    Assignee: Applied Invention, LLC
    Inventor: W. Daniel Hillis
  • Patent number: 9313530
    Abstract: Technique for securely transferring programming content from a first device in a first layer to a second device in a second layer. Upon request to transfer protected content to the second device, the first device authenticates the second device. After authentication, the first device transfers the protected content and a rights file associated therewith to the second device. The rights file specifies the rights of the second device to use the protected content, according to its security level. These rights may concern the number of times that the second device may subsequently transfer the protected content to other devices, the time period within which the second device may play the protected content, etc. The higher the security level of the second device is, the more rights accorded thereto. The second device may further need to meet a minimum security level in order for it to receive the protected content.
    Type: Grant
    Filed: November 12, 2012
    Date of Patent: April 12, 2016
    Assignees: TIME WARNER CABLE ENTERPRISES LLC, COMCAST CABLE HOLDINGS, LLC
    Inventors: William Helms, John B. Carlucci, Michael T. Hayashi, John W. Fahrny
  • Patent number: 9313226
    Abstract: Embodiments of the present application relate to a method for network validation of information, a system for network validation of information, and a computer program product for network validation of information. A method for network validation of information is provided. The method includes receiving verification information from a user, the verification information including a plurality of verification fields, determining a verification sequence of the plurality of verification fields based on a verification rule configuration and a verification scoring table, verifying a current verification field according to the verification sequence, verifying a next verification field in the event that the verification of the current verification field succeeds, and terminating verification in the event that the verification of the current verification field fails.
    Type: Grant
    Filed: December 10, 2013
    Date of Patent: April 12, 2016
    Assignee: Alibaba Group Holding Limited
    Inventor: Lei Su
  • Patent number: 9311256
    Abstract: A storage device includes a non-volatile memory having a plurality of storage areas. Received data is encrypted with a first cryptographic key and stored in one of the storage areas. Upon receiving a request from a host, a key processor replaces the first cryptographic key used to encrypt data stored on a specified one of the non-volatile memories with a different cryptographic key not previously used for any of the storage areas by generating a second cryptographic key, converting the previously used keys into a first value by an operation, and converting the candidate key into a second value by the same operation. The first and second values are compared, and when the first information is not the same as the second information, the second cryptographic key replaces the first cryptographic key, and when not, the second cryptographic key is discarded and a new second cryptographic key generated.
    Type: Grant
    Filed: September 3, 2014
    Date of Patent: April 12, 2016
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshiyuki Kudoh, Yasuto Aramaki, Taichiro Yamanaka, Hiroki Udagawa
  • Patent number: 9306917
    Abstract: A mechanism is provided for secure data storage in a distributed computing system by a client of the distributed computing system. A gateway device intercepts a data file from at least a portion of stream data during transmission. If the destination of the data file is the storage, the gateway device selects a set of analysis algorithms to determine whether the data file comprises sensitive data.
    Type: Grant
    Filed: January 9, 2014
    Date of Patent: April 5, 2016
    Assignee: International Business Machines Corporation
    Inventors: Dominik W. Brugger, Matthias Seul
  • Patent number: 9294497
    Abstract: A system or method may include receiving, by a processor, data describing a network, wherein the network includes a plurality of entities and links describing relationships between the plurality of entities. The method may further include identifying a set of seed entities from the plurality of entities based on predefined rules. The method may further include generating a set of sub-networks based on the set of identified seed entities, wherein each of the sub-networks may include one or more other entities of the plurality of entities having at least one link to the at least one seed entity. The method may further include calculating a risk score for each of the generated sub-networks.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: March 22, 2016
    Assignee: NICE-SYSTEMS LTD.
    Inventors: Pinchas Ben-Or, Simon Robins, Shlomi Cohen-Ganor, Yoav Avneon, Diana Shnaider
  • Patent number: 9294448
    Abstract: Dynamic key cryptography validates mobile device users to cloud services by uniquely identifying the user's electronic device using a very wide range of hardware, firmware, and software minutiae, user secrets, and user biometric values found in or collected by the device. Processes for uniquely identifying and validating the device include: selecting a subset of minutia from a plurality of minutia types; computing a challenge from which the user device can form a response based on the selected combination of minutia; computing a set of pre-processed responses that covers a range of all actual responses possible to be received from the device if the combination of the particular device with the device's collected actual values of minutia is valid; receiving an actual response to the challenge from the device; determining whether the actual response matches any of the pre-processed responses; and providing validation, enabling authentication, data protection, and digital signatures.
    Type: Grant
    Filed: August 12, 2014
    Date of Patent: March 22, 2016
    Assignee: mSignia, Inc.
    Inventors: Paul Timothy Miller, George Allen Tuvell
  • Patent number: 9294507
    Abstract: The usage of data in a multi-tenant environment can be controlled by utilizing functionality at the hypervisor level of various resources in the environment. Data can be associated with various tags, security levels, and/or compartments. The ability of resources or entities to access the data can depend at least in part upon whether the resources or entities are also associated with the tags, security levels, and/or compartments. Limitations on the usage of the data can be controlled by one or more policies associated with the tags, security levels, and/or compartments. A control service can monitor traffic to enforce the appropriate rules or policies, and in some cases can prevent encrypted traffic from passing beyond a specified egress point unless the encryption was performed by a trusted resource with the appropriate permissions.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: March 22, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Eric Jason Brandwine, Graeme D. Baer
  • Patent number: 9286472
    Abstract: A packet handling system is disclosed that can include at least one main processor, a plurality of offload processors connected to a memory bus and configured to provide security related services on packets prior to redirection to the main processor; an arbiter connected to each of the plurality of offload processors, the arbiter capable of scheduling resource priority for instructions or data received from the memory bus; and a virtual switch respectively connected to the main processor and the plurality of offload processors using the memory bus, with the virtual switch capable of receiving memory read/write data over the memory bus, and further directing at least some memory read/write data to the arbiter.
    Type: Grant
    Filed: May 22, 2013
    Date of Patent: March 15, 2016
    Assignee: Xockets, Inc.
    Inventors: Parin Bhadrik Dalal, Stephen Paul Belair
  • Patent number: 9281948
    Abstract: Techniques for providing revocation information for revocable items are described. In implementations, a revocation service is employed to manage revocation information for various revocable items. For example, the revocation service can maintain a revoked list that includes revoked revocable items, such as revoked digital certificates, revoked files (e.g., files that are considered to be unsafe), unsafe network resources (e.g., a website that is determined to be unsafe), and so on. In implementations, the revocation service can communicate a revoked list to a client device to enable the client device to maintain an updated list of revocation information.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: March 8, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Philip J. Hallin, Yogesh A. Mehta, Violet Anna Barhudarian, Magnus Bo Gustaf Nyström
  • Patent number: 9274977
    Abstract: A method begins by a processing module generating an integrity check value for each encoded data slice of a set of encoded data slices to produce a set of integrity check values. The method continues with the processing module encoding the set of integrity check values to produce encoded integrity check values. The method continues with the processing module sending the encoded integrity check values for storage in a memory system.
    Type: Grant
    Filed: October 11, 2011
    Date of Patent: March 1, 2016
    Assignee: International Business Machines Corporation
    Inventor: Jason K. Resch
  • Patent number: 9270694
    Abstract: A security assessment tool can determine computer assets in a network and provide an overall security score for the network. The overall security score can represent an objective measure of the security of the network that considers potential security threats to the computer assets, counter measures deployed in the network to address the potential security threats, and the effectiveness of the counter measures. Based on the overall security assessment, the security assessment tool can provide recommendations for improving the security of the network.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: February 23, 2016
    Assignee: RAPID7, LLC
    Inventors: Chad Loder, Dana Elizabeth Wolf, Matthew Robert Hathaway
  • Patent number: 9269085
    Abstract: Aspects of the invention relate to a customer authentication system for authenticating a customer making a request related to a customer account. The customer authentication system may include multiple application level data receiving and processing mechanisms for receiving customer requests and collecting customer data. The customer authentication system may additionally include a central authentication system for receiving the customer requests and customer data from the multiple application level data receiving and processing mechanisms, the central authentication system determining, based on authentication policy, whether the collected customer data is sufficient to authenticate each customer in order to fulfill the customer request. The central authentication system may return its conclusions and instructions to the multiple application level data receiving and processing mechanisms.
    Type: Grant
    Filed: August 7, 2014
    Date of Patent: February 23, 2016
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Timothy A. Webb, Tracy M. Pletz