Patents Examined by Eric W Shepperd
  • Patent number: 10521610
    Abstract: The example embodiments are directed to an application and a system capable of identifying levels of secure data within electronic message content. In one example, the method includes at least one of: receiving an electronic message from a user device, the electronic message including message content and at least one recipient, determining that the message content includes a plurality of different levels of secure content corresponding to a plurality of different authentication levels, shielding each portion of the secure content, and providing an indicator indicating a level of authentication associated with each respective shielded portion of secure content from among the plurality of different levels of authentication, and transmitting the electronic message to the at least one recipient including the shielded secure content and the indications of the plurality of different levels of authentication.
    Type: Grant
    Filed: June 7, 2017
    Date of Patent: December 31, 2019
    Assignee: OPEN INVENTION NETWORK LLC
    Inventor: David Gerard Ledet
  • Patent number: 10509918
    Abstract: Described is a system for protecting sensitive information that is hardcoded in polynomial-size ordered binary decision diagram (POBDD) form. A software executable represented as a POBDD having sensitive information embedded therein is obfuscated into an obfuscated POBDD. An input query on the obfuscated POBDD is evaluated, and the sensitive information is revealed only if the input query is a correct input. Thus, an adversary is prevented from extracting the sensitive information embedded in the POBDD.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: December 17, 2019
    Assignee: HRL Laboratories, LLC
    Inventors: Chongwon Cho, Karim El Defrawy
  • Patent number: 10510014
    Abstract: The disclosed embodiments provide a system for processing user actions with a service. During operation, the system uses a statistical model to obtain a first metric associated with a user action received by a service. Next, the system applies a set of static decisions to the metric and one or more attributes of the user action to determine a first response to the user action. The system then uses a set of dynamic rules to produce a first modification to the first response. Finally, the system generates output for applying the first response to the user action.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: December 17, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jie Zhang, Tzu-Han Jan, Xi Sun, Grace W. Tang, Sahil Handa, Vladimir I. Shlosberg
  • Patent number: 10491566
    Abstract: A user of a client device that is protected by a firewall may navigate to a website using a particular browser process (e.g., a window/tab of a browser) of the client device, sending a content request toward a web content server in the process. The firewall may intercept the content request, and may also receive information from the client device identifying which browser process initiated the content request. Before passing the content request to the appropriate web content server, the firewall may request and download a security policy from a security policy server. The security policy may notify the firewall which hosts are authorized/unauthorized for use with a particular domain, and which file types from each of these hosts are authorized/unauthorized for use with the particular domain. The firewall may then filter content related to the identified browser process based on the security policy.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: November 26, 2019
    Assignee: SONICWALL INC.
    Inventor: Hugo Vazquez Carames
  • Patent number: 10476669
    Abstract: Space-efficient key allocations in broadcast encryption systems are provided. In some embodiments, a key bundle is read. The key bundle includes a first cryptographic key, an associated first key identifier, and an associated first cryptographic function identifier. A plurality of encrypted keys is received. Each encrypted key has an associated identifier. A first encrypted key is selected from the plurality of encrypted keys such that the key identifier of the first encrypted key is equivalent to the first key identifier. A first cryptographic function is determined corresponding to the first cryptographic function identifier. The first cryptographic function is applied to the first encrypted key using the first cryptographic key to obtain a first intermediate cryptographic key. A content cryptographic key is determined using the first intermediate cryptographic key. The content cryptographic key is adapted for decryption of encrypted content.
    Type: Grant
    Filed: April 28, 2016
    Date of Patent: November 12, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Dulce B. Ponceleon
  • Patent number: 10476856
    Abstract: Present system relates to a method for authenticating a first device, the method being executed by a second device, the second device comprising a database, the database storing a profile associated to a user of the first device, the second device using the profile of the user to generate a first challenge comprising a question and a corresponding response for authentication of the first device, the method comprising, upon successful authentication of the first device using the first challenge, the steps of collecting contextual information from the first device and updating the profile associated to the user of the first device with the received contextual information for a subsequent generation of a second challenge for authentication of the first device.
    Type: Grant
    Filed: December 4, 2015
    Date of Patent: November 12, 2019
    Assignee: Orange
    Inventors: Dev Pramil Audsin, Zaheer Ahmad, Jean-Philippe Wary, Mobeen Qureshi
  • Patent number: 10452564
    Abstract: Format preserving encryption of object code is disclosed. One example is a system including at least one processor and a memory storing instructions executable by the at least one processor to identify object code to be secured, where the object code comprises a list of instructions, each instruction comprising an opcode and zero or more parameters. A format preserving encryption (FPE) is applied to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions. An encrypted object code is provided to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: October 22, 2019
    Assignee: ENTIT SOFTWARE LLC
    Inventors: Luther Martin, Timothy Roake
  • Patent number: 10447613
    Abstract: Authorization decisions can be made in a resource environment using authorization functions which can be provided by customers, third parties, or other such entities. The functions can be implemented using virtual machine instances with one or more transient compute containers. This compute capacity can be preconfigured with certain software and provided using existing compute capacity assigned to a customer, or capacity invoked from a warming pool, to execute the appropriate authorization function. The authorization function can be a lambda function that takes in context and generates the appropriate security functionality inline. The utilization of ephemeral compute capacity enables the functionality to be provided on demand, without requiring explicit naming or identification, and can enable cause state information to be maintained for a customer.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: October 15, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Eric Jason Brandwine
  • Patent number: 10445561
    Abstract: Methods and systems are described for creating irrefutable binding data for a data file. An input sequence of data elements is derived based on information from the data file. A graphical representation of input regions corresponding to the input sequence of data elements is output on a display, superimposed on captured image data including a visible feature of a user associated with the data file. User input of each data element of the input sequence is captured by tracking the visible feature through the corresponding input regions, and the binding data is created from the captured images as the visible feature is tracked through the input regions.
    Type: Grant
    Filed: September 21, 2017
    Date of Patent: October 15, 2019
    Assignee: PQ SOLUTIONS LIMITED
    Inventors: Martin Tomlinson, Cen Jung Tjhai, Andersen Cheng
  • Patent number: 10419289
    Abstract: System and method for agentless computing system configuration management in networked environments. A configuration management service may be implemented as a service on a network with a standard network interface. A client may communicate with the service to specify a configuration for a target system, for example through a browser interface. The specified configuration may be stored by the service. The service may generate a package according to the specified configuration. The package may be delivered to the target system via the network. The package may then install the configuration, for example, one or more software, data, or other digital components, on the target systems in accordance with the specified configuration. The clients may request that the service verify and/or update the installed configuration on the target system. The service may, in response, generate an update package for the installed configuration. Target systems may include computer systems and virtual machines.
    Type: Grant
    Filed: May 23, 2016
    Date of Patent: September 17, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: William J. Alford, Sumit Lohia, Thomas William Whitcomb, Kenneth L. Hamer, Evan Michael McLain
  • Patent number: 10409998
    Abstract: In an embodiment, a system includes a processor with at least one core to execute an application to provide intrusion detection and protection, a radar sensor to detect presence of one or more persons within a detection zone about the system and to output a detection notification responsive to the presence detection, and a peripheral controller coupled to the radar sensor to receive the detection notification and to provide the detection notification to the application, where the application is to cause a protection measure to be performed responsive to the detection notification. Other embodiments are described and claimed.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: September 10, 2019
    Assignee: Intel Corporation
    Inventors: Mark E. Sprenger, Paul J. Gwin
  • Patent number: 10412133
    Abstract: Access to transactional multimedia content may be based on network routing. Some multimedia content may be best delivered via a private network. Other multimedia content may be best delivered via a public network. A type of the multimedia content may thus determine network routing.
    Type: Grant
    Filed: April 23, 2016
    Date of Patent: September 10, 2019
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: David J. Piepenbrink, Lee M. Chow, James T. Sofos
  • Patent number: 10412070
    Abstract: The present invention is directed to allowing a more secure initial, and continuous authentication of virtual private network (VPN) tunneling. The device of the present invention contains its own microprocessor and operating system which connects to the host system via a universal serial bus (USB) or another coupling mode. The present invention involves executing and storing of the VPN software, certificates, credentials and sensors on the device, which allows for more security and manageability as opposed to executing the VPN on the host system. The device continuously authenticates the presence of the user via biometrics or the presence of a second device, including a smartphone, a smartwatch, an NFC ring or a custom device with a microprocessor, via Quick Response (QR) Codes, Near-Field Communication (NFC) or Bluetooth Low Energy (LE) proximity authentication to activate or deactivate the VPN tunnel.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: September 10, 2019
    Assignee: NOA, Inc.
    Inventors: Mark McNeely, Michael McNeely
  • Patent number: 10387669
    Abstract: A technique and system protects documents at rest and in motion using declarative policies, access rights, and encryption. Methods, techniques, and systems control access to documents and use of content in documents to support information management policies.
    Type: Grant
    Filed: September 16, 2016
    Date of Patent: August 20, 2019
    Assignee: NextLabs, Inc.
    Inventors: Keng Lim, Poon Fung
  • Patent number: 10382578
    Abstract: This application relates to embodiments for providing a content stream to a device from a content server based on a protocol that is established between the device and an account server. The account server can initiate a session with the device and provide the device with a list of channels available for a user account associated with the device. When a channel is selected at the device, conditional access information can be provided from the account server to the device, which can thereafter relay the conditional access information to the content server. The content server can use the conditional access information to verify that the device has the appropriate permission to receive streaming content. In this way, because the conditional access information originates at the account server, permission to access streaming content can be managed by correspondence between the account server and the device, rather than the content server.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: August 13, 2019
    Assignee: Apple Inc.
    Inventors: Srinivas Vedula, Daniel P. Carter, Gianpaolo Fasoli, Augustin J. Farrugia, Eugene Jivotovski
  • Patent number: 10382964
    Abstract: In an example implementation, a method of controlling activity of a device includes concurrently detecting multiple unique device identifiers (UDIDs) within proximity of a primary device, and determining that the multiple UDIDs are associated with a primary device activity. The method includes performing the activity while the concurrent detection of the multiple UDIDs persists, and stopping the activity when the concurrent detection of the multiple UDIDs stops.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: August 13, 2019
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Syed S. Azam, Jason Huang, John M. Main, Michael Provencher
  • Patent number: 10375077
    Abstract: The disclosed computer-implemented method for mediating information requests may include (1) detecting, at the information-managing device, a request for the information-managing device to provide at least one element of personal information to a requesting device that is within physical proximity of the information-managing device, (2) evaluating, based at least in part on an attribute of the request, whether the request for the element of personal information is appropriate, and (3) performing a security action that responds to the request in a manner that is commensurate to the appropriateness of the request for the element of personal information. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: August 6, 2019
    Assignee: Symantec Corporation
    Inventors: Ilya Sokolov, Keith Newstadt
  • Patent number: 10367832
    Abstract: Methods and systems for monitoring network activity. Various embodiments may deploy virtual security appliances to a certain location or with a specific configuration based on data regarding previous attacks and attacker activity. Accordingly, the deployed virtual security appliance(s) are better suited to gather more useful behavior regarding threat actor behavior and attacks.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: July 30, 2019
    Assignee: Rapid7, Inc.
    Inventors: Paul Deardorff, Derek Abdine, Andreas Galauner, Mark Momburg
  • Patent number: 10356101
    Abstract: A computer system receives a first information detailing a TLS fingerprint. A computer system determines an amount of bad transactions associated with the TLS fingerprint, wherein a bad transaction is a transaction involved in one or more fraudulent activities. The computer system determines whether the amount of bad transactions associated with the TLS fingerprint exceeds a threshold amount.
    Type: Grant
    Filed: September 8, 2016
    Date of Patent: July 16, 2019
    Assignee: PayPal, Inc.
    Inventors: Yuval Arie Bercovich, Ido Kantor, Maayan Liat Zohar, Elad Bichman, Zahid Nasiruddin Shaikh
  • Patent number: 10354090
    Abstract: A method is provided, including establishing a plurality of context profiles for a user, at least one context profile is associated with: (i) subject areas pertinent to the at least one context profile; (ii) permissions identifying respective third parties with which personal information can be shared when the at least one context profile is active; (iii) permissions identifying what personal information can be shared with respective third parties when the at least one context profile is active; (iv) permissions identifying respective third parties that are permitted to contact the user when the at least one context profile is active; and (v) permissions identifying how respective third parties may contact the user when the at least one context profile is active; when the at least one context profile is active, operating in one of two or more modes (e.g., a regular mode or a discovery mode).
    Type: Grant
    Filed: October 2, 2015
    Date of Patent: July 16, 2019
    Assignee: Trunomi Ltd.
    Inventors: Stuart H. Lacey, Naresh Singhal, Douglas Cheline