Abstract: A user terminal generates a first key pair and a second key pair, transmits a permission request including a public encryption key of the second key pair after electronically signing the permission request with a secret encryption key, and acquires, from permission information transmitted from a right-holder terminal, a content decryption key by using a secret decryption key of the second key pair and uses the content. The right-holder terminal stores a third key pair and the content decryption key, verifies the permission request received, and encrypts the content decryption key by using the public encryption key of the second key pair included in the permission request and transmits the permission information including the encrypted content decryption key after electronically signing the permission information with a secret encryption key of the third key pair. The permission request and the permission information are transmitted and received via a blockchain.

Abstract: The present disclosure discloses an information processing method, including the steps of acquiring at least one executable file of a specified type; extracting a first operation instruction from the at least one executable file of the specified type; determining the first operation instruction as a feature instruction if a preset policy is met; extracting a feature value of the feature instruction; constructing a virus classification model based on the feature value of the feature instruction for obtaining a virus structural feature parameter; extracting a second operation instruction from at least one to-be-analyzed file when the at least one to-be-analyzed file is identified according to the virus classification model; and identifying the to-be-analyzed file as a virus file if the feature value of the second operation instruction corresponds to the virus structural feature parameter.

Abstract: A single architected instruction to perform multiple functions is executed. The executing includes performing a first function of the multiple functions and a second function of the multiple functions. The first function includes moving a block of data from one location to another location, and the second function includes setting one portion of a storage key using one selected key and another portion of the storage key using another selected key. The storage key is associated with the block of data and controls access to the block of data. The first function and the second function are performed as part of the single architected instruction.

Abstract: A method and system for providing invitation links with enhanced protection are presented. The method includes sending, to at least one invitee, at least one invitation link for accessing the protected resource, wherein the at least one invitation link includes a secret invitation code encoded therein, wherein the secret invitation code is unique to each invitee, the invitation link is sent to the at least one invitee through a primary communication channel; upon detecting an attempt to access the at least one invitation link, determining whether the encoded secret invitation code matches a known secret invitation code; upon determining that the secret invitation code matches the known secret invitation code, performing a verification process to authenticate the invitee via a secondary channel of communication; and upon determining that the verification process has been passed, granting access to the protected resource.

Abstract: A device obtains proof of its authority to use a first set of selectively activated features (first proof). An authorization server signs the first proof with its private key. The device sends a request to use a network service to a network node. The device sends the first proof to the network node. The network node validates the first proof using a public key of the authorization server. The network node grants the request to use the network service. The device sends a request for proof of authority for the network node to provide the network service (second proof). The device obtains the second proof, signed by another authorization server, and validates the second proof before using the network service. The first proof and the second proof each include a list of selectively activated features, where the selectively activated features are needed to use or provide the network service.

Abstract: A RFID tag (501), reader (502) and protocol allow a protected read operation in a two-step tag authentication with cipher-block cryptography. A challenge-response mechanism using a shared secret symmetric key (638) for tag authentication includes a challenge and information to read data from a tag's memory (637). Tag's response to the challenge-response mechanism includes the response to the reader's challenge and data from the tag's memory. A method embeds a protected write operation in a four-step reader authentication with cipher-block cryptography. The protocol allows a challenge-response mechanism using the shared secret symmetric key for reader authentication including a challenge and information to write data to the tag's memory. Reader's response to the challenge-response mechanism includes a response to the tag's challenge and data for writing to the tag's memory.

Abstract: The invention relates to a data isolation system for targeted services. The system includes separate ID management systems used by data holders, service providers and additional parties. The ID management systems reconcile IDs between the systems without sending restricted information from a data holder or other party. In some embodiments, the system may reconcile separate third party IDs to determine common people or entities represented by the IDs.

Abstract: A security server receives a full hash and a set of subhashes from a client. The security server determines that the full hash is whitelisted. The security server updates, for each subhash in the set of subhashes, an associated clean count. The security server adds a subhash to a subhash whitelist responsive to an associated clean count exceeding a threshold. The security server receives a second set of subhashes. The security server determines whether at least one of the subhashes in the second set of subhashes is included in the subhash whitelist. The security server reports to the client based on the determination.

Abstract: Systems and methods for controlling privileged operations. The system and method may comprise the steps of: providing a kernel module having a kernel authorization subsystem, the kernel module being loadable to a client computer system and configured to intercept file operations, wherein the kernel authorization subsystem may manage authorization of the one or more file operations; registering a listener for the kernel authorization subsystem; monitoring the file operations for a file access, and calling the registered listener by the kernel authorization subsystem when the kernel authorization subsystem detects the file access; calling a privileged daemon by the kernel module, when identifying the file access; and checking a policy, by the privileged daemon, and determining, based on the policy, whether at least one applied rule is applicable. If the at least one applied rule is applicable, the privileged daemon may initialize a launcher module, which may launch the target application.

Abstract: A network device may determine that network traffic for a communication session between a first peer device and a second peer device is to be protected using a security protocol suite. The network device may establish, using one or more tunnels, multiple security associations that are to be used to securely provide the network traffic of the communication session over an unsecured medium. The network device may determine a rekey scheduling time for each security association, of the multiple security associations, based on a combination of configuration information and dynamic network device information. The network device may perform, at each rekey scheduling time, a rekeying procedure to rekey each security association of the multiple security associations.

Abstract: Systems and methods for operating a computing system. The methods comprise: obtaining, by a first computing device, an original Security Identifier (“SID”); transforming, by the first computing device, the original SID into a composite SID by modifying the original SID to include at least (a) an SID format value indicating a structural format of an SID and (b) a pointer specifying a memory location at which non-SID authentication information is stored or a customer number indicating an entity to which a user is associated; and using the composite SID by the first computing device during SID based operation.

Abstract: In an exemplary process, while a device is in a locked state, a lock screen interface including a camera icon is displayed on a touch-sensitive display. A gesture is detected on the touch-sensitive display. In response to a determination that the gesture is on the camera icon and meets predetermined activation criteria, the lock screen interface ceases to be displayed and an interface for a camera application displayed. In response to a determination that the gesture starts at a location on the touch-sensitive display other than the camera icon and includes movement in a first direction, the lock screen interface ceases to be displayed and an unlocked user interface with access to a plurality of applications is displayed.

Abstract: An online service may maintain or create data for a user, and a user may be allowed to exert control over how the data are used. In one example, there may be several categories of data, and the user may be able to specify who may use the data, and the purpose for which the data may be used. Additionally, a user may be able to see how many of his “friends” (or other contacts) have extended trust to a particular entity, which may aid the user in making a decision about whether to extend trust to that entity. User interfaces may be provided to allow users to specify how their data are to be used.

Abstract: A content distribution system includes content receivers that provide a plurality of blockchain databases that store transaction records associated with subscriber requests for content, and a computer system that processes those transaction records and enables authorized content receivers to output requested content.

Abstract: One embodiment provides a system that facilitates efficient and transparent encryption of packets between a client computing device and a content producing device. During operation, the system receives, by a content producing device, an interest packet that includes a masked name which corresponds to an original name, wherein the original name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level. The system obtains the original name based on the masked name. The system computes a symmetric key based on the original name and a generated nonce. The system generates a content object packet that corresponds to the original name and includes the masked name, the nonce, and a payload encrypted based on the symmetric key, wherein the content object packet is received by a client computing device.

Abstract: The improved detection of malicious processes executing on a networked computing device is provided. An agent running on the networked computing device monitors the communications transmitted to devices outside of the network to determine whether the process is likely using a periodic beacon signal to communicate with an external control center associated with a potentially malicious party. The agent maintains a dictionary data structure of objects, identifiable by the process identifier and the remote device's address, to track a given process/destination group's communication history. The communication history is updated when new messages are identified for periodic patterns to be identified for the messages, which may be used to identify a process as potentially malicious.

Abstract: Protecting a fragment of a document includes automatically detecting the fragment without user intervention based on the content of the fragment and/or the context of the fragment within a set of documents, selectively encrypting the fragment to prevent unauthorized access, and providing an alternative view of the fragment that prevents viewing and access of content corresponding to the fragment unless a decryption password is provided. Automatically detecting the fragment may include detecting numbers and alphanumeric sequences of sufficient length that do not represent commonly known abbreviations, detecting generic terms, detecting proper names, detecting terms signifying a type of content, detecting mutual location of terms and sensitive content, and/or detecting user defined terms. The generic terms may correspond to password, passcode, credentials, user name, account, ID, login, confidential, and/or sensitive. The proper names may be names of financial organizations and security organizations.

Abstract: At an electronic computing device, a first memory footprint is obtained for a protected computer. The protected computer is monitored with the electronic computing device. At the electronic computing device, a second memory footprint is obtained for the protected computer. The first memory footprint is compared with the second memory footprint. When the first memory footprint does not match the second memory footprint, a security alert is initiated for the protected computer.

Abstract: The disclosure provides a method for protecting PIN code on Android platform, including: introducing, by Java layer, start event to C layer after invoked by upper layer; invoking, by C layer, Java layer via JNI to generate a password-storage-class-instance after receiving start event, and invoking Java layer after receiving a handle returned by Java layer to monitor input from user; storing, by Java layer, PIN code data into a instance memory when Java layer monitors PIN code data from user, updating storage location identification, and introducing encrypting event to C layer; introducing, by Java layer, confirming event to C layer when Java layer monitors confirmation information from user; accessing, by C layer, the instance via handle to encrypt the PIN code data when receiving encrypting event; and accessing, by C layer, the instance via handle to decrypt the encrypted data in instance memory to obtain PIN code.

Abstract: An authentication system includes first and second terminals, and an authentication subsystem. The authentication subsystem: generates a first token based on reception of a code image authentication start request, generates and stores a code image key in association with the first token, generates and stores a code image including the code image key at a URL of the storage unit, transmits the first token and the URL to the first terminal, registers the received first token as a key in an information transmitting and receiving unit, checks whether a received ID of the second terminal is a unique ID, when the received unique ID of the second terminal is the unique ID, checks whether the received code image key is stored in the storage unit, and transmits a first response code to the information transmitting and receiving unit using, as a key.