Patents Examined by Khang Do
  • Patent number: 10686812
    Abstract: A device for detecting a manipulation to a program code, wherein the program code is configured to be executed from an execution environment on a computing system, is provided. The device includes a comparator unit which is configured to compare data of the program code with reference data in order to produce a comparison result if the execution environment conveys a termination command to the program code, and a detection unit which is configured to detect a manipulation of the program code on the basis of the comparison result. The device can prevent data, which is produced or used during the execution of a program code, from continuing to be used after termination of the program code if an attack or manipulation of the program code has occurred. A method is further proposed for detecting a manipulation to a program code.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: June 16, 2020
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 10681088
    Abstract: A computer identifies one or more privacy settings. The computer receives a query for information. The computer determines whether a response to the query satisfies the one or more privacy settings. If the computer determines that the response to the query does not satisfy the one or more privacy settings, the computer alters the response to satisfy the one or more privacy settings.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: June 9, 2020
    Assignee: International Business Machines Corporation
    Inventors: Yuk L. Chan, Heidi Lagares-Greenblatt, Deepti M. Naphade
  • Patent number: 10681080
    Abstract: A system and method for malware assessment of an unknown application file are provided. The system and method are particularly applicable to malware assessment for Android® operating system based applications. The malware assessment increases the confidence in an assessment that an application is benign or malware.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: June 9, 2020
    Assignee: NTT RESEARCH, INC.
    Inventor: Eric Chen
  • Patent number: 10681028
    Abstract: Disclosed are various embodiments for controlling access to data on a network. Upon receiving a request comprising a device identifier and at least one user credential to access a remote resource, the request may be authenticated according to at least one compliance policy. If the request is authenticated, a resource credential associated with the remote resource may be provided.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: June 9, 2020
    Assignee: VMWare, Inc.
    Inventors: John Marshall, Erich Stuntebeck
  • Patent number: 10673904
    Abstract: A computer identifies one or more privacy settings. The computer receives a query for information. The computer determines whether a response to the query satisfies the one or more privacy settings. If the computer determines that the response to the query does not satisfy the one or more privacy settings, the computer alters the response to satisfy the one or more privacy settings.
    Type: Grant
    Filed: November 4, 2015
    Date of Patent: June 2, 2020
    Assignee: International Business Machines Corporation
    Inventors: Yuk L. Chan, Heidi Lagares-Greenblatt, Deepti M. Naphade
  • Patent number: 10657230
    Abstract: Embodiments include methods, systems and computer program products for file management. Aspects include monitoring a device to determine an execution of a new process on the device. Based at least in part on the new process starting, a file system is monitored for the creation of a new file, wherein the new file includes one or more file characteristics. The one or more file characteristics are compared to a knowledge database to determine a file type for the new file, and the new file is associated with the new process based at least in part on determining the file type for the new file.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: May 19, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Tomasz Hanusiak, Konrad W. Komnata, Jaroslaw Osinski, Grzegorz Szczepanik
  • Patent number: 10637844
    Abstract: A browser application has at least two web browser objects for browsing Private PAIR while hiding multi-page navigation from a user. The browser application is configured to automatically download XML data from Private PAIR, and generate one or more reports therefrom, including a Daily Updates report, a Cross Checker report, and a Docket Listing report. The browser application is preferably configured to selectively provide limited access to Private PAIR by restricting user navigation to programmatic navigation.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: April 28, 2020
    Assignee: NIMVIA, LLC
    Inventors: Chad Dustin Tillman, Jeremy Cooper Doerre
  • Patent number: 10635787
    Abstract: Embodiments include methods, systems and computer program products for file management. Aspects include monitoring a device to determine an execution of a new process on the device. Based at least in part on the new process starting, a file system is monitored for the creation of a new file, wherein the new file includes one or more file characteristics. The one or more file characteristics are compared to a knowledge database to determine a file type for the new file, and the new file is associated with the new process based at least in part on determining the file type for the new file.
    Type: Grant
    Filed: April 19, 2017
    Date of Patent: April 28, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Tomasz Hanusiak, Konrad W. Komnata, Jaroslaw Osinski, Grzegorz Szczepanik
  • Patent number: 10623183
    Abstract: Embodiments of the invention provide a computer-implemented method for managing cryptographic objects in a key management system. This system comprises a set of one or more hardware security modules (HSMs), as well as clients interacting with the HSMs on behalf of users who interact with the clients. The method comprises monitoring, for each HSM of the set, an entropy pool and/or a load at each HSM. The entropy pool of a HSM is the entropy that is available at this HSM for generating cryptographic objects. The load induced at a HSM is the load due to the users interacting with the clients to obtain cryptographic objects. Cryptographic objects are generated, at each HSM, according to the monitored entropy pool and/or load. The extent to which such objects are generated depends on the monitored entropy pool and/or load.
    Type: Grant
    Filed: November 1, 2017
    Date of Patent: April 14, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Robert Birke, Mathias Björkqvist, Yiyu Chen, Mitch Gusat, Navaneeth Rameshan, Martin Schmatz
  • Patent number: 10623412
    Abstract: A method for preventing deactivation of online services in a vehicle. The method includes generating a configuration message that contains details of which online services that are active in the vehicle cannot be deactivated, wherein the generation takes place on a computer unit that is at least temporarily connected to the vehicle; transmitting the configuration message to the vehicle; reading the configuration message in the vehicle; and disabling the option of deactivating online services in the vehicle in accordance with the configuration message.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: April 14, 2020
    Assignee: Volkswagen AG
    Inventor: Matthias Gerlach
  • Patent number: 10614237
    Abstract: A database access control system is augmented to provide additional functionality to enable an external security device (e.g., an EDSM) to fully and accurately assess a database query against one or more security policies even when the EDSM is overloaded. To this end, a pair of channels is established between the ISA and the ESM, wherein the channel pair includes a first channel that is expected to have relatively low packet rate, and a second channel that is expected to have a relatively high packet rate. Packets representing initial session information (i.e., user information sent at the beginning of a user session) are directed to the first channel, whereas packets received following session establishment are directed to the second channel, because the latter are likely to be present during a potential overload scenario.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: April 7, 2020
    Assignee: International Business Machines Corporation
    Inventors: Leonid Rodniansky, Vladislav Langman, Tania Butovsky
  • Patent number: 10594783
    Abstract: A method, performed by a server device, may include receiving a request to activate an application session, the request being received from a user equipment on behalf of a particular application installed on the user equipment. The method may further include determining one or more application requirements associated with the particular application; determining conditions associated with one or more application servers; selecting a particular one of the one or more application servers based on the determined one or more application requirements and based on the determined conditions; and setting up the application session between the user equipment and the selected particular one of the one or more application servers.
    Type: Grant
    Filed: April 10, 2019
    Date of Patent: March 17, 2020
    Assignee: ATLASSIAN, INC.
    Inventors: Jay J. Lee, Patricia R. Chang, David Chiang, Deepak Kakadia, Vikram K. Rawat
  • Patent number: 10587485
    Abstract: In one example of federated mobile device management, a first management server federates with a second management server based on an exchange of one or more identity authentication certificates between them. After the first and second management servers have federated or affiliated, they can exchange mobile device management data, including compliance policies, rules, resources, etc., with each other. Based on a request from a client device for affiliated mobile device management, the first management server can request and receive device management data from the second management device. The first management server can evaluate the device management data received from the second management device for conformity with a baseline management policy. If it conforms, the first management server can use the device management data from the second management server, at least in part, to manage the client device.
    Type: Grant
    Filed: May 15, 2019
    Date of Patent: March 10, 2020
    Assignee: AIRWATCH LLC
    Inventors: Daniel Quintas, Anthony Kueh
  • Patent number: 10587400
    Abstract: A system, apparatus, and method for sharing network credentials. One embodiment of a method comprises: establishing a Bluetooth connection between a first Internet of Things (IoT) device and a mobile device of a first user having an IoT app installed, the mobile device to couple the first IoT device to an IoT service; receiving a request from a user from the mobile device to configure the first IoT device using network credentials from a second IoT device, the second IoT device registered with an account of the user on the IoT service and configured to connect to a secure network of the user with the network credentials; establishing a communication channel between the first IoT device and the second IoT device through the IoT service and the mobile device to obtain the network credentials; and using the network credentials at the first IoT device to securely connect to the secure network.
    Type: Grant
    Filed: February 12, 2018
    Date of Patent: March 10, 2020
    Assignee: Afero, Inc.
    Inventors: Scott Zimmerman, Joe Britt
  • Patent number: 10587417
    Abstract: Disclosed are a document encryption prompt method and system. The document encryption prompt method comprises: detecting text content of a target document, and if the text content of the target document comprises a preset sensitive word, determining that the document is a sensitive document; and prompting a user to encrypt the sensitive document. A document encryption prompt system comprises: a detecting unit and a prompting unit. The detecting unit is configured to detect text content of a target document, and if the text content of the target document comprises a preset sensitive word, determine that the document is a sensitive document; and the prompting unit is configured to prompt the user to encrypt the sensitive document. According to this application, a user does not need to manually determine whether to encrypt a document, and the user can be prompted in time to perform encryption processing on the document, thereby improving the security of the document.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: March 10, 2020
    Inventors: Yuntong Chao, Dizuo Ou, Zhishou Huang, Xupeng Huang, Xuewen Hong, Huan Liu, Yafei Li, Ting Fang
  • Patent number: 10579411
    Abstract: Systems herein allow a user to load a virtual work environment on a terminal, such as a workstation, based on authentication mechanisms built into a user device, such as a cell phone. The user device authenticates with a management server using an SAML token. The management server can track which virtual machines and configurations make up the user's work environment, and can send that information to the user device for loading the virtual machines. When the user wishes to load the virtual machines at a terminal, the user device can send the SAML token to the terminal for use in authenticating with the management server. The management server can then provide the configurations for the virtual machines that the user selects to load at the terminal.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: March 3, 2020
    Assignee: AIRWATCH, LLC
    Inventors: Suman Aluvala, Arvind Maan, Swarnadeep Banerjee
  • Patent number: 10572660
    Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.
    Type: Grant
    Filed: February 1, 2018
    Date of Patent: February 25, 2020
    Assignee: McAfee, LLC
    Inventors: Paritosh Saxena, Adrian M. M. T. Dunbar, Michael S. Hughes, John Teddy, David Michael Durham, Balaji Vembu, Prashant Dewan, Debra Cablao, Nicholas D. Triantafillou, Jason M. Surprise
  • Patent number: 10574451
    Abstract: Method and apparatus for a system to communicate via perfect forward secrecy. A deterministic hierarchy is used to generate public and private keys, offline, on distinct devices, for use with asymmetrical cryptography over an unsecure medium. Because each private key is not transmitted over the unsecure medium, but must be used to de-encrypt the communications, it is very difficult for man-in-the-middle attacks to de-encrypt the communications. Because each private key is generated according to a deterministic hierarchy, a master entity can recreate the private keys and passively monitor the communications while maintaining perfect forward secrecy.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: February 25, 2020
    Assignee: Bank of America Corporation
    Inventors: Amanda Jane Adams, Ben Lightowler
  • Patent number: 10574484
    Abstract: A method for implementing a residential gateway service function, and a server are disclosed. The method may include: receiving, by a server, a data packet forwarded by a residential gateway (RGW) or a network side; identifying, by the server, a service type of the data packet according to information carried in the data packet; and providing, by the server, based on the service type of the data packet, a virtual residential gateway service for a user terminal connected to the RGW.
    Type: Grant
    Filed: February 17, 2016
    Date of Patent: February 25, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yun Ma, Jian Li, Guangyu Sun, Xi Yang
  • Patent number: 10567440
    Abstract: A method of creating micro-segmentation policies for a network is provided. The method identifies a set of network nodes as seed nodes. The method monitors network packet traffic flows for the seed nodes to collect traffic flow information. The method identifies a set of related nodes for the set of seed nodes based on the collected network flow information. The method analyzes the collected network flow information to identify micro-segmentation policies for the network.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: February 18, 2020
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Anirban Sengupta, Subrahmanyam Manuguri, Sunitha Krishna, Jerry Pereira