File Protection Patents (Class 713/165)
  • Patent number: 11089019
    Abstract: Techniques for session security. Information corresponding to an electronic device used to access a resource is gathered. The information uniquely identifies the electronic device. Subsequent accesses to the resource during the session are monitored to determine whether changes occur to the information. A security action is taken in response to a change in the information.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: August 10, 2021
    Assignee: salesforce.com, inc.
    Inventor: Paul Anthony Mason
  • Patent number: 11070535
    Abstract: A system and method are provided for the secure sharing of information across an open network and for performing management of keys used for encrypting and decrypting data.
    Type: Grant
    Filed: March 16, 2020
    Date of Patent: July 20, 2021
    Assignee: PKWARE, INC.
    Inventor: Yuri Basin
  • Patent number: 11062299
    Abstract: A system to indicate to a user to enter a personal identification number (PIN) on a commercial off the shelf (COTS) device, the system comprising: a secure card reader communicatively coupled to the COTS device, and wherein the secure card reader receives a payment card; a payment application installed on the COTS device; and one or more devices other than the COTS device. The payment application installed on the COTS device transmits one or more prompts to the one or more devices other than the COTS device based on a set of signals received from the secure card reader. The secure card reader transmits the set of signals after the payment card is received at the secure card reader, and the one or more prompts comprise at least one indication to the user to enter the PIN on a display of the COTS device.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: July 13, 2021
    Assignee: BBPOS LIMITED
    Inventors: Hwai Sian Tsai, Chi Wah Lo
  • Patent number: 11063744
    Abstract: Techniques and solutions are described for recording document transactions in a blockchain. Document transactions can include sending or receiving a document, or various workflow steps involving a document. Other steps in a workflow that includes a document can be recorded in the blockchain. Blockchain entries related to a document can include a unique identifier of the document, such as a hash value. When a document is sent between two computing systems, the document can be encrypted using a public encryption key of the receiving computing system. Sending and receiving of documents, and recording of blockchain transactions, can be facilitated by an intermediary service. A service providing recording of blockchain transactions can abstract recording details from applications calling the service. A party having the unencrypted document, or the unique document identifier (such as legitimately retaining or receiving the identifier), can retrieve a transaction history of the document from the blockchain.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: July 13, 2021
    Assignee: SAP SE
    Inventor: Markus Schmidt-Karaca
  • Patent number: 11057358
    Abstract: Aspects described herein are directed to the concealment of customer sensitive data in virtual computing arrangements. A local computing platform may receive an object including a customer sensitive object name from a user computing device operating on a same internal domain as the local computing platform. The local computing platform may conceal the customer sensitive object name from a virtual computing platform operating on a domain external from the internal domain. The local computing platform may provide the concealed object name to the virtual computing platform for facilitating object enumeration requests from the user computing device during virtual computing sessions. During a virtual computing session between the user computing device and virtual computing platform, the local computing platform may receive the concealed object name from the user computing device and may perform one or more operations to reveal the object name to the user computing device.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: July 6, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: Simon Frost, William Charnell
  • Patent number: 11050849
    Abstract: A computer system for verifying vehicle software configuration may be provided. The computer system may include a processor and a non-transitory, tangible, computer-readable storage medium having instructions stored thereon that, in response to execution by the processor, cause the processor to: (1) retrieve a trusted data block from a memory, the trusted data block including a stored configuration hash value, a smart contract code segment, and a failsafe code segment; (2) generate a current configuration hash value based on at least one software module by executing the smart contract code segment; (3) determine that the current configuration hash value is invalid based on the stored configuration hash value by executing the smart contract code segment; and/or (4) execute the failsafe code segment, in response to determining that the current configuration hash value is invalid.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: June 29, 2021
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Matthew Lewis Floyd, Leroy Luther Smith, Jr., Brittney Benzio, Nathan Barnard, Shannon Marie Lowry
  • Patent number: 11044076
    Abstract: The technology includes processes, computer program products, and systems for encrypted data processing. In a system of the technology, an arithmetic logic unit is arranged to receive encrypted data presented at said inputs, generate encrypted data based upon data presented at said inputs and provide said generated encrypted data to said output. The arithmetic logic unit performs operations on encrypted data and the processor does not require encryption or decryption to be carried out within it.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: June 22, 2021
    Assignee: Hecusys, LLC
    Inventor: Peter Breuer
  • Patent number: 11042652
    Abstract: Various embodiments are generally directed to techniques for multi-domain memory encryption, such as with a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a multi-domain encryption system that provides one or more of memory encryption, integrity, and replay protection services to a plurality of cryptographic domains. In one embodiment, for example, an apparatus may comprise a memory and logic for an encryption engine, at least a portion of the logic implemented in circuitry coupled to the memory. In various embodiments, the logic may receive a memory operation request associated with a data line of a set of data lines stored in a protected memory separate from the memory.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: June 22, 2021
    Assignee: INTEL CORPORATION
    Inventors: Siddhartha Chhabra, David M. Durham
  • Patent number: 11042453
    Abstract: Provided is a database journaling method and apparatus for storing a log file in a storing apparatus by performing a lesser number of record commands to decrease a volume of data to be input and output by the storing apparatus, and the database journaling method may include determining whether a database is changed based on an operation performed on data in the database, generating a log file including log entries for the database when the database is changed, and performing journaling on the database by storing the generated log file in a storing apparatus, wherein each of the log entries includes a log record in which the data associated with a change of the database is stored, and metadata for the log record is recorded in a predetermined area embedded in the log record.
    Type: Grant
    Filed: December 7, 2016
    Date of Patent: June 22, 2021
    Assignees: IUCF-HYU(Industry-University Cooperation Foundation Hanyang University), UNIST(ULSAN NATIONAL INSTITUTE OF SCIENCE AND TECHNOLOGY)
    Inventors: You Jip Won, Beom Seok Nam
  • Patent number: 11042653
    Abstract: In some embodiments, a first device may generate a data block for an ordered set of data blocks such that the data block is cryptographically chained to a given data block preceding the data block in the ordered set. The first device may obtain an encryption key used to encrypt information related to the data block, and use group members' keys to encrypt the encryption key to generate a group key. As an example, the group's members may include a first member associated with the first device and other members. The keys used to encrypt the encryption key may include the other members' keys. The first device may transmit the ordered set and the group key to a communication resource (e.g., accessible by the members). Other devices (associated with the other members) may use the ordered set and the group key to obtain content related to the ordered set.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: June 22, 2021
    Assignee: TOPIA TECHNOLOGY, INC.
    Inventors: John Haager, Cody Sandwith, Janine Terrano, Prasad Saripalli
  • Patent number: 11036546
    Abstract: Examples herein describe techniques for generating dataflow graphs using source code for defining kernels and communication links between those kernels. In one embodiment, the graph is formed using nodes (e.g., kernels) which are communicatively coupled by edges. A compiler converts the source code into a bit stream and/or object code which configures a heterogeneous processing environment of a SoC to execute the graph. Before implementing the dataflow graph on the SoC, the programmer may wish to simulate the dataflow graph. In one embodiment, each kernel in the dataflow graph is assigned a respective thread. Additionally, the simulator can include a runtime library for simulating the different types of communication links between the kernels. Even though these communication links are different protocols or have different semantics, using the simulation components in the library makes the different types of communication links composable so they can inter-operate in the same simulation environment.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: June 15, 2021
    Assignee: XILINX, INC.
    Inventors: Kumud Bhandari, Ajit K. Agarwal
  • Patent number: 11032109
    Abstract: This invention is directed to a communication processing apparatus that secures a safe connection from a non-IP-connection device to an IP-connection cloud (server). This communication processing apparatus includes a first connection unit that connects devices, a second connection unit that connects to servers, a switching unit that switches connections of the devices and the servers between the first connection unit and the second connection unit, a determiner that determines whether connection of a device to the first connection unit is permitted or unpermitted, and a connection controller that controls the switching unit in accordance with a determination result from the determiner.
    Type: Grant
    Filed: February 13, 2017
    Date of Patent: June 8, 2021
    Assignee: NEC CORPORATION
    Inventor: Takeshi Hayashi
  • Patent number: 11010386
    Abstract: The present disclosure relates to a method for processing queries in a database system having a first database engine and a second database engine. The method includes: encrypting at least one predefined column of a first instance of a first table, resulting in a second instance of the first table containing at least part of the data of the first table in encrypted format. It may be determined whether to execute a received query in the first database engine on the first instance of the first table or in the second database engine on the second instance of the first table, where the determination involves a comparison of the query with encryption information.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: May 18, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Felix Beier, Nicole Finnie, Namik Hrle, Jens Mueller
  • Patent number: 10990671
    Abstract: An apparatus includes a single board computer comprising a processing device. The apparatus also includes a touch screen display coupled to the single board computer. The apparatus further includes at least one interface configured to be coupled to a storage device. The processing device is configured to detect the storage device, perform a check-in process for the storage device, and generate a result of the check-in process for display on the touch screen display. To perform the check-in process, the processing device is configured to scan the storage device to identify any malware contained on the storage device, digitally sign one or more clean files on the storage device, and modify a file system of the storage device.
    Type: Grant
    Filed: January 12, 2018
    Date of Patent: April 27, 2021
    Assignee: Honeywell International Inc.
    Inventors: Chandra Tutika, Jency Joy Plakkuzhyil, Ricardo Cavallaro
  • Patent number: 10984323
    Abstract: Automatically estimating a sensitivity level of an information technology (IT) asset in one aspect may obtain information about an asset. Characteristics of the asset assigned based on the information may be compared with stored characteristics of known sensitive assets. A sensitivity level of the asset may be determined based on the comparing.
    Type: Grant
    Filed: August 9, 2013
    Date of Patent: April 20, 2021
    Assignee: International Business Machines Corporation
    Inventors: Suresh N. Chari, Christopher Gates, Stephen C. Gates, Youngja Park, Wilfried Teiken
  • Patent number: 10986416
    Abstract: In some embodiments, an electronic device obtains first motion information describing motion of an accessory of a multi-user device that is in communication with a display, and obtains second motion information describing motion of a user device that is associated with a first profile, wherein the motions of the accessory and the user device are detected during the first time period. In response to obtaining the first motion information of the accessory and/or the second motion information of the user device, in accordance with a determination that the motion of the accessory and the motion of the user device satisfy profile-switching criteria, including a criterion that is satisfied when the motion of the accessory and the motion of the user device have corresponding movement profiles during the first time period, the electronic device optionally initiates a process for configuring the multi-user device based on the first profile.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: April 20, 2021
    Assignee: Apple Inc.
    Inventor: Lu Zhao
  • Patent number: 10984322
    Abstract: Automatically estimating a sensitivity level of an information technology (IT) asset in one aspect may obtain information about an asset. Characteristics of the asset assigned based on the information may be compared with stored characteristics of known sensitive assets. A sensitivity level of the asset may be determined based on the comparing.
    Type: Grant
    Filed: July 11, 2013
    Date of Patent: April 20, 2021
    Assignee: International Business Machines Corporation
    Inventors: Suresh N. Chari, Christopher Gates, Stephen C. Gates, Youngja Park, Wilfried Teiken
  • Patent number: 10972484
    Abstract: One or more malware data pipelines is configured to provide malware data that includes original data fields identifying information for detected malware instances and corresponding files that are associated with the detected malware instances. Malware enrichment circuitry is configured to identify additional information to include in enriched data fields for the detected malware instances, the additional information being identified from one or more of: the original data fields, the corresponding files, and one or more third party services. A datastore is configured to store the malware data with the original data fields and the enriched data fields, wherein the datastore includes indices for both the original data fields and the enriched data fields to permit for searching and analysis across the original data fields and the enriched data fields.
    Type: Grant
    Filed: June 4, 2018
    Date of Patent: April 6, 2021
    Assignee: Target Brands, Inc.
    Inventor: Allen M. Swackhamer
  • Patent number: 10956321
    Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.
    Type: Grant
    Filed: January 6, 2019
    Date of Patent: March 23, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Niels T. Ferguson, Yevgeniy Anatolievich Samsonov, Kinshumann, Samartha Chandrashekar, John Anthony Messec, Mark Fishel Novak, Christopher McCarron, Amitabh Prakash Tamhane, Qiang Wang, David Matthew Kruse, Nir Ben-Zvi, Anders Bertil Vinberg
  • Patent number: 10956582
    Abstract: Systems and methods for secure storage of encrypted data on a distributed computing platform are disclosed. Exemplary implementations may: obtain data to be encrypted and securely stored; split the data into a set of data portions; receive, from a set of storage servers, a set of cryptographic keys; combine the set of cryptographic keys with one or more elements of client information to create a set of encryption keys to be used for encrypted communication; encrypt the set of data portions using the set of encryption keys; create one or more storage-request messages intended for the set of storage servers; post the one or more storage-request messages to the distributed ledger; and receive a set of confirmation messages that confirm storage of individual ones of the encrypted set of data portions such that an individual confirmation message confirms storage of an individual encrypted data portion.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: March 23, 2021
    Assignee: Alchemy Limited, LLC
    Inventor: Peter Joseph Vessenes
  • Patent number: 10949567
    Abstract: Responding to a data subject access request includes receiving the request and identifying the requestor and source. In response to identifying the requestor and source, a computer processor determines whether the data subject access request is subject to fulfillment constraints, including whether the requestor or source is malicious. If so, then the computer processor denies the request or requests a processing fee prior to fulfillment. If not, then the computer processor fulfills the request.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: March 16, 2021
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jason L. Sabourin, Jonathan Blake Brannon, Mihir S. Karanjkar, Kevin Jones
  • Patent number: 10942816
    Abstract: The disclosed computer-implemented method for dynamically adjusting a backup policy may include accessing a media file, evaluating an objective criterion of a difficulty to reproduce the media file to generate a difficulty rating, comparing the difficulty rating of the media file to an existing difficulty rating for at least one previous media file, and adjusting a backup policy for the media file based on the comparison of the difficulty rating. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: March 9, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Lei Gu, Ilya Sokolov
  • Patent number: 10944762
    Abstract: A method, system and computer-usable medium for generating a user behavior profile, comprising: monitoring user interactions between a user and an information handling system; converting the user interactions and the information about the user into electronic information representing the user interactions; generating a unique user behavior profile based upon the electronic information representing the user interactions and the information about the user; storing information relating to the unique user behavior profile within a user behavior profile repository; and, storing information referencing the unique user behavior profile in a user behavior blockchain.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: March 9, 2021
    Assignee: Forcepoint, LLC
    Inventor: Richard A. Ford
  • Patent number: 10929537
    Abstract: The present disclosure pertains to methods and systems for protecting data or other resources from malware. A driver executing in kernel mode of an operating system on a computing device may monitor one or more processes allowed to execute on the computing device. The one or more processes may include a first executing process. The driver may detect an attempt by a first thread of execution of the first executing process to access a protected file. The driver, responsive to the detection, may identify a file type of the protected file. The driver, responsive to the identification of the file type, may determine whether the process is in a list of processes allowed for the file type. The driver may, responsive to determination, determine whether to deny or allow the first thread to access the protected file while allowing another thread of the executing process to execute on the computing device.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: February 23, 2021
    Assignee: Digital Guardian, Inc.
    Inventor: Dwayne A. Carson
  • Patent number: 10922273
    Abstract: A method of searching encrypted files includes a client computing device selecting a specific keyword to search a plurality of encrypted files stored at a server computing device and if the specific keyword has not been previously used to search the plurality of encrypted files, the method further includes using an encrypted keyword index stored at the server computing device to identify one or more encrypted files of the plurality of encrypted files that contain the specific keyword based upon keyword-file relationships stored in the encrypted keyword index.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: February 16, 2021
    Assignee: University of South Florida
    Inventors: Minh Thang Hoang, Muslum Ozgur Ozmen, Attila Altay Yavuz
  • Patent number: 10922183
    Abstract: Various methods and systems for in-place unformatting of disks are provided. The system includes a preparation component configured for creating a backup file on the disk and a preformatting component for using the backup file to occupy a predetermined location that defines a backup zone on the disk. The backup file is a space-holder such that the preformatting component copies primal data and file table data to the backup zone. The system further includes a formatting component for formatting the disk storing the primal data and the file table and an unformatting component that copies the primal data and file table data from the backup zone back to their original locations to unformat the disk to a preformat configuration. A safeguard component may also be implemented to ensure that the preformat component is invoked before the format component if the preparation component was executed on a volume.
    Type: Grant
    Filed: February 11, 2014
    Date of Patent: February 16, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: David Allen Goebel, Ioan Oltean
  • Patent number: 10924404
    Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.
    Type: Grant
    Filed: January 10, 2019
    Date of Patent: February 16, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Deepak Bansal, Parveen Patel, Albert Greenberg
  • Patent number: 10924486
    Abstract: A method, system and computer program product for secure access management for tools within a secure environment. A virtual file system for a user in memory on a server side in the secure environment is accessed as part of an authenticated user session including a user command instigated by a user. At the virtual file system, an encrypted file stored in the secure environment is obtained, where the file is encrypted using a public key of a user. A read operation at the virtual file system of the encrypted file is intercepted and the encrypted file is sent to a client at a user system external to the secure environment over a secure connection for decryption by a remote cryptography device of the user system using the user's private key. The decrypted file is then received at the virtual file system enabling the user to run the required user command.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: February 16, 2021
    Assignee: International Business Machines Corporation
    Inventors: Olgierd Pieczul, Jinhui Wang
  • Patent number: 10915609
    Abstract: A system and methods for securing an application package of a software application prior to installation and during the usage of the software application on mobile device is disclosed. The system comprises an application server configured for communicating the application package to a security server. The security server comprises one or more modules for adding multiple layers of security into the application package prior to recompilation and installation on mobile device. Further, the security server is configured for monitoring the application during runtime on the mobile device for detecting any abnormal environment and/or malware. The security server further communicates an alert to the user of the mobile device, a developer at the application server and blocks the application from usage. Various other embodiments are disclosed herein.
    Type: Grant
    Filed: August 1, 2018
    Date of Patent: February 9, 2021
    Inventors: Giuseppe Porcelli, Aatral Arasu Ramakrishnan
  • Patent number: 10917389
    Abstract: Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a trusted tunnel bridge and from a first application executing in a first network, a first encrypted data packet, where the first encrypted data packet includes an encrypted portion of data, and a destination device identifier (DDI). The method further includes determining, by the trusted tunnel bridge, a particular device in a second network and associated with the DDI included in the first encrypted data packet. The method further includes sending, by the trusted tunnel bridge directly to the particular device, the first encrypted data packet.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: February 9, 2021
    Assignee: SPLUNK INC.
    Inventors: Jesse Chor, Michael Emery
  • Patent number: 10904256
    Abstract: Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: January 26, 2021
    Inventor: Ernest Brickell
  • Patent number: 10902138
    Abstract: One embodiment provides a storage management system. During operation, the system identifies a data file of a user. The system obtains an encrypted client registry from a primary cloud provider in a plurality of cloud providers that provide cloud storage to the user and retrieves a key associated with a device of the user by decrypting the encrypted client registry using a hash of a password associated with the user. The system obtains credentials of the plurality of cloud providers by decrypting a locally stored cloud configuration using the key and generates a plurality of coded fragments from the data file based on a generator matrix of erasure encoding. The number of coded fragments is determined based on a number of the cloud providers associated with the user. The system selects a respective coded fragment for uploading to a corresponding cloud provider in the plurality of cloud providers.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: January 26, 2021
    Assignee: PhazrlO Inc.
    Inventors: Chi-Kwan J. Cheung, Donald C. D. Chang, Juo-Yu Lee, Steve K. Chen, Tzer-Hso Lin
  • Patent number: 10902095
    Abstract: To resolve a conflict between CMIS secondary types and certain ECM features such as content server categories, and allow the underlying ECM system to be fully CMIS-compliant, an ECM-independent ETL tool comprising a CMIS-compliant, repository-specific connector is provided. Operating on an integration services server at an integration tier between an application tier and a storage tier where the repository resides, the connector is particularly configured to support CMIS secondary types and specific to the repository. On startup, the connector can import any category definition from the repository. The category definition contains properties associated with a category in the repository. When the category is attached to a document, the properties are viewable via a special category object type and a category identifier for the category. Any application can be adapted to leverage the ECM-independent ETL tool disclosed herein.
    Type: Grant
    Filed: October 21, 2019
    Date of Patent: January 26, 2021
    Assignee: Open Text SA ULC
    Inventors: Alexander Lilko, Martin Brousseau
  • Patent number: 10896257
    Abstract: In an embodiment, a secure boot method comprises writing a wrapped data encryption key (DEK) and a wrapped key encryption key (KEK) onto a label of a wrapped operating system image prior to uploading the wrapped operating system image to a virtual data center using one or more computing devices.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: January 19, 2021
    Assignee: VMware, Inc.
    Inventors: Jason A. Lango, Adam Cain, Nitin Bahadur, John K. Edwards, Kevin George, William McGovern, Andrew G. Tucker
  • Patent number: 10885182
    Abstract: A system for controlling file access on a mobile computing device. Policy conditions are held at a policy decision point (PDP) and can be dynamically modified at run-time. Access requests to a file or set of files are intercepted by an agent that subsequently brokers the adjudication of said request via a secure, encrypted and hidden back-channel where the requestor is never allowed access to or knowledge of either the adjudication process or the parameters associated with adjudication. The PDP then returns either an access approval or denial based on said policy conditions.
    Type: Grant
    Filed: September 19, 2018
    Date of Patent: January 5, 2021
    Assignee: Sequitur Labs, Inc.
    Inventors: Philip Attfield, Paul Chenard, Simon Curry, Vincent Ting, Michael Thomas Hendrick, Julia Narvaez, Mark Reed, Daniel Schaffner, Robert Komar
  • Patent number: 10880342
    Abstract: This disclosure relates to a communication network within which devices participating in a communication session dynamically switch between sending media streams to a participating network device through one of multiple communication channel options. For instance, when establishing a communication session (e.g., a video conference), a sending network device establishes two potential communication channels with a receiving network device participating in the communication session. The sending network device determines which of the two potential communication channels is best suited for providing a media stream related to the communication session (e.g., an audio and/or video media stream), and assigns that communication channel as an active communication channel over which the sending network device provides the media stream to the receiving network device.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: December 29, 2020
    Assignee: JIVE COMMUNICATIONS, INC.
    Inventors: Simon Perreault, Michael Sharp
  • Patent number: 10868674
    Abstract: Techniques for managing data stored within a database, such as a decentralized database, are provided. Some techniques involve managing some data within a lower-trust database and some other data within a higher-trust database. A higher-trust database may be a decentralized database including a blockchain. A lower-trust database may store references to data within the blockchain, and optionally other data in association with those references. Disclosed techniques include WHERE clause query handling in databases with reference values, replacement of distinct data in a relational database with a distinct reference to that data, number line storing for secure indexing, APIs for databases, and consensus operations for private blockchain networks.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: December 15, 2020
    Assignee: ALTR Solutions, Inc.
    Inventors: James Douglas Beecham, Justin W. Fly, Christopher Edward Struttmann, Scott Nathaniel Goldfarb, Jackson Chaiken, Thomas Daly, Judson Benton Locke, Mark Snellman
  • Patent number: 10868855
    Abstract: This disclosure is directed to embodiments of systems and methods for containerizing files and managing policy data applied to the resulting containers. In some of the disclosed embodiments, a computing system determines that a file stored in a storage medium is to be included in a container to be sent to at least one computing component associated with a device including a user interface. The computing system determines that the file is of a particular type and also determines code that can be used to access files of the particular type. The computing system combines the file and the code into the container such that the container is configured to be executed by the at least one computing component so as to cause content of the file to be presented by the user interface. The computing system then sends the container to the at least one computing component.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: December 15, 2020
    Assignee: Citrix Systems, Inc.
    Inventors: Nandikotkur Achyuth, Satish Vanahalli, Arnav Akhoury
  • Patent number: 10860087
    Abstract: A method and an apparatus for processing a screen by using a device are provided. The method includes obtaining, at the second device, a display screen displayed on the first device and information related to the display screen according to a screen display request regarding the first device, determining, at the second device, an additional screen based on the display screen on the first device and the information related to the display screen, and displaying the additional screen near the display screen on the first device.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: December 8, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Myung-sik Kim, Su-jung Bae, Moon-sik Jeong, Sung-do Choi
  • Patent number: 10860537
    Abstract: Embodiments are directed towards managing and tracking item identification of a plurality of items to determine if an item is a new or existing item, where an existing item has been previously processed. In some embodiments, two or more item identifiers may be generated. In one embodiment, generating the two or more item identifiers may include analyzing the item using a small item size characteristic, a compressed item, or for an identifier collision. The two or more item identifiers may be employed to determine if the item is a new or existing item. In one embodiment, the two or more item identifiers may be compared to a record about an existing item to determine if the item is a new or existing item. If the item is an existing item, then the item may be further processed to determine if the existing item has actually changed.
    Type: Grant
    Filed: July 28, 2017
    Date of Patent: December 8, 2020
    Assignee: Splunk Inc.
    Inventors: Amritpal Singh Bath, Mitchell Neuman Blank, Jr., Vishal Patel, Stephen Phillip Sorkin
  • Patent number: 10853457
    Abstract: Systems and methods are provided for program security protection. An exemplary method for program security protection may comprise obtaining data packets transceived by a first program, analyzing similarities among the obtained data packets for a plurality of transmissions, and determining a security threat to the first program based on the analyzed similarities.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: December 1, 2020
    Assignee: DiDi Research America, LLC
    Inventor: Wu Zhou
  • Patent number: 10853090
    Abstract: Examples relate to integrity reports. In an implementation, an entity for executing a function is launched, the entity operating one or more files for executing the function. In response to the entity being launched, an entity image integrity report is generated comprising, for one or more files operated by the entity, a reference to the file measurement in a first integrity report, the first integrity report containing measurements of a plurality of files operable in one or more entities. Alternatively, in response to the entity being launched, an entity integrity report is generated comprising a file measurement for each of the files operated by the entity.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: December 1, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Hamza Attak, Nigel Edwards, Guilherme de Campos Magalhaes
  • Patent number: 10848556
    Abstract: Systems and methods for adding digital content associated with a first user account within a content management system to a second user account within the content management system. In various embodiments, the system may be configured to allow a user to add digital content to an account within a content management system associated with the user when the user receives a shared link to access digital content associated with an account within the content management system belonging to another user. The system may be configured to add the digital content to the user account by associating the digital content with the user's account. In various embodiments, the system may be configured to add the digital content to the user's account by creating an entry in a server-side file journal associated with the user's account, where the entry includes one or more file reference strings associated with the digital content.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: November 24, 2020
    Assignee: Dropbox, Inc.
    Inventors: Aston Motes, Makinde Adeagbo, Trevor Berg
  • Patent number: 10848317
    Abstract: A system for establishing a trusted path for secure communication between client devices and server devices, such as between an account holder and a financial institution, can provide the core security attributes of confidentiality (of the parties), integrity (of the information), anti-replay (protection against replay fraud) and/or anti-tampering (protection against unauthorized changes to information being exchanged and/or modules that generate and communicate such information). A messaging layer implementation in favor of a transport layer implementation can provide a trusted path. This infrastructure features secure cryptographic key storage, and implementation of a trusted path built using the cryptographic infrastructure. The trusted path protects against unauthorized information disclosure, modification, or replays. These services can effectively protect against Man-in-the-Middle, Man-in-the-Application, and other attacks.
    Type: Grant
    Filed: February 4, 2019
    Date of Patent: November 24, 2020
    Assignee: INAUTH, INC.
    Inventor: Glenn S. Benson
  • Patent number: 10834060
    Abstract: A method, a computing system and a computer program product are provided. A link for use by a user to access a file is created. Content of the file is encrypted using a common key. The common key is encrypted using a public key of the user and is registered in the link. Access rights regarding the file are set for the user and registered in the link. The link includes information for use by the user to access the file when the access rights indicate that the user is authorized to access the file.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: November 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: Junichi Kato, Takayuki Kushida, Tomoko Murayama, Masaharu Sakamoto, Kazuto Yamafuji
  • Patent number: 10831506
    Abstract: Approaches for locally attesting an operational condition of a computer system during powering on the computer system. Prior to an operating system being loaded, an attestation client, executing on a computer system, analyzes a set of resources of the computer system to create measurement data. The attestation client provides the measurement data to an attestation server executing in a secure enclave on the computer system. The attestation server processes the measurement data and provides the processed measurement data to a remediation server. Upon the computer system being determined to be operationally healthy, the remediation server provides an unlock key to a locked persistent storage to permit the computer system to read the operating system stored on the persistent storage. Thereafter, a BIOS on the computer system may read the operating system and permit the same to be loaded on the computer system.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: November 10, 2020
    Assignee: Phoenix Technologies Ltd.
    Inventors: James L. Mortensen, Kenneth C. Taylor
  • Patent number: 10831911
    Abstract: The application discloses a method, a computer program product and a processing system for generating a secure alternative representation. The method in a processing system including: providing, by the processing system, a first sequence including a plurality of first values; providing, by the processing system, a plurality of storage cells belonging to a plurality of groups, each of the groups having one or more storage cells; performing, by the processing system, for each of the storage cells a symbol-deriving and cell-filling procedure; composing, by the processing system, a queue for each of the groups by picking up the symbol(s) filled in the storage cell(s) of the corresponding one of the groups; and generating, by the processing system, a secure alternative representation for the first sequence by concatenating the composed queue for each of the groups.
    Type: Grant
    Filed: December 19, 2017
    Date of Patent: November 10, 2020
    Assignee: Industrial Technology Research Institute
    Inventors: Shen-Ming Chung, Tzi-Cker Chiueh
  • Patent number: 10820053
    Abstract: In one embodiment, a method receives a request from a user for one or more extensions to a first program. The first program is associated with a first bundle that indicates the first program starts at a first time and ends at a second time. A second program that starts before the first time or starts after the second time is selected. The second program is associated with a second bundle that indicates the second program ends at the first time or starts at the second time. The method generates an extension bundle that includes information for the one or more extensions and uses the extension bundle to record an extended program for the user that includes the first program and at least a portion of the one or more extensions from the second program.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: October 27, 2020
    Assignee: HULU, LLC
    Inventors: Joshua Cook, Ale Capistrano, Yingan Wang
  • Patent number: 10812506
    Abstract: A method for detecting intrusions uses a searchable enciphering algorithm and includes: generating a trap bypass key for a security device, which is able to determine keywords characteristic of intrusions, generating by the security device a trap for each keyword by using the trap bypass key; providing the traps to an intrusions detection device; intercepting by the detection device character strings sent on the network by a sender and enciphered with a public key of a receiver; applying by the detection device a test procedure on the character strings enciphered using the traps; and detecting an intrusion on the network if there exists according to the test procedure an enciphered character string representative of a cipher of a keyword.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: October 20, 2020
    Assignee: ORANGE
    Inventors: Sebastien Canard, Aida Diop, Nizar Kheir, Marie Paindavoine
  • Patent number: 10812451
    Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. One of these service engines is a firewall engine. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines.
    Type: Grant
    Filed: December 19, 2017
    Date of Patent: October 20, 2020
    Assignee: NICIRA, INC.
    Inventors: Laxmikant Vithal Gunda, Arnold Poon, Jayant Jain