Abstract: Systems and methods for synchronizing database operations with a distributed blockchain are disclosed. The database operations are performed on a database that is shared between multiple users including a first user. Exemplary implementations may: receive database information reflecting one or more database operations performed by the first user on a first version of the database; verify whether the one or more database operations are allowed to be performed by the first user; record on the distributed blockchain, responsive to the verification being affirmative, a message that describes or refers to a description of one or more modifications to the database; effectuate transmissions of notifications to the first version of the database; subsequent to the transmissions, propagate or revert the one or more database operations, based on the verification result.

Abstract: A database system including: a database server for storing registration information including encrypted data encrypted using a probabilistic encryption method; and a terminal. The terminal includes: an encryption unit; a decryption unit; an encrypted search query generating unit for generating an encrypted search query obtained by encrypting a search query used for retrieving the encrypted data; and an additional processing unit for encrypting a search condition of a plaintext and transmitting a data acquisition request including the encrypted search condition. The database server holds database operation command definition information and search additional information.

Abstract: According to certain aspects of the disclosure, a computer-implemented method computer-implemented method may be used for screening electronic communications. The method may comprise analyzing contents of an electronic communication to determine whether the contents include sensitive information. A recipient list of the electronic communication may be compared to a screening list. Based on the analyzing and the comparing, it may be determined whether the contents are permitted to be transmitted to the recipient list. Upon determining that the contents are not permitted to be transmitted to at least one party of the recipient list, a notification may be provided to an author of the electronic communication indicating that contents are not permitted to be transmitted to the at least one party of the recipient list.

Abstract: Responding to a data subject access request includes receiving the request and identifying the requestor and source. In response to identifying the requestor and source, a computer processor determines whether the data subject access request is subject to fulfillment constraints, including whether the requestor or source is malicious. If so, then the computer processor denies the request or requests a processing fee prior to fulfillment. If not, then the computer processor fulfills the request.

Abstract: Embodiments allow join operations to be performed upon encrypted database tables stored on an unsecure server (e.g., as part of a DBaaS offering), with reduced information leakage. Such secure join operations may be implemented through the combination of two cryptographic techniques: non-deterministic (randomized) searchable encryption; and attribute based encryption. The searchable encryption (e.g., Symmetric Searchable Encryption: SSE) allows join values to be revealed only for rows fulfilling additional predicate attributes that the client has filtered for, thereby offering fine granular security. The attribute based encryption (e.g., Key-Policy Attribute-Based Encryption: KP-ABE) avoids the unmanageable consumption of memory that would otherwise result from the creation of intermediate constructions on the server. Embodiments offer a solution reducing information leakage of join values not contained in the result of the actual database query.

Abstract: Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.

Abstract: Disclosed herein is a technique for performing an operation on a hierarchy of content. The operation is performed atomically by utilizing a hidden directory in a hidden area of a filesystem namespace. In particular, a number of actions associated with the operation are performed in the hidden area to ensure that the hierarchy of content always appears in a consistent state to users and/or system processes.

Abstract: Embodiments are directed to a question and answer (QA) pipeline system that adjusts answers to input questions based on a user criteria, thus implementing a content-based determination of access permissions. The QA system allows for information to be retrieved based on permission granted to a user. Documents are ingested and assigned an access level based on a defined information access policy. The QA system is implemented with the defined information access policy, the ingested documents, and the inferred access levels. For the QA system implementation, a user enters a question; primary search and answer extraction stages are performed; candidate answer extraction is performed using only content the user is allowed to access; the candidate answers are scored, ranked, and merged; ranked answers based on user permissions are filtered; and answers are provided to the user.

Abstract: Systems, methods, and media for the automated removal of private information are provided herein. In an example implementation, a method for automatic removal of private information may include: receiving a transcript of communication data; applying a private information rule to the transcript in order to identify private information in the transcript; tagging the identified private information with a tag comprising an identification of the private information; applying a complicate rule to the tagged transcript in order to evaluate a compliance of the transcript with privacy standards; removing the identified private information from the transcript to produce a redacted transaction; and storing the redacted transcript.

Abstract: A method for migrating data and a terminal are provided. The method includes the following. An application migration instruction is received, and a target application and a target terminal corresponding to the application migration instruction are determined. A target system type of the target terminal and a local system type are acquired. User data of the target application is acquired. When the local system type is not matched with the target system type, the target terminal is instructed to download the target application from an application store. The user data is migrated to the target terminal.

Abstract: Provided is a method and system for code obfuscation of an application. A method configured as a computer may include receiving an application program package that includes an intermediate language (IL) code generated by compiling code for an application including a plurality of classes and a plurality of methods as a dex file over a network, selecting a protection target class or a protection target method from among the plurality of classes and the plurality of methods, encrypting the selected protection target class or the selected protection target method by retrieving and encrypting an IL code corresponding to the selected protection target class or the selected protection target method from the dex file, and adding decryption information for decrypting the encrypted protection target class or the encrypted protection target method to a secure module that is further included in the application program package.

Abstract: Systems, methods, and computer program products for an application to securely record and propagate an invocation context for invoking other applications are described. The applications being invoked not only receive a user's authentication token, but also authentication tokens of an entire invocation chain. Accordingly, the applications being invoked can verify a chain of custody through verification of nested, cryptographically signed payloads of a chain of authentication tokens. An application can thus verify identities of each application in the chain of custody, as well as the invocation contexts (e. g. the HTTP request method and path) in which each application in the chain invoked the next application.

Abstract: In an embodiment, a user equipment (UE) is disclosed. The UE comprises a cellular radio transceiver, a non-transitory memory, a processor, a third party application stored in the non-transitory memory, and an application stored in the non-transitory memory. When executed by the processor, the third party application causes the processor to attempt to access confidential information of the UE. When executed by the processor, the application causes the processor to determine a status of consent to release confidential information to the third party application and to take action in response to a determination that the status of consent is consent is not granted to release confidential information to the third party application.

Abstract: A computer implemented method, program product, and system implementing said method, for transforming a call graph representation of an algorithm into a secured call graph representation of said algorithm. The call graph comprises inputs (a, b, f), internal variables being the edges of the graph (c, d, e), elementary functions being the nodes of the graph, said functions being either linear or not linear, and outputs (g), the method comprising: a step of masking each input of the call graph, a step of replacing each unmasked internal variable of the call graph with a masked variable, a step of replacing at least each non-linear function of the call graph with an equivalent function that applies to masked variables, a step of unmasking each output of the call graph.

Abstract: A system and method for creating and managing multimedia sales promotions with a multimedia dashboard application running on a computing device that is in networked communication with an inventory database for a particular retailer and is also in operative communication with a distribution server. In the preferred embodiment, the computing device is a handheld smartphone or tablet computer capable of operating the fully integrated multimedia sales promotion system. The multimedia dashboard application includes an item selector, a multimedia recording module, multimedia editors, and a distribution controller. The same multimedia dashboard application is used to record multimedia segments, select segments to be uploaded to and downloaded from the inventory database, edit the segments to produce multimedia promotions, and control the distribution of the promotions which provides users with a simplified and integrated system and process to market their goods.

Abstract: In one embodiment, a method comprises creating and storing, one or more data objects; wherein a first plurality of the data objects is associated with a base set of data representing data shared across a plurality of users; wherein a second plurality of the data objects is associated with one or more child sets of data, wherein each of the child sets of data represents data local to a project, wherein each of the users is associated with one or more of the child sets of data; wherein each data object is associated to an identifier value and to a version identifier value for a plurality of versions of the data object, wherein each of the versions represents a change to the data object by any of a plurality of users; receiving a request from a first user to view a third plurality of data objects; selecting, based on the base set of data, the particular set of data, the version identifier value for the data objects in the third plurality, and one or more rules associated with the particular set of data and the f

Abstract: According to one example, a method is described for accessing a composite document in which a trigger is received. A handling instruction for a content-part, from a composite document, and a status for the content-part, from a second computer, are retrieved. An action for the content-part is determined based on the handling instruction and the status, and the content-part action is executed. In the event that the content-part action is to revoke the content-part, the content-part is revoked. In the event that the content-part action is to synchronize the content-part, the content-part is synchronized.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating native application search results. In one aspect, a method includes accessing application package files for native applications, and for each native application: determining, from the application package file, an application name of the native application, accessing, at the data processing apparatus, application pages of the native application, and for each of the application pages, generating application page data describing content of the application page, an application page name of the application page, the content described by the application page data including text that a user device displays on the application page when the user device displays the application page, and indexing the application page data and application icon for the native application in an index that is searchable by a search engine.

Abstract: A computing system includes: a control unit configured to: receive user information through a vault user account; process the user information for storage in an information vault; implement a security protocol for the vault user account including to determine a security breach to the vault user account based on receiving an electronic communication from a user electronic contact address addressed to a breach detection contact address; a storage unit, coupled to the control unit, configured to store the user information.

Abstract: A processor-implemented method improves security in a blockchain network of devices, which supports a blockchain, by protecting security, privacy, financial fairness, and secure transfer of identity assets. An identity asset provider device creates an identity asset related to an entity. The identity asset provider also creates a provider key, which is composed of multiple bits, and which is needed to decrypt an encrypted version of the identity asset. The identity asset provider device transmits the provider key bit-by-bit to an identity asset consumer device. A price for the provider key depends on how many bits have been transmitted to the identity asset consumer device.

Abstract: A browsing session integrated with a hidden credential authentication system and with a privacy level mode property is created or resumed. Private browsing data is encrypted and hidden and can be accessed by inputting correct credentials. If credentials inputted into the hidden credential authentication system match credentials stored on a storage medium, access is granted to one or more types of private browsing data.

Abstract: In one example in accordance with the present disclosure, a system for web services generation based on client-side code scans client-side code of a web technology to find included server call code, where the server call code includes a request to a web service. The system analyzes the server call code to determine a type of the request to the web service. The system generates web service code capable of handling requests of the type of the request to the web service.

Abstract: A method for servicing document search requests. The method includes receiving, by a document management service, a document search query from a requesting user, identifying, in a document repository, by the document management service, a document that matches the search query, and obtaining a permission level by the document management service, from an access control cache, based on a combination of the requesting user and an access control list required by the document. The access control cache is located on the document management service, and the access control cache is populated using content in an access control repository located on a repository server, separate from the document management service. The method further includes making a determination that the permission level is sufficient and based on the determination, returning the document to the requesting user, as a search result.

Abstract: A method for application management and an electronic device therefor are provided. The electronic device includes a memory configured to store a first application, and a processor configured to obtain a request for installing a second application, compare a first identifier corresponding to the first application with a second identifier corresponding to the second application, if the first identifier is the same as the second identifier, compare first signature information corresponding to the first application with second signature information corresponding to the second application, if the first signature information is different from the second signature information, compare the first signature information with additional signature information corresponding to the second application, and if the first signature information is the same as the additional signature information, replace at least a portion of the first application by using at least a portion of the second application.

Abstract: The subject matter described herein is generally directed to detecting and managing collisions in storage. A hash identifier (ID) for a first block of data is calculated and a determination is made whether the calculated hash ID matches hash IDs associated with a storage. If the calculated hash ID matches at least one of the hash IDs, the first block of data is compared with a second block of data, associated with the hash IDs, in the storage. If the first block of data is different from the second block of data based on the comparison, a hash number is associated with the calculated hash ID and the first block of data is stored in storage using the calculated hash ID and associated hash number as an index to the first block of data in the storage. In this manner, collision between data blocks is detected and prevented.

Abstract: Techniques to provide mobile access to content are disclosed. A request from a mobile application running on a mobile device to access content is received at a connector node. A user credential associated with the request is used to identify at the connector node a policy associated with the request. A policy metadata associated with the policy is provided from the connector node to the mobile application running on the mobile device. The mobile application may include application code that is responsive to the policy metadata to perform, with respect to the request to access content, an action indicated by the policy.

Abstract: In some embodiments, a first device may generate a data block for an ordered set of data blocks such that the data block is cryptographically chained to a given data block preceding the data block in the ordered set. The first device may obtain an encryption key used to encrypt information related to the data block, and use group members' keys to encrypt the encryption key to generate a group key. As an example, the group's members may include a first member associated with the first device and other members. The keys used to encrypt the encryption key may include the other members' keys. The first device may transmit the ordered set and the group key to a communication resource (e.g., accessible by the members). Other devices (associated with the other members) may use the ordered set and the group key to obtain content related to the ordered set.

Abstract: An import configuration section of a file is identified, where the import configuration identifies a database table. Key specifications of the database table are reserved based on the import configuration. A first and a second Boolean flag parameter associated with the database table is identified. A determination is made that i) a value of the first Boolean flag indicates importing of entries from the file into the database table is allowed, and that ii) a value of the second Boolean flag indicates removal of entries of the database table is allowed. In response to the determining entries are removed from the database table corresponding to the key specifications, and entries are imported from the file into the database table corresponding to the key specifications.

Abstract: A method includes receiving an access request at a first computing device from a second computing device, the access request specifying a data structure, the data structure including first data stored in a first portion of the data structure and second data stored in a second portion of the data structure. The method also includes extracting a first key from the access request and identifying a data rights definition that is associated with the data structure and that is associated with a second key, the data rights definition indicating that the first data but not the second data is shared with an entity associated with the second computing device. The method further includes comparing the first key to the second key, and, based on the comparison, determining whether to grant the second computing device access to the first data but not the second data.

Abstract: Methods and systems for performing real time digital content concealment are described herein. A computing device may, in response to detecting a user within view of an image capture device of a client device, perform a first type of text recognition on a first region of digital content and a second type of text recognition on a second region of the digital content, where the first type of text recognition is determined based on a first type of content items contained in the first region and the second type of text recognition is determined based on a second type of content items contained in the second region. Based at least in part on rules corresponding to the user, the computing device may determine content items within the digital content to be concealed, and may modify the digital content to conceal the content items.

Abstract: Disclosed are various embodiments for detecting unknown software vulnerabilities and system compromises. During a learning period, it is determined which of a plurality of portions of a software package are invoked. At least one unused portion of the software package is determined based at least in part on the portions of the software package invoked during the learning period. Access to the unused portion(s) of the software package is then prevented.

Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.

Abstract: An example method of key management for encryption of traffic in a network having a network nodes includes negotiating, between a first network node and a centralized key management server, to obtain a master key shared among the network nodes; receiving, at the first network node, a first identifier for the first network node and a second identifier for a second network node; generating, at the first network node, a first session key by supplying the master key, the first identifier, and the second identifier as parametric input to a function; establishing, using a network stack of the first network node, a first point-to-point tunnel through the network to the second network node without a key exchange protocol; and sending first traffic from the first network node to the second network node through the first point-to-point tunnel, the first traffic including a portion encrypted by the first session key.

Abstract: A clipboard component provides a multi-item clipboard store. The clipboard component uses a technical strategy that facilitates its efficient adoption and use by end users and application developers. From an end user's standpoint, the clipboard component provides a new user experience which is easy for the users to discover, learn and use, due, in part, to the use of ergonomic control mechanisms for activating paste and copy operations. From a developer's standpoint, the clipboard component provides a way of allowing existing legacy applications to interact with a multi-item clipboard store, even though these applications were not originally created to provide that type of interaction. The clipboard component can also, upon instruction by a user, apply one or more supplemental operations to a copied content item, such as transferring the item to a target computing device.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for layering authorization of resource distribution documents within an entity. In this way, the invention generates a multi-step layering process for resource distribution document generation. As such, each individual involved in resource distribution document generation process may add a unique layer to the resource distribution document prior to being authorized for use. Once the several layers have all been applied to the resource distribution document, the document becomes authenticated and approved for use. In some embodiments, the layers may include physical layers on the resource distribution document, such as account numbers, signature lines or the like. In some embodiments, the layers may include digital layers that combine to create a digital or physical marking on the resource distribution document identifying authentication for depositing.

Abstract: Application security analysis including systems and methods for analyzing applications for risk is provided. In an example method, the applications reside on a mobile device configurable to access an enterprise system. The example method includes evaluating each of a plurality of applications variously for privacy, data leakage, and malicious behavior. The example method also includes calculating a risk score for each of the plurality of applications based on the evaluating; and automatically remediating (e.g., quarantining) the applications, of the plurality of applications, for which the risk score meets or exceeds a risk score threshold. The method may evaluate all of the applications residing on a mobile device. The method may include grouping application behaviors, for each of the applications, that indicate an increased risk into groups comprising two or more of privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk.

Abstract: In some examples, a multi-node system may access physical storage divided into extents and further arranged into extent groups that may be allocated on demand as thin provisioned storage in response to write requests. Protection class instances are set with specified data protection capabilities. Each instance acts as a logical unit having a distinct addressable block storage space from the extent groups allocated thereto. The extents in an extent group to be allocated to a given protection class instance may vary depending on the protection class capabilities. Management information for the extents, extent groups, and protection classes may be stored in mirrored devices separate from the write data stored in the extents for providing redundant protection to the management information and for increasing the availability of write data in the event of a failure that may cause data loss at one or more locations in the system.

Abstract: A proxy computer system receives content intended for a client computer from a third-party network service, where the content includes an encrypted portion. The proxy computer system makes a determination as to whether the encrypted portion is to be decrypted for the client computer, where the determination is made based at least in part on a historical analysis of the client computer. The proxy computer system sends the content to the client computer in a form that is based on the determination.

Abstract: Disclosed are systems, methods and computer program products for controlling access to operating system (OS) resources. An exemplary method includes: creating an OS resource associated with a first program; assigning a unique label to the first program; associating the unique label with the OS resource; and configuring a resource descriptor of the OS resource to allow access to the OS resource to processes having the same unique label as the first program, and to deny access to the OS resource to processes having a different label.

Abstract: A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method begins by maintaining dispersed storage network (DSN) storage and maintenance loading information. The method continues by estimating a future data access task rate and determining a probability level of potential future data loss based on the estimated future data access task rate. The method continues, when the probability level of the potential future data loss compares unfavorably to a maximum probability of data loss threshold level, by facilitating execution of a preventative data loss mitigation process and when a current data access task rate is greater than a maximum task rate level, suspending the execution of the preventative data loss mitigation process.

Abstract: A method for enabling data classification and or enforcement of Information Rights Management (IRM) capabilities and or encryption in a software application according to which, an agent is installed on each terminal device that runs the application and a central management module which includes the IRM, encryption and classification policy to be enforced, communicates with agents that are installed on each terminal device. The central management module distributes the appropriate IRM and or classification policy to each agent and applies the policy to any application that runs on the terminal device.

Abstract: The disclosed computer-implemented method for terminating a computer process blocking user access to a computing device may include (1) receiving, at a user computing device, a communication indicating that a user is unable to access the user computing device, (2) identifying, by the user computing device, an active computer process running on the user computing device, and (3) executing a process termination application stored on the user computing device to terminate the active computer process and enable the user to access the user computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computing device includes a first component, a second component and a monitoring component. The monitoring component, receives, from the first component, a command to issue one or more transactions or data to the second component, and determines whether the first component is authorized to issue the one or more transactions, according to one or more policies or rules, which are received through an out-of-band mechanism to which the first component does not have access. If the monitoring component determines that the first component is authorized to issue the one or more transactions or data to the second component, it forwards the one or more transactions data to the second component. Otherwise, the monitoring component blocks the one or more transactions or data from being issued to the second component.

Abstract: An information integration system may include a set of integration services embodied on one or more server machines in a computing environment. The set of integration services may include connectors communicatively connected to disparate information systems. The connectors may be configured for integrating data stored in the disparate information systems utilizing a common model employed by the set of integration services. The common model may overlay, augment, integrate, or otherwise utilize a content management interoperability services data model and may include common property definitions and a common security model. The common security model may include permissions particularly defined for use by the set of integration services. These common property definitions and permissions may be uniquely defined and utilized by the information integration system.

Abstract: A device may receive a firewall filter entry that includes one or more match conditions associated with filtering network traffic. The device may identify an access control list (ACL) template associated with the firewall filter entry. The ACL template may be associated with a template type. The device may identify one or more rules, for verifying the firewall filter entry, based on the template type associated with the ACL template. The device may verify the firewall filter entry using the one or more rules. The device may determine a hardware resource, for storing the firewall filter entry, based on the template type and based on verifying the firewall filter entry. The device may store the firewall filter entry using the hardware resource of the device.

Abstract: Responding to a data subject access request includes receiving the request and validating an identity of the requestor. In response to validating the identity of the requestor, a computer processor determines whether the data subject access request is subject to fulfillment constraints. If so, then the computer processor notifies the requestor that the data subject access request is subject to one or more limitations and the computer processor takes action based on those limitations. Fulfillment constraint data is updated and maintained in a database or server.

Abstract: Method of searching comprising applying a function to individual elements within a digital work to form a set of index elements. Storing the index elements as an index for the digital work. Receiving a search term. Applying the function to one or more individual elements within the search term to convert the search term into one or more converted search term elements. Identifying a digital work having an index containing one or more index elements that match one or more of the converted search term elements. Returning search results of the identified digital work. Method of searching for a digital work comprising the steps of providing a search term. Receiving search results formulated by applying a function to one or more individual elements within the search term to convert the search term into one or more converted search term elements.

Abstract: Embodiments of content management systems that utilize encryption are disclosed. An object management module of a content management system is adapted to encrypt an object using a data key that is generated based on the content. The data key is encrypted using a tenant key associated with a tenant of the system. The encrypted object is stored in an object store, and a storage record for the stored encrypted object is stored in a data store, along with the encrypted data key and a tenant key identifier.

Abstract: A computer system and method for authenticating a user device associated with a user during the process of logging into a server. The server can generate input requests each of which is valid only during a defined time period, and displays said input requests in succession in a login screen. The user device reads in the input request displayed at the time of the login and calculates a response by using said input request, the password of the user device, and the current time. The user device transmits the calculated response to the login screen and the response is transmitted by the login screen to the server. The server confirms the authentication when the response calculated by the server matches the response transmitted by the user device.

Abstract: A data search server stores a system ciphertext including a data ciphertext and a keyword ciphertext in each category-specific DB unit for each data category, and stores each category-determination secret key being associated with each category-specific DB unit. A search request receiving unit receives from a data search terminal a search request including a search trapdoor and an index tag. A data searching unit searches for a category-determination secret key with which the index tag is decrypted to the same value as a key-determination value. Using the search trapdoor, the data searching unit performs a search of a Public-key Encryption with Keyword Search scheme on system ciphertexts in a category-specific DB unit associated with this category-determination secret key. A search result transmitting unit transmits to the data search terminal a data ciphertext included in a system ciphertext which has been found as a hit in the search.