File Protection Patents (Class 713/165)
  • Patent number: 10546115
    Abstract: A computer system and method for authenticating a user device associated with a user during the process of logging into a server. The server can generate input requests each of which is valid only during a defined time period, and displays said input requests in succession in a login screen. The user device reads in the input request displayed at the time of the login and calculates a response by using said input request, the password of the user device, and the current time. The user device transmits the calculated response to the login screen and the response is transmitted by the login screen to the server. The server confirms the authentication when the response calculated by the server matches the response transmitted by the user device.
    Type: Grant
    Filed: October 15, 2015
    Date of Patent: January 28, 2020
    Assignee: Unify GmbH & Co. KG
    Inventor: Thomas Lederer
  • Patent number: 10540498
    Abstract: Technologies for hardware assisted native malware detection include a computing device. The computing device includes one or more processors with hook logic to monitor for execution of branch instructions of an application, compare the monitored branch instructions to filter criteria, and determine whether a monitored branch instruction satisfies the filter criteria. Additionally, the computing device includes a malware detector to provide the filter criteria to the hook logic, provide an address of a callback function to the hook logic to be executed in response to a determination that a monitored branch instruction satisfies the filter criteria, and analyze, in response to execution of the callback function, the monitored branch instruction to determine whether the monitored branch instruction is indicative of malware. Other embodiments are also described and claimed.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: January 21, 2020
    Assignee: Intel Corporation
    Inventors: Xiaoning Li, Ravi L. Sahita, David M. Durham
  • Patent number: 10541999
    Abstract: Provided herein are methods and systems for multi-person authentication and validation systems for sharing of images. The multi-person authentication and validation system may identify the respective representations of one or more individuals captured in an image, and request authorization for sharing the image from the one or more individuals captured in the image. In some instances, the multi-person authentication and validation system may provide a different image version for sharing if at least one of the one or more individuals denies authorization.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: January 21, 2020
    Assignee: KNOWLEDGE INITIATIVES LLC
    Inventor: Barr Rosenberg
  • Patent number: 10542022
    Abstract: A sandbox architecture that isolates and identifies misbehaving plug-ins (intentional or unintentional) to prevent system interruptions and failure. Based on plug-in errors, the architecture automatically disables and blocks registration of the bad plug-in via a penalty point system. Publishers of bad plug-ins are controlled by disabling the bad plug-ins and registering the publisher in an unsafe list. Isolation can be provided in multiple levels, such as machine isolation, process isolation, secure accounts with limited access rights, and application domain isolation within processes using local security mechanisms. A combination of the multiple levels of isolation achieves a high level of security. Isolation provides separation from other plug-in executions and restriction to system resources such as file system and network IP.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: January 21, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nirav Yogesh Shah, Allen F. Hafezipour, Steve Jamieson, Shashi Ranjan
  • Patent number: 10535062
    Abstract: Systems, methods, and articles of manufacture to securely share data stored in a blockchain. A contactless card may receive a request to provide a data element from a device. An applet of the contactless card may encrypt the data element and a wallet address. The applet may generate a signature for the request, and transmit, to a mobile device, the signature and the encrypted data. The mobile device may transmit, to a verification service, the signature and encrypted data. The verification service may verify the signature based on a public key. A node in a blockchain may generate a block in the blockchain, the block comprising indications of the verification of the signature, the requested data element, and the wallet address. An encrypted data element corresponding to the data element may be decrypted using a public key. The device may receive the decrypted data element from the wallet address.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: January 14, 2020
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Jeffrey Rule, Rajko Ilincic, Kaitlin Newman
  • Patent number: 10536471
    Abstract: A system, computer program product, and computer-executable method of detecting malware in a virtual machine (VM), the computer-executable method comprising periodically creating snapshots of the VM, analyzing each of the snapshots in comparison to one or more previous snapshots to determine whether anomalies exist, and based on a threshold amount of anomalies detected, scanning the VM to determine whether malware is detected.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: January 14, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Philip Derbeko, Shai Kappel, Uriya Stern, Maya Bakshi, Yaniv Harel
  • Patent number: 10530788
    Abstract: A detection module monitors, at a network layer, the network traffic between a client computer and a server computer. The detection module extracts application layer data from the network traffic and decodes the application layer data to identify a remote file operation that targets a shared file stored in the server computer. The detection module evaluates the remote file operation to determine if it is a malicious remote file operation. The detection module deems the remote file operation to be malicious when the remote file operation will corrupt the shared file.
    Type: Grant
    Filed: November 1, 2017
    Date of Patent: January 7, 2020
    Assignee: Trend Micro Incorporated
    Inventors: Pawan Kinger, Nelson William Gamazo Sanchez
  • Patent number: 10523417
    Abstract: The present disclosure relates to a sensor network, machine type communication (MTC), machine-to-machine (M2M) communication, and technology for internet of things (IoT). The present disclosure may be applied to intelligent services based on the above technologies, such as smart home, smart building, smart city, smart car, connected car, health care, digital education, smart retail, security and safety services. A method for performing an encryption process is provided.
    Type: Grant
    Filed: March 24, 2017
    Date of Patent: December 31, 2019
    Assignees: Samsung Electronics Co., Ltd., KOREA UNIVERSITY RESEARCH AND BUSINESS FOUNDATION
    Inventor: Dong-Hoon Lee
  • Patent number: 10521360
    Abstract: Network protocols generally implement integrity protection, encryption and authentication as separate validation steps. Since each validation step contributes encoding and processing overhead associated with individual packet transfers over the network, such network protocols can make inefficient use of limited packet space. Systems and methods according to the present disclosure combine integrity protection, encryption and authentication into a single validation step thereby making efficient use of limited packet space.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: December 31, 2019
    Assignee: Google LLC
    Inventors: Daniel Earle Gibson, Monica C. Wong-Chan, Milo Martin
  • Patent number: 10523687
    Abstract: Systems and methods for communicating content between nodes of a network, wherein particular nodes of the network are members of a sub network. Flows can be admitted to a subnetwork, depending upon available bandwidth as allocated to the sub networks of the network. Each sub network has a unique password when privacy is enabled on the sub network.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: December 31, 2019
    Assignee: Entropic Communications, LLC
    Inventors: Yoav Hebron, Zong Liang Wu, Na Chen
  • Patent number: 10509733
    Abstract: Systems and methods for performing data deduplication on storage blocks while the data is encrypted. An example method may comprise: selecting a first storage block and a second storage block from a plurality of encrypted storage blocks, wherein the first storage block and the second storage block are encrypted using different cryptographic input; causing the first storage block and the second storage block to be decrypted and further encrypted using a common cryptographic input; determining that a cipher text of the first storage block and a cipher text of the second storage block are the same; and updating a reference to the first storage block to reference the second storage block in response to the determining that the cipher text of the first storage block and the cipher text of the second storage block are the same.
    Type: Grant
    Filed: March 24, 2017
    Date of Patent: December 17, 2019
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Henri Han Van Riel
  • Patent number: 10505947
    Abstract: A method for execution by a computing device begins by receiving from a requester a read request regarding a set of encoded data slices stored in a set of storage units. The method continues by obtaining an access policy for the read request that includes time varying availability patterns for the set of storage units. The method continues by retrieving from a first group of storage units, during a first time varying availability pattern, first encoded data slices of the set of encoded data slices. The method continues by retrieving from a second group of storage units, during a second time varying availability pattern, second encoded data slices of the set of encoded data slices. The method continues by determining whether the decode threshold number of encoded data slices has been retrieved. When yes, the method continues by decoding the encoded data slices to recover the data segment.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: December 10, 2019
    Assignee: PURE STORAGE, INC.
    Inventors: Gary W. Grube, Jason K. Resch
  • Patent number: 10496610
    Abstract: Disclosed in some examples are methods, systems, and machine readable mediums which provide for encrypted file system element containers which secure sensitive file system elements. The encrypted file system element containers are sent from a network based file storage system upon selection of file system elements for a network based file download and stored in a user's computing device in an encrypted state while the data is at rest. An application on the user's computing device may provide access to the file system elements (e.g., files, directories, and the like) inside the encrypted file system element containers according to a set of one or more access rules. Example access rules include a time-to-live (TTL) rule that deletes or causes the encrypted file system element containers to be inaccessible after a predetermined amount of time.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: December 3, 2019
    Assignee: Code 42 Software, Inc.
    Inventors: Rick Scott Orloff, Thomas Anthony Lindquist
  • Patent number: 10498706
    Abstract: A searchable encryption method enables encrypted search of encrypted documents based on document type. In some embodiments, the searchable encryption method is implemented in a network intermediary, such as a proxy server. The network intermediary encrypts documents on behalf of a user or an enterprise destined to be stored on a cloud service provider. The searchable encryption method encodes document type information into the encrypted search index while preserving encryption security. Furthermore, the searchable encryption method enables search of encrypted documents using the same encrypted index, either for a particular document type or for all encrypted documents regardless of the document type.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: December 3, 2019
    Assignee: Skyhigh Networks, LLC
    Inventor: Hani T. Dawoud
  • Patent number: 10489032
    Abstract: An example method includes, during execution of a first application, and responsive to receiving an indication of a first event, sending, to the first application, a request to obtain data associated with graphical elements that are output by the first application for display, and receiving, from the first application, the data associated with the graphical elements, wherein the data comprises data items that each include one or more representations of the respective data item, and wherein each data item is stored in a system clipboard. The example method further includes, during execution of a second application, and responsive to receiving an indication of a second event, determining a group of data items that each satisfy at least one criterion, retrieving at least one data item of the group of data items from the system clipboard, and sending the at least one data item to the second application for output.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: November 26, 2019
    Assignee: GOOGLE LLC
    Inventor: Benjamin Margolin
  • Patent number: 10491378
    Abstract: A secure method of maintaining and accessing files (for example, multimedia files) is provided. Each file is divided into fragments or slices and each slice is encrypted and stored on a separate node. Each node is also required to maintain an instance of a public block-chain (or distributed ledger) which holds conventional block-chain transaction information for managing payment for access to the files. Preferably, each node is also paid in digital currency both as a conventional block-chain miner for maintaining the public block-chain and also for maintaining the slices.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: November 26, 2019
    Assignee: StreamSpace, LLC
    Inventors: Robert Binning, James Baggett
  • Patent number: 10484176
    Abstract: A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: November 19, 2019
    Assignee: CLOUDFLARE, INC.
    Inventor: Nicholas Thomas Sullivan
  • Patent number: 10466698
    Abstract: The present disclosure provides systems and methods to engage an autonomous mode of an autonomous vehicle. In particular, the systems and methods of the present disclosure can receive login credentials for an autonomous vehicle. A user of the autonomous vehicle can be authenticated based on the login credentials. Responsive to authenticating the user, a secure communication session can be established between the autonomous vehicle and one or more remotely located computing systems. Authorization data for an autonomous mode of the autonomous vehicle can be communicated between the autonomous vehicle and the one or more remotely located computing systems. Responsive to communicating the authorization data for the autonomous mode of the autonomous vehicle, the autonomous mode of the autonomous vehicle can be enabled.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: November 5, 2019
    Assignee: Uber Technologies, Inc.
    Inventors: Christopher Valasek, Charles Miller
  • Patent number: 10469469
    Abstract: Techniques are disclosed for providing a device-based PIN authentication process used to protect encrypted data stored on a computing system, such as a tablet or mobile device. A client component and a server component each store distinct cryptographic keys needed to access encrypted data on the client. The mobile device stores a vault encryption key used to decrypt encrypted sensitive data stored on the mobile device. The vault key is encrypted using a first encryption key and stored on the mobile device. The first encryption key is itself encrypted using a second encryption key. The second encryption key is derived from the PIN value.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: November 5, 2019
    Assignee: Symantec Corporation
    Inventors: Shaun Cooley, Brian Powell, Srinivas Chillappa, Michael W. Lo, Mahesh Kamsala
  • Patent number: 10462142
    Abstract: Techniques are disclosed for implementation of a data storage device as a security device for managing access to resources. These techniques can be implemented for multi-factor authentication (MFA) to provide multiple layers of security for managing access to resources in an enterprise and/or a cloud computing environment. As a security device, a storage device can be used as a portable device to provide a point of trust for multi-factor authentication across any client application or device operated to access resources. A storage device may be configured with security data for authentication with an access management system. After configuration, a portable storage device may be used for authentication of a user without credential information at any client device based on accessibility of the device to the portable storage device. A storage device configured as a security device can ensure that legitimate users have an easy way to authenticate and access the resources.
    Type: Grant
    Filed: November 7, 2018
    Date of Patent: October 29, 2019
    Assignee: Oracle International Corporation
    Inventors: Nagaraj Pattar, Harsh Maheshwari
  • Patent number: 10445951
    Abstract: A data acquisition and recording system (DARS) for mobile assets that includes a data recorder. The data recorder includes a data encoder, an onboard data manager, a vehicle event detector, at least one local memory component, and a queuing repository. DARS processes data from at least one input sensor and stores a compressed record of the data at least once per second in the local memory module. DARS is designed to run in near real-time mode, storing a full record comprising five minutes of data to a remote memory module every five minutes, and in real-time mode, streaming data to the remote memory module by uploading a record of data at least once per second and up to once every tenth of a second. Remotely located users can view video, audio, and data acquired by DARS through a web browser, which provides for quicker emergency response, validate the effectiveness of repairs and rerouting, and monitor crew performance and safety.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: October 15, 2019
    Assignee: Wi-Tronix, LLC
    Inventors: Lawrence B. Jordan, Matthew D. Hamsmith
  • Patent number: 10430139
    Abstract: A system for managing multiple independent cockpit displays, comprising: first and second displays configured to receive input and display pages, the pages defined by parameters in a database; and a control system comprising a processor coupled to a memory storing the database, the processor configured to: receive a request to display a first page on the first display; retrieve a flag associated with the first page, the flag being a parameter in the database and indicating whether a page is safe or unsafe for simultaneous display and editing; retrieve group designators associated with the first page and a second page, the group designator being a parameter in the database, the group designator identifying related pages; and control display and editing of pages on the first display based on at least one of: the flag associated with the first page, and the group designators associated with the first and second pages.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: October 1, 2019
    Assignee: Honeywell International Inc.
    Inventor: Kathryn Bates Hill
  • Patent number: 10425321
    Abstract: Methods, systems, and computer readable media for testing time sensitive network (TSN) elements are disclosed. According to one method for testing a TSN element, the method occurs at a test system. The method includes synchronizing a test system clock with a clock at a system under test (SUT). The method also includes receiving a sequence of messages, wherein the sequence of messages is generated using schedule rules associated with a TSN stream. The method further includes determining, using timing information associated with the test system clock, whether the schedule rules are accurately implemented by the SUT.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: September 24, 2019
    Assignee: Keysight Technologies Singapore (Sales) Pte. Ltd.
    Inventors: Vinod Joseph, Alina Crina Balan, Alon Regev, Bogdan Ţenea
  • Patent number: 10417442
    Abstract: In order to provide a server device and the like that are capable of quickly extracting data without need for a client that performs a query of search processing to have a secret key. A server device includes: data storage unit that stores concealed registration data including distribution information of registration data distributed by secret sharing scheme and a ciphertext of the registration data encrypted by searchable encryption; token calculation unit that generates a token for data search of the searchable encryption by communicating with an external server device and performs secret computation by using a search query and the distribution information; and data search unit that performs data search from the token for data search received from the token calculation unit and the concealed registration data acquired from the data storage unit, and outputs a search result.
    Type: Grant
    Filed: February 5, 2016
    Date of Patent: September 17, 2019
    Assignee: NEC CORPORATION
    Inventors: Kazuma Ohara, Toshinori Araki, Jun Furukawa
  • Patent number: 10412070
    Abstract: The present invention is directed to allowing a more secure initial, and continuous authentication of virtual private network (VPN) tunneling. The device of the present invention contains its own microprocessor and operating system which connects to the host system via a universal serial bus (USB) or another coupling mode. The present invention involves executing and storing of the VPN software, certificates, credentials and sensors on the device, which allows for more security and manageability as opposed to executing the VPN on the host system. The device continuously authenticates the presence of the user via biometrics or the presence of a second device, including a smartphone, a smartwatch, an NFC ring or a custom device with a microprocessor, via Quick Response (QR) Codes, Near-Field Communication (NFC) or Bluetooth Low Energy (LE) proximity authentication to activate or deactivate the VPN tunnel.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: September 10, 2019
    Assignee: NOA, Inc.
    Inventors: Mark McNeely, Michael McNeely
  • Patent number: 10402211
    Abstract: Disclosed is a method for processing innovation-creativity data information, a user equipment (UE) and a cloud server, which provide a user with an integrated data information collecting mode, allowing that innovation-creativity data information of a user be collected anytime, anywhere, through various means, and be sent to a cloud. A first data string is generated based on the data information, and preserving information returned from the cloud is received, which includes the first data string or a second data string. The first data string enables verification of data information integrity, ensuring integrity of the data information. The second data string includes trusted time information issued by a trusted time issuing device based on time when the first data string is received. The data information goes through a data-oriented online processing, realizing seamlessly connected IP services for real-time protection of innovation and creativity.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: September 3, 2019
    Assignee: INNO STREAM TECHNOLOGY CO., LTD.
    Inventor: Yizhong Lu
  • Patent number: 10402574
    Abstract: Various embodiments are generally directed to techniques for multi-domain memory encryption, such as with a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a multi-domain encryption system that provides one or more of memory encryption, integrity, and replay protection services to a plurality of cryptographic domains. In one embodiment, for example, an apparatus may comprise a memory and logic for an encryption engine, at least a portion of the logic implemented in circuitry coupled to the memory. In various embodiments, the logic may receive a memory operation request associated with a data line of a set of data lines stored in a protected memory separate from the memory.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: September 3, 2019
    Assignee: INTEL CORPORATION
    Inventors: Siddhartha Chhabra, David M. Durham
  • Patent number: 10402268
    Abstract: A method begins with a computing device receiving a request to acquire digital content from a digital content provider and forwarding the request to a dispersed storage network (DSN) pre-paid module. The method continues with the DSN pre-paid module validating the request, generating a plurality of sets of at least a threshold number of digital content read requests, and sending the plurality of sets of the at least a threshold number of digital content read requests to the digital content provider via the computing device when the request to acquire the digital content is validated. The method continues with at least one of the DSN pre-paid module and the computing device receiving a plurality of sets of at least a decoded threshold number of encoded data slices and decoding the plurality of sets of the at least a decoded threshold number of encoded data slices to produce the digital content.
    Type: Grant
    Filed: January 10, 2012
    Date of Patent: September 3, 2019
    Assignee: PURE STORAGE, INC.
    Inventors: Gary W. Grube, Timothy W. Markison, Greg Dhuse, Jason K. Resch, Ilya Volvovski, Wesley Leggette
  • Patent number: 10404669
    Abstract: A wildcard searchable encryption method enables wildcard search of encrypted text in a cloud-stored encrypted document. In some embodiments, the wildcard searchable encryption method is implemented in a network intermediary, such as a proxy server. The network intermediary encrypts documents on behalf of a user or an enterprise destined to be stored on a cloud service provider. The wildcard searchable encryption method performs keyword pre-processing of the document to be encrypted to generate a set of keyword-wildcard combinations in plaintext for some or all of the keywords in the document. The processed document is encrypted using an exact match searchable encryption algorithm. As a result of the encryption process, a search index is generated to include the keyword-wildcard combinations. As thus configured, the wildcard searchable encryption method enables wildcard search of the encrypted text, such as searches for prefixes or suffixes of the keywords.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: September 3, 2019
    Assignee: Skyhigh Networks, LLC
    Inventor: Hani T. Dawoud
  • Patent number: 10388408
    Abstract: Methods and systems provide secure data transmission from a mobile device to a central computer system over a communication network. The method includes executing a first computer program in the mobile device and allocating by the first computer program a volatile memory space in the mobile device for a defined session. The method includes storing data in the allocated volatile memory space. The method includes transmitting the stored data to the central computer using a secure transmission protocol over the communication network. The method includes de-allocating by the first computer program the volatile memory space at the termination of the session. The de-allocation erases the transmitted data from the volatile memory space.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: August 20, 2019
    Assignee: MD Cloud Practice Solutions, L.L.C.
    Inventors: Federico Osorio, Andres Gutierrez Ovalles
  • Patent number: 10374792
    Abstract: A system, computer program product, and computer-executable method of providing a layout-independent cryptographic stamp of a distributed data set from a data storage system, the system, computer program product, and computer-executable method comprising receiving a request for a cryptographic stamp of the distributed data set, creating a hash of each slice of the distributed data set, and using each hash from each slice of the distributed data set to create the cryptographic stamp of the distributed data set.
    Type: Grant
    Filed: September 29, 2016
    Date of Patent: August 6, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: David Meiri, Xiangping Chen, William R. Stronge, Felix Shvaiger
  • Patent number: 10375101
    Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of system calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: August 6, 2019
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
  • Patent number: 10375210
    Abstract: The present disclosure provides a method for accessing digital web content. It provides for selective access rights for users to web content. When the user tries to retrieve the data, the system checks for the rights available to the user, and accordingly implements the access before providing the content.
    Type: Grant
    Filed: March 19, 2015
    Date of Patent: August 6, 2019
    Assignee: Infosys Limited
    Inventors: Shikha Gupta, Ravi Sankar Veerubhotla, Ashutosh Saxena, Harigopal K. B. Ponnapalli
  • Patent number: 10355862
    Abstract: Disclosed is a MAC tag list generating apparatus capable of efficiently performing message authentication through which information pertaining to a falsified position as well as existence of falsification can be obtained. This MAC tag list generating apparatus is provided with: a group test matrix generating means for generating a group test matrix W, which is a parameter of a combined group test, on the basis of a plurality of items obtained by dividing an obtained message M; and a MAC tag list generating means that, while sharing results obtained by applying a pseudo random function to the items forming each row of the generated group test matrix W, sums the results, and then applies the summed results to pseudo random permutation to generate a MAC tag list T, which is a MAC tag list pertaining to the message M.
    Type: Grant
    Filed: October 16, 2015
    Date of Patent: July 16, 2019
    Assignee: NEC CORPORATION
    Inventor: Kazuhiko Minematsu
  • Patent number: 10354081
    Abstract: Interprocess communication between processes that run on a host operating system of a computer is performed by way of a protected temporary file. File access operation on the temporary file is hooked to detect writing to the temporary file. When a process writes a message to the temporary file, a verification is performed to determine whether or not the process is authorized to access the temporary file. When the process is authorized to access the temporary file, the process is allowed to write the message to the temporary file. This allows another process that is intended to receive the message to read the message from the temporary file and act on the message. Otherwise, when the process is not authorized to access the temporary file, the process is blocked from writing the message to the temporary file.
    Type: Grant
    Filed: January 5, 2017
    Date of Patent: July 16, 2019
    Assignee: TREND MICRO INCORPORATED
    Inventors: Chuan Jiang, Weichao Dai, Zhifeng Du, Yuncao Tian, Sen Jiang
  • Patent number: 10356618
    Abstract: Methods, systems and apparatus for securing credential distribution are disclosed. One method includes receiving, by a cloud system, a notification from a credential management system that a wireless device is associated with an authenticated user of the credential management system, wherein the credential management system stores private network credentials of the authenticated user, and wherein the cloud system further receives an identifier of the wireless device with the notification, authenticating, by the cloud system, the wireless device, receiving, by the cloud system, a request from the wireless device for private network credentials, and distributing, by the cloud system, the private network credentials to the wireless device, thereby allowing the wireless device to obtain local network access with the private network credentials.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: July 16, 2019
    Assignee: Cirrent, Inc.
    Inventors: Robert A. Conant, Barbara Nelson
  • Patent number: 10354089
    Abstract: Responding to a data subject access request includes receiving the request and validating an identity of the requestor. In response to validating the identity of the requestor, a computer processor determines whether the data subject access request is subject to fulfillment constraints. If so, then the computer processor notifies the requestor that the data subject access request is subject to one or more limitations and the computer processor takes action based on those limitations. Fulfillment constraint data is updated and maintained in a database or server.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: July 16, 2019
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jason L. Sabourin, Jonathan Blake Brannon, Mihir S. Karanjkar, Kevin Jones
  • Patent number: 10333938
    Abstract: A method of creating, at a permissions management resource, access permissions relating to a subject device for at least one data processing device, the method comprising: obtaining, at the permissions management resource, input data; generating, at the permissions management resource, at least one permission relating to accessing the subject device in response to the input data; transmitting, from the permissions management resource to the subject device and/or the at least one processing device, a communication comprising the at least one permission.
    Type: Grant
    Filed: January 20, 2016
    Date of Patent: June 25, 2019
    Assignees: ARM Limited, ARM IP Limited
    Inventors: Remy Pottier, Hugo John Martin Vincent, Amyas Edward Wykes Phillips, Christopher Mark Paola, Milosch Meriac
  • Patent number: 10331618
    Abstract: A file discovery method, comprising receiving file discovery data comprising, for each of a plurality of files, discovery information and signature data, the discovery information for a first file of the plurality of files being indicative of at least one directory to be scanned for another of the plurality of files relative to a first directory, scanning, in a first scanning operation, a file system for the first file, and scanning, in a second scanning operation subsequent to the first scanning operation, the at least one directory for a second file matching signature data comprised by the file discovery data using a path to the first file as the first directory.
    Type: Grant
    Filed: October 16, 2013
    Date of Patent: June 25, 2019
    Assignee: International Business Machines Corporation
    Inventors: Grzegorz Majka, Artur Obrzut, Ryszard Olkusnik, Jacek Stezowski
  • Patent number: 10326679
    Abstract: An automated security survey generator for provisioning services in a cloud environment. Services, including infrastructure services, provided by the cloud are provisioned from blueprints. A survey is attached to each of the blueprints. When a service is provisioned, the attached survey is executed such that questions are presented to a requestor. Responses to the questions and actions are evaluated and actions associated with the responses are performed. The survey can prevent the service from being provisioned.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: June 18, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: John Currie
  • Patent number: 10318732
    Abstract: The present disclosure provides a method and system for transforming web application output that is vulnerable to XSS attacks to CSP-compliant web application output. This transformation is accomplished by parsing the output code to identify headers and script and splitting the headers and script to form CSP-compliant web application output.
    Type: Grant
    Filed: September 18, 2015
    Date of Patent: June 11, 2019
    Assignee: TREND MICRO INCORPORATED
    Inventor: Kenny MacDermid
  • Patent number: 10313319
    Abstract: Performing cryptographic operations such as encryption and decryption may be computationally expensive. In some contexts, initialization vectors and keystreams operable to perform encryption operations are generated and stored in a repository, and later retrieved for use in performing encryption operations. Multiple devices in a distributed system can each generate and store a subset of a larger set of keystreams.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: June 4, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Matthew John Campagna
  • Patent number: 10313334
    Abstract: Implementations of a system and method of generating and using bilaterally generated variable instant passwords are disclosed. The system is used to secure electronic transactions (e.g., an auction in which one or more bidders are unknown to the auctioneer). In this system an Internet Service Provider (ISP), on request from a USER (e.g., a bidder), facilitates an authentication process with a SERVICE PROVIDER (e.g., an auctioneer). The SERVICE PROVIDER may send a sub-folder, containing a USER name, a temporary sub variable character set, and a CALL, to the USER through the ISP. The password used to access the sub-folder is transmitted directly to the USER by the SERVICE PROVIDER. The USER gets authenticated to the SERVICE PROVIDER by using the USER name, the temporary sub variable character set, and the CALL retrieved from the sub-folder. After USER's authentication, further transactions (e.g., bids) are performed using a password for each transaction.
    Type: Grant
    Filed: September 23, 2017
    Date of Patent: June 4, 2019
    Inventor: Abdul Rahman Syed Ibrahim Abdul Hameed Khan
  • Patent number: 10310880
    Abstract: Systems and methods for hot-swapping storage pool backend functional modules of a host computer system. An example method may comprise: identifying, by a processing device of a host computer system executing a virtual machine managed by a virtual machine manager, a storage pool backend functional module; and activating the identified storage pool backend functional module by directing, to the identified storage pool backend functional module, backend storage function calls.
    Type: Grant
    Filed: February 19, 2015
    Date of Patent: June 4, 2019
    Assignee: Red Hat, Inc.
    Inventor: Federico Simoncelli
  • Patent number: 10305929
    Abstract: According to one example, a system and method are disclosed for malware and grayware remediation. For example, the system is operable to identify applications that have some legitimate behavior but that also exhibit some undesirable behavior. A remediation engine is provided to detect malware behavior in otherwise useful applications, and allow the useful parts of the application to run while blocking the malware behavior. In an example method of “healing,” this may involve modifying the application binary to remove undesirable behavior. In an example method of “personalization,” this may involve inserting control hooks through the operating system to prevent certain subroutines from taking effect.
    Type: Grant
    Filed: December 21, 2013
    Date of Patent: May 28, 2019
    Assignee: McAfee, LLC
    Inventors: Dattatraya Kulkarni, Srikanth Nalluri, Raja Sinha, Venkatasubrahmanyam Krishnapur
  • Patent number: 10289844
    Abstract: A method for safeguarding a stored file from malware. In one embodiment, the method includes at least one computer processor receiving, to a storage system, a first file from a first computing device. The method further includes analyzing the received first file to determine whether the received first file is suspected of encryption by malware. The method further includes responding to determining that the received first file is suspected of encryption by malware, initiating one or more actions, including suspending replacement of an instance of the first file backed up to the storage system with the received first file. The method further includes storing the received first file to a portion of the storage system designated for file isolation.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: May 14, 2019
    Assignee: International Business Machines Corporation
    Inventors: Graham C. Charters, Bret W. Dixon, Benjamin T. Horwood, Alexander H. Poga, Mark A. Shewell
  • Patent number: 10289845
    Abstract: A method for safeguarding a stored file from malware. In one embodiment, the method includes at least one computer processor receiving, to a storage system, a first file from a first computing device. The method further includes analyzing the received first file to determine whether the received first file is suspected of encryption by malware. The method further includes responding to determining that the received first file is suspected of encryption by malware, initiating one or more actions, including suspending replacement of an instance of the first file backed up to the storage system with the received first file. The method further includes storing the received first file to a portion of the storage system designated for file isolation.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: May 14, 2019
    Assignee: International Business Machines Corporation
    Inventors: Graham C. Charters, Bret W. Dixon, Benjamin T. Horwood, Alexander H. Poga, Mark A. Shewell
  • Patent number: 10284641
    Abstract: Obligatorily-acquired digital content items are stored under service control in one or more local storage machines of a computer based on service commands provided by a centralized management service; and voluntarily-acquired digital content items are stored under user control in the one or more local storage machines of the computer based on user commands. The obligatorily-acquired digital content items are protected from user-commanded deletion. The obligatorily-acquired digital content items are deleted from the one or more local storage machines based on service commands provided by the centralized management service. However, the voluntarily-acquired digital content items are deleted from the one or more local storage machines based on user commands.
    Type: Grant
    Filed: April 27, 2017
    Date of Patent: May 7, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Alexander Burba, Brandon Hunt, Michael Gallop, Scott Rosemund, Frank R. Morrison, III, Mark J. McNulty, Nima Ganjeh
  • Patent number: 10275603
    Abstract: A digital escrow pattern and trustworthy platform is provided for data services including mathematical transformation techniques, such as searchable encryption techniques, for obscuring data stored at a remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Using the techniques of a trustworthy platform, data (and associated metadata) is decoupled from the containers that hold the data (e.g., file systems, databases, etc.) enabling the data to act as its own custodian through imposition of a shroud of mathematical complexity that is pierced with presented capabilities, such as keys granted by a cryptographic key generator of a trust platform. Sharing of, or access to, the data or a subset of that data is facilitated in a manner that preserves and extends trust without the need for particular containers for enforcement.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: April 30, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Rahul V. Auradkar, Roy Peter D'Souza, Darrell J. Cannon
  • Patent number: 10268806
    Abstract: Techniques for ensuring that media playback proceeds sequentially through media content of a digital media asset are disclosed. In one embodiment, distinct portions (e.g., segments) of a digital media asset can be separately encrypted such that on playback decoded data being output from at least one prior portion can be used to derive a cryptographic key that is used in decrypting a subsequent portion of the digital media asset.
    Type: Grant
    Filed: July 6, 2015
    Date of Patent: April 23, 2019
    Assignee: Apple Inc.
    Inventors: Aram Lindahl, Bryan J. James