File Protection Patents (Class 713/165)
  • Patent number: 10268832
    Abstract: Systems are provided for the streaming authentication of encrypted data. In streaming authentication, the authentication and decryption of a data file is performed in a streaming manner. The data file can be stored as a collection of discrete encrypted portions. When the data file is to be accessed, it can be authenticated in a streaming manner, as discrete portions of the large file are loaded from storage or transmitted to other systems.
    Type: Grant
    Filed: June 26, 2017
    Date of Patent: April 23, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Nick Ciubotariu, Brett Lounsbury
  • Patent number: 10248808
    Abstract: A method, a computing system and a computer program product are provided. A link for use by a user to access a file is created. Content of the file is encrypted using a common key. The common key is encrypted using a public key of the user and is registered in the link. Access rights regarding the file are set for the user and registered in the link. The link includes information for use by the user to access the file when the access rights indicate that the user is authorized to access the file.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: April 2, 2019
    Assignee: International Business Machines Corporation
    Inventors: Junichi Kato, Takayuki Kushida, Tomoko Murayama, Masaharu Sakamoto, Kazuto Yamafuji
  • Patent number: 10235534
    Abstract: In various embodiments, a data subject request fulfillment system may be adapted to prioritize the processing of data subject access requests based on metadata of the data subject access request. For example, the system may be adapted for: (1) in response to receiving a data subject access request, obtaining metadata regarding the data subject; (2) using the metadata to determine whether a priority of the data subject access request should be adjusted based on the obtained metadata; and (3) in response to determining that the priority of the data subject access request should be adjusted based on the obtained metadata, adjusting the priority of the data subject access request.
    Type: Grant
    Filed: August 3, 2018
    Date of Patent: March 19, 2019
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jason L. Sabourin, Jonathan Blake Brannon, Mihir S. Karanjkar, Kevin Jones
  • Patent number: 10229285
    Abstract: The invention performs anonymous read/write accesses of a set of user devices to a server. Write accesses of the user devices of the set comprise generating an encrypted file by an anonymous encryption scheme; computing a pseudorandom tag; indexing the encrypted file with the tag as user set index of the user set and writing the encrypted file and the associated tag to a storage system of the server. Read accesses of the user devices of the set comprise downloading tag data corresponding to a plurality of tags from the server, the tag data enabling the user devices of a respective set to recognize so-called “own” tags computed by one of the user devices of the respective set of user devices; determining the own tags among the plurality of tags; reading one or more encrypted files associated to the own tags; and decrypting the encrypted files.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: March 12, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jan L. Camenisch, Maria Dubovitskaya, Anja Lehmann, Gregory Neven
  • Patent number: 10229193
    Abstract: Described herein is a framework for collecting event related tweets. In accordance with one aspect of the framework, an initial set of keywords is constructed from a reference source. Tweets are collected from a messaging stream using the initial set of keywords for a first time window. The collected tweets are filtered to generate a candidate keywords set. The selected tweets of the candidate keywords set are grouped into a plurality of clusters. The clusters are classified into event related and non-event related clusters. The initial set of keywords is updated to obtain a new set of keywords.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: March 12, 2019
    Assignee: SAP SE
    Inventors: Xin Zheng, Aixin Sun
  • Patent number: 10218387
    Abstract: A system and method of utilizing ECC memory to detect software errors and malicious activities is disclosed. In one embodiment, after a pool of memory is freed, every data word in that pool is modified to ensure that an ECC error will occur if any data word in that pool is read again. In another embodiment, the ECC memory controller is used to detect and prevent non-secure applications from accessing secure portions of memory.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: February 26, 2019
    Assignee: Silicon Laboratories Inc.
    Inventor: Thomas S. David
  • Patent number: 10212085
    Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: February 19, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Deepak Bansal, Parveen Patel, Albert Greenberg
  • Patent number: 10209915
    Abstract: An electronic device is provided. The electronic device includes at least one first memory being nonvolatile and a processor configured to read a file from the first memory or to write a file on the first memory. The first memory stores instructions, the instructions, when executed, causing the processor to provide a software layer structure including a first virtual file system layer configured to interface with an application program layer, a compressed file system layer configured to compress at least a part of data of the written file or to decompress at least a part of data of the read file, a second virtual file system layer configured to manage the written or read file, and a first file system layer configured to read at least a part of the file from the first memory or to write at least a part of the file on the first memory.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: February 19, 2019
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sung Hwan Yun, Woo Joong Lee, Sei Jin Kim, Min Jung Kim, Jong Min Kim, Sung Jong Seo, Jun Beom Yeom, Sang Woo Lee, Jong Woo Hong
  • Patent number: 10204106
    Abstract: A computer stores a file in a folder. The computer executes a process including acquiring identification information of files included in a single archive file, when the folder stores the single archive file, the single archive file being generated by integrating the files and performing a compression process, or by integrating the files; outputting the acquired identification information of the files as candidates that may be associated with another folder, file, or an individual data object in another file, which is managed by the computer; and storing association information with respect to one of the files which is specified to be associated with another folder, file, or an individual data object included in another file, the association information being information for associating the one of the files with another folder, or file, or an individual data object included in another file, which is a target of association.
    Type: Grant
    Filed: January 13, 2015
    Date of Patent: February 12, 2019
    Assignees: FUJITSU LIMITED, HONDA MOTOR CO., LTD.
    Inventors: Naoki Hashiguchi, Kou Kawanobe, Hiroshi Ishida
  • Patent number: 10192074
    Abstract: Techniques describe preventing sensitive data from being misappropriated during a clipboard operation. A copy operation for data being copied to a clipboard is intercepted. Information describing a first application from which the data was copied is retrieved. The data and the information are stored into the clipboard. A paste operation is evaluated based on the data, and the information is evaluated against a policy to determine whether the paste operation should be blocked.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: January 29, 2019
    Assignee: Symantec Corporation
    Inventors: Sumit Manmohan Sarin, Sumant Modak, Amit Shinde, Bishnu Chaturvedi
  • Patent number: 10192278
    Abstract: A traceable data audit apparatus, method, and non-transitory computer readable storage medium thereof are provided. The traceable data audit apparatus is stored with an original data set. The original data set includes a plurality of records and is defined with a plurality of fields. Each of the records has a plurality of items corresponding to the fields one-on-one. The fields are classified into an identity sensitive subset and an identity insensitive subset. The traceable data audit apparatus generates a released data set by applying a de-identification operation to each of the items corresponding to the fields in the identity sensitive subset and stores an audit log of the original data set. The audit log includes a date, a consumer identity, an identity of the original data set, and a plurality of evidences. Each of the evidences is one of the records of the released data set.
    Type: Grant
    Filed: March 16, 2016
    Date of Patent: January 29, 2019
    Assignee: Institute For Information Industry
    Inventors: Yen-Hung Kuo, Tzu-Wei Yeh, Guang-Yan Zheng
  • Patent number: 10186266
    Abstract: Methods and systems for providing message playback using a shared electronic device are described herein. In response to receiving a request to output messages, a speech-processing system may determine a group account associated with a requesting device, and may determine messages stored by a message data store for the group account. Speaker identification processing may also be performed to determine a speaker of the request. A user account associated with the speaker, and messages stored for the user account, may be determined. A summary response indicating the user account's messages and the group account's message may then be generated such that the user account messages are identified prior to the group account's messages. The messages may then be analyzed to determine an appropriate voice user interface for the requester such that the playback of the messages using a shared electronic device is more natural and conversational.
    Type: Grant
    Filed: December 28, 2016
    Date of Patent: January 22, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Christo Frank Devaraj, Brian Oliver, Sumedha Arvind Kshirsagar, Gregory Michael Hart, Ran Mokady
  • Patent number: 10187428
    Abstract: Disclosed are various embodiments for active data that tracks usage. The active data includes instructions that are executable by a computing device. The computing device is scanned to identify characteristics of the computing device. The characteristics of the computing device are utilized to determine whether the usage of the active data is authorized. Data is transmitted to a network service, including identifying information for the particular computing device and data that identifies a deployment of the active data.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: January 22, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Harsha Ramalingam, Dominique Imjya Brezinski, Jesper Mikael Johansson, Jon Arron McClintock, James Connelly Petts
  • Patent number: 10182049
    Abstract: Implementations of a system and method of generating and using bilaterally generated variable instant passwords are disclosed. In some implementations, a computer implemented method of Authenticated Dialogue Initiation between a USER and another party is provided. In some implementations, the USER may attempt to establish a connection with another party at their IP address; the other party may be known or unknown by the USER. In this implementation, a publicly available authentication device, comprised of a variable character set, is used to generate a CALL for a password. The password is used to authenticate the other party; authentication is completed once the correct password is received from the IP address of the party contacted by the USER. In some implementations, Authenticated Dialogue Initiation may be used to control (e.g., grant, deny, and/or limit) another party's access to the USER's computer system.
    Type: Grant
    Filed: September 23, 2017
    Date of Patent: January 15, 2019
    Inventor: Abdul Rahman Syed Ebrahim Abdul Hameed Khan
  • Patent number: 10182387
    Abstract: Aspects of the subject disclosure may include, for example, predicting opportunities for a mobile communication device to access a network via available pathways during a first time period according to a history of network connectivity of the mobile communication device, selecting a first pathway of the available pathways according to the opportunities that are predicted for the mobile communication device to access the network via the available pathways during the first time period, and directing transmission of first data to the mobile communication device via the first pathway during the first time period, wherein a presence of a second data at the mobile communication device enables an application to access the first data at the mobile communication device. Other embodiments are disclosed.
    Type: Grant
    Filed: June 1, 2016
    Date of Patent: January 15, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: James G. Beattie, Jr.
  • Patent number: 10178499
    Abstract: Various embodiments may provide systems and methods for achieving continuous measurements (e.g., continuous video images) of the same spot on the Earth using Low Earth Orbit (LEO) satellite constellations and/or Middle Earth Orbit (MEO) satellite constellations. Various embodiments may provide a system of Virtual Low Earth Orbit (LEO) Stationary Satellites (VLSSs) over any area of the Earth for a continuous or a periodic amount of time.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: January 8, 2019
    Assignee: THE UNITED STATES OF AMERICA AS REPRESENTED BY THE ADMINISTRATOR OF NASA
    Inventors: Curtis R. Regan, Stephen J. Horan
  • Patent number: 10178127
    Abstract: A method is provided for securing a mobile communications device to a level required for accessing a network, for example a secured enterprise network, by means of a public network such as the Internet. A mobile communications device is also provided incorporating functionality to enable centralized control over the configuration of the mobile device and thereby to control the actions of users of that device and of applications software that may be installed and executed on that device. Furthermore, a system is provided to implement a mobile communications infrastructure for an enterprise network with centralized control over the configuration of mobile communications devices within the system.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: January 8, 2019
    Assignee: BAE Systems plc
    Inventors: Owain Thomas James Davies, Andrew John Roberts
  • Patent number: 10178077
    Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: January 8, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Todd Lawrence Cignetti, Eric Jason Brandwine, Robert Eric Fitzgerald, Andrew J. Doane
  • Patent number: 10171585
    Abstract: Provided are a method, a system, and a computer program product in which a computational device stores a first part of data in a first cloud storage maintained by a first entity. A second part of the data is stored in a second cloud storage maintained by a second entity.
    Type: Grant
    Filed: December 7, 2015
    Date of Patent: January 1, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Matthew G. Borlick, Lokesh M. Gupta, Roger G. Hathorn, Karl A. Nielsen
  • Patent number: 10169609
    Abstract: Responding to a data subject access request includes receiving the request and validating an identity of the requestor. In response to validating the identity of the requestor, a computer processor determines whether the data subject access request is subject to fulfillment constraints. If so, then the computer processor notifies the requestor that the data subject access request is subject to one or more limitations and the computer processor takes action based on those limitations. Fulfillment constraint data is updated and maintained in a database or server.
    Type: Grant
    Filed: August 3, 2018
    Date of Patent: January 1, 2019
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jason L. Sabourin, Jonathan Blake Brannon, Mihir S. Karanjkar, Kevin Jones
  • Patent number: 10162971
    Abstract: In some embodiments, a first device may generate a data block for an ordered set of data blocks such that the data block is cryptographically chained to a given data block preceding the data block in the ordered set. The first device may obtain an encryption key used to encrypt information related to the data block, and use group members' keys to encrypt the encryption key to generate a group key. As an example, the group's members may include a first member associated with the first device and other members. The keys used to encrypt the encryption key may include the other members' keys. The first device may transmit the ordered set and the group key to a communication resource (e.g., accessible by the members). Other devices (associated with the other members) may use the ordered set and the group key to obtain content related to the ordered set.
    Type: Grant
    Filed: April 13, 2018
    Date of Patent: December 25, 2018
    Assignee: TOPIA TECHNOLOGY, INC.
    Inventors: John Haager, Cody Sandwith, Janine Terrano, Prasad Saripalli
  • Patent number: 10153900
    Abstract: A method of restoring confidential information items of a first device to a second device by using a set of servers. The method generates a public and private key pair and ties the private key to the hash of executable code of the servers at the time of generating the public and private keys. The method receives the encrypted confidential information items in a secure object which is encrypted with a user-specific key and the public key. The method only provides the confidential information to the second device when the second device provides the same user-specific key as the key that encrypts the secure object and the hash of the executable code of the servers at the time of accessing the private key to decrypt the secure object matches the hash of the executable code running on the servers at the time of generating the private key.
    Type: Grant
    Filed: October 11, 2017
    Date of Patent: December 11, 2018
    Assignee: Apple Inc.
    Inventors: Dallas B. De Atley, Jerrold V. Hauck, Mitchell D. Adler
  • Patent number: 10152530
    Abstract: A control point module may receive information associated with a plurality of users accessing a plurality of files. Each of the files may be stored in a folder of the plurality of folders. Users who have accessed one or more files stored in a folder may be assigned to each corresponding folder. Users who have been assigned to each folder of a plurality of pairs of the folders may be compared to identify one or more differences of assigned users between each folder of each pair of the folders. Furthermore, a recommended control point may be determined based on the identified one or more differences of the assigned users.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: December 11, 2018
    Assignee: Symantec Corporation
    Inventors: Michael Andrew Hart, Anantharaman Ganesh
  • Patent number: 10153896
    Abstract: A method of encrypting data transmitted from a first device to a second device, performed by using an Advanced Encryption Standard (AES) encryption algorithm, includes obtaining size information of an encryption key and size information of data that is to be encrypted and includes a plurality of bits; encrypting a first bit group, which is at least one bit corresponding to a size of the encryption key, among the plurality of bits, by using the encryption key; selecting a third bit group, which is at least one bit of the encrypted first bit group based on size information of the encryption key and a size of a second bit group including bits that are different from the first bit group among the plurality of bits; and encrypting the second bit group and the selected third bit group by using the encryption key.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: December 11, 2018
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventor: Han-gil Moon
  • Patent number: 10154037
    Abstract: Techniques are disclosed for implementation of a data storage device as a security device for managing access to resources. These techniques can be implemented for multi-factor authentication (MFA) to provide multiple layers of security for managing access to resources in enterprise and/or cloud computing environments. As a security device, a storage device can be used as a portable device to provide a point of trust for multi-factor authentication across any client application or device operated to access resources. A storage device may be configured with security data for authentication with an access management system. After configuration, a portable storage device may be used for authentication of a user without credential information at any client device based on accessibility of the device to the portable storage device. A storage device configured as a security device can ensure that legitimate users have an easy way to authenticate and access the resources.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: December 11, 2018
    Assignee: Oracle International Corporation
    Inventors: Nagaraj Pattar, Harsh Maheshwari
  • Patent number: 10146961
    Abstract: Described embodiments provide systems and methods for encrypting journal data of a storage system. At least one key is generated, each key having an associated key identifier. The at least one key and the associated key identifiers are stored to a key store. User data is read from a replica volume of the storage system. The read user data is encrypted with an associated key. Encrypted data is written to a journal associated with the replica volume. The key identifier of the associated key is written to the journal.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: December 4, 2018
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Leehod Baruch, Assaf Natanzon, Jehuda Shemer, Amit Lieberman, Ron Bigman
  • Patent number: 10148433
    Abstract: A method and apparatus of enabling access to a resource secured with a shared access control mechanism is provided. The method includes providing a public key and an authentication protected private key for a user. The private key is released to the user after receiving correct authentication. In one embodiment, the authentication may be one or more of a password, pass phrase, biometric, and smart card. The private key may be used to release the shared access control mechanism for the resource. In one embodiment, a plurality of users may have their private key provide access to the shared access control mechanism.
    Type: Grant
    Filed: October 14, 2009
    Date of Patent: December 4, 2018
    Assignee: DigitalPersona, Inc.
    Inventors: Kirill Lozin, Sergei Menchenin
  • Patent number: 10140477
    Abstract: A method for obfuscating keys is provided. The method includes identifying that a memory is subject to one of a core dump or a hibernation and overwriting a key in unencrypted form in the memory, responsive to the identifying, wherein at least one method operation is performed by a processor. A system and a computer readable media are also provided.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: November 27, 2018
    Assignee: THALES E-SECURITY, INC.
    Inventors: Ramaraj Pandian, Rohan Nandode, Rajesh Gupta
  • Patent number: 10140451
    Abstract: A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue.
    Type: Grant
    Filed: January 16, 2014
    Date of Patent: November 27, 2018
    Assignee: McAfee, LLC.
    Inventors: Chong Xu, Bing Sun, Navtej Singh, Yichong Lin, Zheng Bu
  • Patent number: 10135871
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for service oriented software-defined security framework are disclosed. In one aspect, a system includes a security control device, one or more assets, and a security controller that communicates with the security control device and the one or more assets. The security controller includes a processing engine configured to register the security control device by creating a physical-logical attribute mapping for the security control device, and generating a security service description associated with the security control device. The processing engine is further configured to register the one or more assets by creating a physical-logical attribute mapping for each of the one or more assets, and generating security service requirements for each of the one or more assets. The processing engine is further configured to generate a security service binding based on a request for service.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: November 20, 2018
    Assignee: Accenture Global Solutions Limited
    Inventors: Song Luo, Malek Ben Salem
  • Patent number: 10134042
    Abstract: A computer system for processing vehicle ownership support data includes an infrastructure platform which includes a plurality of hardware and software components, infrastructure services, APIs, and SDKs adapted to communicate in a communication network. The infrastructure platform receives telematics data such as vehicle identification data, driving performance data, vehicle operation data and vehicle sensor data for a corresponding vehicle. Such telematics data can be received from a vehicle device (Onboard Device (OBD)), or from a cloud-based telematics platform. The infrastructure platform identifies vehicle ownership support services associated with the at least one vehicle and analyzes the received telematics data associated with the identified services. The infrastructure platform provides vehicle ownership support services to a mobile application accessible at a customer's mobile device associated with the vehicle or the customer.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: November 20, 2018
    Assignee: United Services Automobile Association (USAA)
    Inventors: Bharat Prasad, Charles L. Oakes, III
  • Patent number: 10120984
    Abstract: An information processing apparatus includes a data processing unit which executes processing for decoding and reproducing encrypted content. The data processing unit executes processing for determining whether the content can be reproduced by applying an encrypted content signature file. The encrypted content signature file stores information on issue date of the encrypted content signature file and an encrypted content signature issuer certificate with a public key of an encrypted content signature issuer. In determining whether the content can be reproduced, the data processing unit compares expiration date of the encrypted content signature issuer certificate with the information on issue date of the encrypted content signature file, and does not perform processing for decoding and reproducing the encrypted content when the expiration date is before the issue date, and performs the processing for decoding and reproducing the encrypted content only when the expiration date is not before the issue date.
    Type: Grant
    Filed: November 6, 2012
    Date of Patent: November 6, 2018
    Assignee: Sony Corporation
    Inventors: Yoshiyuki Kobayashi, Hiroshi Kuno, Takamichi Hayashi
  • Patent number: 10122753
    Abstract: A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
    Type: Grant
    Filed: April 28, 2014
    Date of Patent: November 6, 2018
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 10116688
    Abstract: The disclosed computer-implemented method for detecting potentially malicious files may include (1) detecting an attempt by the computing device to execute a file, (2) prior to execution of the file, determining that a filename of the file contains a combination of characters indicative of a false filename extension included within a middle section of the filename, (3) determining, based at least in part on the false filename extension being included within the middle section of the filename, that the file is potentially malicious, and then in response to determining that the file is potentially malicious, (4) preventing the computing device from executing the file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: October 30, 2018
    Assignee: Symantec Corporation
    Inventor: James Yun
  • Patent number: 10114969
    Abstract: The system and method presents a secure blockchain enabled encryption. Incoming information and data files may be encrypted using any preferred method of encryption, then sliced into segments, each segment of which is hashed and encrypted onto one or more blockchains depending upon the size of the segments desired. A retrieval and recombination mechanism is employed to quickly locate and decrypt all of the segments of each information file such that the blockchain distributed across multiple servers, including cloud-based servers. Upon request, the encrypted blockchain segments may also be shared among multiple users without compromising the encryption of the information file.
    Type: Grant
    Filed: August 3, 2016
    Date of Patent: October 30, 2018
    Inventors: Jordan White Chaney, Charlie Housholder, William Krut, Christian Nimsch, Bryce Nelson Chaney
  • Patent number: 10104107
    Abstract: Various embodiments include methods of evaluating device behaviors in a computing device and enabling white listing of particular behaviors. Various embodiments may include monitoring activities of a software application operating on the computing device, and generating a behavior vector information structure that characterizes a first monitored activity of the software application. The behavior vector information structure may be applied to a machine learning classifier model to generate analysis results. The analysis results may be used to classify the first monitored activity of the software application as one of benign, suspicious, and non-benign. A prompt may be displayed to the user that requests that the user select whether to whitelist the software application in response to classifying the first monitored activity of the software application as suspicious or non-benign. The first monitored activity may be added to a whitelist of device behaviors in response to receiving a user input.
    Type: Grant
    Filed: September 10, 2015
    Date of Patent: October 16, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Vinay Sridhara, Yin Chen, Rajarshi Gupta
  • Patent number: 10102517
    Abstract: A request to make a purchase from a mobile device of a first entity is detected. In response to the detected request, a determination is made whether the first entity has a subservient relationship with a second entity. In response to a determination that the first entity has the subservient relationship with the second entity, another determination is made whether the first entity is located proximate to the second entity. A first set of purchasing limitations is applied to the request in response to the determination that the first entity has the subservient relationship with the second entity and a determination that the first entity is located proximate to the second entity.
    Type: Grant
    Filed: January 9, 2017
    Date of Patent: October 16, 2018
    Assignee: PAYPAL, INC.
    Inventor: Jeremiah Joseph Akin
  • Patent number: 10097356
    Abstract: An electronic resource tracking and storage computer system is provided that communicates with a distributed blockchain computing system that includes multiple computing nodes. The system includes a storage system, a transceiver, and a processing system. The storage system includes a resource repository and transaction repository that stores submitted blockchain transactions. A new resource issuance request is received, and a new resource is added to the resource repository in response. A new blockchain transaction is generated and published to the blockchain. In correspondence with publishing to the blockchain, the transaction storage is updated with information that makes up the blockchain transaction and some information that was not included as part of the blockchain transaction. The transaction storage is updated when the blockchain is determined to have validated the previously submitted blockchain transaction.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: October 9, 2018
    Assignee: NASDAQ, INC.
    Inventor: Alex Zinder
  • Patent number: 10097522
    Abstract: A query-based system for sharing encrypted data, comprising at least one hardware processor; and at least one non-transitory memory device having embodied thereon instructions executable by the at least one hardware processor to: receive a file and a plaintext tag and provide secure access to the file using the plaintext tag, and, responsive to receiving a search query matching the plaintext tag, securely retrieve the file, wherein providing secure access to the file comprises: encrypting the file into multiple portions, storing each portion separately, deriving multiple differently encrypted ciphertexts by encrypting the plaintext tag multiple times, separately indexing each portion using a different one of the ciphertexts, wherein securely retrieving the file comprises: deriving multiple differently encrypted search queries by encrypting the search query multiple times, querying using the multiple encrypted search queries, retrieving at least some of the multiple portions, and recovering the file from the r
    Type: Grant
    Filed: May 23, 2016
    Date of Patent: October 9, 2018
    Inventor: Nili Philipp
  • Patent number: 10089037
    Abstract: There is disclosed a method for use in managing data storage. In one embodiment, the method comprises operating storage processors of respective data storage systems at different locations. The storage processors comprising a distributed data manager and an IO stack arranged within the storage processor such that the distributed data manager can receive a LUN outputted by the IO stack. The method further comprises distributed data managers receiving LUNs outputted by their corresponding IO stacks, controlling LUN output and providing LUN output that enables active-active access to the storage systems at the respective different locations.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: October 2, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Jean-Pierre Bono, Scott W. Keaney
  • Patent number: 10089035
    Abstract: There is disclosed a method for managing data storage. In one embodiment, the method comprises operating a storage processor of a first data storage system at a first location. The storage processor comprising a first distributed data manager and an IO stack arranged therein such that distributed data manager can receive a LUN outputted by IO stack. The method also comprises initiating a communication between first distributed data manager and second distributed data manager associated with a second data storage system at a second location. The method further comprises migrating stored data on first data storage system to second data storage system and providing LUN information associated with stored data to second data storage system such that a LUN identity of migrated data stored on second data storage system is similar to a LUN identity of corresponding stored data on first data storage system.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: October 2, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Jean-Pierre Bono, Scott W. Keaney
  • Patent number: 10090998
    Abstract: A request to perform one or more operations using a second key that is inaccessible to a customer of a computing resource service provider is received from the customer, with the request including information that enables the computing resource service provider to select the second key from other keys managed on behalf of customers of the computing resource service provider. A first key, and in addition to the first key, an encrypted first key, is provided to the customer. Data encrypted under the first key is received from the customer. The encrypted first key and the data encrypted under the first key are caused to be stored in persistent storage, such that accessing the data, in plaintext form, from the persistent storage requires use of both a third key and the second key that is inaccessible to the customer.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: October 2, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren
  • Patent number: 10089459
    Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.
    Type: Grant
    Filed: November 11, 2015
    Date of Patent: October 2, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Vinay Sridhara, Satyajit Prabhakar Patne, Rajarshi Gupta
  • Patent number: 10091156
    Abstract: A communication device is provided which includes a transmission unit, a BCC memory unit, a reception unit, a determination module, an accepting module and a mail generation module. The BCC memory unit stores the BCC destination of the mail sent in the past while being associated with the mail. The determination module determines whether or not a mail that the reception unit receives is a reply mail to the mail including the BCC destination that the transmission unit sent in the past. The mail generation module generates a mail addressed to sending destinations to which the BCC destination stored in the BCC destination memory unit while being associated with a mail of a reply source is added in addition to a sending destination that the accepting module accepts for the mail determined to be a reply mail to the mail including the BCC destination and sent in the past.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: October 2, 2018
    Assignee: KYOCERA Document Solutions Inc.
    Inventors: Shoichi Sakaguchi, Hideki Takeda, Yoshihisa Tanaka, Yumi Hirobe
  • Patent number: 10083298
    Abstract: A method for identifying malware is provided. The method includes performing a static analysis of a plurality of files and for each file of the plurality of files, determining in the static analysis whether the file includes an application programming interface (API). For each file, of the plurality of files, found to have an application programming interface, the method includes determining in the static analysis whether the application programming interface is proper in the file and alerting regarding an improper application programming interface when found in one of the plurality of files. A scanner for detecting malware is also provided.
    Type: Grant
    Filed: March 9, 2015
    Date of Patent: September 25, 2018
    Assignee: SYMANTEC CORPORATION
    Inventor: Bhaskar Krishnappa
  • Patent number: 10083294
    Abstract: Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references are identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module.
    Type: Grant
    Filed: October 10, 2016
    Date of Patent: September 25, 2018
    Assignee: Bitdefender IPR Management Ltd.
    Inventor: Raul V. Tosa
  • Patent number: 10075400
    Abstract: An email is received. The email consists of a common content, at least one recipient for the common content, a private content, and at least one recipient for the private content. Each of the at least one recipients for the private content is a recipient of the common content. The common content is stored in a first storage location, and the private content is stored in a second storage location.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: September 11, 2018
    Assignee: International Business Machines Corporation
    Inventors: Chitwan Humad, Rajesh V. Patil
  • Patent number: 10063528
    Abstract: A searchable encryption method enables encrypted search of encrypted documents based on document type. In some embodiments, the searchable encryption method is implemented in a network intermediary, such as a proxy server. The network intermediary encrypts documents on behalf of a user or an enterprise destined to be stored on a cloud service provider. The searchable encryption method encodes document type information into the encrypted search index while preserving encryption security. Furthermore, the searchable encryption method enables search of encrypted documents using the same encrypted index, either for a particular document type or for all encrypted documents regardless of the document type.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: August 28, 2018
    Assignee: Skyhigh Networks, Inc.
    Inventor: Hani T. Dawoud
  • Patent number: 10061711
    Abstract: A file access method and apparatus, and a storage system are provided. After receiving a file access request from a process, a first physical address space is accessed according to a preset first virtual address space and a preset first mapping relationship between the first virtual address space and the first physical address space, where the first physical address space stores a file system. After obtaining an index node of a target file from the first physical address space according to a file identifier of the target file carried in the file access request, a file page table of the target file is obtained according to file page table information. The file page table records a second physical address space in the first physical address space. The target file is accessed according to the second physical address space.
    Type: Grant
    Filed: February 28, 2017
    Date of Patent: August 28, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Guanyu Zhu, Jun Xu, Qun Yu
  • Patent number: 10038557
    Abstract: A method of a security system to provide access by a requester to an encrypted data object stored in an object store, the requester being authenticated by the object store, the method comprising: receiving, from the object store: the encrypted object having associated an object identifier; and an identifier of the requester; deriving a first cryptographic key to decrypt the object; deriving a second cryptographic key; re-encrypting the object based on the second key and communicating the re-encrypted object to the requester; wherein each of the first and second keys are based on the object identifier, the requester identifier and a secret key portion generated by the security system, the secret key portion being different for each of the first and second keys, the method further comprising: in response to a second authentication of the requester by the security system, communicating the secret key portion for the second key to the requester.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: July 31, 2018
    Assignee: British Telecommunications Public Limited Company
    Inventors: Theo Dimitrakos, Ali Sajjad