Abstract: This disclosure provides for a system, method, and machine-readable medium for performing dynamic runtime field-level access control using a hierarchical permission context structure. The hierarchical permission context structure includes various levels of roles, where each role is assigned one or more permissions. The one or more permissions assigned to the one or more roles indicate the amount of control a given user has over data displayable in an electronic document. The electronic document includes one or more fields having corresponding records in one or more databases. A record includes metadata about the data for a corresponding field. When an electronic document is requested, the fields of the electronic document are generated from the data stored in their corresponding records. An evaluation is performed that determines whether the user requesting the electronic document is authorized to view the data for one or more of the fields based on their corresponding metadata.

Abstract: A system and method are disclosed for compiling a database of investor-related data by gathering and linking customer-specific data records from multiple unaffiliated financial institutions, where such data records are coded in such a manner that the database compiler is enabled to link, across data providers and/or time periods, data records that pertain to the same investor without being provided any information that reveals the identity of any investor.

Abstract: The present disclosure involves systems and computer implemented methods for protecting portions of electronic documents. An example method includes receiving a request for access to an electronic file having sections, at least one section encrypted using a first key based on a first password. A second key is generated in response to receiving a second password, wherein the second key is generated based on the second password. The second key is compared to the first key. If the second key is identical to the first key, the least one section of the electronic file encrypted using the first key is decrypted using the second key. The electronic file is then presented such that the section(s) previously encrypted using the first cryptographic key is made visible. If the second key is not identical to the first, the electronic file is presented with the encrypted section(s) obscured.

Abstract: A method, article of manufacture, and apparatus for processing information are disclosed. In some embodiments, this includes receiving a query plan, identifying a first work file based on the query plan, determining a first work file transaction ID associated with the first work file, determining a data transaction ID, comparing the first work file transaction ID and the data transaction ID, creating a second work file based on the query plan if the data transaction ID is greater than the first work file transaction ID, and storing the second work file in a storage device. In some embodiments, the second work file may be associated with a second work file transaction ID.

Abstract: Methods and systems to install a player to process content data are disclosed. In some embodiments, a method includes launching a content access manager on a user device to read metadata containing compatible player data, determine whether a compatible player able to access the content data is installed on the user device, and if not, to install a compatible player. Other embodiments involve receiving content data and data about one or more compatible players able to access the content data, generating the metadata using the data about one or more compatible players, and distributing the content data, the metadata, and the content access manager in a transmittable unit. Additional apparatus, systems, and methods are disclosed.

Abstract: Data processing systems and methods for: (1) receiving, via privacy data compliance software, from a first set of users, respective answers for question/answer pairings regarding the proposed design of a product; (2) using the question/answer pairings to prepare an initial privacy impact assessment for the product; (3) displaying, via the privacy data compliance software, the plurality of question/answer pairings to a second set of users, and receiving recommended steps to be implemented as part of the design of the product; (4) initiating the generation of one or more tasks in project management software that would advance the completion of the recommended steps; and (5) after the tasks have been completed, generating, by the privacy data compliance software, an updated privacy impact assessment for the product that reflects the fact that the tasks have been completed.

Abstract: Disclosed is a system and method for configuring control rules for applications executable on a computer. An example method includes classifying computer applications into one of a plurality of classification groups that include at least one predetermined classification group and an unknown classification group. The method further includes configuring control rules when the applications are classified in the unknown classification group that is done by determining, by the hardware processor, a computer competency score for a user of the computer; categorizing the applications into one or more predefined categories, and defining control rules for the application based on the determined computer competency score for the user and the one or more predefined categories of the at least one application.

Abstract: A service provider computing environment includes a service provider computing device, which receives tenant secrets policies from tenants. The tenants are tenants of multi-tenant assets of a service provider. One or more data security zones in which the multi-tenant assets are located are identified. A service provider secrets policy includes data security jurisdiction zone secrets policy data for the one or more data security jurisdiction zones. The data security jurisdiction zone secrets policy data is analyzed to determine allowed secrets data with respect to each of the identified data security jurisdiction zones. The service provider computing environment determines of the tenant secrets policies satisfy the requirements of the service provider secrets policy. If the tenant secrets policies satisfy the requirements of the service provider secrets policy, the service provider computing environment allows the tenant secrets policies to be applied to tenant data or information in the multi-tenant assets.

Abstract: A system and method are provided for the secure sharing of information across and open network and for performing management of keys used for encrypting and decrypting data.

Abstract: The embodiments set forth techniques for implementing a cloud service that enables cloud data to be shared between different users in a secure manner. One embodiment involves a sharing manager and a sharing client, where the sharing manager is configured to manage various data components stored within a storage system managed by the cloud service. These data components can include user accounts, share objects (for sharing data between users—and, in some cases, public users not known to the sharing manager)—as well as various “wrapping objects” that enable data to be logically separated in an organized manner within the storage system. According to this approach, the sharing client is configured to interface with the sharing manager in order to carry out various encryption/decryption techniques that enable the cloud data to be securely shared between the users.

Abstract: An example computer-implemented method to translate a namespace includes receiving a first synchronization request associated with a first content item. This first synchronization request can include a first content item path and come from a client device. The example method can then include determining that a portion of the first content item path matches an entry path in an entry in a namespace mount table. The entry can include a second namespace. The example method can then include modifying the first synchronization request by removing the portion of the first content item path and including the second namespace in the first synchronization request. The example method can then include sending the first synchronization request to a content management system.

Abstract: Examples of secure application development and execution are disclosed herein. An example method may include parsing code of an application configured for execution on a user device to identify one or more sensitive portions of the code. Example methods may further include identifying a trusted execution environment, different from the user device, suitable to execute the one or more sensitive portions of the code. Example methods may further include configuring the code to provide the one or more sensitive portions of the code from the user device to the trusted execution environment during execution of the application on the user device.

Abstract: According to an embodiment, a concealing apparatus includes a concealing processor, a mapping information generator, a tag generator, and a concealed, information output unit. The concealing processor is configured to generate a concealed text by concealing a plaintext with a concealing key. The mapping information generator is configured to generate mapping information that is mapped to a keyword for retrieving the plaintext. The tag generator is configured to generate a tag based on the keyword and the mapping information. The concealed information output unit is configured to output the concealed text and the tag as a pair.

Abstract: An aspect includes a cognitive password entry system. A processor detects a login attempt targeting a website for a user identifier having a previously stored instance of a password associated with the user identifier. A number of login attempts is monitored since the password was manually entered at the website. The processor determines whether a prompting period has been reached based on the number of login attempts meeting a prompting period threshold. The stored instance of the password is used as an entered password for the login attempt based on determining that the prompting period has not been reached. A cognitive aid prompt is output based on determining that the prompting period has been reached.

Abstract: A device may analyze a first file for malware. The device may determine that the first file causes a second file to be downloaded. The device may store linkage information that identifies a relationship between the first file and the second file based on determining that the first file causes the second file to be downloaded. The device may analyze the second file for malware. The device may determine a first malware score for the first file based on analyzing the second file for malware and based on the linkage information. The device may determine a second malware score for the second file based on analyzing the first file for malware and based on the linkage information.

Abstract: A method for verification of search results in an encrypted search process includes transmitting a search query including the encrypted keyword from a client to a server, and receiving a response to the search query and a first plurality of hash values from at least one hash tree from the server. The method further includes generating, a first message authentication code (MAC) based on the response, generating a first regenerated root node hash value using the first MAC, the first plurality of hash values, and a predetermined hash function, and generating an output message with the client indicating that the response is invalid in response to the first regenerated root node hash value not matching a predetermined first root node hash value stored in the memory of the client.

Abstract: An information processing system includes a first apparatus and a second apparatus. The first apparatus includes a first transmission unit that transmits, to the second apparatus, feature information for generating an electronic signature that is added to a program; a first reception unit that receives an electronic signature transmitted from the second apparatus in accordance with the feature information transmitted from the first transmission unit; and a first addition unit that adds the electronic signature received by the first reception unit to the program. The second apparatus includes a second reception unit that receives the feature information transmitted from the first transmission unit; a generation unit that generates an electronic signature from the feature information received by the second reception unit; and a second transmission unit that transmits the electronic signature generated by the generation unit to the first apparatus.

Abstract: A method enables prefix search of cloud stored encrypted files that are encrypted using an order preserving encryption (OPE) algorithm. The encrypted text prefix search method generates a minimum possible plaintext string and a maximum possible plaintext string of the same character length including the search term as the prefix. The minimum and maximum possible plaintext strings are encrypted using the same order preserving encryption algorithm for the encrypted text. The method determines from the minimum ciphertext and the maximum ciphertext a set of common leading digits. The set of common leading digits is used as an OPE encrypted prefix search term and provided to a cloud storage service to search in the cloud stored encrypted files for encrypted text matching the OPE encrypted prefix search term.

Abstract: Systems and methods for incrementally communicating a document to a client computer are disclosed herein. Time consistent views of the document are maintained throughout the incremental downloading through use of a cryptographically secured permissions token identifying a version of the document the user is permitted to access.

Abstract: A method, non-transitory computer readable medium, and policy rating server device that receives a request from a client computing device for one or more privacy ratings. The request identifies at least one application, such as an application installed on the client computing device for example. A policy associated with the identified application is obtained. The obtained policy is analyzed to identify a plurality of key words or phrases associated with use by the at least one application of functionality of, or personal information stored on, the client computing device. One or more privacy ratings are generated based on numerical values assigned to each of the identified key words or phrases. The generated one or more privacy ratings are output to the client computing device in response to the request.

Abstract: An aspect includes a cognitive password entry system. A processor detects a login attempt targeting a website for a user identifier having a previously stored instance of a password associated with the user identifier. A number of login attempts is monitored since the password was manually entered at the website. The processor determines whether a prompting period has been reached based on the number of login attempts meeting a prompting period threshold. The stored instance of the password is used as an entered password for the login attempt based on determining that the prompting period has not been reached. A cognitive aid prompt is output based on determining that the prompting period has been reached.

Abstract: A method of restricting the distribution of an image attachment to an electronic message via an electronic communications network comprises receiving, via the electronic communications network, the electronic message at a server; removing the image attachment from the electronic message; fragmenting the image into at least two image parts; and creating a set of rendering instructions as to how the at least two the image parts should be reconstituted to represent the original image.

Abstract: Techniques and mechanisms for assigning a universal unique identifier to an instance of a plurality of information objects. In an embodiment, a first unique identifier is assigned to a first universal information object management environment and a second unique identifier is assigned to a plurality of information objects within the first information object management environment. Locally-unique identifiers are assigned each to a respective instance of the plurality of information objects, wherein a first information object management environment includes a first instance of the plurality of information objects. In another embodiment, a universal unique identifier for the first instance is created by collecting into a single key the first unique identifier, the second unique identifier and the locally-unique identifier assigned to the first instance.

Abstract: Methods, apparatus and articles of manufacture for selective encryption of outgoing data are provided herein. A method includes monitoring a set of outgoing data from a first user, identifying one or more items of sensitive information from the set of outgoing data, encrypting the one or more items of sensitive information to produce one or more items of encrypted sensitive information, and replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data.

Abstract: Methods and apparatus to securely share data are disclosed. An example includes retrieving, by executing an instruction with a processor at a first computing device associated with a first user of a cloud service, an encrypted archive file and a wrapped encryption key from a second computing device associated with a second user of the cloud service, the wrapped encryption key wrapped with key data associated with the first user of the cloud service at the second computing device, unwrapping the wrapped encryption key with the key data to obtain an unwrapped encryption key, and decrypting the encrypted archive file with the unwrapped encryption key to obtain a decrypted archive file.

Abstract: An extension is provided to the SEND protocol without requiring a CGA or third party trust anchor. A shared key is provided to both a sender and receiver of a neighbor discovery (ND) message. A digital signature option is contained in the ND message. A digital signature field is determined by the algorithm field in the option. When the ND message is received, the receiver may verify the digital signature field using the pre-shared key according to the algorithm field. If the ND message passes verification, the receiver may process the message.

Abstract: A device may receive a firewall filter entry that includes one or more match conditions associated with filtering network traffic. The device may identify an access control list (ACL) template associated with the firewall filter entry. The ACL template may be associated with a template type. The device may identify one or more rules, for verifying the firewall filter entry, based on the template type associated with the ACL template. The device may verify the firewall filter entry using the one or more rules. The device may determine a hardware resource, for storing the firewall filter entry, based on the template type and based on verifying the firewall filter entry. The device may store the firewall filter entry using the hardware resource of the device.

Abstract: A terminal device includes: an application processor that processes a started application program; an operation lock determination section that determines whether to start operation lock while processing the application program; and an operation lock processor that determines whether input operation information matches operation lock information in a case where the operation lock determination section determines to start the operation lock, the operation lock information indicating an operation to be restricted while processing the started application program, the operation lock processor restricting an operation corresponding with the input operation information in a case where the input operation information matches the operation lock information.

Abstract: A searchable encryption method enables encrypted search of encrypted documents based on document type. In some embodiments, the searchable encryption method is implemented in a network intermediary, such as a proxy server. The network intermediary encrypts documents on behalf of a user or an enterprise destined to be stored on a cloud service provider. The searchable encryption method encodes document type information into the encrypted search index while preserving encryption security. Furthermore, the searchable encryption method enables search of encrypted documents using the same encrypted index, either for a particular document type or for all encrypted documents regardless of the document type.

Abstract: A computer program for managing and manipulating archive zip files of a computer. The program includes a system and method for opening, creating, and modifying, and extracting zip archive files. The program is fully integrated into Microsoft Windows Explorer and is accessed via Explorer menus, toolbars, and/or drag and drop operations. An important feature of the program is the archive manager which may be used to open a zip file, create a new zip file, extract zip files, modify zip files, etc. The program is integrated into Microsoft Windows Explorer using the shell name space extension application program interface developed by Microsoft.

Abstract: A computer-implemented method for detecting man-in-the-middle attacks may include (1) registering a mobile device of a user within a computing environment as an authenticated mobile device that corresponds to the user, (2) receiving an authentication request to log into a secure computing resource as the user, (3) transmitting, in response to receiving the authentication request, an out-of-band push authentication prompt to the registered mobile device of the user through a different channel than a channel through which the authentication request was received, (4) comparing a geolocation indicated by the authentication request with a geolocation indicated by the registered mobile device, and (5) performing remedial action in response to detecting a man-in-the-middle attack based on a determination that the geolocation indicated by the authentication request and the geolocation indicated by the registered mobile device do not match.

Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.

Abstract: The systems and methods disclosed herein transparently provide data security using a cryptographic file system layer that selectively intercepts and modifies (e.g., by encrypting) data to be stored in a designated directory. The cryptographic file system layer can be used in combination with one or more cryptographic approaches to provide a server-based secure data solution that makes data more secure and accessible, while eliminating the need for multiple perimeter hardware and software technologies.

Abstract: Print operations are monitored and a DLP policy is applied, independently of the print interface technology used by applications that initiate print operations. A DLP component monitors for and detects print drivers being loaded into the print spooler. When a print driver is loaded, the print spooler creates a corresponding driver object, which is intercepted. The instantiated driver object creates multiple device objects to carry out various print functions. The device object print functions of interest are intercepted. Attempts to send text to the printer at a print driver level by intercepted device object functions are monitored, and application level context information is identified, such as the associated 0user. The DLP policy is applied to monitored attempts to send text to the printer at the print driver level, taking into account application level context information and the specific text of the monitored attempt.

Abstract: Embodiments of the present invention provide a method and system for a dynamic copy-and-paste operation on a graphical user interface. Initially, a first application having a set of content to copy is identified. An indication to copy a subset of content from the first application to a second application is received. The second application has a predefined category. A communication channel is established between the first and second applications. A portion of content to copy from the first application to the second application is determined. Finally, the copied content is displayed on the second application graphical user interface.

Abstract: A network element (101-104) of a software-defined network is adapted to construct a configuration system on the basis of configuration data received from a controller (105, 106) of the software-defined network. The network element is arranged to transmit, in response to an event indicating a need to verify the configuration system, status information to the controller. The event may include for example a loss and a subsequent reestablishment of a connection between the network element and the controller. The status information indicates a first portion of the configuration data which has been implemented in the configuration system prior to the event. After receiving the status information, the controller is able transmit an appropriate second portion of the configuration data to the network element so as to enable verification of an appropriate portion of the configuration system. Thus, there is no need to verify the whole configuration system after the event.

Abstract: In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files.

Abstract: Data processing systems and methods for: (1) receiving, via privacy data compliance software, from a first set of users, respective answers for question/answer pairings regarding the proposed design of a product; (2) using the question/answer pairings to prepare an initial privacy impact assessment for the product; (3) displaying, via the privacy data compliance software, the plurality of question/answer pairings to a second set of users, and receiving recommended steps to be implemented, before the product's implementation date, as part of the design of the product; (4) initiating the generation of one or more tasks in project management software that would advance the completion of the recommended steps; and (5) after the tasks have been completed, generating, by the privacy data compliance software, an updated privacy impact assessment for the product that reflects the fact that the tasks have been completed.

Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificate pairs which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.

Abstract: In an example, a computing device may an input verification engine (IVE) that provides input verification services within a trusted execution environment (TEE), including a memory enclave. Taking a Java-based Android application as an example, the IVE securely verifies and validates user inputs for sensitive computing applications, without exposing the inputs to external applications. The IVE may be implemented in native C/C++ or similar, or may provide instructions to dynamically provision an enclave and import a minimal Java Virtual Machine (JVM) into the enclave so that the IVE can run in Java. The IVE may also contain binary analysis tools to analyze an input binary to identify and tag portions that receive user input, so that in a binary translation, those portions can be run within the enclave.

Abstract: Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.

Abstract: The present invention aims to improve data protection against illegal access by a strong differentiation of the security level specific on a type of data so that when the protection on a part of the data is violated, the remaining data are still inaccessible. A method for controlling access, via an open communication network, to user private data, comprising steps of: dividing the user private data into a plurality of categories, each category defining a privacy level of the data, encrypting the user private data of each category with a category key pertaining to the category of the data, attributing to a stakeholder a device configured for accessing to at least one category of user private data, and authorizing the access to the at least one category of user private data for the device of the stakeholder, by providing the stakeholder with the category keys required for decrypting the user private data of the corresponding category.

Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.

Abstract: A framework is set forth herein that uses a composition mechanism to produce function data that describes a kernel. The composition mechanism may then send the function data to an execution mechanism. The execution mechanism uses the function data to dynamically execute pre-compiled code modules, which are identified by the function data. According to another aspect, the framework provides different mechanisms for implementing the kernel, depending on the native capabilities of the execution mechanism.

Abstract: Methods and apparatus for providing access to content across a plurality of devices and environments. In one embodiment, a downloadable rights profile is utilized in order for a user device to determine whether to provide content to a subscriber. The user device is first registered to content delivery the network; the device then requests a rights profile indicating the rights of the subscriber associated with the device to access content. The rights profile is transmitted to the device. The rights profile may be configured to be valid only for a pre-determined time, thus enabling a subscriber's rights to be updated (including revoked). Security mechanisms may also be utilized to ensure access to content is limited only to authorized subscribers. In another embodiment, a user-based authentication procedure is utilized, thereby making the rights determination and content provision process completely agnostic to the underlying hardware.

Abstract: An extension is provided to the SEND protocol without requiring a CGA or third party trust anchor. A shared key is provided to both a sender and receiver of a neighbor discovery (ND) message. A digital signature option is contained in the ND message. A digital signature field is determined by the algorithm field in the option. When the ND message is received, the receiver may verify the digital signature field using the pre-shared key according to the algorithm field. If the ND message passes verification, the receiver may process the message.

Abstract: Systems, methods, and devices configured to build and utilize an intelligent cipher transfer object are provided. The intelligent cipher transfer object includes a set of participants protected by cloaking patterns. A portable dynamic rule set, which includes executable code for managing access to the protected set of participants, is included within the intelligent cipher transfer object. For a given user, the intelligent cipher transfer object may provide access to some of the participants while preventing access to other participants, based on the portable dynamic rule set therein.

Abstract: The present invention discloses a method for realizing bluetooth-binding between a smart key device and a mobile device, which belongs to the field of information security. The method comprises: the smart key device performs bluetooth pairing with a current paired mobile device, obtains and determines a bind identification when the pairing succeeds; in case that the bind identification is bind, it determines whether a mac address of the current mobile device is the same as a stored mac address of the bound mobile device, and, if yes, executes a data interactive operation, otherwise, reports an error; in case that the bind identification is unbind, it takes the mac address of the current paired mobile device as the mac address of the bound mobile device and the address, and sets the bind identification as bind, and executes the data interactive operation.

Abstract: Techniques are disclosed for identifying roles with similar membership and/or entitlement information in an identity management system of an enterprise. A role defined in an identity management system may be associated with membership information and entitlement information. The membership information may identify one or more members who has been assigned the role. The entitlement information may determine how members of the role can interact with a target system within the enterprise. The entitlement information may include a list of actions that members of the role can perform on the target system. Embodiments allow for identifying roles that have similar membership and/or entitlement information. If an existing role already gives similar entitlement(s) to similar member(s), the role may be prevented from being created. Thus, embodiments prevent creating and maintaining redundant roles.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to network unmanned aerial vehicles (UAVs). An example method includes establishing, with a processor, a discoverable network node in a first unmanned aerial vehicle in response to deployment in a geographic region of interest, joining, with the processor, a second unmanned aerial vehicle to the communication network in response to a connection request, acquiring, with the processor, payload data with a sensor of the first unmanned aerial vehicle from the geographic region of interest, identifying, with the processor, a profile type of the payload data, and transmitting, with the processor, a first portion of the payload data to the second unmanned aerial vehicle when the profile type of the payload data has a first profile type.