File Protection Patents (Class 713/165)
  • Patent number: 9779238
    Abstract: The present invention generally relates to systems and methods for classifying executable files as likely malware or likely benign. The techniques utilize temporally-ordered network behavioral artifacts together with machine learning techniques to perform the classification. Because they rely on network behavioral artifacts, the disclosed techniques may be applied to executable files with obfuscated code.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: October 3, 2017
    Assignee: VERISIGN, INC.
    Inventors: Allison Mankin, Abedelaziz Mohaisen, Trevor Tonn
  • Patent number: 9773119
    Abstract: The present disclosure involves systems and computer implemented methods for protecting portions of electronic documents. An example method includes receiving a request for access to an electronic file having sections, at least one section encrypted using a first key based on a first password. A second key is generated in response to receiving a second password, wherein the second key is generated based on the second password. The second key is compared to the first key. If the second key is identical to the first key, the at least one section of the electronic file encrypted using the first key is decrypted using the second key. The electronic file is then presented such that the section(s) previously encrypted using the first cryptographic key is made visible. If the second key is not identical to the first, the electronic file is presented with the encrypted section(s) obscured.
    Type: Grant
    Filed: February 25, 2015
    Date of Patent: September 26, 2017
    Assignee: SAP SE
    Inventors: Anand Sinha, Vinay Sheel
  • Patent number: 9773120
    Abstract: Methods and systems are disclosed for a digital investigation tool capable of recovering and decrypting content. The tool combines digital techniques with decryption capability for a wide range of encryption algorithms. In one implementation, the tool identifies the type and/or vendor of the encryption algorithm used to protect the content. The tool then automatically obtains the decryption information needed to decrypt the content. Depending on the encryption algorithm used, the information may include a master key, user-specific keys, user IDs, passwords, and the like. The decryption information may be accumulated in a local or remote storage location accessible by the tool, or it may be acquired in real time on an as-needed basis from a third-party encryption vendor, a key server, and the like. Such an arrangement allows law enforcement agencies as well as corporate security personnel to quickly recover and decrypt content stored on a computer system.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: September 26, 2017
    Assignee: United Services Automobile Association (USAA)
    Inventor: Jon D. McEachron
  • Patent number: 9747438
    Abstract: Embodiments of the disclosure enable resource access for secure application containers. In accordance with one embodiment, a method is provided that comprises identifying a tracing wrapper for an application to be executed by a process. The tracing wrapper is to track an event associated with an interaction of the application with one or more system resources. An instance of the application is executed by the process using an application account having access to the system resources. A first system resource of the system resources is determined to be used by the application in view of the tracing wrapper. The application is then copied to a secure container to be executed by the process using a container account of the secure container. The secure container is isolated from access to the one or more system resources. Thereupon, the container account is provided access to the first system resource.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: August 29, 2017
    Assignee: Red Hat, Inc.
    Inventors: Michal Fojtik, Benjamin Michael Parees
  • Patent number: 9742682
    Abstract: A network interface controller (NIC) that includes a set of receive NIC queues capable of performing large receive offload (LRO) operations by aggregating incoming receive packets is provided. Each NIC queue turns on or off its LRO operation based on a set of LRO enabling rules or parameters, whereby only packets that meet the set of rules or parameters will be aggregated in the NIC queue. Each NIC queue is controlled by its own set of LRO enabling rules such that the LRO operations of the different NIC queues can be individually controlled.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: August 22, 2017
    Assignee: VMware, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Weiqing Wu
  • Patent number: 9734175
    Abstract: An embodiment of the invention introduces a method for accessing data in cloud storage space, which contains at least the following steps. A file is obtained. File uploads are generated, where each file upload contains partial data of the file. The file uploads are stored in storage servers of the cloud storage space, where the storage servers are governed by different cloud storage providers.
    Type: Grant
    Filed: October 20, 2014
    Date of Patent: August 15, 2017
    Assignee: Wistron Corp.
    Inventor: Wei-Kuo Liang
  • Patent number: 9722961
    Abstract: An email is received. The email consists of a common content, at least one recipient for the common content, a private content, and at least one recipient for the private content. Each of the at least one recipients for the private content is a recipient of the common content. The common content is stored in a first storage location, and the private content is stored in a second storage location.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: August 1, 2017
    Assignee: International Business Machines Corporation
    Inventors: Chitwan Humad, Rajesh V. Patil
  • Patent number: 9710400
    Abstract: Apparatus, systems, and methods may operate to restore an operational state of an associated virtual machine (VM) using encrypted information stored in encrypted memory locations. A single hypervisor may be used to encrypt and decrypt the information. Access may be permitted to a designated number of the encrypted memory locations only to a single application executed by the associated VM subject to the hypervisor. Access may be denied to any other application executed by the associated VM, or any other VM.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: July 18, 2017
    Assignee: Micro Focus Software Inc.
    Inventors: Pradeep Kumar Chaturvedi, Gosukonda Naga Venkata Satya Sudhakar
  • Patent number: 9712326
    Abstract: Provided are a method and system for backing up the private key of an electronic signature token, the method comprising: a first electronic signature token transmits a private key backup request data packet comprising a first signature; a second electronic signature token authenticates the first signature in the private key backup request data packet; if the first signature passes authentication, then determining whether the first electronic signature token has a backup relationship with the second electronic signature token; if yes, then encrypting the private key of the second electronic signature token, and transmitting a private key backup response data packet comprising a second signature and the encrypted private key; the first electronic signature token authenticates the second signature in the private key backup response data packet; if the second signature passes authentication, then determining whether the second electronic signature token has a primary-standby relationship with the first electronic
    Type: Grant
    Filed: April 18, 2014
    Date of Patent: July 18, 2017
    Assignee: Tendyron Corporation
    Inventor: Dongsheng Li
  • Patent number: 9705866
    Abstract: A system is provided for downloading, for distribution and for acoustic reproduction of a music album, which includes at least one or several digital music files and/or multimedia content in the form of one or several multimedia files assignable to the music file, wherein the music file and/or multimedia file are provideable as data sets for downloading, wherein the music file and/or multimedia file are as data sets pre-holdable grouped after downloading as a music album in a data memory of an end-user-device, wherein the music file and/or multimedia file is treatable by a treatment means, particularly in dependency to an authorization, and wherein the treated music file and/or multimedia file is transferable to an output device of the end-user-device, especially a speaker device with or without a display device, in such a way, that the music file and/or multimedia file is at least acoustically emittable to one user.
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: July 11, 2017
    Assignee: APPA MUSIC GROUP UG
    Inventors: Thomas Vitzthum, Thomas Klimpel
  • Patent number: 9692719
    Abstract: An email is received. The email consists of a common content, at least one recipient for the common content, a private content, and at least one recipient for the private content. Each of the at least one recipients for the private content is a recipient of the common content. The common content is stored in a first storage location, and the private content is stored in a second storage location.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: June 27, 2017
    Assignee: International Business Machines Corporation
    Inventors: Chitwan Humad, Rajesh V. Patil
  • Patent number: 9691126
    Abstract: Systems, methods, and non-transitory computer readable media configured to create, process, and/or modify images are provided. Recipient image data associated with an original image captured by a second computing system can be received by a first computing system. A first intermediate image may be generated based on the recipient image data. A first viewable image for display on the first computing system may be generated based on the first intermediate image.
    Type: Grant
    Filed: August 23, 2016
    Date of Patent: June 27, 2017
    Assignee: Facebook, Inc.
    Inventor: Alexandre Karpenko
  • Patent number: 9684870
    Abstract: Methods and systems for classifying mobile device behavior include configuring a server to use a large corpus of mobile device behaviors to generate a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behaviors are benign. Boosted decision stumps may be culled by selecting all boosted decision stumps that depend upon a limited set of test conditions.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: June 20, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Kassem Fawaz, Vinay Sridhara, Rajarshi Gupta
  • Patent number: 9684791
    Abstract: A secure secrets proxy is instantiated in a first computing environment and includes secure secrets proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache secrets data in a secure secrets cache outside the second computing environment. A virtual asset requests one or more secrets, triggering a process to authenticate the requesting virtual asset, gathering authorized secrets data representing secrets the virtual asset is allowed to have. The secure secrets proxy is provided data representing the requested secrets and stores that secrets data in the secure secrets cache of the proxy.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: June 20, 2017
    Assignee: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz, James Armitage, Oleg Gryb, Elangovan Shanmugam, Sabu Kuruvila Philip, Brett Weaver, Thomas Bishop, Troy Otillio, Jinglei Whitehouse, Jeffrey M. Wolfe, Ankur Jain
  • Patent number: 9679151
    Abstract: A method for encrypting on-screen contents, an electronic apparatus using the method, and a recording medium using the method are provided. The method is adapted for the electronic apparatus having a screen. In the method, contents are displayed on the screen. A user's operation is then detected to generate a trigger signal. The displayed contents are encrypted according to the trigger signal.
    Type: Grant
    Filed: June 4, 2015
    Date of Patent: June 13, 2017
    Assignee: HTC Corporation
    Inventors: Kuan-Wei Li, Chun-Hao Tseng
  • Patent number: 9679155
    Abstract: A method enables prefix search of cloud stored encrypted files that are encrypted using an order preserving encryption (OPE) algorithm. The encrypted text prefix search method generates a minimum possible plaintext string and a maximum possible plaintext string of the same character length including the search term as the prefix. The minimum and maximum possible plaintext strings are encrypted using the same order preserving encryption algorithm for the encrypted text. The method determines from the minimum ciphertext and the maximum ciphertext a set of common leading digits. The set of common leading digits is used as an OPE encrypted prefix search term and provided to a cloud storage service to search in the cloud stored encrypted files for encrypted text matching the OPE encrypted prefix search term.
    Type: Grant
    Filed: June 12, 2015
    Date of Patent: June 13, 2017
    Assignee: Skyhigh Networks, Inc.
    Inventor: Paul Grubbs
  • Patent number: 9674762
    Abstract: Disclosed are a transmission device, a reception device and a method for providing a simultaneous data transmission for a data session through a plurality of heterogeneous networks. The transmission device divides particular data to be transmitted into two or more partial data, transmits first partial data after inserting first tunneling information which induces the first partial data to pass through a first network of two or more networks into the first partial data, and transmits second partial data of the two or more partial data after inserting second tunneling information which induces the second partial data to pass through a second network of the two or more networks into the second partial data.
    Type: Grant
    Filed: December 3, 2013
    Date of Patent: June 6, 2017
    Assignee: SK TELECOM CO., LTD.
    Inventors: Gyu Min Lee, Jeong Su Kim, In Jang Jeong, Kyung Hoon Kim
  • Patent number: 9672365
    Abstract: Systems and methods for controlling the use of audio, video and audiovisual content are provided. A data structure includes content usage rights for multiple release windows. The usage rights may be encoded in the content or otherwise bound to the content. Playback devices are configured to access the appropriate usage rights and control usage in accordance with the usage rights.
    Type: Grant
    Filed: December 9, 2014
    Date of Patent: June 6, 2017
    Assignee: Comcast Cable Communications, LLC
    Inventor: James W. Fahrny
  • Patent number: 9674701
    Abstract: The present disclosure relates to a sensor network, Machine Type Communication (MTC), Machine-to-Machine (M2M) communication, and technology for Internet of Things (IoT). The present disclosure may be applied to intelligent services based on the above technologies, such as smart home, smart building, smart city, smart car, connected car, health care, digital education, smart retail, security and safety services. A method and a User Equipment (UE) for controlling access to location information about the UE are provided. The UE includes a controller configured, upon sensing access to the location information about the UE by an application operating in an operating system (OS) of the UE, to match a rule defining access authorization of the application to the location information, and to determine whether to allow or deny access of the application to the location information based on the access authorization, and a display configured to display a screen under control of the controller.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: June 6, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jin-Hyoung Kim, Hyeon-Jin Kang, Yong-Seok Park, Kang-Jin Yoon, Jin-Ho Lee
  • Patent number: 9672333
    Abstract: In one embodiment, a method for authenticating access to encrypted content on a storage medium, wherein the encrypted content is encrypted according to a full disk encryption (FDE) key, the storage medium including an encrypted version of the FDE key and an encrypted version of a protected storage area (PSA) key, and wherein the encrypted version of the FDE key is encrypted according to the PSA key, the method comprising: providing an authenticated communication channel between a host and a storage engine associated with the storage medium; at the storage engine, receiving a pass code from the host over the authenticated communication channel; hashing the pass code to form a derived key, wherein the encrypted version of the PSA key is encrypted according to the derived key; verifying an authenticity of the pass code; if the pass code is authentic, decrypting the encrypted version of the PSA key to recover the PSA key; decrypting the encrypted FDE key using the recovered PSA key to recover the FDE key; and dec
    Type: Grant
    Filed: November 5, 2012
    Date of Patent: June 6, 2017
    Assignee: Adobe Systems Incorporated
    Inventors: Lane W. Lee, Mark J. Gurkowski, Randal Hines
  • Patent number: 9667621
    Abstract: A computer-implemented method for providing security to access and store data may include transferring first information for display from a token device having a memory to a first computing device at a first time, the token device connected to the first computing device and the first information describing public data stored on the token device. A request to retrieve a root directory of private data may be received, the request specifying a root directory name. In response to receiving the request to retrieve a root directory of private data, the root directory may be requested by establishing a wireless connection between the token device and a server computing device, transferring the root directory name to the server computing device, wherein the root directory name is used as a password to retrieve the root directory, and receiving the root directory from the server computing device by the token device.
    Type: Grant
    Filed: March 26, 2015
    Date of Patent: May 30, 2017
    Assignee: International Business Machines Corporation
    Inventor: Gregory R. Hintermeister
  • Patent number: 9652408
    Abstract: Systems and methods for providing data integrity for stored data are disclosed. A method may include, in connection with the receipt of a read command at a storage resource, reading a data block from the storage resource, the data block including a data field, a data integrity field indicating the integrity of the data field, and an encryption indicator field indicating whether the data block is encrypted with a current cryptographic key for the storage resource. The method may further include determining whether the data field is encrypted with the current cryptographic key based at least on the encryption indicator field. The method may additionally include returning at least a portion of the data block in reply to the read command in response to determining that the data field is encrypted with a cryptographic key other than the current cryptographic key.
    Type: Grant
    Filed: July 28, 2014
    Date of Patent: May 16, 2017
    Assignee: Dell Products L.P.
    Inventors: Jacob Cherian, Kevin Marks
  • Patent number: 9639708
    Abstract: An electronic device implements a method of encrypting directories of a file system. A processor receives a request to access a directory entry of a file system, and identifies a user who is logged into the electronic device. The processor determines whether the user has access to a directory encryption key associated with the directory entry and, if not, identifies an encrypted file name stored in the directory entry, and determines whether the encrypted file name complies with one or more naming rules. If the encrypted file name does not comply with one or more naming rules, the processor applies one or more functions to a file name associated with the encrypted file name to generate an encoded encrypted file name that complies with the one or more naming rules, and causes the encoded encrypted file name to be displayed as a representation of the directory entry.
    Type: Grant
    Filed: August 18, 2015
    Date of Patent: May 2, 2017
    Assignee: GOOGLE INC.
    Inventors: Uday Ramesh Savagaonkar, Michael Halcrow, Theodore Yue Tak Ts'o, Ildar Muslukhov
  • Patent number: 9642008
    Abstract: A system and method to create and assign a policy for a mobile communications device are disclosed. The policy may be created based on personal data associated with the mobile communications device. For example, known sources of personal data on the mobile communications device may be identified and a policy may be created based on the known personal data. The policy may then be used to identify additional personal data associated with the mobile communications device. Thus, the personal data associated with the mobile communications device may be monitored. If an application attempts to access the monitored personal data, the access will be detected.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: May 2, 2017
    Assignee: LOOKOUT, INC.
    Inventors: Timothy Micheal Wyatt, Kevin Patrick Mahaffey, David Luke Richardson, Brian James Buck, Marc William Rogers
  • Patent number: 9639491
    Abstract: A connection interface switching device for multiple portable devices provides a communication channel between an I/O peripheral set and a plurality of portable devices which are bundled with a default control program installed in the portable devices, and switches among the portable devices to establish a communication channel selected between one portable device and the I/O peripheral set according to a switch instruction generated by the default control program of the portable device. The connection interface switching device includes plural I/O ports, a controller, a memory module, a storage module and an I/O peripheral port, and an origin of the computer signal is controlled and switched to achieve the effect of sharing the same I/O peripheral set among multiple portable devices through the communication channel.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: May 2, 2017
    Assignee: GOOD WAY TECHNOLOGY CO., LTD.
    Inventor: Yi-Cheng Chang
  • Patent number: 9628841
    Abstract: A method and device for controlling a download of a broadcast service security module are disclosed. In a method for controlling a download of a security module for a broadcast service in a user terminal connected to a service server and a security server through a network, a loader is downloaded by allowing the user terminal to be connected to the service server. The user terminal is connected to the security server through the loader. A bootloader is downloaded from the security server. A security module is downloaded from the security server by executing the bootloader.
    Type: Grant
    Filed: June 25, 2013
    Date of Patent: April 18, 2017
    Assignee: Alticast Corporation
    Inventors: Mi-Sung Cho, YoungMi Shin, Taeln Eom, Su Yong Lee, EunJung Seo, Eunwoo Kim
  • Patent number: 9628445
    Abstract: Two endpoint devices communicate with one another in a secure session using a secure protocol. Trusted control messages are passed upstream from one of the endpoint devices through one or more additional secure sessions to a centralized managing server. Additionally, trusted control messages are passed downstream from the centralized manager server through secure sessions to one or more of the endpoint devices. Each endpoint device is integrated into a terminal device.
    Type: Grant
    Filed: October 31, 2014
    Date of Patent: April 18, 2017
    Assignee: NCR Corporation
    Inventor: Stavros Antonakakis
  • Patent number: 9628494
    Abstract: Various methods are provided for determining run-time characteristics of an application at the time of installation and/or modification. Based on the determined run time characteristics, various methods control the installation and/or modification of the application based on a user privacy profile. One example method may comprise receiving a request to modify an application. A method may further comprise determining whether a conflict is present between the application and a user privacy profile. A method may further comprise causing the determined conflict and at least one conflict resolution to be displayed in an instance in which a conflict is determined. A method additionally comprises causing a user privacy profile to be modified in an instance in which an indication of acceptance is received in response to the displayed at least one conflict resolution.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: April 18, 2017
    Assignee: Nokia Technologies Oy
    Inventor: Debmalya Biswas
  • Patent number: 9614853
    Abstract: Intelligent methods of providing online security against hackers, which prevents the hackers from obtaining unauthorized access to secure resources. A first application session established between a first client and a first application of a first host device is detected. The first application is associated with a first plurality of security time limits that divide security for the first application into security tiers. A duration of the first application session established between the first client and the first application is monitored. One or more first security actions are executed against the first application session responsive to the duration of the first application session reaching a security time limit of the first plurality of security time limits. One or more second security actions are executed against the first application session responsive to the duration of the first application session reaching another security time limit of the first plurality of security time limits.
    Type: Grant
    Filed: August 14, 2015
    Date of Patent: April 4, 2017
    Assignee: Enzoo, Inc.
    Inventor: Robert Pike
  • Patent number: 9606810
    Abstract: A method for replacing the operating software of a limited-resource portable data carrier at a terminal includes controlling the operation of the data carrier and executing at least one function provided by the data carrier. The terminal includes new operating software, a bootstrap loader for loading new operating software, and a terminal certificate providing authorization for transmitting a loading key. In authentication of the terminal, the terminal certificate is transmitted to the data carrier and verified there and a loading key is transmitted to the data carrier. The operation control of the data carrier changes over to the bootstrap loader which deletes the present operating software of the data carrier and transmits the new operating software using the loading key from the terminal. The new operating software is then verified and activated by the bootstrap loader which transfers the control of the data carrier to the new operating software.
    Type: Grant
    Filed: June 19, 2013
    Date of Patent: March 28, 2017
    Assignee: GIESECKE & DEVRIENT GMBH
    Inventor: Frank Schmalz
  • Patent number: 9608974
    Abstract: Approaches are described for automatically generating new security credentials, such as security tokens, which can involve automatically re-authenticating a user (or client device) using a previous security token issued to that user (or device). The re-authentication can happen without any knowledge and/or action on the part of the user. The re-authentication mechanism can invalidate and/or keep track of the previous security token, such that when a subsequent request is received that includes the previous security token, the new security token can be invalidated, and the user caused to re-authenticate, as receiving more than one request with the previous security token can be indicative that the user's token might have been stolen.
    Type: Grant
    Filed: February 23, 2015
    Date of Patent: March 28, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Maximilian Francis Barrows, Paul Francis Dean Ferraro, Jason George McHugh, Abraham Martin Passaglia, Andrew Jay Roths, Eric Allan Shell
  • Patent number: 9589131
    Abstract: A computer device includes a download unit which downloads one or more files into a storage device. A file logging unit records a resource locator identifying a source network location of the file, when the file is downloaded, and associates the resource locator with a first fingerprint of the file. A system policy unit stores the resource locator associated with a process control policy relevant to the file. A process control unit is arranged to obtain a second fingerprint of the file upon launching a process in a runtime execution environment, retrieve the resource locator from the file logging unit by matching the second fingerprint with the first fingerprint, retrieve the process control policy from the system policy unit according to the retrieved resource locator, and selectively apply process execution privileges which determine execution of the process in the runtime execution environment according to the retrieved process control policy.
    Type: Grant
    Filed: May 26, 2015
    Date of Patent: March 7, 2017
    Assignee: AVECTO LIMITED
    Inventor: Mark James Austin
  • Patent number: 9584321
    Abstract: Embodiments are directed towards managing data storage for secure storage of shared documents. A user or an application may provide data destined for encryption and a public key. Instruction set information that references at least a seed file that may be installed on the network computer may be generated. An encryption key based on the instruction set information may be generated. Header information that includes the instruction set may be generated. And, the header information may be encrypted using the public key. A secure bundle that includes the public key, the encrypted header information, and the encrypted data may be generated and provided to the user that provided the data and the public key or the application that provided the data and the public key. To decrypt the data included in the secure bundle, the above actions are generally performed in reverse.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: February 28, 2017
    Assignee: Centri Technology, Inc.
    Inventors: Luis Gerardo Paris, Michael Patrick Mackey, Li Xin Lance Lu
  • Patent number: 9576005
    Abstract: A search system includes a storage device and a search server. The storage device stores an index database storing an index encrypted with an index key and the index key encrypted with a user key and associated with the encrypted index and stores a document database storing a document encrypted with a document key and the document key encrypted with the user key and associated with the encrypted document. The search server extracts a term for search from a requested search query, decrypts the encrypted index key with a user key which belongs to a user requesting the search query, encrypts the extracted term with the decrypted index key without storing the decrypted index key in a non-transitory storage device, searches the index database with the index encrypted using the encrypted first term, and sends a search result to a terminal.
    Type: Grant
    Filed: February 24, 2016
    Date of Patent: February 21, 2017
    Assignee: Hitachi Solutions, Ltd.
    Inventors: Minoru Fujimoto, Yoshiki Sameshima
  • Patent number: 9577893
    Abstract: A system, method, and computer readable medium for providing optimized streaming of one or more applications from streaming servers onto one or more clients. The one or more applications are contained within one or more isolated environments, and the isolated environments are streamed from the servers onto clients. The streaming is optimized using update-caches which are maintained on the streaming server and compared against the client's most recent update-caches. The update-caches are updated when applications are installed, removed or patched inside a particular isolated environment and when the operating system is patched or updated. The system may include authentication of the streaming servers and authentication of clients and credentialing of the isolated environments and applications the clients are configured to run. The system may further include encrypted communication between the streaming servers and the clients.
    Type: Grant
    Filed: July 20, 2010
    Date of Patent: February 21, 2017
    Assignee: Open Invention Network LLC
    Inventor: Allan Havemose
  • Patent number: 9563757
    Abstract: A secure and transparent digital credential sharing arrangement which utilizes one or more cryptographic levels of indirection to obfuscate a sharing entity's credentials from those entities authorized to share the credentials. A security policy table is provided which allows the sharing entity to selectively authorize or revoke digital credential sharing among a plurality of entities. Various embodiments of the invention provide for secure storage and retrieval of digital credentials from security tokens such as smart cards. The secure sharing arrangement may be implemented in hierarchical or non-hierarchical embodiments as desired.
    Type: Grant
    Filed: June 5, 2013
    Date of Patent: February 7, 2017
    Assignee: Assa Abloy AB
    Inventors: John Jules Alexander Boyer, Eric F. Le Saint
  • Patent number: 9558374
    Abstract: Methods and systems for securing information are provided. The method includes generating a hash key by an input/output (I/O) processing module interfacing with a processor executable application to encrypt a block of data of a data container to secure and store the data container; generating cipher text for the block of data encrypted with the hash key; using an encryption key to encrypt the hash key for the block of data; providing the cipher text and the encrypted hash key by the I/O processing module to a storage system for storage; where the I/O processing module segregates the encrypted hash key from the cipher text and maintains the encrypted hash key as part of metadata for the cipher text; and storing the cipher text with the encrypted hash key as the metadata for the cipher text for the block of data.
    Type: Grant
    Filed: February 25, 2015
    Date of Patent: January 31, 2017
    Assignee: NETAPP, INC.
    Inventors: Peter D. Shah, Won So
  • Patent number: 9552493
    Abstract: One embodiment provides an access-control framework for publishing and obtaining a collection of encrypted data in encrypted form. During operation, a content consumer can obtain a Manifest object for a data collection, such that the Manifest includes references to a set of encrypted Content Objects of the data collection, and includes one or more Access Control Specifications (ACS) that each specifies a decryption protocol for decrypting one or more Content Objects of the data collection. The consumer can disseminate Interest messages to receive encrypted Content Objects listed in the Manifest over an Information Centric Network (ICN). The client can also obtain, from the Manifest, an ACS associated with a respective encrypted Content Object, and decrypts the respective encrypted Content Object using the decryption protocol specified in the ACS.
    Type: Grant
    Filed: February 3, 2015
    Date of Patent: January 24, 2017
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Ersin Uzun, Jun Kurihara, Christopher A. Wood
  • Patent number: 9542551
    Abstract: An information processing apparatus comprises: a manual login unit configured to display a login screen, and to perform user authentication using user information input through the login screen; an auto login unit configured to perform user authentication using user information held beforehand, without displaying the login screen; a determination unit configured to determine whether or not a password included in user information of a user who is to log in is required to be changed; and a control unit configured to cause not the auto login unit but the manual login unit to perform the user authentication, in the case where the determination unit determines that the password is required to be changed.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: January 10, 2017
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Yasuhiro Hosoda
  • Patent number: 9537879
    Abstract: A security monitoring system is disclosed which is adapted for use with a component having a service processor. The system may use a device configured to communicate with the component. A network may be used which is dedicated to communicating with the service processor for routing only data concerning performance or health of the component. The device may also use at least one subsystem for analyzing the data concerning health or performance of the component to determine if a security threat has affected operation of the component.
    Type: Grant
    Filed: June 21, 2013
    Date of Patent: January 3, 2017
    Assignee: AVOCENT HUNTSVILLE, LLC
    Inventor: Steven R. Blackwell
  • Patent number: 9537864
    Abstract: In one embodiment of the present invention, a first user—the creator—uses a web browser to encrypt some information. The web browser provides to the creator a URL which contains the key used for encryption, such as in the form of an anchor embedded within a URL. The web browser also provides a hash of the cryptographic key and the encrypted information to a web server. The creator transmits the URL to a second user—the viewer—who provides the URL to a web browser, thereby causing the web browser to navigate to a decryption web page maintained by the web server, but without transmitting the cryptographic key to the web server. The viewer's web browser hashes the cryptographic key and sends the hash to the web server, which uses the hash to identify and return the encrypted information to the viewer's web browser, which in turn uses the encryption key to decrypt the message and display the decrypted message to the viewer.
    Type: Grant
    Filed: November 24, 2014
    Date of Patent: January 3, 2017
    Assignee: Lockify, Inc.
    Inventors: Christopher Templin, Jonathan Templin, Andrew Shearer
  • Patent number: 9525702
    Abstract: Methods, system, and media for determining similar malware samples are disclosed. Two or more malware samples are received and analyzed to extract information from the two or more malware samples. The extracted information is converted to a plurality of sets of strings. A similarity between the two or more malware samples is determined based on the plurality of the sets of strings.
    Type: Grant
    Filed: September 2, 2015
    Date of Patent: December 20, 2016
    Assignee: Cyberpoint International LLC
    Inventors: Charles Cabot, Rebecca A. Borbely, Michael W. West, Mark V. Raugas
  • Patent number: 9525683
    Abstract: Methods for a secret supplemental username are provided. In one example, a method includes the steps of detecting a threat to an account with a primary username and password and disabling the primary username associated with the account in response to the threat. The method includes the additional steps of generating a supplemental username associated with the account and securely communicating the supplemental username.
    Type: Grant
    Filed: February 2, 2015
    Date of Patent: December 20, 2016
    Assignee: INTERACTIVE INTELLIGENCE GROUP, INC.
    Inventor: Charles Wall
  • Patent number: 9524158
    Abstract: Disclosed herein is a technique for updating firmware of an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device. The technique includes the steps of (1) receiving, from a firmware provider, an indication that an updated firmware is available for the eUICC, (2) in response to the indication, providing, to the firmware provider, (i) a unique identifier (ID) associated with the eUICC, and (ii) a nonce value, (3) subsequent to providing, receiving, from the firmware provider, a firmware update package, wherein the firmware update package includes (i) authentication information, and (ii) the updated firmware, (4) subsequent to verifying the authentication information, persisting, to a memory included in the mobile device, a hash value that corresponds to the updated firmware, and (5) installing the updated firmware on the eUICC.
    Type: Grant
    Filed: February 23, 2015
    Date of Patent: December 20, 2016
    Assignee: Apple Inc.
    Inventors: Li Li, Jerrold Von Hauck, Najeeb M. Abdulrahiman, Arun G. Mathias
  • Patent number: 9521128
    Abstract: Methods, devices, systems, and non-transitory process-readable storage media for a computing device to reversibly obfuscate contents of a digital file includes generating a binary string by applying a shared hash function to a public filename of the digital file. The method may include subdividing the digital file into a first plurality of data segments corresponding to one of a number of bits represented by the generated binary string and a file size of the digital file, shuffling the first plurality of data segments using a shared, looping shuffle algorithm. Each shuffling operation of the shared, looping shuffle algorithm may use a different bit of the generated binary string in a predefined first sequence. The shuffled first plurality of data segments may be combined to obtain a shuffled digital file. A reverse of the method may be performed to obtain the original digital file.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: December 13, 2016
    Assignee: QUALCOMM Incorporated
    Inventor: Keir Finlow-Bates
  • Patent number: 9519665
    Abstract: Method of searching comprising applying a function to individual elements within a digital work to form a set of index elements. Storing the index elements as an index for the digital work. Receiving a search term. Applying the function to one or more individual elements within the search term to convert the search term into one or more converted search term elements. Identifying a digital work having an index containing one or more index elements that match one or more of the converted search term elements. Returning search results of the identified digital work. Searchable index for a digital work formed by applying a function to individual elements within the digital work to form a set of index elements.
    Type: Grant
    Filed: July 6, 2012
    Date of Patent: December 13, 2016
    Assignee: Business Partners Limited
    Inventor: Simon Ian Bain
  • Patent number: 9503398
    Abstract: Implementing a signaling service protocol to permit signaling service messages between members for a message group of a sysplex coupled together using a signaling service includes executing a data transfer application that communicates with a respective partner data transfer application on each member of the message group, the data transfer application comprised of a plurality of interworking modules including a converter module. The converter module receives a request related to performing a communication-related function from one of the other interworking modules, and wherein the converter module comprises a plurality of sub-modules with each sub-module corresponding to a respective communications-related function. Based on the request the converter module determines what particular communication-related function is being requested and then identifies a corresponding sub-module within the converter module.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: November 22, 2016
    Assignee: CA, Inc.
    Inventor: Bruce A. Schaefer
  • Patent number: 9497585
    Abstract: A computer-implemented method for managing emergency information may include intercepting, on a mobile-computing device, an emergency communication being transmitted from the mobile-computing device. Intercepting the emergency communication may include monitoring outgoing communications on the mobile-computing device and determining that an outgoing communication being monitored is a communication about an emergency. This method may also include sending, from the mobile-computing device to a remote server that collects emergency data from a plurality of mobile-computing devices, information about the emergency communication and location information that identifies a location of the emergency. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: November 15, 2016
    Assignee: Symantec Corporation
    Inventors: Shaun Cooley, Charles Payne, Henry Schaup, Vijay Perumal
  • Patent number: 9497210
    Abstract: A method includes assessing a trustworthiness level of a user computer by communication between the user computer and a first server. A record indicating the trustworthiness level is sent from the first server to the user computer, for storage by the user computer. A request is sent from the user computer to a second server, different from the first server, for a service to be provided to the user computer by the second server. The record is provided from the user computer to the second server by communicating between the user computer and the second server. At the second server, the trustworthiness level is extracted from the record, and the requested service is conditionally allowed to be provided to the user computer depending on the extracted trustworthiness level.
    Type: Grant
    Filed: April 7, 2016
    Date of Patent: November 15, 2016
    Assignee: Intel Corporation
    Inventors: Yoav Weiss, Etay Bogner
  • Patent number: 9495084
    Abstract: A method includes receiving an instruction used to define a widget-container containing a service module associated with a widget. The widget-container is a procedural software framework configured to be executed at a widget-container processing device in response to a reference to the widget-container being accessed from a content aggregation point. The widget-container has a portion configured for receiving the widget. The method also includes determining whether processing of the widget within the portion of the widget-container is restricted and/or allowed.
    Type: Grant
    Filed: April 13, 2015
    Date of Patent: November 15, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Stewart O. Allen, Scott F. Cosby, Hasseltine R. Debutts, John A. Fath, Matthew J. Keesan, Hooman Radfar, Carlos F. Reverte