Patents Examined by Angela R Holmes
  • Patent number: 10158615
    Abstract: A location-reporting request is sent by a processor to at least one remote server. The location-reporting request (i) requests processing of data away from a geo-location-aware client device and (ii) includes an instruction that instructs any available server to respond with a reported geographic location. An asserted geographic location is received from a remote server available to process the data responsive to the instruction in the location-reporting request. In response to determining that the asserted geographic location of the available remote server satisfies location-based data processing restrictions that regulate remote processing of the data away from the geo-location-aware client device, the asserted geographic location is verified using a geo-location assertion server. In response to a successful verification of the asserted geographic location of the available remote server, the data is sent to the available remote server to process.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: December 18, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Scott J. Broussard, Jacob D. Eisinger, Ritu Mehta, Karthikeyan Ramamoorthy
  • Patent number: 10157285
    Abstract: Systems and arrangements for integrating two or more overlapping requirements from different assessments are presented. In some examples, determining whether requirements are considered overlapping may include identifying a plurality of aspects of each requirement and comparing the aspects to aspects of other requirements to determine whether at least a threshold number of aspects are the same. Upon identifying two or more overlapping requirements, the system may integrate the two or more overlapping requirements into an integrated requirement. A unique identifier may be generated for the integrated requirement and associated with the integrated requirement. Data may be received responsive to a request for data for an integrated requirement and the system may associate the received data with the integrated requirement and may map the received data to the two or more requirements integrated into the integrated requirement.
    Type: Grant
    Filed: October 14, 2016
    Date of Patent: December 18, 2018
    Assignee: Bank of America Corporation
    Inventors: Richard Scot, Kesha Hamilton, Jason Greeter, Terry G. McConnell
  • Patent number: 10135848
    Abstract: A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: November 20, 2018
    Assignee: SPLUNK INC.
    Inventors: Sudhakar Muddu, Christos Tryfonas
  • Patent number: 10117096
    Abstract: Systems and methods to generate safe zones and safe routes associated with a device are disclosed. These safe zones and safe routes can be used to map complicated location behavior into location behavior scores that can be applied systematically to tracking and authentication applications.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: October 30, 2018
    Assignee: Athentek Innovations, Inc.
    Inventors: David S. De Lorenzo, Huanchun Ye, Yi-Hsiu Wang, Ivy H. Tseng
  • Patent number: 10108800
    Abstract: Using an ARM processor, a method is provided for endpoint computing systems such as mobile devices or laptops to provide a hardware isolated runtime environment for multiple operating systems (OS's). OS isolation is performed by hardware ARM Security Extensions added to ARMv6 processors (or higher) and controlled by a software Secure Monitor Module (SMM). The invention therefore comprises hardware enforcement mechanisms configured by the SMM to confine each OS to its own respective resources (kernel, RAM, drivers, storage). The invention is applicable to systems with different OS switching mechanisms, such as full computer system reboot to switch OS's, suspension of one OS and resuming another, or using a virtual machine hypervisor to execute several OS's in parallel.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: October 23, 2018
    Assignee: GBS Laboratories, LLC
    Inventor: Oleksii Surdu
  • Patent number: 10103885
    Abstract: A method for distributing multiple cryptographic keys used to access data includes: receiving a data signal superimposed with an access key request, wherein the access key request includes at least a number, n, greater than 1, of requested keys; generating n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key; deriving an access private key by applying the private key included in each of the n key pairs to a key derivation algorithm; generating an access public key corresponding to the derived access private key using the key pair generation algorithm; and electronically transmitting a data signal superimposed with a private key included in one of the n key pairs for each of the n key pairs.
    Type: Grant
    Filed: January 20, 2016
    Date of Patent: October 16, 2018
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Steven Charles Davis
  • Patent number: 10068092
    Abstract: A facility for booting a virtual machine hosted on a host is described. In one example facility, the facility boots the virtual machine in accordance with a policy instance associated with the virtual machine. As part of the booting, the facility extracts information needed to complete the booting from a virtual trusted platform module associated with the virtual machine, the extraction based upon the policy instance associated with the virtual machine. At the completion of the booting, the facility copies contents of a policy instance associated with the host into the policy instance associated with the virtual machine.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: September 4, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Lawrence Ralph Cleeton, Yevgeniy A. Samsonov, Kinshumann Kinshumann, Jingbo Wu, Kevin Michael Broas, Samartha Chandrashekar
  • Patent number: 10044718
    Abstract: In a method of controlling sharing of an object between entities in a distributed system, a processor will identify an object and generate an access control list (ACL) for the object so that the ACL includes a list of clauses. Each clause will include a blessing pattern that will match one or more blessings, and at least one of the clauses also may include a reference to one or more groups. Each group represents a set of strings that represent blessing patterns or fragments of blessing patterns. The processor may generate each clause of the ACL as either a permit clause or a deny clause to indicate whether an entity or entities that have a blessing matched by the blessing pattern are permitted to access the object. The processor will save the ACL to a data store for use in responding to a request to access the object.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: August 7, 2018
    Assignee: Google LLC
    Inventors: Michael Burrows, Martin Abadi, Himabindu Pucha, Adam Sadovsky, Asim Shankar, Ankur Taly
  • Patent number: 10044510
    Abstract: An electronic device is provided. The electronic device includes a processor, a memory configured to connect to the processor, and an embedded secure element (eSE) configured to connect to the processor over a physical channel to receive secure data sent by the processor over the physical channel, and store the secure data.
    Type: Grant
    Filed: February 17, 2016
    Date of Patent: August 7, 2018
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Eun Young Kwon, Bum Han Kim, Jong Su Kim, Michael Pak, Dae Haeng Cho, Dong Ho Jang
  • Patent number: 10027663
    Abstract: An anonymized biometric representation of a target individual is used in a computer based security system. A detailed input biometric signal associated with a target individual is obtained. A weakened biometric representation of the detailed biometric signal is constructed such that the weakened biometric representation is designed to identify a plurality of individuals including the target individual. The target individual is enrolled in a data store associated with the computer based security system wherein the weakened biometric representation is included in a record for the target individual. In another aspect of the invention, a detailed input biometric signal from a screening candidate individual is obtained. The detailed biometric signal of the screening candidate is matched against the weakened biometric representation included in the record for the target individual.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: July 17, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jonathan H Connell, II, Fred A Maynir-Ducharme, Nalini K Ratha
  • Patent number: 10013578
    Abstract: Method and apparatus for secure processing. The method includes detecting communication among secure and non-secure data entities, prohibiting execution of non-secure executable instructions on secure data entities unless the non-secure executable instructions are recorded in a permitted instruction record, and prohibiting execution of non-secure executable instructions if the non-secure executable instructions are recorded in a prohibited instruction record.
    Type: Grant
    Filed: November 17, 2015
    Date of Patent: July 3, 2018
    Assignee: Atheer, Inc.
    Inventor: Sleiman Itani
  • Patent number: 9998491
    Abstract: A first collection including a pattern of life (POL) feature vector and a Q&A feature vector is constructed. A second collection is constructed from the first collection by inserting noise in at least one of the vectors. A third collection is constructed by combining a vector of the second collection with a corresponding vector of a different collection. Using a forecasting configuration, a POL feature vector of the third collection is aged to generate a changed POL feature vector containing POL feature values expected at a future time. The changed POL feature vector is input into a trained neural network to predict a probability of the cyber-attack occurring at the future time.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: June 12, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mohamed N. Ahmed, Aaron K. Baughman, John F. Behnken, Mauro Marzorati
  • Patent number: 9990505
    Abstract: Embodiments of the present invention provide a method to temporally isolate data accessed by a computing device so that the data accessed by the computing device is limited to a single set of data. The method includes removing any data that is accessed by the computing device when operating in different modes so that the data is inaccessible by the computing device when operating in the mode. The method also includes switching to the mode after the data associated with the modes different from the mode have been removed. The method also includes operating in the mode based on a plurality of rules associated with the security policy in temporal isolation from any other mode associated with the computing device. The computing device is limited to operating in the mode and is prevented from accessing any data that is distinct from the single set of data of the mode.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: June 5, 2018
    Assignee: Redwall Technologies, LLC
    Inventors: Eric Ridvan Üner, Michael J. Collins, Kent H. Hunter, John E. Rosenstengel, James E. Sabin, Kevin S. Woods
  • Patent number: 9992322
    Abstract: The invention enables digital music content to be downloaded to and used on a portable wireless computing device. An application running on the wireless device has been automatically adapted to parameters associated with the wireless device without end-user input (e.g. the application has been configured in dependence on the device OS and firmware, related bugs, screen size, pixel number, security models, connection handling, memory etc.). This application enables an end-user to browse and search music content on a remote server using a wireless network; to download music content from that remote server using the wireless network and to playback and manage that downloaded music content. The application also includes a digital rights management system that enables unlimited legal downloads of different music tracks to the device and also enables any of those tracks stored on the device to be played so long as a subscription service has not terminated.
    Type: Grant
    Filed: March 29, 2017
    Date of Patent: June 5, 2018
    Assignee: OMNIFONE LIMITED
    Inventors: Mark Stephen Knight, Michael Ian Lamb, Robert John Lewis, Stephen William Pocock, Philip Anthony Sant, Mark Peter Sullivan, Christopher John Evans
  • Patent number: 9985986
    Abstract: The present invention discloses an unconditional secure communication method based on beam-forming and security code, which comprises the following steps of: Legitimate users send to the signal pre-encoded and modulated, meanwhile eavesdropper receives signals and calculates the bit error rate; computing security coding parameters, legitimate received users send pilot sequence, and legitimate sending users estimate legitimate channel, and extract information on legal channel coding and modulating signal was SVD pre-coding and sending; the signal was decoded, that will be judgment and demodulation then the signal after decoding do security code is transmitted to message or tapping, due to lack of legal channel information, eavesdropper cannot lift pre-coding processing of the received signal with the high bit error rate. This method can establish advantages channel of the wiretap model channel and to ensure that legitimate users can receive signals at the lower bit error rate.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: May 29, 2018
    Assignee: University of Electronic Science and Technology of China
    Inventors: Hong Wen, Jie Tang, Da Xiang, Huanhuan Song
  • Patent number: 9961132
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable storage media for placing a user account in escrow to remove it from an administered account. An employee and/or an employer can select to remove a user account from an administered account associated with the employer. To ensure that each party, the employer and employee, has an opportunity to retain their content stored in the removed user account, the user account can be placed into escrow, requiring login credentials of both the user and the administrator (employer) to access the user account. The user account can therefore not be accessed unless both the employer and employee each log in to the account at the same time. By placing the user account in escrow, both parties can be assured that they can access the content items in the user account, and that the other party cannot access the content without their knowledge.
    Type: Grant
    Filed: July 30, 2014
    Date of Patent: May 1, 2018
    Assignee: DROPBOX, INC.
    Inventor: Anton Mityagin