Patents Examined by Carlton Johnson
  • Patent number: 10063654
    Abstract: Systems and methods for contextual and cross application threat detection in cloud applications in accordance with embodiments of the invention are disclosed. In one embodiment, a method for detecting threat activity in a cloud application using past activity data from cloud applications includes receiving activity data concerning actions performed by a user account associated with a user within a monitored cloud application, receiving external contextual data about the user that does not concern actions performed using the user account within the monitored cloud application, where the external contextual data is retrieved from outside of the monitored cloud application, deriving a baseline user profile using the activity data and external contextual data and associating the baseline user profile with the user account, and determining the likelihood of anomalous activity using the baseline user profile.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: August 28, 2018
    Assignee: Oracle International Corporation
    Inventors: Ganesh Kirti, Kamalendu Biswas, Prakash Gurumurthy, Raja S. Alomari, Sumedha Nalin Perera
  • Patent number: 10021565
    Abstract: The present disclosure describes an integrated full and partial shutdown application programming interface. Embodiments herein disclosed include receiving an indication that a mobile device of a user is compromised. Further embodiments identify one or more applications associated with the mobile device and remotely access the mobile device to perform a switch-off of the one or more applications. The switch-off may include logging the user out of the one or more applications before removing the one or more applications from the mobile device.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: July 10, 2018
    Assignee: Bank of America Corporation
    Inventors: Alicia C. Jones-McFadden, Elizabeth S. Votaw
  • Patent number: 10019498
    Abstract: A biometric data brokerage system (BDPS) and method for transfer of biometric records between at least one biometric collection device (BCD) and at least one biometric processing service (BPS) are disclosed. Embodiments provide a BDPS that utilizes biometric record translation routines that allow for biometric record submissions from any BCD to any BPS, regardless of biometric record format requirements. The need for costly and proprietary biometric record formatting software on BCDs is thereby eliminated.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: July 10, 2018
    Assignee: NORTHRUP GRUMMAN SYSTEMS CORPORATION
    Inventors: Gregory T. Zarroli, Robert W. Johnston, Jay E. Orgeron, Erik J. Bowman, Taylor D. Baldwin, Harry F. Richardson, Kody West
  • Patent number: 9986276
    Abstract: Provided are an authentication system and a method of operating the authentication system. The authentication system allows network cameras to authenticate an image storage device as a client. The authentication system includes an authentication preprocessing unit provided in the client to calculate and store an offset time representing a difference between time information of the client and time information that is received from a network camera in response to a time information request to the network camera, and an authentication processing unit provided in the network camera to authenticate the client by receiving authentication information including the offset time from the client in response to an authentication request of the client.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: May 29, 2018
    Assignee: Hanwha Techwin Co., Ltd.
    Inventor: Sujith Kunhi Raman
  • Patent number: 9979698
    Abstract: Local internet functionality may allow host devices positioned in branch office locations to securely communicate outgoing internet traffic directly over the internet. Local internet functionality may also allow said host devices to securely receive incoming internet traffic through the creation and tracking of local internet sessions. Local internet functionality is achieved by forwarding egress internet traffic over a local internet virtual pathway extending to a WAN interface/port of a local host device. The WAN interface/port is configured to communicate traffic received over the local internet virtual pathway directly over the internet, while communicating all other egress traffic over secure tunnels of the virtual edge router. The WAN interface/port is further configured to monitor outgoing local internet traffic to create and track local internet sessions.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: May 22, 2018
    Assignee: iPhotonix
    Inventors: Lance Arnold Visser, Son Thanh Tran, Russell Wiant
  • Patent number: 9953181
    Abstract: A system and method for providing or exchanging healthcare information (e.g., medical information) to authorized users in a secure manner. The method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable to: assign identification information to a plurality of users and a plurality of items; associate the identification information of a user of the plurality of users with one or more items of the plurality of items; set-up security policies including predetermined locations, within predetermined stages within a sequence and during predetermined times; and provide the user access to the one or more items when there is a matching between the identification information of the user and the one or more items, and all of the security policies associated with the user and the one or more of the plurality of items are met.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: April 24, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Fredrick T. Dunaway
  • Patent number: 9940477
    Abstract: A geolocation-based encryption method and system. The geolocation-based encryption method and system may comprise the steps of: providing an encryption application running on a first mobile computing device and a second mobile computing device; generating a key based, at least in part, on geolocation data, device identification data, and a unique file identifier associated with said digital content; selecting a target location on the first mobile computing device to create GPS data, which may be a portion of the geolocation data; encrypting a digital content based on the key; establishing secure session(s) among the user, a recipient, and server(s); and transmitting the encrypted digital content to the server(s). The encrypted digital content may be transmitted from the server(s) to the second mobile computing device. The encryption application may decrypt the encrypted digital content based on the key.
    Type: Grant
    Filed: December 4, 2015
    Date of Patent: April 10, 2018
    Inventor: Agostino Sibillo
  • Patent number: 9910972
    Abstract: Methods and systems may provide for selecting a hypervisor protocol from a plurality of hypervisor protocols based on a communication associated with a remote agent. The selected hypervisor protocol may be used to conduct a trust analysis of one or more digitally signed values in the communication, wherein a cloud attestation request may be processed based on the trust analysis. Processing the cloud attestation request may involve generating a trustworthiness verification output, a geo-location verification output, etc., for a cloud computing node corresponding to the remote agent.
    Type: Grant
    Filed: January 30, 2012
    Date of Patent: March 6, 2018
    Assignee: Intel Corporation
    Inventor: Yeluri Raghuram
  • Patent number: 9904775
    Abstract: The disclosed embodiments include computerized methods and systems that facilitate two-factor authentication of a user based on a user-defined image and information identifying portions of the image sequentially selected by the user. In one aspect, a communications device presents a first digital image of a first user on a touchscreen display. The communications device may receive, from the first user, information identifying portions of the first digital image selected in accordance with a candidate authentication sequence established by the first user. The selected first image portions may, for example, be associated with corresponding facial features of the first user. The communications device may determine whether the candidate authentication sequence matches a reference authentication sequence associated with the first digital image, and may authenticate an identity of the first user, when the first selection sequence is determined to match the second selection sequence.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: February 27, 2018
    Assignee: The Toronto-Dominion Bank
    Inventors: Hisham I. Salama, Paul Mon-Wah Chan, Dino D'Agostino, Orin Del Vecchio
  • Patent number: 9892279
    Abstract: A system for generating an access control policy comprises a user interface (1) for enabling a user to indicate a topic (10) and a set of permissions (15). A document analyzer (2) analyzes the content of a plurality of documents (11) to find a set of documents (13) relating to the topic (10). A property finder (5) analyzes the content of a plurality of documents (11) to find at least one distinguishing property (12) of documents relating to the topic (10). A document selector (6) selects the set of documents (13), based on the distinguishing property (12). An associating subsystem (3) associates the set of permissions (15) with the set of documents (13) to obtain an access control policy (4).
    Type: Grant
    Filed: December 14, 2011
    Date of Patent: February 13, 2018
    Assignee: Koninklijke Philips N.V.
    Inventors: Milan Petkovic, Vojkan Mihajlovic
  • Patent number: 9882879
    Abstract: Methods, apparatus and articles of manufacture for using steganography to protect cryptographic information on a mobile device are provided herein. A method includes querying a user to select one or more items of data stored on a computing device to be used in connection with one or more cryptographic actions associated with said computing device, and protecting one or more items of cryptographic information within the one or more selected items of data.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: January 30, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Yedidya Dotan, Lawrence N. Friedman, William M. Duane, John Brainard
  • Patent number: 9848052
    Abstract: A method for providing a token code in conjunction with a value token is disclosed. The token code serves as a shared secret for authenticating the use of the value token. Multiple token holders can possess the same value token, but each token holder may have a different token code for use with the value token.
    Type: Grant
    Filed: May 5, 2015
    Date of Patent: December 19, 2017
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventor: Phillip Kumnick
  • Patent number: 9832227
    Abstract: A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.
    Type: Grant
    Filed: January 19, 2015
    Date of Patent: November 28, 2017
    Assignee: McAfee, LLC
    Inventors: Rishi Bhargava, David P. Reese, Jr.
  • Patent number: 9754257
    Abstract: An indication that a user wishes to conduct a bank transaction is received. An authentication path to be presented to the individual is pseudo-randomly determined. The authentication path comprises a combination of authentication challenges to be presented to the individual. A determination is made whether the user presented valid responses to the authentication challenges. The user is authenticated to conduct the bank transaction based on whether the user is determined to have presented valid responses to the authentication challenges.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: September 5, 2017
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Alexander Zaharopoulos Hughes
  • Patent number: 9647989
    Abstract: An intercepting proxy server processes traffic between an enterprise user and a cloud application which provides Software as a Service (SaaS). The intercepting proxy server intercepts real data elements in communications from the enterprise to the cloud and replaces them with obfuscating information by encrypting individual real data elements without disturbing the validity of the application protocol. To the processing cloud application, real data are only visible as encrypted tokens. Tokens included in results returned from the cloud are intercepted by the intercepting proxy server and replaced with the corresponding sensitive real data. In this way, the enterprise is able to enjoy the benefits of the cloud application, while protecting the privacy of real data.
    Type: Grant
    Filed: April 19, 2012
    Date of Patent: May 9, 2017
    Assignee: Symantec Corporation
    Inventor: Terrence Peter Woloszyn
  • Patent number: 9578506
    Abstract: The invention relates to a method for providing a wireless local network, wherein stationary communication devices and mobile communication devices are connected in the manner of a mesh as the sub-network, which is particularly connected to an infrastructure network and configured to exchange authentication messages with at least one communication device, which is particularly disposed in the infrastructure network and provides an authentication function. During an attempt to establish a first link by a first communication device connected to a communication device providing the authentication function to a second communication device connected to the communication device providing the authentication function, an authenticator role to be assigned as part of an authentication process is associated with the first and second communication devices, wherein at least one property correlating with the connection is analyzed for meeting a criterion.
    Type: Grant
    Filed: July 27, 2015
    Date of Patent: February 21, 2017
    Assignee: Unify GmbH & Co. KG
    Inventors: Rainer Falk, Florian Kohlmayer
  • Patent number: 9560524
    Abstract: Embodiments disclosed herein provide systems and methods to provide wireless network application access to a wireless device via an untrusted access node. In a particular embodiment, a method provides receiving communications directed to an application system within a wireless communication network from a wireless communication device via a wireless access node external to the wireless communication network. The method further provides determining whether the communications are authorized for the application system based on a signature included in the communications, wherein the signature comprises a unique identifier generated at the wireless communication device that corresponds to an identity of the wireless communication device and an identity of an integrated circuit within that wireless communication device that is associated with a subscriber of the wireless communication network.
    Type: Grant
    Filed: December 3, 2013
    Date of Patent: January 31, 2017
    Assignee: Sprint Communications Company L.P.
    Inventors: Raymond Emilio Reeves, Mark Douglas Peden, Gary Duane Koller
  • Patent number: 9558364
    Abstract: When an access occurs to an I/O device from an OS 231a, an I/O allocation unit refers to an I/O allocation table, and determines whether the I/O device is allocated to another OS 231b. When the I/O device is allocated to another OS 231b, a control unit notifies the OS 231a of an error. When the I/O device is not allocated to either of the OSs 231a-b, the I/O allocation unit updates the I/O allocation table in order to allocate the I/O device to the OS 231a, and an I/O emulation unit emulates the access to the I/O device.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: January 31, 2017
    Assignee: Mitsubishi Electric Corporation
    Inventor: Ryo Okabe
  • Patent number: 9547761
    Abstract: A first computing device is detected as substantially collocated with a wireless token device, using a short-range wireless communication network and a connection is established between the first computing device and the token device over the short-range wireless network. Authentication data is sent to the first computing device from the token device over the short-range wireless network to authenticate the token device at the first computing device. Authentication of the token device permits data accessible through the first computing device to be made available to a holder of the token device and to be presented on a user interface of the first computing device. In some instances, the wireless token device may otherwise lack user interfaces for presenting the data itself.
    Type: Grant
    Filed: April 9, 2012
    Date of Patent: January 17, 2017
    Assignee: McAfee, Inc.
    Inventor: Sven Schrecker
  • Patent number: 9547764
    Abstract: Improved techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a non-hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.
    Type: Grant
    Filed: April 24, 2012
    Date of Patent: January 17, 2017
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Kamalendu Biswas, Andrei Kapishnikov, Sastry Hari