Abstract: The invention discloses a secure data processing method and system, wherein the secure data processing method comprises the following steps of: a security control server receiving a data upload request from a terminal, and obtaining a file feature, an identification code of the terminal and a directory path of a file with the file feature in the terminal comprised in the data upload request; the security control server judging whether the terminal is a trustable machine and/or judging whether the directory path is a credit directory according to the identification code and/or the directory path, and if the terminal is a trustable machine and/or the directory path is a credit directory, adding the uploaded file feature into a security database, or otherwise, not adding it into the security database; the trustable machine is a terminal in which data is considered as secure data. The invention further provides a secure data processing system implementing the foregoing method.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving a support request from a requester, and obtaining a policy for evaluating administrative privileges required for fulfilling the request where the policy is based on a history of actions of the requester. Receiving a system access request for access to digital content, where the system access request is associated with the support request, and providing an access control decision based on the policy.

Abstract: A method for encrypting a message is described in which a public key and a private key are generated. The public key is encrypted using a shared symmetric key shared with an agent. The private key is encrypted using a private symmetric key. The encrypted public key is sent to the agent and decrypted by the agent with the shared symmetric key. A message encrypted with the shared symmetric key is received from the agent, and is decrypted using the shared symmetric key.

Abstract: A method for requesting an object by means of a client system, which is coupled to a server system operatively via a communications network is provided, wherein a server means of the server system receives via the communications network a request message from an electronic document displayed at a client system, the request message comprises at least a first parameter, which identifies a user of the client system, and a second parameter, which identifies the requested object, the server means evaluates the parameters of the received request message, wherein data for the first parameter assigned to the user and data for the second parameter assigned to the object are determined, wherein the respective data are stored in a storage means of the server system, and after a successful evaluation, the requested object is provided for transmission to the user.

Abstract: A system implemented on a server computer for managing digital certificates includes a certificate management agent module, a digital certificate processing module and a configuration module. The certificate management agent module processes requests to create a plurality of certificate management agents. Each of the certificate management agents is configured to manage a lifecycle of a digital certificate for a client electronic device. The digital certificate processing module processes requests from the certificate management agent module for digital certificates for the plurality of certificate management agents. The configuration module receives and processes configuration parameters for the certificate management agents and for the digital certificates.

Abstract: Novel tools and techniques might provide for implementing application, service, and/or content access control. Based at least in part on a consumer's choice of applications, services, content, and/or content providers—particular in exchange for a subsidy on content and/or network access fees provided to the consumer by chosen content providers—, a computing system may determine whether access to applications, services, and/or content not associated with the chosen content providers (“other content”) should be allowed or restricted. If restricted, the computing system might utilize various network access techniques and/or technologies to block the consumer's access to the other content, to allow access to the other content on a charge per access basis, or to allow access to the other content at reduced network access speeds. In some embodiments, an access provider (e.g., an Internet service provider, etc.) might perform both determination and implementation of content access and restriction.

Abstract: A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and plants a second honeytoken in R2, used to access a third resource, R3, using second decoy credentials, and an alert module alerting that an attacker is intruding the network only in response to both an attempt to access R2 using the first decoy credentials, and a subsequent attempt to access R3 using the second decoy credentials.

Abstract: A method of establishing connectivity between a mobile network operator (MNO) and a machine type communications (MTC) service provider. A machine type communications interworking function (MTC-IWF) Proxy is hosted on an IPX network service. MTC-IWF Proxy is connected to a MTC-IWF of the MNO and is also connected to a Service Capacities Center (SCS) of the MTC service provider. MTC-IWF Proxy connects to the MNO and the MTC service providers via trigger-service provider (Tsp) interface. Identity mapping services are provided between a first set of subscriber identifiers used by the MNO and a second set of subscriber identities used by the MTC service provider. The MTC-IWF Proxy hides the internal topology and relays signaling protocols used over a Tsp interface, thus enabling the MTC service providers and MNOs communicate without modifying their internal signaling protocols.

Abstract: A portable hardware device such as a USB memory stick is used to provide parental locking functionality to a computer. When the device is coupled to the computer, the computer is unlocked and allowed to operate normally. When the device is not coupled to the computer, the computer is locked, and some or all of the computing functionality is blocked. This enables parents to lock and unlock a child's computer with a “key.” A detecting module detects the coupling and uncoupling of devices to the computer. When a device is coupled to the computer, an identifying module identifies the device by reading its unique identifier, and determining whether the coupled device is the one being used as the key. If so, the computer is unlocked, and allowed to operate. If not, a blocking module blocks at least some capabilities of the computer.

Abstract: A plurality of data files is received. Thereafter, each file is represented as an entropy time series that reflects an amount of entropy across locations in code for such file. A wavelet transform is applied, for each file, to the corresponding entropy time series to generate an energy spectrum characterizing, for the file, an amount of entropic energy at multiple scales of code resolution. It can then be determined, for each file, whether or not the file is likely to be malicious based on the energy spectrum. Related apparatus, systems, techniques and articles are also described.

Abstract: In some implementations, a system may control an environment in which biometric data is entered when a user enrolls data for a user account or authenticates after having enrolled user data. Enrollment and/or authentication may be required to occur under one or more conditions. In some implementations, data from an electronic device associated with a user may be used to determine whether conditions on enrollment and/or authentication have been satisfied.

Abstract: In an approach for automated vehicle authorization. A processor receives a first set of credentials from at least a first near field communication device, wherein the first set of credentials indicates information about a person. A processor receives a second set of credentials from at least a second near field communication device, wherein the second set of credentials indicates information about a vehicle. A processor compares the first set of credentials to the second set of credentials. A processor determines whether the person indicated by the first set of credentials has authority to operate the vehicle, based on, at least, the comparison of the first set of credentials to the second set of credentials.

Abstract: A trigger event monitoring system is provided in one or more virtual assets. One or more trigger parameters, including security threat patterns, are defined and trigger data is generated. The one or more trigger monitoring systems are used to monitor extrusion and intrusion capabilities and self-monitored trigger events that may harm or otherwise leave a virtual asset in a vulnerable state. In one embodiment, trigger events and monitoring of at least a portion of message traffic sent to, or sent from, the one or more virtual assets are initiated and/or performed to detect any message including one or more of the one or more of the trigger parameters. Any message meeting the one or more trigger parameters is identified as a potential security threat and is assigned a threat score, which is provided to the virtual asset. Various corrective actions may take place.

Abstract: Techniques for electronic signature processes are described. Some embodiments provide an electronic signature service (“ESS”) configured to facilitate the creation, storage, and management of electronic signature documents. In one embodiment, an electronic signature document may be associated with custody transfer rules that facilitate transfers of custody of an electronic signature document from one user or party to another. A custody transfer may results in a transfer of rights or capabilities to operate upon (e.g., modify, view, send, delete) an electronic signature document and/or its associated data. A custody transfer rule may be trigged by the occurrence of a particular event, such as the receipt of an electronic signature.

Abstract: Access to a user profile of a user device at a location may be provided to a destination device upon detecting that the location is within a proximity of a destination location. An expiring token may be generated, associated with the user profile, and communicated to the second device. Access to the user profile provided to the destination device may be terminated upon an expiration of the expiring token.

Abstract: A method of operating a server comprises receiving an authorization request comprising a password, accessing an expiry date for the password, transmitting a response comprising the expiry date, ascertaining whether the password has expired, and receiving a new password, if the password has expired. Optionally, the transmitted response further comprises a date representing the last use of the password and/or an integer value representing a retry parameter.

Abstract: A method for deriving a verification token from a credential may be provided. The credential may be a set of attributes certified by an issuer to a user using a public key of the issuer. The method may comprise generating the verification token out of the credential and binding the verification token to a context string, wherein the verification token may comprise at least one commitment. A commitment may be a blinded version of an attribute. The method may also comprise generating an opening key for the verification token enabling a generation of a confirmation for a validity of the attribute.

Abstract: Disclosed herein are techniques and systems for transmitting a multi-broadcast signal from a wireless broadcasting device (or beacon) as part of a beacon recognition process. Specifically, the multi-broadcast signal may be in the form of multiple packets that are broadcast from the beacon within a recognition time period. A process may include creating a first packet having a first identifier (ID) and a randomly generated value, broadcasting the first packet from the beacon, generating a second ID based at least in part on the randomly generated value included in the first packet, and broadcasting, within a period of time from the broadcast of the first packet, a second packet having the second ID and a device ID that uniquely identifies the beacon. A mobile device in proximity to the beacon may include logic to detect and interpret a multi-broadcast signal from the beacon.

Abstract: A malware detection system and method detects changes in host behavior indicative of malware execution. The system uses linear discriminant analysis (LDA) for feature extraction, multi-channel change-point detection algorithms to infer malware execution, and a data fusion center (DFC) to combine local decisions into a host-wide diagnosis. The malware detection system includes sensors that monitor the status of a host computer being monitored for malware, a feature extractor that extracts data from the sensors corresponding to predetermined features, local detectors that perform malware detection on each stream of feature data from the feature extractor independently, and a data fusion center that uses the decisions from the local detectors to infer whether the host computer is infected by malware.

Abstract: A method of accessing, in a mobile communication device, an application issued by a Service Provider from a trusted application, also known as a wallet. A secure element, such as a SmartMX device, comprises a service manager that manages the application and a link between the application and an application-codec issued by the Service Provider, wherein the application-codec is designed for interfacing between the service manager and the application, for processing an access request requesting access to the application received from the service manager and, triggered by the wallet, accessing the application via the service manager by means of the link between the application and the application-codec, such that the application-codec linked with the respective application performs accessing the application under control of the service manager.