Abstract: Systems, methods, and computer-readable media are disclosed for authenticating access to a service provider system, or more specifically, to a user account maintained on the service provider system, using a single key authentication mechanism. The service provider system may receive an authentication image from a user application executing on a user device. The authentication image may include first data generated in response to user input to the user device, second data generated by the user application, and third data generated by the service provider system. The service provider system may then authenticate access to the user account based at least in part on the authentication image and send an indication to the user device that access to the user account has been authenticated. Authenticating access to the user account includes determining that the first data, second data, and third data match respective data expected by the service provider system.

Abstract: An exemplary computer-implemented method includes obtaining at least one teleportation invite block that records a virtual universe teleportation invite marked by at least one parameter. The teleportation invite identifies a virtual universe user as an invitee. Responsive to the parameter, assess whether the virtual universe teleportation invite is potentially malicious, and alert the invitee in case the virtual universe teleportation invite is potentially malicious.

Abstract: A database server stores encrypted vector data in which each of a plurality of elements is encrypted by encryption maintaining semi-homomorphism between calculation before encryption and calculation after encryption. The database server receives an obfuscated query (N-randomized query) from a terminal device, performs calculation for each of a plurality of segments of vectors of the obfuscated query with a segment of the encrypted vector data, and transmits the calculation to the terminal device in reply. The terminal device may acquire a result of decryption calculation transmitted in reply by a decryption device.

Abstract: A system of controlling one or more building control devices. The system may incorporate receiving from a third party a request for access to a user account at a manufacturer of building control devices, where the user account may be associated with one or more of the user's building control devices from the manufacturer. The third party may be a demand response provider, an aggregator of building control devices, or a different entity. The building control devices may be connected to a network. The system may be implemented over one or more networks with a server, an application programming interface (API), and/or a service bus.

Abstract: A method of establishing a secure connection between a user equipment, UE, and a media gateway, MGw, at setup of a communication session between the UE and another party. The MGw is controlled by a control server and the setup of the communication session comprises a security handshake procedure. The method comprising, prior to receiving a communication session set-up request, determining by the control server whether the MGw supports a procedure for early commencement of the security handshake and providing by the UE to the control server an indication that the UE supports the procedure for early commencement of the security handshake procedure and connection parameters for use in the security handshake. On receiving, by the control server, a communication session setup request from the other party, if both the UE and the MGw support the procedure for early commencement of the security handshake procedure, an instruction is sent to the Media gateway to commence the security handshake procedure.

Abstract: This disclosure describes a bot detection system that distinguishes bot transactions from human transactions. The system utilizes an anomaly-based filter process to reduce the number of false positives as determined by the system. The filter process includes maintaining a database of anomaly patterns, wherein the patterns are encoded as anomaly pattern strings. As anomalies are detected, they are encoded in the anomaly pattern strings, and the database is updated by maintaining counts on the occurrences of the strings. When a particular pattern string as reflected in the database has a count that exceeds a threshold, the string is determined to be associated with a bot as opposed to a human user.

Abstract: A system of controlling one or more building control devices. The system may incorporate receiving from a third party a request for access to a user account at a manufacturer of building control devices, where the user account may be associated with one or more of the user's building control devices from the manufacturer. The third party may be a demand response provider, an aggregator of building control devices, or a different entity. The building control devices may be connected to a network. The system may be implemented over one or more networks with a server, an application programming interface (API), and/or a service bus.

Abstract: The present invention relates to an electronic device. In particular, the present invention relates to an electronic device comprising a first and a second biometric sensor and processing circuitry arranged to authenticate the user of the electronic device. The present invention also relates to a corresponding method and computer program for authenticating the user of an electronic device.

Abstract: Embodiments of the present invention provide systems and methods for thwarting attempts at the unauthorized access to the restricted resources within the target server in a multi-node system. Real-time detection of the user ID and thread ID associated with attempts to access the restricted resources within the target server in a multi-node system is achieved by analyzing causality, message queue, and event-driven patterns.

Abstract: A flexible policy system allows compliant apps on a mobile device to interact with a secure container memory space to ensure that data leak prevention policies are being enforced. Third-party applications can include an SDK or application wrapper that provide policy enforcement via agent functionality. An administrator can define policies via a web-based portal, allowing a server to identify appropriate users and devices and to distribute policies to those devices to be enforced within the secure container on each device. Policies can identify the datatypes and security levels, and the related applications and users that have authority to access that data. The agent or application wrapper enforces these policies on the mobile device before applications can access data in the secure memory space.

Abstract: Embodiments of the present invention provide systems and methods for monitoring action records in virtual space. The systems and methods for monitoring action records in virtual space display recorded activity on an avatar within the virtual space by communicating in a virtual space with a user account. The recorded activity is analyzed and processed in order to compile information on the avatar and display an avatar (which is a reflection of the compiled information).

Abstract: Continuous sensitive content authentication is described. In one example, a request to open content, such as a photograph, spreadsheet, or text-based document, among other types of content, is received. Based on a sensitivity level or access profile rule associated with the content, an individual can be prompted to perform an authentication procedure before the content is displayed. The content can be displayed in response to a verification using the authentication procedure or removed (or not displayed) in response to a rejection using the authentication procedure. Additionally, the authentication procedure can be continuously polled to confirm the verification while the content is displayed. While the content is being displayed, the content can be removed from display at any time if the authentication procedure no longer produces the verification result. In some cases, the content can also be deleted after a rejection is detected using the authentication procedure.

Abstract: A method for operating a field device is disclosed, the field device having settings and/or functions classified into different security levels, where one of the settings and/or functions of the field device is selected by a user, at least one security measure is implemented depending upon the security level with which the selected setting and/or function is associated, and the security measure determines whether the selected setting and/or function of the field device is released for the user.

Abstract: Systems and methods are provided for discerning the intent of a device wearer primarily based on movements of the eyes. The system may be included within unobtrusive headwear that performs eye tracking and controls screen display. The system may also utilize remote eye tracking camera(s), remote displays and/or other ancillary inputs. Screen layout is optimized to facilitate the formation and reliable detection of rapid eye signals. The detection of eye signals is based on tracking physiological movements of the eye that are under voluntary control by the device wearer. The detection of eye signals results in actions that are compatible with wearable computing and a wide range of display devices.

Abstract: Determining whether to allow access to a message is disclosed. A message is received from a sender. The message is associated with a first time-to-live (TTL) value. A determination is made that the first time-to-live value has not been exceeded. The determination is made at least in part by obtaining an external master clock time. In response to the determination, access is allowed to the message.

Abstract: Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials then can only be obtained for a limited period of time, limiting the ability of an unauthorized entity obtaining the credentials to utilize those credentials for access. Along with the credentials, a refresh token can be issued to a requesting client that can enable the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended another credential lifetime. This renewal can be done transparent to a user and without again contacting the identity broker.

Abstract: A method includes: at a server, obtaining security intelligence data used for classifying whether a data associated with a user activity in a network is undesirable at a first time; classifying whether a first data in the network is undesirable based on the security intelligence data; receiving a request for classifying whether a second data is undesirable based on the security intelligence data; determining whether the server is overloaded with tasks; if the server is determined to be overloaded with tasks: logging the second data in a repository, and tagging the second data to re-visit classification of the second data; and when the server is no longer overloaded, classifying whether the second data is undesirable to produce a second classifying result and re-classifying whether the first data is undesirable based on updated security intelligence data obtained by the server.

Abstract: A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.

Abstract: An information processing apparatus includes a signing unit and first and second obtaining units. The signing unit signs a document by using a certificate used for connecting to an access point. The document is obtained via the access point. The first obtaining unit obtains, in response to an access request to access the signed document, identification information concerning the certificate used for signing the signed document. The second obtaining unit obtains identification information concerning a certificate used for connecting to an access point when the access request is received. The display controller performs control so that the sighed document will be displayed if the identification information obtained by the first obtaining unit and the identification information obtained by the second obtaining unit coincide with each other.

Abstract: Techniques for malicious HTTP cookies detection and clustering are disclosed. In some embodiments, a system, process, and/or computer program product for malicious HTTP cookies detection and clustering includes receiving a sample at a cloud security service; extracting a cookie from network traffic associated with the sample; determining that the cookie is associated with malware; and generating a signature based on the cookie.