Abstract: A virtual machine transmits local files to a secure virtual machine hosted by a hypervisor for malware detection. When malware is detected, the secure virtual machine can responsively provide remediation code to the virtual machine on a temporary basis so that the virtual machine can perform suitable remediation without a permanent increase in size of the virtual machine.

Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a message sender. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a digital certificate of the message sender, is configured with an associated private key to digitally sign the message on behalf of the message sender. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the message sender using the private key of the secured digital certificate.

Abstract: A method for using digital signatures for signing blockchain transactions includes: generating a domain key pair comprising a domain private key and a domain public key, wherein the domain public key is signed after generation; receiving a plurality of member public keys, wherein each member public key is received from an associated member of a blockchain network and is a public key in a key pair comprising the member public key and a member private key corresponding to the associated member; signing each member public key using the domain private key; receiving a transaction block from a specific member of the blockchain network, wherein the transaction block includes a plurality of blockchain transaction values and a hash signed using the member private key corresponding to the specific member; signing the received transaction block using the domain private key; and transmitting the signed transaction block.

Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a message sender. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a digital certificate of the message sender, is configured with an associated private key to digitally sign the message on behalf of the message sender. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the message sender using the private key of the secured digital certificate.

Abstract: The present teaching relates to generating an identifier for a person. In one example, an actual name of the person is received. The identity of the person that is associated with the actual name of the person is proved at a pre-determined level of assurance (LOA) required by an identity management system. When the identity of the person has been proved, a peripheral name is solicited from the person. An identifier that includes the actual name and the peripheral name of the person is created. Whether the identifier is unique is determined. The steps of soliciting, creating, and determining are repeated until the identifier is unique. The peripheral name is associated with the person. The identifier is associated with the person.

Abstract: The present disclosure relates to a method and system for securing a performance state change of one or more processors. A disclosed method includes detecting a request to change a current performance state of a processor to a target performance state, and adjusting an operating level tolerance range of the current performance state to include operating levels associated with a transition from the current performance state to the target performance state. A disclosed system includes an operating system module operative to transmit a request for a performance state change of at least one processing core. The system includes performance state control logic operative to change the performance state of the at least one processing core based on the request.

Abstract: A method of distributing data over multiple Internet connections is provided. The method includes the steps of: (a) providing a client computer with access to a plurality of Internet connections; and (b) providing a host computer for determining the allocation of data to be sent to the client computer over each of the plurality of Internet connections using at least one of (i) predetermined criteria and (ii) dynamically changing criteria.

Abstract: A security aware email server and a method of managing incoming email are described. The server includes a memory device configured to store rules, instructions, and user preferences. The processor makes a determination of whether a sender of an incoming email used a secure or unsecure sending network to send the email and determines an action to take with the email based on the determination and the user preferences.

Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive a query statement. The query statement is one of many distributed storage and distributed processing query statements with unique data access methods. Token components are formed from the query statement. The token components are categorized as data components or logic components. Modified token components are formed from the token components in accordance with a policy. The query statement is reconstructed with the modified token components and original computational logic and control logic associated with the query statement.

Abstract: Systems and methods are provided for authenticating a user of a computing device. An example system includes a memory storing instructions, and a processor configured to execute the instructions to receive an authentication request from a user of a computing device, determine a context of the authentication request, determine a physical location of the user, and perform, based on the context of the authentication request and the physical location of the user, an associate proximity detection. The associate proximity detection includes steps to identify an associate based on at least one of the context of the authentication request or the physical location of the user, determine a physical location of the identified known associate, and determine a proximity of the user to the identified known associate. The authentication request may be approved when the determined proximity is within a threshold.

Abstract: Systems (100) and methods (1900) for configuring a computer network (“CN”). The methods comprise: receiving Access Control Information (“ACI”) input to a first network node (101-103, 105-107) by a user assigned to a mission; verifying that the user has a right to have access to the CN (100) based on the ACI; granting the user access to CN in response to the verifying; and obtaining Mission Related Information (“MRI”) by the first network node. The MRI is associated with the user and at least identifies a first mission plan (120) specifying a manner in which an assigned value for at least one first identity parameter is to be dynamically modified by at least one node (105-107, 113, 114) of CN. Thereafter, the first network node or a second network node (105-107, 113, 114) of CN is configured to operate in accordance with the first mission plan.

Abstract: A technique for enabling nominal flow of an executable file on a client. The executable file includes executable code lacking at least one nominal constant, wherein only the nominal constant enables the nominal flow of the executable file and wherein a server has access to the at least one nominal constant. In a method aspect performed by the client, the method includes retrieving hardware information of the client, wherein the hardware information is at least substantially unique, transmitting one of the hardware information and information derived therefrom to a server and, in turn, receiving at least one constant that has been transformed based on one of the hardware information and the information derived therefrom. The client then performs, using one of the hardware information and the information derived therefrom, an inverse transformation on the at least one transformed constant to recover the nominal constant.

Abstract: Access to resources or data can be managed based at least in part upon a validation of credentials. A customer can have customer credentials, such as a username and password pair, that can be used to obtain access according to terms of a customer account. A computing device used to gain the access can also have device credentials, which can be based upon identifying information from the device or provided to the device upon a successful login. The customer account might be locked for a period of time if a number of unsuccessful login attempts are received over a designated period of time. If, however, a request is received with device credentials for a trusted and/or recognized device, at least one additional login attempt might be granted in order to prevent a customer from being locked out of the account due to actions of other persons and/or devices.

Abstract: An Initialization Unit (IU) initiates an initial secure connection with an Intrinsic Use Control (IUC) Chip based on very large random numbers (VLRNs). The IUC Chip in turn initiates a secondary secure connection between it and one or more Use Controlled Components (UCCs). Polling by the IU allows confirmation of an ongoing secure connection, and also allows the IUC Chip to confirm the secondary secure connection to the UCCs. Removal or improper polling response from one of the UCCs results in a response from the IUC Chip that may include notification of tampering, or temporary or permanent discontinued operation of the offending UCC. Permanent discontinued operation may include destruction of the offending UCC, and cascaded discontinued operation of all other UCCs secured by the IUC Chip. A UCC may in turn be another nested layer of IUC Chips, controlling a corresponding layer of UCCs, ad infinitum.

Abstract: In accordance with an embodiment, described herein is a system and method for providing security in a multitenant application server environment. In accordance with an embodiment, per-partition security configuration includes: per-partition security realm (including configuration for authentication, authorization, credential mapping, auditing, password validation, certificate validation, and user lockout); SSL configuration, including keys, certificates, and other configuration attributes; and access control for partition and global resources. An administrator can designate one or more partition users as partition administrators, via grant of roles.

Abstract: System and method for accessing a distributed storage system uses a storage-level access control process at a distributed file system that interfaces with the distributed storage system to determine whether a particular client has access to a particular first file system object using an identifier of the particular client and storage-level access control rules in response to a file system request from the particular client to access a second file system object in the particular first file system. The storage-level access control rules are defined for a plurality of clients and a plurality of first file system objects of the distributed storage system to allow the particular client access to the second file system object in the particular first file system object only if the particular client has been determined to have access to the particular first file system object according to the storage-level access control rules.

Abstract: A method for remote triggered black hole filtering can include advertising a first modified next hop address for a destination address of network traffic, and advertising a second modified next hop address for a source address of network traffic. The first next hop address of the destination address might be overwritten with the first modified next hop address. Filtered traffic then can be forwarded to the first modified next hop address, wherein filtered traffic comprises only network traffic addressed to the destination address or from the source address. In some cases, the filtered traffic is transported and received via a sinkhole tunnel. A second next hop address of the source address can be overwritten to a second modified next hop address. The attack traffic, which can be filtered traffic that is both addressed to the destination address and from the source address, might be forwarded to a discard interface.

Abstract: The disclosed embodiments include methods, systems, system terminals, and point-of-sale terminals for authenticating a user. The disclosed embodiments include, for example, a method for receiving, by one or more processors, authentication data from an authentication network, the authentication data including an authentication code identifying an authentication transaction associated with an authenticating partner system. The method may also include validating, by the one or more processors, the authentication data, the validating comprising comparing the authentication data with validation data corresponding to a prior authentication event associated with the user. The method may also include generating, by the one or more processors, validation information based on the validating, the validation information comprising a determination whether to validate the user for the authentication transaction.

Abstract: In one embodiment, a user device may reestablish access to a user resource while forgoing use of a user credential during a system reboot. The user device may receive the user credential from a user during an initial login to access the user resource. The user device may create an ephemeral entropy to access the user resource. The user device may access the user resource using the ephemeral entropy.

Abstract: A context-aware delegation engine can enable an account owner to identify granular criteria (or context) that will be used to determine what content a delegate will have access to. The account owner can therefore leverage a wide range of information to dynamically determine whether a delegate will receive access to particular content. The delegation engine can be configured to provide a delegation policy to be evaluated to determine whether a delegate should receive access to particular content. Such a delegation policy can be generated based on input provided by the delegator thereby providing the delegator with fine-grained control over which content will be accessible to a particular delegate. The delegation policy can be structured in accordance with an authorization protocol schema such as XACML, SAML, OAuth 2.0, OpenID, etc. to allow the evaluation of the delegation policy to be performed by a policy decision point in such authorization architectures.