Abstract: Logic may implement implicit integrity techniques to maintain integrity of data. Logic may perform operations on data stored in main memory, cache, flash, data storage, or any other memory. Logic may perform more than one pattern check to determine repetitions of entities within the data. Logic may determine entropy index values and/or Boolean values and/or may compare the results to threshold values to determine if a data unit is valid. Logic may merge a tag with the data unit without expanding the data unit to create an encoded data unit. Logic may decode and process the encoded data unit to determine the data unit and the tag. Logic may determine value histograms for two or more entities, determine a sum of repetitions of the two or more entities, and compare the sum to a threshold value. Logic may determine that a data unit is valid or is corrupted.

Abstract: Example embodiments relate to controlling secured access to electronically provided application functionality or content. An Internet browser executing on a first computing device initiates periodic polling of a paired second computing device associated with a user for measurements of short range communication protocol signal strength of the second computing device and determines that the second computing device is within an authentication distance of the first computing device. The secure Internet browser transmits an authentication request comprising a device identifier of the second computing device.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for recovering and verifying a public key. One of the methods includes accepting information encoding parameters of an elliptic curve, a published public key, a hash value of a message, a digital signature, and an identification parameter; generating a recovered public key based on the parameters of the elliptic curve, the hash value of the message, the digital signature, and the identification parameter; comparing the published public key and the recovered public key to verify the published public key.

Abstract: Apparatus and methods for generating secondary content scheduling and dynamic insertion for users of a managed content distribution network, such as a cable, satellite, of HFCu network. In one embodiment, the secondary content comprises advertising content which is directly related or tied to demographics, psychographics, and/or other metrics of applicability to one or more users of the content distribution network. Individual insertion opportunities are identified (either in advance or dynamically), and relevant or targeted secondary content is dynamically “switched in” for delivery to the one or more users via interaction between a local or client application (e.g., operative on the user's set top box or personal electronic device) and a switched digital video entity of the network, and subsequently switched out if no longer required, thereby conserving network bandwidth and/or other resources.

Abstract: A method for generating secure alternative representation for a numerical datum, being performed in a processing system comprising a processing unit coupled to a storage unit, is provide. The method comprises: receiving the numerical datum; providing a plurality of semi-finished conditions; associating each of the semi-finished conditions with one or more secret parameters to form a plurality of secret conditions; for each of the secret conditions: determining whether the numerical datum satisfies the secret condition; outputting a first character as a result element if the numerical datum satisfies the secret condition; and outputting a second character as the result element if the numerical datum does not satisfy the secret condition; and concatenating each result element being output corresponding to the secret conditions as an alternative representation for the numerical datum.

Abstract: Systems and methods which enable an authentication procedure to be used within the standard network security architecture to authenticate third party applications that are forbidden access to a particular secret key are disclosed. Third party smartphone applications that are unable to use SIM-based authentication due to being forbidden access to a SIM-based key are provided an alternate secret key for use in an EAP-AKA or EAP-SIM type procedure according to embodiments. An authentication server or other backend authentication infrastructure of embodiments requests authentication vectors from a backend system sharing the alternative secret key. Accordingly, the backend authentication platform of embodiments is adapted to know or detect that an application is using an alternative secret key (e.g., a secret key other than the SIM-based secret key) and to perform the appropriate procedure for the key type.

Abstract: Embodiments concern a dynamic authorization framework. Security Classification Process (SCP) is the process of classifying raw data, information extracted from raw data, content or code from security-value perspective. Security Achievability Determination Process (SADP) is a process based on a SV/SC that has been assigned, the RHE may determine the Security Requirements and how the security requirements may be achieved. During the Security Achievability Listing Process (SALP), the RHE uploads onto the Resource Listing Entity (RLE) the URI of the resource, the SAM associated with the resource and optionally a digital certificate associated with the resource. During the SAM Assessment Process (SAMAP) process, a Client evaluates the security mechanisms that must be carried out in order to meet the SAM that was provided as part of the Discovery Process (DP). Based on the SAM obtained from the RLE, the Client may initiate a Security Achievability Enabling Process (SAEP).

Abstract: A multi-party system, devices, and method for token-based obfuscation of secret information. A first party device may store a secret original program T and original data D, retrieve a set of secret keys SK, obfuscate the original program T with the set of secret keys SK to generate an obfuscated program T?, obfuscate the original data D with the set of secret keys SK to generate a token of the data Token(D), and transfer the obfuscated program T? and Token(D) to a second party device. The second party device may evaluate the obfuscated program T? on the token of the data Token(D) to generate a result equivalent to evaluating the original program T on the original data D if the same set of secret keys SK is used to obfuscate the original program T and the original data D, without exposing the original program T to the second party.

Abstract: A target transceiver transfers target instructions to a control server that associates a data source with contact information, conditions, and tokens. The target transceiver transfers the contact tokens to a source transceiver for the data source. The source transceiver encrypts and transfers a data target ID and the token to the control server. The control server receives and decrypts the data target ID and the token and identifies the data source, the data target, and the conditions. The control server processes the conditions to select a portion of the contact information and transfers the selected portion of the contact information to the source transceiver. The source transceiver transfers the user data to the target transceiver based on the selected contact information.

Abstract: Methods and systems of data tokenization are described herein to provide protection for sensitive data. A tokenization service controller may extract sensitive data by determining a schema, the schema identifying which fields contain sensitive data. A token may be generated corresponding to each instance of the extracted sensitive data. The tokenization service controller may then generate a tokenized data set comprising a plurality of tokenized records arranged according to the same format as the original records, wherein the tokenized records use the generated tokens in place of the corresponding sensitive data.

Abstract: A data management and storage (DMS) cluster of peer DMS nodes provides domain shares and authentication for different domains. Each DMS node includes a domain manager and multiple containers, each container including a domain share. Each container associated with a domain may provide an authentication service for authenticating users for a different domain to access domain shares of the domain, such as by contacting a domain controller of a compute infrastructure associated with the domain. The domain manager controls the creation and deletion of containers and their domain shares. The domain manager also provides a proxy service for the containers for communication with client devices of different domains external to the DMS cluster.

Abstract: A method of authorizing an operation on a remote device with a cryptographic signature verification component, the remote device being operable in a communications network having human-readable messages with message signatures, comprising receiving at an arbitrator an authorization request to perform an operation requiring authorization on the remote device; retrieving from the request an operation identifier and plaintext data; sending a human-readable request with the identifier and the plaintext data to an authorizer; receiving a reply from an authorizer, the reply message comprising at least the plaintext data and a verifiable cryptographic signature identifying the authorizer derived from the request; and on receiving the reply, sending a request to perform the operation to the remote device with an authorization derived from at least the cryptographic signature, the cryptographic signature being suitable for verification by the cryptographic signature verification component on the remote device.

Abstract: Encryption of data occurs before it is written to the storage platform; decryption occurs after it is read from the storage platform on a computer separate from the storage platform. By encrypting data before it travels over a wide-area network to a storage platform (and by only decrypting that data once it has arrived at an enterprise from the storage platform), we address data security over the network. Application data is encrypted at the virtual disk level before it leaves a controller virtual machine, and is only decrypted at that controller virtual machine after being received from the storage platform. Encryption and decryption of data is compatible with other services of the storage system such as de-duplication. Any number of key management services can be used in a transparent manner.

Abstract: Embodiments provide a computer-implemented method for managing interval boundaries of electronic records. The method includes receiving electronic records, associating a first selection criterion and second selection criterion with the electronic records, and associating some of the electronic records with a group based at least in part on determining that the second selection criterion is within a predetermined range of a first threshold. The method further includes generating a group record that identifies the group, associating a third selection criterion with the group record, the third selection criterion being within the interval boundaries, and identifying an expiration of an interval boundary based at least in part on determining that the electronic data representing the third selection criterion is within a predetermined range of a second threshold.

Abstract: Embodiments provide a computer-implemented method for managing interval boundaries of electronic records. The method includes receiving electronic records, associating a first selection criterion and second selection criterion with the electronic records, and associating some of the electronic records with a group based at least in part on determining that the second selection criterion is within a predetermined range of a first threshold. The method further includes generating a group record that identifies the group, associating a third selection criterion with the group record, the third selection criterion being within the interval boundaries, and identifying an expiration of an interval boundary based at least in part on determining that the electronic data representing the third selection criterion is within a predetermined range of a second threshold.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a computing device, which allows a device to be used in different classification levels by powering the device down and booting to a different classified level without the need to switch hard drives. The disclosed software shield and persona switcher (Shielder) module provides independent application environments (personas) for separate security domains while allowing fast transition between personas. Shielder module supports multiple security classification via a minimal system storage partitioning. Shielder module allows efficient collection and reallocation of memory and persistent storage according to need and priority. Shielder module provides secure management of communication media by directing the system communication according to the security profile of the active persona.

Abstract: Systems for generating enhanced biometric data and using enhanced biometric data to process events are provided. A system may receive a request for enhanced biometric data and may extract details associated with the request. Based on a user associated with the request and the extracted details, a user profile may be selected from a plurality of user profiles associated with the user. The user profile may include biometric data of the user, predetermined limits on types of events to be processed, amounts, and the like. The system may generate enhanced biometric data based on the user profile and may transmit the enhanced biometric data to a computing device of the requesting user. The user may then provide the enhanced biometric data when requesting to process an event.

Abstract: The disclosed computer-implemented method for enforcing data loss prevention policies on endpoint devices may include (i) detecting that an endpoint device has terminated a connection with a protected network that is protected by a network-level data loss prevention system and has connected to an external network that is not protected, (ii) switching, in response to detecting that the endpoint device has connected to the external network, from an in-network data loss prevention policy to an out-of-network data loss prevention policy, (iii) detecting an inbound data transfer to the endpoint device, (iv) determining that the inbound data transfer comprises a transfer from a protected source that is protected by the out-of-network data loss prevention policy, and (v) performing a security action in response to determining that the inbound data transfer to the endpoint device comprises the transfer from the protected source. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Pre-boot authentication at an information handling system is selectively bypassed based upon conditions detected at the information handling system that indicate a trusted environment. A security monitor integrated with the pre-boot authentication system detects predetermined conditions that authorize bypassing of the pre-boot authentication, such as location, behavior or password type indications of a trusted environment. In one embodiment, a password is input with touches to match a timing and position passcode, such as by mimicking a musical rhythm.

Abstract: Embodiments described herein provide a system for improving a classifier by computing a statistic for the utility of sharing data with a second party. The system may encrypt a set of class labels based on a public key/private key pair to obtain a set of encrypted class labels. The system may send a public key and the set of encrypted class labels to a second computing device. The system may receive an encrypted value computed by the second computing device based on the public key. The system may decrypt the encrypted value based on a private key to obtain a decrypted value. The system may then send a pair of encrypted values computed based on the decrypted value to the second computing device. The system may subsequently receive an encrypted utility statistic from the second computing device, and decrypt the encrypted utility statistic to obtain a decrypted utility statistic.