Abstract: The present invention is directed to a system and method for restricting data, or portions thereof, to specific display devices when accessed by a user. Furthermore, the system and method of the invention are directed, in part, to evaluating in real time, the access level of a device and restricting the availability of sensitive information on the device according to the access level as determined by device location and hardware configuration.

Abstract: Methods and systems for generating or validating compact certificates include receiving a first format of the certificate. Moreover, obtain a signature for the certificate in the first format. For each field of the certificate decode the field to obtain a value for the field from the first format and encoding the value for the field into a second format. Decoding and encoding for each field is done incrementally in the same order of the fields as the first format. In other words, a next field is not decoded from the first format until the field is encoded in the second format. Furthermore, a security envelope is encoded using the signature in the first format and the fields.

Abstract: A method and apparatus for control of a computer system are disclosed. The computer system includes a terminal for operator based monitoring of the computer system. A monitoring device is provided to determine information about the state of the operator based monitoring. The information is communicated to a controller of the data security system. The controller then controls the data security system based at least in part on the information.

Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device interacts and communicates with a server of a computerized service, or with a local application or Web-browser running on the end-user device. A usage interference is injected or introduced, or an input/output mismatch or abnormality is created, causing an output displayed on the screen of the end-user device, to be non-matching to the expected or intended output that is typically displayed in response to regular non-interfered user gestures or regular non-interfered user input. The reaction or corrective manual actions of the user are tracked and analyzed, to differentiate among users, or to differentiate between an authorized human user and a human cyber-attacker, or to differentiate between an authorized human user and a computer bot or an automated computerized script.

Abstract: A tool for identify verification using computing device collaboration. The tool generates a hash based, at least in part, on device specific information for one or more user owned devices. The tool determines whether a hash for the initial device matches the hash for at least one of the one or more user owned devices, and if so, sends, one or more challenge questions to the initial device, wherein the one or more challenge questions include at least one challenge question based on the device specific information for the one or more user owned devices. The tool determines whether each of one or more responses to the one or more challenge questions is correct.

Abstract: Techniques for secure message offloading are presented. An intermediary is transparently situated between a user's local messaging client and an external and remote messaging client. The user authenticates to the local client for access and the intermediary authenticates the user for access to the remote client using different credentials unknown to the user. Messages sent from the local client are transparently encrypted by the intermediary before being passed to the remote client and messages received from the remote client are transparently decrypted before being delivered to the local client.

Abstract: One embodiment of the present invention sets forth a technique for providing application command recommendations to a privacy-sensitive client device. The technique includes receiving a command log from each general client device included in a plurality of general client devices and analyzing the command logs to generate a command recommendation file. The command recommendation file may indicate a relationship between one or more application commands executed by at least one of the general client devices and one or more application commands that are available for execution by the privacy-sensitive client device. The technique further includes transmitting the command recommendation file to the privacy-sensitive client device.

Abstract: A gateway device may control access to content based, at least in part, on an audience that will consume the content. In relation to a request for content to be delivered to a media output device, the gateway device may obtain biometric data from one or more trait capture devices having a physical relation to the media output device. The gateway can determine the potential audience of the content and enforce content restrictions based on the audience. The content restrictions may be based on one or more content attributes about the content and one or more audience traits about the audience. The gateway may use thresholds associated with the audience trait to determine whether the content attribute is appropriate for the audience. The threshold or a combination of thresholds may provide for granular control of access to content.

Abstract: A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.

Abstract: A mechanism is provided for determining and verifying a passcode is disclosed. The mechanism defines a passcode by a set of rules, each representing the position of a target key relative to a reference key on a given keyboard. The mechanism receives user selection of a passcode subset of the set of passcode pattern rules for representing a passcode comprising a pattern of keys on the keyboard. The mechanism stores the passcode subset of rules for subsequent verification against a user input passcode for controlling access to a resource.

Abstract: A home network router and method of operation are provided for seamlessly sharing access to a network service by multiple devices in a home network by configuring the home network router to receive and store authenticated user credentials for the network service at the home network router after associating the user credentials with the network service so that, upon reception of a second user request from a second client device to access the network service, the user credentials are retrieved from the home network router for direct delivery to and authentication by the network service without requiring re-entry of the one or more user credentials from the second client device.

Abstract: A graphical user interface includes objects for controlling privacy settings specific to particular user data corresponding to charitable giving. Graphically depicted sharing zones each represent a privacy setting. An information container represents particular user data. The user may drag and drop the information container between sharing zones to control privacy of the user data represented by the information container.

Abstract: Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

Abstract: Described herein are techniques and mechanisms for access policy creation and enforcement. According to various embodiments, a message may be received via a communications interface. The message may include a request to perform an action within a proposal system. The proposal system may be operable to create a request for proposals based on user input. The request for proposals may describe a business need associated with a business entity. The proposal system may be further operable to process a plurality of proposal documents received in response to the request for proposals. The request may be associated with a user account. A determination may be made as to whether the requested action complies with an access policy. The requested action may be performed when it is determined that the requested action complies with the access policy.

Abstract: Examples relate to determining string similarity using syntactic edit distance. In one example, a computing device may: receive domain name system (DNS) packets that were sent by a client device, each DNS packet specifying a domain name; generate, for each domain name, a syntax string by replacing each character of the domain name with one of a plurality of metacharacters, each metacharacter representing a category of characters that is different from each other category of characters represented by each other metacharacter; determine, for each domain name, a syntactic edit distance between the domain name and each other domain name, the syntactic edit distance between domain names being determined based on syntax strings of the corresponding domain names; cluster each domain name into one of a plurality of clusters based on the syntactic edit distances; and identify the client device as a potential source of malicious software based on the clusters.

Abstract: A method and system for authenticating a subscriber of a user using a graphical user interface or telephone using the same user name and password is provided. As a result, subscribers need to memorize only one user name and/or password, saving precious time and energy to the subscriber because of the low risk of forgetting the user name and/or password. In addition, with the advent of cross-category products such as web phones (Web user interface integrated in a telephone) and soft phone (software on a personal computer reproducing the function of a telephone), it can become confusing for subscribers to remember which passwords and user name to use for which device. Having one password and one user name to remember makes the situation simpler.

Abstract: A method, system, and computer program product for detecting and enforcing compliance with access requirements for a computer system in a restricted computer network. A compliance validation configuration file is created for the computer system. A maintenance service utility is configured to launch a compliance validation executable file at a specified time during operation of the computer system. A digital hash is generated for the compliance validation executable file and for the compliance validation configuration file. A determination is made if the computer system or a computer system user is a member of a configured restricted group. If the computer system or the computer system user is a member of a configured restricted group, a determination is made if a directory site code for a subnet of the restricted computer network to which the computer system is connected corresponds to a configured and allowed site.

Abstract: Embodiments of the invention relate to efficiently storing encrypted data in persistent storage or passing to another data processing component. A downstream decrypter is utilized to act within the data path between a data generator and a storage server. The decrypter fetches an encryption key and any other necessary auxiliary information necessary to decrypt received data. Following decryption of the data, the decrypter has the ability to operate directly on plaintext and perform storage efficiency functions on the decrypted data. The decrypter re-encrypts the data prior to the data leaving the decrypter for persistent storage to maintain the security of the encrypted data.

Abstract: A method and a system is provided for establishing a communications path over a communications network between a personal security device (PSD) and a remote computer system without requiring the converting of high-level messages such as API-level messages to PSD-formatted messages such as APDU-formatted messages (and inversely) to be installed on a local client device in which the PSD is connected.

Abstract: Techniques are disclosed for provisioning Internet of Things (IoT) devices in accordance with a state machine model. More particularly, collections of IoT devices may be organized into enclaves, groups or “shoals” that operate as autonomous or semi-autonomous groups of devices functioning as a collective having a common objective or mission. IoT devices participating in a shoal may be provisioned with shoal-specific context information as part of their device-specific provisioning activity. By way of example, a shoal context object can include a current state variable and a target next state variable. The shoal's target next state variable establishes a goal (e.g., for provisioning activity) without dictating how the individual shoal members (IoT device) are to achieve that goal. This mechanism may be used to drive a shoal's separate devices through their individual provisioning state machines until the shoal itself is made operational.