Abstract: A pluggable trust architecture addresses the problem of establishing trust in hardware. The architecture has low impact on system performance and comprises a simple, user-supplied, and pluggable hardware element. The hardware element physically separates the untrusted components of a system from peripheral components that communicate with the external world. The invention only allows results of correct execution of software to be communicated externally.

Abstract: Portion-level digital rights management (DRM) in digital content is described. In one or more embodiments, a selection of a portion of the digital content is received at a computing device. Then, a policy is assigned to the selected portion by adding a markup element with an identifier to the selected portion. Based on the assigned policy, the selected portion is encrypted without encrypting another portion of the digital content. Subsequently, access to the selected portion is controlled based on the policy independently of the other portion. In this way, different portions of a single document can be protected with different policies. Different users may then have access to different portions of the digital content based on their user ID being associated with a particular policy, which improves security and management of distributable digital content.

Abstract: A mobile communication terminal (400) has a controller (410), a touch display (430) and a proximity sensor (420). The touch display has an inactive mode (610; FIG. 5A) essentially without user interaction ability, a lock screen mode (620; FIG. 5B) with limited user interaction ability, and an operational mode (650; FIG. 5C). The lock screen mode generally prevents a user from accessing functionality (560) provided by the mobile communication terminal in the operational mode.

Abstract: A method for dynamically authenticating and granting access to a computing system may be provided. The method comprises receiving text data identifying a fact comprised in the text data, storing the identified fact in a knowledge base relating to a user profile, deriving at least one authentication question from the stored fact, and conducting a textual authentication dialog The dialog comprises presenting the at least one authentication question, receiving a response, analyzing the response using natural language processing, and determining, based on the analysis, whether the response comprises the stored fact from which the authentication question has been derived. Additionally, the method comprises granting access to the computing system, and presenting an enrichment question and receiving a related answer.

Abstract: A computer-implemented method, a computer program product, and a computer system for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors. A computer system or server converts the SIEM rules to formal representations. The computer system or server generates rule abstraction of the formal representations, by using an abstraction function. The computer system or server constructs a finite automaton based on the rule abstraction. The computer system or server eliminates irrelevant transitions in the finite automaton to generate an optimized finite automaton. The computer system or server generates optimized formal rules, based on the optimized finite automaton. The computer system or server converts the optimized formal rules to optimized SIEM rules. The computer or server deploys the optimized SIEM rules in the network of the event processors.

Abstract: Systems and methods are provided for automated retrieval, processing, and/or distribution of cyber-threat information using a cyber-threat device. Consistent with disclosed embodiments, the cyber-threat device may receive cyber-threat information in first formats from internal sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may receive cyber-threat information second formats from external sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may process the received cyber-threat information in the first formats and the second formats into a standard format using a processing component of the cyber-threat device. The cyber-threat device may provide the processed items of cyber-threat information to a distributor using a distributing component of the cyber-threat device.

Abstract: Provided is a computer implemented method for performing mutual authentication between an online service server and a service user, including: (a) generating, by an authentication server, a server inspection OTP; (b) generating, by an OTP generator, a verification OTP having the same condition as the server inspection OTP and using the same generation key as an OTP generation key and a calculation condition different from a calculation condition is applied or a generation key different from the OTP generation key is used and the same calculation condition as the calculation condition used for generating the server inspection OTP is applied to generate a user OTP; and (c) generating, by the authentication server, a corresponding OTP having the same condition as the user OTP and comparing whether the generated corresponding OTP and the user OTP match each other to authenticate the service user.

Abstract: A quantum communication system for distributing a key between first and second units, the system being configured to implement phase-based measurement device independent quantum cryptography, the system comprising first and second units adapted to apply phase shifts to light pulses and a detection unit adapted to cause interference between light pulses received from the first and second units and measure said interference, wherein the first and second units each comprise at least one phase modulator adapted to apply a phase shift, said phase shift comprising a global phase component and a relative phase component, wherein said global phase component represents a phase shift selected randomly in the range from 0° to 360° from a fixed phase reference and said relative phase component is a phase shift selected randomly from 0°, 90°, 180° and 270° from the phase shift introduced by the global phase component.

Abstract: The disclosed subject matter relates to systems, methods, and media for media session concurrency management with recurring license renewals. More particularly, the disclosed subject matter relates to using recurring license renewals for concurrent playback detection and concurrency limit enforcement for video delivery services and managing server resources for handling such recurring license renewals.

Abstract: The present disclosure relates to a method for processing queries in a database system having a first database engine and a second database engine. The method includes: storing a first instance of a first table in the first database engine in plaintext; encrypting at least one predefined column of the first table, resulting in a second instance of the first table containing at least part of the data of the first table in encrypted format. The second instance of the first table in the second database engine is stored in the second database engine. It may be determined whether to execute a received query in the first database engine on the first table or in the second database engine on the second instance of the first table, where the determination involves a comparison of the query with encryption information.

Abstract: Systems and methods are disclosed that provide for secure communications between a user device and an authentication system. The systems and methods create a dynamic identification for the device that is stored in both the device and authentication system.

Abstract: Aspects of the present disclosure relate to identifying identical fields encrypted with different keys. A first field of a first data set is identified for encryption. A first hash value is generated for the first field. The first field is encrypted with a first encryption key to generate a first encrypted value. A second field of a second data set is identified for encryption. A second hash value is generated for the second field. The second field is encrypted with a second encryption key to generate a second encrypted value. The first hash value is compared to the second hash value, and in response to a determination that the first and second hash values are identical, the first and second data sets are associated. The association between the first and second data sets is stored.

Abstract: A computer security device for protecting sensitive data stored in nonvolatile memory in a computer includes: an overvoltage generator comprising a high-voltage supply charging a capacitor through a resistor, wherein the capacitor is in electronic communication with the nonvolatile memory of the computer through a silicon-controlled rectifier; and a controller operable to receive a signal and in electronic communication with the overvoltage generator, wherein the controller is operable to produce a destruct signal. The generator is operable to apply an over-voltage condition to the nonvolatile memory of the computer through the silicon-controlled rectifier upon receiving the destruct signal from the controller.

Abstract: The disclosed embodiments disclose techniques for seamlessly updating a cloud-based security service. A dispatcher virtual machine (VM) executing in a cloud data center receives network requests sent from clients located in a remote enterprise location to untrusted remote sites, and routes this network traffic through a chain of security service VMs that analyze the network traffic. During operation, the dispatcher VM determines that an existing security service VM in the chain needs to be upgraded to an updated version, and instantiates an updated chain of security service VMs that includes this updated version. The dispatcher VM then seamlessly transfers the flow of network traffic from the initial chain to the updated chain to seamlessly update the cloud-based security service without interruption. Upon determining that the updated version is operating correctly, the dispatcher VM halts and deallocates the previous version and any other unneeded portions of the initial chain.

Abstract: The present disclosure relates to a method for identifying unauthorized access of an account of an online service, such as an email or a social network service, wherein the account is associated with a legitimate user, the method comprising the steps of: retrieving login information from recent login activity of the account corresponding to a geographic location associated with the ongoing or most recent login attempt; retrieving usage information comprising a geographic location of a legitimate user from a device of the legitimate user; comparing the login information and the usage information by comparing the geographic location associated with the ongoing or most recent login attempt and the geographic location of a legitimate user; and identifying potentially unauthorized login(s) by an unauthorized user.

Abstract: Technologies are described for managing metadata associated with external content. For example metadata can be obtained that describes content stored on external systems. The metadata can be obtained without locally storing the content items themselves. For example, the metadata can be retrieved from the external systems while the external content continues to be stored on the external systems. The metadata can also include indications of the actions that can be performed in relation to the external content. For example, actions can be obtained (e.g., locally determined and/or obtained from the external systems) and added to the metadata. The metadata can be stored and used locally. For example, the metadata can be used to locally perform the actions in relation to the external content. The metadata can also be used to locally initiate actions that are then carried out in the external systems.

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

Abstract: A process of filtering a wireless service provided to at least one wireless device from a wireless network includes receiving identification of the at least one wireless device in a filtering server from an administrator and receiving filtering instructions from the administrator in the filtering server. The process further including receiving a request for an internet resource from at least one wireless device, comparing the request for the internet resource to the filtering instructions based on the time of day and day of week to determine whether the requested internet resource is allowable in view of the filtering instructions or not allowed based on the filtering instructions. The disclosure also provides a system as well.

Abstract: A method of providing for access to a computer resource, the method including the steps of: (a) providing an initial registration process including the identification and downloading of a user selected candidate image; (b) creating a first derived identifier from the candidate image; (c) upon a user requesting access to the computer resource, requesting from the user a second candidate image, and deriving a second derived identifier from the second candidate image; and (d) comparing the first and second derived identifier and where they are equivalent, granting the user access to the computer resource.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing data are provided. One of the methods includes: receiving, by one or more computing devices, a transaction request from a first node, the transaction request comprising transaction data; determining, by the one or more computing devices based on the transaction data, a blockchain network corresponding to the transaction request from a plurality of blockchain networks connected to the one or more computing devices, wherein the first node is excluded from a consensus process associated with the determined blockchain network; forwarding, by the one or more computing devices, the transaction request to the determined blockchain network; receiving, by the one or more computing devices from the determined blockchain network, a block generated based on consensus validation on the transaction request; and forwarding, by the one or more computing devices, the block to the first node.