Abstract: A messaging application for a messaging service for an electronic communications device including a data store, the application being configured to: store, in encrypted form, message data for an identity registered on the messaging service as a database file on the electronic communications device; require a user to input a predetermined access code for the registered identity before giving the user access to the stored message data; and delete from the device the database file containing the encrypted message data in the event that a particular different predetermined code other than the predetermined access code is provided in place of the predetermined access code.

Abstract: Authentication tokens, systems, and methods are described. An illustrative method is disclosed to include receiving an electronic file including a digital image, receiving biometric information that is associated with a person, modifying the electronic file with the biometric information such that one or more pixels in the digital image are replaced with the biometric information, and storing the modified electronic file as a digital authentication token to be used in connection with authorized publications of original digital work.

Abstract: One embodiment described herein provides a system and method for isolating data written by different users on a cloud drive. During operation, the system receives a write request from a first user comprising to-be-written data, the to-be-written data being associated with a writer's identifier for the first user. The system then writes the to-be-written data bound with the writer's identifier into physical media associated with the cloud drive, thereby facilitating user data isolation by preventing a second user having a reader's identifier that is different from the writer's identifier of the first user from gaining access to the written data.

Abstract: Network traffic associated with a communication between a client device and a resource is monitored. At least of the monitored traffic is encrypted. The encrypted traffic is categorized. One example way to categorize the encrypted traffic includes using Domain Name System (DNS) query information. A policy is applied to the communication based at least in part on the categorization of the encrypted traffic.

Abstract: The invention regards a method and system for recording observation data without violating privacy. Environment is sensed and observation data including information on the sensed environment is generated. The observation data is processed for determining presence of one or more persons in the sensed environment. Those person(s) amongst the present person(s) that did not agree to store their private data are identified and privacy compliant observation data is generated by obfuscating the private data of these persons. The privacy compliant observation data is store for later use.

Abstract: The embodiments set forth systems and techniques to authenticate a user device for device services, such as by transferring or extending a trusted device status from a separate and trusted associated user device, which can be paired with the user device. This can be done automatically without requiring the user to sign in at or on behalf of the user device, and the automated process can include verifying a trusted status for the associated user device, receiving data items from both devices, evaluating the data items, and facilitating an authentication of the user device when the evaluating returns a favorable result. Data items can include provisioned machine identifiers, temporally limited one-time user passwords, and a provisioned password reset key. Authentication or trusted device status transfer can be achieved by way of an authentication token that is given to the user device.

Abstract: A computer-implemented method for metadata-based retention of personal data may be provided. The method comprises recording data by a recording system. The data comprise payload data and metadata comprising information about the payload data and an event type; and a rule is associated with the event type, wherein the rule is indicative whether the data shall be stored persistently or temporary. The method comprises further segmenting the recorded data into a plurality of non-overlapping data segments, encrypting each data segment of the plurality of non-overlapping data segments with a unique key each, transmitting the encrypted data segments wirelessly, and storing, using a secure service container, selected ones of the plurality of non-overlapping data segments as a function of the rule.

Abstract: A computer-implemented method for loading data into a secure storage volume may be provided. The method comprises receiving data to be stored on the secure storage volume, storing the received data in a buffer, and upon determining that the secure storage volume is unlocked, transferring the received data from the buffer to the secure storage volume in encrypted form.

Abstract: Computer-implemented systems and methods are described for providing user access to content via customized options for a plurality of regions, a customized option being provided to a user based on a region associated with the user. An upload of content for distribution and metadata describing the content are received. A first option definition is received that defines first criteria for accessing the content in a first region. A second option definition defining second criteria for accessing the content in a second region is received. One or more options for the content are provided to the user based on the region associated with the user. An identification of an option is received from the user, and access to the content is provided according to the criteria of the option that the user has identified.

Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth.

Abstract: A system for detecting directory reconnaissance in a directory service includes a sensor and a directory reconnaissance detector, each of which is executing on one or more computing devices. The sensor determines whether a query that is submitted to a directory server is a suspicious query and, if the query is determined to be a suspicious query, transmits the suspicious query to the directory reconnaissance detector. The director reconnaissance detector includes a receiver, a context obtainer, an alert determiner and an alert transmitter. The receiver receives the suspicious query from the sensor and the context obtainer obtains context information associated with the suspicious query. The alert determiner determines whether a security alert should be generated based at least on the suspicious query and the context information. The alert transmitter generates the security alert responsive to a determination that the security alert should be generated.

Abstract: The security of a database is substantially increased by partitioning raw data, irreversibly encrypting the partitioned raw data, reversibly encrypting the raw data, and then storing pairs of irreversibly encrypted data and reversibly encrypted data. In response to a search query, the query is partitioned and irreversibly encrypted, and the irreversibly encrypted query is used to search the stored irreversibly encrypted data. When a match is found, the reversibly encrypted data paired with the stored irreversibly encrypted data that matches the irreversibly encrypted query is output in response to the search query.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for controlling authorization of access to user data. One of the methods includes receiving a first request that includes a first digital activity decentralized identifier (DID) and a first hash value of first digital activity data; storing the first digital activity decentralized identifier and the first hash value in a first record in a decentralized identifier blockchain that is configured to store records associated with a plurality of decentralized identifiers of a plurality of users; and controlling authorization of access to the first digital activity data stored in the first consortium blockchain using information stored in the first record in the decentralized identifier blockchain, including determining whether to authorize another user access to the first digital activity data based on the information stored in the first record in the decentralized identifier blockchain.

Abstract: A virtual smart card entity enabling a data processing apparatus to request for access to at least one service provider host in the computer network is disclosed. A credential management server provides credential information associated with the virtual smart card entity to the data processing apparatus where after the virtual smart card entity is configured according to the credential information. The data processing apparatus can then send a request for access to at least one service provider host using the configured virtual smart card entity.

Abstract: A system and method provide automatic access to applications or data. A portable physical device, referred to herein as a Personal Digital Key or “PDK”, stores one or more profiles in memory, including a biometric profile acquired in a secure trusted process and uniquely associated with a user that is authorized to use and associated with the PDK. The PDK wirelessly transmits identification information including a unique PDK identification number, the biometric profile and a profile over a secure wireless channel to a reader. A computing device is coupled to the reader. An auto login server is coupled to the reader and the computing device and launches one or more applications associated with a user name identified by the received profile.

Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to generate access profiles for respective user identifiers, to obtain data characterizing a current access for a given one of the user identifiers, to extract a plurality of features from the data characterizing the current access for the given user identifier, and to generate feature risk scores based on the extracted features and the access profile for the given user identifier. The processing device is further configured to aggregate the feature risk scores into a composite risk score. The aggregation illustratively comprises weighting the feature risk scores utilizing automatically-set feature risk score weights. The composite risk score is compared to a threshold, and an alert is generated relating to the current access based on a result of comparing the composite risk score to the threshold.

Abstract: A method includes identifying power connections between plural components of a time sensitive network (TSN) that are interconnected via a predetermined connection plan. The method also includes determining a topology of the components of the TSN based on the power connections. Also, the method includes scheduling flows for the TSN based on the topology determined based on the power connections.

Abstract: A system and method is described that sends multiple simulated phishing emails, text messages, and/or phone calls (e.g., via VoIP) varying the quantity, frequency, type, sophistication, and combination using machine learning algorithms or other forms of artificial intelligence. In some implementations, some or all messages (email, text messages, VoIP calls) in a campaign after the first simulated phishing email, text message, or call may be used to direct the user to open the first simulated phishing email or text message, or to open the latest simulated phishing email or text message. In some implementations, simulated phishing emails, text messages, or phone calls of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.

Abstract: A computer-implemented method includes: retrieving a plurality of blocks from a blockchain node of a blockchain network. The plurality of blocks are encoded using error correction coding (ECC) as encoded blocks. For each encoded block: The encoded block is divided into a plurality of datasets. Hash values of the plurality of datasets are calculated. A request that includes at least one of the plurality of datasets, the hash values, and a data storage scheme that provides assignments of the plurality of datasets to the plurality of blockchain nodes is sent to each of the plurality of blockchain nodes of the blockchain network. Responses for accepting the request is received from at least a number of blockchain nodes that equals a number of the one or more datasets of information bits. Each of the plurality of blockchain nodes is sent a notification for adopting the data storage scheme.

Abstract: A user, using a user-computing device connected to a computer network, is authenticated to access a computing resource managed by a system on the computer network. The user computing device presents a user interface to prompt the user to input a value for each of a set of user-defined credentials that the user has previously defined for a SAIF server to authenticate the user to access the computer resource, thereby forming a set of input values. Modified values, each generated from and representing a corresponding one of the input values, are transmitted and validated by comparing them with corresponding modified forms of user-defined credential values stored in a memory, thereby determining whether the user is authenticated to access the computing resource on the system.