Patents Examined by Thomas Ho
  • Patent number: 9438628
    Abstract: A method includes receiving, at a first distributed control system (DCS) node over a network, information associated with a security manager. The method also includes establishing multiple communication channels between the first DCS node and the security manager over the network using the information, where the communication channels include a non-secure channel and a secure channel. The method further includes receiving security credentials from the security manager at the first DCS node over the non-secure channel and receiving a security policy and an activation time from the security manager at the first DCS node over the secure channel. In addition, the method includes transitioning the first DCS node to communicate with a second DCS node over the network using the security policy at the activation time.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: September 6, 2016
    Assignee: Honeywell International Inc.
    Inventors: Harshal S. Haridas, Alexander Chernoguzov
  • Patent number: 9424411
    Abstract: A method includes obtaining a gaze feature of a user of a device, wherein the device has already been unlocked using a second feature, the gaze feature being based on images of a pupil relative to a display screen of the device, comparing the obtained gaze feature to known gaze features of an authorized user of the device, and determining whether or not the user is authorized to use the device based on the comparison.
    Type: Grant
    Filed: April 8, 2014
    Date of Patent: August 23, 2016
    Assignee: Honeywell International Inc.
    Inventor: Scott McCloskey
  • Patent number: 9413831
    Abstract: Examples of systems and methods are provided for facilitating establishing a remote session between a host device and a remote server. The system may facilitate establishing a trusted relationship between a client device and the host device. The system may provide remote session login information to the host device to enable the host device to establish a first remote session with the remote server. The system may launch a second remote session with the remote server using the login information.
    Type: Grant
    Filed: August 24, 2009
    Date of Patent: August 9, 2016
    Assignee: WYSE TECHNOLOGY L.L.C.
    Inventors: Babak Pahlavan, Daniel Ernesto Barreto, Curtis Schwebke
  • Patent number: 9407625
    Abstract: A server may store one or more accounts. Each account may be associated with an authentication code and a total number of information devices that are allowed to be registered. The authentication codes may be provided to users for registering information devices. The information device may transmit a connection request, including an entered authentication code, to a server. Upon receiving the connection request, the server may determine whether to register the particular information device. The server may determine whether the information device is allowed to be registered based on registerable information, which is associated with an account that is associated with the received authentication code and which represents a remaining number of information devices that are allowed to be registered using the associated authentication code. If the information device is allowed to be registered, the server may send authentication information to the information device, so it may transmit state information.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: August 2, 2016
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Takafumi Mori
  • Patent number: 9407645
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing data that includes security threat information. One of the methods includes identifying intelligence types that each categorizes a subset of data, associating, for each of the intelligence types, each of the subsets of data, which are categorized by the respective intelligence type, with the respective intelligence type, determining rules for a third party that each indicate that the third party should receive data associated with particular types of potential security threats and priority information for the data, determining, for each of the potential security threats indicated in the rules, a group of the subsets that include information associated with the respective potential security threat, assigning, for each subset in each of the groups, a priority to the respective subset using the priority information, and providing the determined subsets to the third party using the respective priorities.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: August 2, 2016
    Assignee: Accenture Global Services Limited
    Inventors: Shimon Modi, Stephen A. Schall
  • Patent number: 9396349
    Abstract: A method for sharing data from within a secure network perimeter includes providing a sharing folder associated with a first user for transferring data therefrom to destinations outside the secure perimeter. Data stored within the sharing folder is stored in a secured fashion. Semi-trusted applications are provided an ability to retrieve the secured data in an unsecured fashion for sharing of same. The semi-trusted applications are other than able to retrieve and share secured data from at least a folder other than the sharing folder in unsecured form.
    Type: Grant
    Filed: November 4, 2013
    Date of Patent: July 19, 2016
    Assignee: EMC Corporation
    Inventors: Yuri Berfeld, Luis Miguel Huapaya
  • Patent number: 9396357
    Abstract: A cryptographic system for reproducibly establishing a reliable data string, such as a cryptographic key, from a noisy physically unclonable function (PUF, 110) is provided. The system comprises a hard decision decoder (150) to decode a first multiple of error correctable data words to obtain a second multiple of corrected and decoded data words and a reliability information extractor (180) to determine reliability information, e.g. soft decision information, that is indicative of a reliability of corrected and decoded data words. The system further comprises a soft decision decoder (160) configured to use the reliability information to decode at least one further correctable data word. Error correcting a PUF using reliability information decreases the false rejection rate.
    Type: Grant
    Filed: November 23, 2012
    Date of Patent: July 19, 2016
    Assignee: INTRISIC ID B.V.
    Inventors: Vincent Van Der Leest, Bart Karel Benedikt Preneel, Erik Van Der Sluis
  • Patent number: 9374426
    Abstract: Examples of systems and methods are provided for communication and for facilitating establishing a remote session between a client device and a remote server. The system may facilitate establishing a trusted relationship between the client device and a host device. The system may be configured to receive login information from the host device for a first remote session established between the host device and the remote server. The system may facilitate continuing the first remote session previously established between the host device and the remote server as a continued remote session between the client device and the remote server.
    Type: Grant
    Filed: October 1, 2014
    Date of Patent: June 21, 2016
    Assignee: WYSE TECHNOLOGY L.L.C.
    Inventors: Babak Pahlavan, Daniel Ernesto Barreto, Curtis Schwebke
  • Patent number: 9369488
    Abstract: A term of use policy document defines permissible actions that may be implemented by a user using a computing device. A natural language processing (NLP)-based question and answer (Q&A) system is trained to understand the policy document. The device includes a management application that interacts with the Q&A system to identify a policy violation. When the user performs an action on the device, the application converts that action into an NLP query directed to the Q&A system to determine whether the action constitutes a violation. The query may be accompanied by metadata associated with the user, the device or its state. Upon receipt of the query and any associated metadata, the Q&A system determines if the user action is compliant with the policy and returns a response. Based on the response, the user's computing device may take an enforcement action, e.g., restricting or disabling functionality, or issuing a warning.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: June 14, 2016
    Assignee: GLOBALFOUNDRIES Inc.
    Inventors: Eric Woods, Corville Orain Allen, Scott Robert Carrier
  • Patent number: 9311496
    Abstract: A system for privacy screen-based security comprises an input interface and a processor. The input interface is configured to receive authentication information. The processor is configured to, in the event authentication is determined to be successful, provide a privacy access screen, wherein the privacy access screen provides access to a set of applications or data, and determine whether to transition to a new privacy screen.
    Type: Grant
    Filed: March 25, 2014
    Date of Patent: April 12, 2016
    Assignee: EMC Corporation
    Inventors: Michael John Dutch, Christopher Hercules Claudatos
  • Patent number: 9309698
    Abstract: Disclosed is a method for preventing unauthorized removal of an electronic device from a docking station including inserting a first plug into a first port of the electronic device, inserting a second plug into a second port of the electronic device, setting the docking station to a locked state, preventing removal of the first plug from the first port while the docking station is in the locked state, setting the docking station to an unlocked state, removing the first plug from the first port, and removing the second plug from the second port.
    Type: Grant
    Filed: July 22, 2014
    Date of Patent: April 12, 2016
    Assignee: Henge Docks LLC
    Inventors: Matthew Leigh Vroom, Benjamin Edwards Maskell
  • Patent number: 9304944
    Abstract: A memory access circuit and a corresponding method are provided. The memory access circuit includes a crypto block in communication with a memory that encrypts data of a data block on a block basis. The memory access circuit also includes a fault injection block configured to inject faults to the data in the data block. The memory access circuit further includes a data scrambler and an address scrambler. The data scrambler is configured to scramble data in the memory by shuffling data bits within the data block in a plurality of rounds and mash the shuffled data bits with random data. The address scrambler is configured to distribute the scrambled data across the memory. A memory system including the memory access circuit is also disclosed to implement the corresponding method.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: April 5, 2016
    Assignee: Broadcom Corporation
    Inventors: Fong Pong, Eric Spada, Karen Schramm
  • Patent number: 9292532
    Abstract: A computer-implemented method for performing remote data storage includes providing, by at least one client, files to be stored on a remote server, evaluating popularity of the files, and storing the files on the server in a form that depends on the popularity of the files. Files with a first level of popularity are stored in a deduplicated form and files with a second level of popularity are stored in an encrypted form, the first level of popularity being higher than the second level of popularity.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: March 22, 2016
    Assignee: GLOBALFOUNDRIES INC.
    Inventors: Jens Jelitto, Thomas Mittelholzer, Slavisa Sarafijanovic, Alessandro Sorniotti, Jan Stanek
  • Patent number: 9288206
    Abstract: Technologies and implementations for secure access to online services are generally disclosed.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: March 15, 2016
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventor: Ezekiel Kruglick
  • Patent number: 9270465
    Abstract: A method for securely obtaining a control word in a chip set of a receiver, said control word for descrambling scrambled content received by the receiver, the method comprising, at the chip set: receiving a secured version of a virtual control word from a conditional access/digital rights management client communicably connected to the chip set; obtaining the virtual control word from the secured version of the virtual control word; and using a first cryptographic function to produce a given output from an input that comprises the virtual control word and either a plurality of signature verification keys or one or more values derived from a plurality of signature verification keys, each signature verification key being associated with a conditional access/digital rights management system, the given output comprising at least one control word, wherein the first cryptographic function has the property that it is infeasible to determine a key pair including a signature key and a signature verification key and an
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: February 23, 2016
    Assignee: Irdeto B.V.
    Inventor: Petrus Lambertus Adrianus Roelse
  • Patent number: 9251320
    Abstract: A system may be configured to receive an upload, from a first user device, of a basis content item that includes first content; determine whether a first user of the first user device has a right to restrict a use of the first content in an in-use content item uploaded by a second user device when the in-use content includes the first content; in response to determining that the first user has the right, store the basis content in the system; in response to determining that the first user does not have the right, discard the basis content; receive an upload, from a second user device, of a first in-use content item; and determine whether the first in-use content item matches the basis content item.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: February 2, 2016
    Assignee: Verizon New Jersey Inc.
    Inventors: Woo Beum Lee, Jeffrey M. Walsh
  • Patent number: 9253157
    Abstract: Methods are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventor: Vivek Kashyap
  • Patent number: 9253156
    Abstract: Systems and computer program products are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter.
    Type: Grant
    Filed: June 9, 2011
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventor: Vivek Kashyap
  • Patent number: 9240883
    Abstract: Embodiments of methods and systems for encrypting and decrypting with encryption attributes are presented. An encryption attribute contains information to identify one or more segments of a file to be encrypted. An encryption process encrypts those one or more segments to generate a partly encrypted file instead of encrypting the entire file. That is, the file includes some data that are encrypted and some data that are not. In one embodiment, at least three encryption keys are used such that the encryption attribute is encrypted using a third key.
    Type: Grant
    Filed: November 9, 2011
    Date of Patent: January 19, 2016
    Assignee: Intel Corporation
    Inventor: Yen Hsiang Chew
  • Patent number: 9235725
    Abstract: The invention relates to a client computer for querying a database stored on a server via a network, the server being coupled to the client computer via the network, wherein the database comprises first data items and suffix items, wherein each suffix item describes a suffix of at least one first data item of the first data items, wherein for each suffix item a first referential connection exists in the database assigning said suffix item to the at least one first data item comprising the suffix of said suffix item, wherein each suffix item is encrypted with a suffix cryptographic key in the database, wherein each first data item is encrypted with a first cryptographic key in the database, wherein the client computer has installed thereon an application program, the application program being operational to: receiving a search request, the search request specifying an infix search expression, said expression comprising a first wildcard term on the left side of a search criterion and a second wildcard term o
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: January 12, 2016
    Assignee: COMPUGROUP MEDICAL AG
    Inventors: Adrian Spalka, Jan Lehnhardt