Abstract: Methods, systems, and computer-readable media are disclosed for access control. A particular method receives a resource access identifier associated with a shared computing resource and embeds the resource access identifier into a link to the shared resource. The link to the shared resource is inserted into an information element. An access control scheme is associated with the information element to generate a protected information element, and the protected information element is sent to a destination computing device.

Abstract: Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials.

Abstract: Methods, systems, and computer-readable media are disclosed for processing a secure data connection request. A particular method receives, at a first gateway, a secure data connection request from a client identifying a server to connect to. The first gateway sends the client device a redirect message instructing the client device to attempt alternate connection via a second gateway. The client sends a secure data connection request to the second gateway and the second gateway facilitates the secure data connection between the client and the server.

Abstract: Large-scale event processing systems are often designed to perform data mining operations by storing a large set of events in a massive database, applying complex queries to the records of the events, and generating reports and notifications. However, because such queries are performed on very large data sets, the processing of the queries often introduces a significant delay between the occurrence of the events and the reporting or notification thereof. Instead, a large-scale event processing system may be devised as a large state machine organized according to an evaluation plan, comprising a graph of event processors that, in realtime, evaluate each event in an event stream to update an internal state of the event processor, and to perform responses when response conditions are met. The continuous monitoring and evaluation of the stream of events may therefore enable the event processing system to provide realtime responses and notifications to complex queries.

Abstract: A mobile device, such as a mobile phone, smart phone, personal music player, handheld game device, and the like, when operatively combined with a PC, creates a secure and personalized computing platform through configuration of the mobile device's CPU (central processing unit) and OS (operating system) to function as an immutable trusted core. The trusted core in the mobile device verifies the integrity of the PC including, for example, that its drivers, applications, and other software are trusted and unmodified, and thus safe to use without presenting a threat to the integrity of the combined computing platform. The mobile device can further optionally store and transport the user's personalization data—including, for example, the user's desktop, applications, data, certificates, settings, and preferences—which can be accessed by the PC when the devices are combined to thus create a personalized computing environment.

Abstract: Systems, methods, and computer storage media having computer-executable instructions embodied thereon that maintain privacy during user profiling are provided. A profiling service receives, from a first device, rules for profiling a user. The rules were encrypted using a private key. The profiling service also receives, from a second device, user data. The user data was encrypted using a public key communicated to the second device by the first device. The profiling service then matches the encrypted rules with the encrypted user data, and based on the matching, generates a profile for the user. In embodiments, such a user profile can be utilized to deliver personalized digital content to a user.

Abstract: Embodiments of the invention provide methods and apparatus for recommending items from a catalog of items to users in a population of users by generating trait vectors that represent items in the catalog responsive to explicit and/or implicit preference data for a group of less than all the users and using the trait vectors to recommend items to users in the population that are not in the group.

Abstract: Embodiments of the invention provide methods and apparatus for recommending items from a catalog of items to a user by parsing the catalog of items into a plurality of catalog clusters of related items and recommending catalog items to the user from catalog clusters to which items previously preferred by the user belong.

Abstract: Large-scale event processing systems are often designed to perform data mining operations by storing a large set of events in a massive database, applying complex queries to the records of the events, and generating reports and notifications. However, because such queries are performed on very large data sets, the processing of the queries often introduces a significant delay between the occurrence of the events and the reporting or notification thereof. Instead, a large-scale event processing system may be devised as a large state machine organized according to an evaluation plan, comprising a graph of event processors that, in realtime, evaluate each event in an event stream to update an internal state of the event processor, and to perform responses when response conditions are met. The continuous monitoring and evaluation of the stream of events may therefore enable the event processing system to provide realtime responses and notifications of complex queries.

Abstract: Described is a technology comprising a system in which two distrusting parties can submit sets of encrypted keywords using two independent secret keys to a third party who can decide, using only public keys, if the underlying cleartext message of a cryptogram produced by one distrusting party matches that of a cryptogram produced by the other. The third party (e.g., a server) uses generator information corresponding to a generator of an elliptic curve group to determine whether the sets of encrypted keywords match each other. Various ways to provide the generator information based upon the generator are described. Also described is the use of one-ray randomization and two-way randomization as part of the system to protect against dictionary attacks.

Abstract: A recommendation system for optimizing content recommendation lists is disclosed. The system dynamically tracks a list interaction history of a user, which details that user's interactions with a plurality of different lists presenting different recommended items to that user. The system automatically correlates one or more list preferences with that user based on the list interaction history, and builds a recommendation list with a plurality of candidate items having different recommendation confidences. The recommendation list is built such that each candidate item with a higher recommendation confidence is prioritized over each candidate item with a lower recommendation confidence according to the one or more list preferences correlated to that user.

Abstract: Methods, systems, and computer-readable media are disclosed for applying information protection. A particular method includes receiving a data file at a gateway coupled to a network. The data file is to be sent to a destination device that is external to the network. The method also includes selectively applying information protection to the data file at the gateway prior to sending the data file to the destination device. The information protection is selectively applied based on information associated with the destination device, information associated with the data file, and information associated with a user of the destination device.

Abstract: Methods, systems, and computer-readable media for facilitating personalization of web content is provided, while protecting the privacy of the user data utilized to personalize the user's experience. A privacy vault may collect user data including user activity data, demographic data, and user interests submitted by a user. In one embodiment, the privacy vault operates on a user client device. The privacy vault sends the user data to a community vault that collects user data from multiple users. The community vault generates segment rules that whether a user belongs to a user segment, which expresses a user's interest. The segment rules are then communicated back to the privacy vault, which assigns one or more user segments to the user based on the user data available to the privacy vault and the segment rules. The privacy vault may communicate user segments to one or more content providers that supply personalized content that is selected based on the user segments provided.

Abstract: Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.

Abstract: This document describes grouping personal accounts to tailor a web service. By grouping personal accounts, a service provider may tailor a web service to multiple people based on information about those people.

Abstract: A data set may be distributed over many data stores, and a query may be distributively evaluated by several data stores with the results combined to form a query result (e.g., utilizing a MapReduce framework). However, such architectures may violate security principles by performing sophisticated processing, including the execution of arbitrary code, on the same machines that store the data. Instead of processing queries, a data store may be configured only to receive requests specifying one or more filtering criteria, and to provide the data items satisfying the filtering criteria. A compute node may apply a query by generating a request including one o more filter criteria, providing the request to a data node, and applying the remainder of the query (including sophisticated processing, and potentially the execution of arbitrary code) to the data items provided by the data node, thereby improving the security and efficiency of query processing.

Abstract: Large-scale event processing systems are often designed to perform data mining operations by storing a large set of events in a massive database, applying complex queries to the records of the events, and generating reports and notifications. However, because such queries are performed on very large data sets, the processing of the queries often introduces a significant delay between the occurrence of the events and the reporting or notification thereof. Instead, a large-scale event processing system may be devised as a large state machine organized according to an evaluation plan, comprising a graph of event processors that, in realtime, evaluate each event in an event stream to update an internal state of the event processor, and to perform responses when response conditions are met. The continuous monitoring and evaluation of the stream of events may therefore enable the event processing system to provide realtime responses and notifications of complex queries.

Abstract: A computer may identify an individual according to one or more biometrics based on various physiological aspects of the individual, such as metrics of various features of the face, gait, fingerprint, or voice of the individual. However, biometrics are often computationally intensive to compute, inaccurate, and unable to scale to identify an individual among a large set of known individuals. Therefore, the biometric identification of an individual may be supplemented by identifying one or more devices associated with the individual (e.g., a mobile phone, a vehicle driven by the individual, or an implanted medical device). When an individual is registered for identification, various device identifiers of devices associated with the individual may be stored along with the biometrics of the individual. Individuals may then be identified using both biometrics and detected device identifiers, thereby improving the efficiency, speed, accuracy, and scalability of the identification.

Abstract: Systems, methods, and computer storage media having computer-executable instructions embodied thereon that provide contextual indicators associated with a user session are described. Content items within a document associated with a user session are selected. Upon receiving an indication that the user desires to perform a context-aware search, the document associated with the user session is analyzed for contextual information related to the content items selected by the user. Various “contextual indicators” associated with the user session are derived. The contextual indicators are provided for output in association with the user session. The contextual indicators may be fed to a search engine and used to identify search results that the user has an increased likelihood (relative to the current context surrounding the user) of desiring to access.

Abstract: In aspects, a gateway that sits between a single network protocol client and a server receives a request from the client for a network address of the server. The gateway issues multiple name resolution requests and waits for a first response. Depending on various factors, the gateway determines whether or not to wait for additional responses before responding to the client. If needed, the gateway may obtain an address of a translating device to assist the client in communicating with the server.