Abstract: Cell-bound complement activation product (CB-CAP) profiling and scoring serve as diagnostic biomarkers for patients to determine whether a patient who has not met at least four American College of Rheumatology (or similar e.g. SLICC) criteria for a definite Lupus diagnosis should be classified as exhibiting a pre-existing condition that this document refers to as pre-Lupus.

Abstract: An apparatus and a method for reading from a non-volatile memory whereby soft decision data is used to determine the reliability of hard decision data. The hard decision data read from the non-volatile memory is de-randomized and the soft decision data read from the non-volatile memory is not de-randomized. Using the soft decision data, the hard decision data is decoded.

Abstract: Implementing communications security includes creating levels of permissions for association with inbound communications. The levels of permissions are indicative of components of the communications enabled for transmission to a recipient computer. The communications security also includes creating conditions upon which currently-assigned levels of permissions are adjustable to a next level of the levels of permissions.

Abstract: A method of preventing observation of password entry on an electronic device is provided. The electronic device has a processor coupled to a camera, a display, and a memory. The method comprises activating the camera to acquire an image when the electronic device is in a password entry mode; detecting one or more faces present in the image; and presenting a warning when more than one face is present in the image.

Abstract: Embodiments of the invention provide methods and systems for enforcing system self integrity validation policies. The method includes accessing, by a policy enforcer, a plurality of policies configured to enforce system integrity, monitoring system performance to determine actions executed by the system, and based on at least one of the plurality of policies, comparing the system performance with system performance required by the at least one or the plurality of policies. The method further includes, based on the comparison, determining that the system has performed in a manner contrary to the requirements of the at least one policy, and in response, prohibiting access of the system to services provided by a service provider.

Abstract: Data sharing session techniques are described. In one or more implementations, a first user login session is initiated as running in a context of a first user profile of a first user with an operating system of a computing device. A request is received by the operating system to run the first user login session in a context of a second user profile of a second user. The second user profile is associated by the operating system with a shadow login session created within the first user login session of the operating system of the computing device such that interaction of the second user with the operating system is associated with the second user profile and interaction of the first user with the operating system is associated with the first user profile.

Abstract: A projector can be connected in cascade to another projector. Either a first mode for the projector to operate as a leading projector in the cascade connection or a second mode for the projector to operate as a second or subsequent projector in the cascade connection is set. The projector is made available for use based on success of authentication by an authentication unit or on reception of use permission information of the projector by a receiving unit.

Abstract: The master secure element comprises a processor, a memory and a logic unit and at least controls the user input of the handset in order to secure the user authentication based on PIN entry. The PIN code is entered directly into the secure element with no possibility for the host processor to intercept the code or for a malware program to inject the code into the master secure element.

Abstract: The present invention is directed to an apparatus, a method, and a computer program product for authenticating a user based on a sequence of rhythmic inputs. The user via a mobile device provides one or more inputs (e.g., pushing a button, tapping a touchscreen, a biometric, or the like) to one or more sensors associated with the mobile device as an attempt of authorization. The one or more inputs may be provided in a rhythmic manner (e.g., provided in time with music). The present invention then compares the provided one or more inputs to one or more predetermined sequences of inputs that are associated with positive authentication of the user (e.g., a known password). The phone determines that the one or more provided inputs match one or more predetermined rhythmic sequences associated with positive authentication of the user and authenticates the user.

Abstract: This disclosure is directed to methods and systems for managing difficulty of use and security for a transaction. A transaction manager operating on a computing device may determining a range of possible steps for a transaction comprising security measures available for the transaction. The transaction manager may identify a threshold for a security metric to be exceeded for authorizing the transaction, the security metric to be determined based on performance of steps selected for the transaction. The transaction manager may select for the transaction at least one step from the range of possible steps, based on optimizing between (i) a difficulty of use quotient of the transaction from subjecting a user to the at least one step, and (ii) the security metric relative to the determined threshold.

Abstract: One embodiment provides an electronic mobile device comprising one or more mobile applications. Each mobile application has at least one corresponding graphical user interface (GUI) screen for display on the mobile device. The mobile device includes a security system. For each mobile application, the security system maintains corresponding security data, wherein the corresponding security data represents one or more secure components of a corresponding GUI screen. The security system generates a GUI screen for a mobile application based on corresponding security data, wherein each secure component of the UI screen is locked. User access to a locked component of the GUI screen is permitted only after successful user verification.

Abstract: A wearable device includes a communication unit that wirelessly communicates with a first external device; a motion sensor that senses the user's motion; and a control unit. The wearable device collects a first motion data generated by the user's motion and transmits the first motion data to the first external device, receives a first security level data and a second security level data from the first external device, and receives only the first security level data from the first external device when the wearable device is converted into a non-wearing state from a wearing state.

Abstract: A wearable device includes a communication unit that wirelessly communicates with a first external device; a motion sensor that senses the user's motion; and a control unit. The wearable device collects a first motion data generated by the user's motion and transmits the first motion data to the first external device, receives a first security level data and a second security level data from the first external device, and receives only the first security level data from the first external device when the wearable device is converted into a non-wearing state from a wearing state.

Abstract: An apparatus, method and computer-readable storage medium to efficiently connect to wireless access point(s). An electronic device may capture coded information. The coded information may include a security key to connect to a wireless access point, and the coded information may be an image, an audio clip, or a video. The coded information may be a Quick Response Code. The coded information may be captured from a display of a second electronic device. The second electronic device may include the wireless access point.

Abstract: This invention is directed to an electronic device with an embedded authentication system for restricting access to device resources. The authentication system may include one or more sensors operative to detect biometric information of a user. The sensors may be positioned in the device such that the sensors may detect appropriate biometric information as the user operates the device, without requiring the user to perform a step for providing the biometric information (e.g., embedding a fingerprint sensor in an input mechanism instead of providing a fingerprint sensor in a separate part of the device housing). In some embodiments, the authentication system may be operative to detect a visual or temporal pattern of inputs to authenticate a user. In response to authenticating, a user may access restricted files, applications (e.g., applications purchased by the user), or settings (e.g., application settings such as contacts or saved game profile).

Abstract: This invention is an image-based CAPTCHA system that relies on human users changing location and orientation of multiple partial fragments of complete images. The underlying source images represent objects, symbols, concepts or text recognizable by a human user. Such source images are fragmented by the system into a group of image fragments, with selected portions of resulting fragments being omitted and optionally distorted in order to prevent automated assembly of the resulting group of fragments into a representation of the source image by simple means of boundary inspection. Once the user arranges the fragment tiles into the orientation that they believe represents the original image and submits their answer to the system, the user's answer is evaluated to determine whether the challenge posed by the system was passed successfully.

Abstract: Techniques for managing identities are provided. In some examples, identity management, authentication, authorization, and token exchange frameworks may be provided for use with mobile devices, mobile applications, cloud applications, and/or other web-based applications. For example a mobile client may request to perform one or more identity management operations associated with an account of a service provider. Based at least in part on the requested operation and/or the particular service provider, an application programming interface (API) may be utilized to generate and/or perform one or more instructions and/or method calls for managing identity information of the service provider.

Abstract: According to one aspect of the present disclosure, a method and technique for OCR-based single sign-on in a computing environment is disclosed. The method includes: responsive to launching of an application login interface, capturing an image of the login interface; determining a location of a cursor on the login interface from the image; determining whether the location of the cursor corresponds to a credential input field of the login interface; and responsive to determining that the location of the cursor corresponds to the credential input field of the login interface, automatically sending a keystroke to the login interface to insert at least one character to the login interface.

Abstract: In accordance with embodiments of the present disclosure, an information handling system may include a processor, a storage resource communicatively coupled to the processor, and a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to initialize one or more information handling resources of the information handling system. The BIOS may be further configured to, during runtime of an operating system, receive an input/output request from the operating system to access a system partition instantiated on the storage resource, authenticate the input/output request, and responsive to authenticating the input/output request, provide a runtime service of the BIOS to complete the input/output request to the system partition.

Abstract: A method and apparatus for determining an input are provided. The method includes authenticating an external device, when the external device approaches in a predetermined range; determining an area approached by the external device and determining whether the determined area is valid; and outputting a predetermined indication to a predetermined area related to the area approached by the external device.

Abstract: Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.

Abstract: Security software on a client observes a request for a resource from an application on the client and then determines the application's reputation. The application's reputation may be measured by a reputation score obtained from a remote reputation server. The security software determines an access policy from a graduated set of possible access policies for the application based on the application's reputation. The security software applies the access policy to the application's request for the resource. In this way, the reputation-based system uses a graduated trust scale and a policy enforcement mechanism that restricts or grants application functionality for resource interactivity along a graduated scale.

Abstract: A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software.

Abstract: A method and device for monitoring calls to an application program interface (API) function includes monitoring for a memory permission violation of a computing device caused by the API function call. If a memory permission violation occurs, control of the computing device is transferred to a virtual machine monitor to intervene prior to execution of the API function. The virtual machine monitor may perform one or more actions in response to the API function call.

Abstract: Systems, methods, and media for detecting the presence of return-oriented programming (ROP) payloads are provided, comprising; identifying a potential gadget address space; determining if a piece of the data corresponds to an address of the potential gadget address space; and in response to determining that the piece of the data corresponds to an address of the potential gadget address space: determining whether a plurality of operations, each associated one of a plurality instructions beginning at the address, indicates that an ROP payload is present in the data, and indicating that an ROP payload is present in the data in response to making a determination that a plurality of operations indicates that an ROP payload is present in the data a given number of times.

Abstract: A method for software inspection analyzes a body of computer code to assess whether the body of computer code contains malware. Various embodiments extract the executable elements of the body of computer code and modify those elements using rules defining the format of instructions for the programming language in which the computer code was written, and using rules defined from the security specification of that programming language, to produce a model of the body of computer code. The method then analyzes the model using a model checking system, which determines whether any of the language rules have been violated, in which case the method flags the computer code as potentially including malware.

Abstract: A method operates, during development of an application program intended to be run on a mobile user device, to perform a computer assisted analysis of the application program to determine at least one user privacy-related aspect of the application program; and to present the determined at least one user privacy-related aspect. The determined at least one user privacy-related aspect may be presented to a developer of the application program. An apparatus and system for performing the method are also disclosed.

Abstract: Techniques from the proposed invention relate to providing enhanced security. For example, techniques described herein allow a computer system, such as a mobile device, to support a wide variety of security functions and security sensitive applications on a mobile device by providing enhanced security via secure input and output data transmission and verification through a secure module. The secure module may cause user interfaces to be provided to users by providing obfuscated user interface data to the operating system that do not reveal elements that are part of the user interfaces. The secure module may receive obfuscated user input values representing user input values, and de-obfuscate these user input values, whereby the actual input values are not exposed to the underlying operating system. The secure module may track the flow of user input/output data through the computing device to ensure the integrity and authenticity of this data.

Abstract: Methods, systems, and computer-readable storage media for secure storage of and selective access to encrypted audit data. Implementations include actions of receiving a set of audit data in response to occurrence of an incident, determining a set of static audit data and a set of dynamic audit data based on the set of audit data, encrypting items in the set of static audit data using a first attribute-based encryption scheme to provide a set of encrypted static audit data, and items in the set of dynamic audit data using a second attribute-based encryption scheme to provide a set of encrypted dynamic audit data, and transmitting the set of encrypted static audit data and the set of encrypted dynamic audit data to an off-premise database for storage and selective access.

Abstract: Methods, apparatus, and systems for generating digital signatures are disclosed. An apparatus may present itself to a host computer as a mass storage device to provide cryptographic processing results through a standard mass storage access mechanism for exchanging files.

Abstract: A computer-implemented method for applying parental-approval decisions to user-generated content. The method may include receiving, from a child, a request to upload user-generated content to the Internet. The method may also include providing the user-generated content to a guardian of the child and receiving, from the guardian of the child, a decision indicating whether the user-generated content is allowed to be uploaded to the Internet. The method may further include applying the decision of the guardian to the user-generated content. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for routing at least one message, this method being implementation-dependent on a trusted operating system of an electronic device comprising an electronic assembly on which the trusted operating system and a Rich-OS operating system are executed. The method may include operations for consulting a trusted memory of a terminal, which may be called a first memory, and when the first memory contains a message, determining the operating system targeted by the message from among at least the Rich-OS operating system and the trusted operating system. And when the message targets the Rich-OS system, transferring the message from the first memory to a memory accessible to the Rich-OS system, which may be called a second memory.

Abstract: A replaceable printer component includes a first memory device and a communication link. The first memory device is configured to store a first secret. The communication link is configured to communicatively link the first memory device to a printer controller when the replaceable printer component is installed in a printing system. The printing system comprises a second memory device storing a second secret. The second memory device is communicatively linked to the printer controller. The printer controller is configured to determine an authenticity of the replaceable printer component based on the first secret and the second secret.

Abstract: A system for securely sharing data and conducting transactions in an electronic environment. The system may include a personal information device having a processor, memory and biometric sensor. Personal data is stored in the memory of the personal information device. The personal information device may be registered with a centralized system. Data stored on the personal information device may be uploaded to an access device upon verification of a user's identity using a biometric recognition technique.

Abstract: In some implementations, a first user associated with a first user account may send a request to exchange digital libraries with a second user associated with a second user account. Upon acceptance, the second user receives first library information associated with the first user account that identifies content items that may be accessed by the second user due to the exchange. Similarly, the first user receives second library information associated with the second user account that identifies second content items that may be accessed by the first user. In other examples, a user may access the digital library of a selected person or entity, such as a historical figure, celebrity, author, friend, or organization. Additionally, in some cases, a user may view content of a content item that a selected person is currently reading, and which may include annotations made to the content item by the selected person.

Abstract: The subject disclosure is directed towards encryption and deduplication integration between computing devices and a network resource. Files are partitioned into data blocks and deduplicated via removal of duplicate data blocks. Using multiple cryptographic keys, each data block is encrypted and stored at the network resource but can only be decrypted by an authorized user, such as domain entity having an appropriate deduplication domain-based cryptographic key. Another cryptographic key referred to as a content-derived cryptographic key ensures that duplicate data blocks encrypt to substantially equivalent encrypted data.

Abstract: An improved method and system for providing path-level access control to a structured document in a collection stored in a database, where the structured document includes a plurality of nodes is disclosed. The method includes the steps of providing an access control policy for the collection, where the access control policy comprises a plurality of access control rules, generating a path for each node of the plurality of nodes in the document, and generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules. According to the method and system of the present invention, the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.

Abstract: A system and method is disclosed for providing role based notifications to users of the modular learning system (MLS). The modular learning system includes a variety of types of users interacting with the modular learning system and with one another. The MLS enables users to create learning applications, purchase learning application, perform learning applications, and interact with one another to accomplish these tasks. The MLS maintains activity items related to these actions on the MLS. These activity items include a description of the activities performed as well as user roles entitled to view information about the activity item. When a user requests a notification from the MLS, the MLS identifies the user's role in the MLS and activity items that may be viewed by that user role.

Abstract: The invention relates to a client computer for querying a database stored on a server via a network, the server-being coupled to the client computer via the network, wherein the database comprises a set of first relations, wherein each first relation in the set of the first relations comprises first data items, wherein for each first relation the first data items are encrypted with a respective first cryptographic key in the first relation, wherein the first data items form a partially ordered set in each first relation, in each first relation the partial order being formed with respect to the first data items of said first relation in non-encrypted form.

Abstract: Methods and systems for secure cloud storage are provided. According to one embodiment, a trusted gateway device establishes and maintains multiple cryptographic keys. A request is received by the gateway from a user of an enterprise network to store a file. The file is partitioned into chunks. A directory is created within a cloud storage service having a name attribute based on an encrypted version of a name of the file. For each chunk: (i) a cryptographic key is selected; (ii) existence of data is identified within the chunk associated with one or more predefined search indices; (iii) searchable encrypted metadata is generated based on the identified data and the selected cryptographic key; (iv) an encrypted version of the chunk is generated; and (v) a file is created within the directory in which a name attribute includes the searchable encrypted metadata and the file content includes the encrypted chunk.

Abstract: Data category visibility are defined at the permission set and profile levels so that users who may not be assigned a role can have the data filtered by data category access rules. In an embodiment, data is filtered based on products or projects so that the products or project can be used as a data category group, once the product or project as been assigned to the user, the user may be granted access, via a data category visibility in a permission set, regardless of the user's role or position in the user hierarchy.

Abstract: Systems, methods, and computer program products are provided for managing access control. A first set of access control rules is stored in a memory of mobile communication device. The mobile communication device receives from a trusted server over a communication network a notification message indicating that an access control rule has been updated in a secure element. In response to receiving the notification message, the mobile communication device retrieves from the secure element a second set of access control rules including at least the access control rule that has been updated. The first set of access control rules is updated based on the second set of access control rules retrieved from the secure element. An applet stored on the secure element is accessed via an application running on the mobile communication device, in accordance with the updated first set of access control rules.

Abstract: A method for sharing notes created in a multilayered document among users of a social network within a digital education platform is provided. In one embodiment, the digital education platform allows a user to create notes linked to a particular location in the document using a notepad application. Notes are aggregated and stored in the user's personal library on the digital education platform. When a user requests to share another user's notes and is granted access, the digital education platform retrieves the other user's notes and inserts the shared notes into the requesting user's existing notes associated with the document, based on their individual sharing attributes and metadata.

Abstract: A domain manager system as disclosed herein can control the selective activation of multiple independently-operable execution environments or domains on a computing device in accordance with one or more policies. In some embodiments, activation of a domain may at least temporarily transform a general purpose computing device into a specific purpose computing device or “appliance” by disabling use of one or more shared system resources by other domains.

Abstract: A method, system, and computer program product are provided for utilizing target of opportunity to perform at least one special operation while a key session is opened with a key manager for another purpose. The method of recognizing a target of opportunity includes receiving a command to be performed on a removable storage medium and determining if the command requires interaction with the encryption key manager. If it is determined that the command requires interaction with the key manager the command is held off. A request is sent to the encryption key manager. A target of opportunity is recognized by determining if at least one special operation may be performed. If it is determined that at least one special operation may be performed then the at least one special operation and the request are performed.

Abstract: Devices, methods and products are described that provide removable storage device data protection. One aspect provides a method comprising: ascertaining a protected removable storage device connected to an information handling device, said protected removable storage device having a first partition for storing data according to a first file system type, and a second partition for storing user data according to a second file system type; and responsive to said information handling device recognizing said second file system type, querying for user credentials to decrypt a data encryption key used to encrypt said user data of said second partition. Other embodiments are described.

Abstract: Systems and methods are disclosed to integrate signals. Some embodiments include an integrator comprising an active input; a passive input; a first integrator having a first integrator input and a first integrator output; a second integrator having a second integrator input and a second integrator output; a first plurality of switches coupled with the first integrator input, the second integrator input, the active input, and the passive input; a second plurality of switches coupled with the first integrator output and the second integrator output; and a controller. The controller may be configured to control the operation of the first plurality of switches to switch the active input between the first integrator input and the second integrator input, and control the operation of the first plurality of switches to switch the passive input between the first integrator input and the second integrator input.

Abstract: A reader electro-optically reads symbols by image capture to obtain read data, and a controller processes symbol images of the symbols captured by the reader, and decodes the read data to obtain symbol data indicative of the associated products. The controller also collects time-to-decode metadata by determining the decode time periods that are taken for the symbol data to be successfully decoded, associates the decode time periods with the symbol images, stores the longest decode time period and its associated symbol image, and displays the stored symbol image associated with the stored longest decode time period to determine a cause of the reading performance of the reader.

Abstract: An information processing system includes an information bearing medium and an information reading unit. The information bearing medium has a two-dimensional array of unit data zones. Marks are provided on some of the unit data zones so as to form a digital code. Mark patterns of any two Y-directional adjacent unit data zone strings based on the arrangement of marks in an X-direction differ from each other. The information reading unit generates a data string on the basis of a unit signal formed from a plurality of signals output from a group of detection units that detect the marks in synchronization and recognizes the digital code of the information bearing medium on the basis of a group of the data strings sequentially obtained from the array of the unit data zones.

Abstract: A method is provided for interaction of a portable data carrier with an end device. The data carrier comprises a transducer arrangement having at least one or a set of capacitive transducer elements which are arranged on or in the data carrier at defined positions in relation to the geometry of the data carrier, at least one contactless interface, and a dedicated energy supply. The end device comprises a capacitive display screen having a touch-sensitive display, wherein the data carrier generates via the capacitive transducer elements signals which, when the data carrier is placed onto the display screen, are picked up by the display screen of the end device and evaluated as input signals through the end device.