Patents Issued on January 3, 2017
-
Patent number: 9536069
Abstract: We propose a method that uses formatting options of Font, Font Size, Font Color, Shading, Font Style, Font Effects, Font Underline, Character Effects, Picture coloring, as a part of user passwords, credentials, electronic signature, challenge for user authentication and captcha verification. User personalizes user name and/or password or text by choosing combination of proposed factors for each character or word in password. Method includes optional time range where user would have different password and factor combinations for each time range. We also propose a method to use these factors for multi-factor authentication where user is required to format given text as per remotely sent instructions. We propose variation of proposed method that would send text and the instruction to format it using different factors through separate communication channels. For user verification, our method asks user to format the given text or given picture as instructed using different formatting options.
Type: Grant
Filed: August 28, 2015
Date of Patent: January 3, 2017
Inventor: Dhavalkumar Shah
-
Patent number: 9536070
Abstract: Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.
Type: Grant
Filed: March 8, 2016
Date of Patent: January 3, 2017
Assignee: Bank of America Corporation
Inventors: John Kling, Bryan Thompson, Ward Green
-
Patent number: 9536071
Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device interacts and communicates with a server of a computerized server (a banking website, an electronic commerce website, or the like). The interactions are monitored, tracked and logged. User Interface (UI) interferences or irregularities are introduced; and the server tracks the response or the reaction of the end-user to such interferences. The system determines whether the user is a legitimate user, or a cyber-attacker or automated script posing as the legitimate user. The system utilizes classification of users into classes or groups, to deduce or predict how a group-member would behave when accessing the service through a different type of device. The system identifies user-specific traits that are platform-independent and thus can be further monitored when the user switches from a first platform to a second platform.
Type: Grant
Filed: April 1, 2015
Date of Patent: January 3, 2017
Assignee: BioCatch Ltd.
Inventor: Avi Turgeman
-
Patent number: 9536072
Abstract: The disclosure relates to machine-learning behavioral analysis to detect device theft and unauthorized device usage. In particular, during a training phase, an electronic device may generate a local user profile that represents observed user-specific behaviors according to a centroid sequence, wherein the local user profile may be classified into a baseline profile model that represents aggregate behaviors associated with various users over time. Accordingly, during an authentication phase, the electronic device may generate a current user profile model comprising a centroid sequence re-expressing user-specific behaviors observed over an authentication interval, wherein the current user profile model may be compared to plural baseline profile models to identify the baseline profile model closest to the current user profile model.
Type: Grant
Filed: April 9, 2015
Date of Patent: January 3, 2017
Assignee: QUALCOMM Incorporated
Inventors: Isaac David Guedalia, Adam Schwartz
-
Patent number: 9536073
Abstract: Disclosed are techniques and apparatuses for implementing device-based application security. These techniques enable a computing device to assign a security level from a hierarchy of security levels to an application. Once the security level is assigned to the application, authentication techniques associated with the security level can be initiated in response to a request to launch the application. When an indication is received that the security level for the application has been satisfied, the application can then be launched, availing a user of the application's full functionality.
Type: Grant
Filed: July 24, 2014
Date of Patent: January 3, 2017
Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
Inventor: Neil Richard Thomas
-
Patent number: 9536074
Abstract: An approach is provided for providing single sign-on for computation closures. A single sign-on management platform determines to create a single sign-on computation closure in response to an initiation of a single sign-on authentication session. The single sign-on management platform also determines one or more computation entities that are to execute at least one other computation closure under the single sign-on authentication session. The single sign-on management platform further causes, at least in part, a transfer of the single sign-on computation closure to the one or more computation entities.
Type: Grant
Filed: March 28, 2011
Date of Patent: January 3, 2017
Assignee: NOKIA TECHNOLOGIES OY
Inventors: Sergey Boldyrev, Ian Justin Oliver
-
Patent number: 9536075
Abstract: Representative implementations of devices and techniques provide dynamic secure sharing of resources. A resource module can be partitioned into a plurality of functional blocks, which may be allocated to non-secure and secure applications. A security monitor can monitor processor activity and determine when secure resources may be accessed.
Type: Grant
Filed: March 1, 2013
Date of Patent: January 3, 2017
Assignee: Infineon Technologies AG
Inventor: Prakash Kalanjeri Balasubramanian
-
Patent number: 9536076
Abstract: An automatic train operation system includes a first control system configured to run a first software for controlling a first vehicle subsystem and a second control system configured to run a second software for controlling a second vehicle subsystem. The automatic train operation system also includes a software verification controller. The software verification controller is configured to identify a first identifier of the first software and a second identifier of the second software as a software configuration and determine whether the software configuration is preapproved. The software verification controller is also configured to, if the software configuration is preapproved, authorize the first control system and the second control system to run the first and second software.
Type: Grant
Filed: April 17, 2015
Date of Patent: January 3, 2017
Assignee: Electro-Motive Diesel, Inc.
Inventors: Venkata Swamy Reddy Gajulapalli, Russell Kubycheck, James Seaton, Alexander Shubs, Jr., Ola Tannous
-
Patent number: 9536077
Abstract: A method is provided for attack detection and protection of a set of virtual machines in a system, which includes at least one first host server hosting said set of virtual machines. The method includes: receiving an attack detection message regarding a virtual machine, triggering a first migration of the virtual machine from the first host server toward a security system, and receiving an attack treatment message regarding the migrated virtual machine.
Type: Grant
Filed: June 21, 2012
Date of Patent: January 3, 2017
Assignee: ORANGE
Inventors: Fabien Bignon, Sylvie Laniepce, Karel Mittig
-
Patent number: 9536078
Abstract: In one aspect, an integrated circuit (IC) includes a secure router configured as a trust anchor, a non-volatile random access memory (RAM) direct memory access (DMA) channel coupled to the secure router, a first DMA coupled to the secure router and configured to receive data with a first classification and a second DMA coupled to the secure router and configured to receive data with a second classification. The IC also includes a secure boot/key controller coupled to the secure router and configured as a trust anchor to boot the IC securely and a processor coupled to the secure router and configured to encrypt data, to store protocols, to store instructions to detect malicious intrusions on the IC and to provide key management.
Type: Grant
Filed: October 11, 2012
Date of Patent: January 3, 2017
Assignee: Forcepoint Federal LLC
Inventors: Laurence B. Finger, David E. Mussmann, Jason M. Fannin, Noel E. Johnson, Allen M. Schwartz
-
Patent number: 9536079
Abstract: A system that safely executes a native code module on a computing device. During operation, the system receives the native code module, which is comprised of untrusted native program code expressed using native instructions in the instruction set architecture associated with the computing device. The system then loads the native code module into a secure runtime environment, and proceeds to execute a set of instructions from the native code module in the secure runtime environment. The secure runtime environment enforces code integrity, control flow integrity, and data integrity for the native code module. Furthermore, the secure runtime environment moderates which resources can be accessed by the native code module on the computing device and/or how these resources can be accessed. By executing the native code module in the secure runtime environment, the system facilitates achieving native code performance for untrusted program code without a significant risk of unwanted side effects.
Type: Grant
Filed: February 13, 2015
Date of Patent: January 3, 2017
Assignee: Google Inc.
Inventors: J. Bradley Chen, Matthew T. Harren, Matthew Papakipos, David C. Sehr, Bennet S. Yee, Gregory Dardyk
-
Patent number: 9536080
Abstract: According to one embodiment, in response to a request received from an application by a launch module hosted by an operating system and executed by a processor to dynamically load a library, a library validation module hosted by the operating system extracts a first team identifier (ID) from the application, where the first team ID identifies an application provider that provides the application. The library validation module extracts a second team ID from the library, where the second team ID identifies a library provider that provides the library. The first team ID and the second team ID are compared to determine whether the first team ID matches the second team ID. In response to determining that the first team ID matches the second team ID, the launch module launches the library to allow the application to communicate with the library; otherwise, the request is denied.
Type: Grant
Filed: May 29, 2015
Date of Patent: January 3, 2017
Assignee: Apple Inc.
Inventors: Gregory I. Kerr, Pierre-Olivier J. Martel, Love Hornquist Astrand, Peter Kiehtreiber, Ivan Krstic
-
Patent number: 9536081
Abstract: A communication protocol and system is disclosed for network communications between a data service residing on a client that provides network communications between one or more mobile applications on a source and a network based on a process number. The shared data service communicates with a data service plug-in on the server side associated with the process number, in order to handle requests from the mobile applications that access the network through the data service. Predetermined network connection, priority, and additional rules can be used to control what plug-in can be reached through what type of network connection.
Type: Grant
Filed: June 12, 2012
Date of Patent: January 3, 2017
Assignee: Intermec IP Corp.
Inventors: Garrick Fiala, Radek Kasal
-
Patent number: 9536082
Abstract: Embodiments relate to an isolated program execution environment. An aspect includes receiving, by the isolated program execution environment on a computer comprising a processor and a memory, a request to run a program. Another aspect includes wrapping program code corresponding to the program as a function. Another aspect includes cloning a real global object of the isolated program execution environment to create a fake global object. Another aspect includes passing the fake global object to the function. Another aspect includes executing the function, such that the function executes the program.
Type: Grant
Filed: March 17, 2015
Date of Patent: January 3, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Anthony Ffrench, Libra C. Huang, Timothy J. Smith, Chih-Wen Su, Yi-Hong Wang
-
Patent number: 9536083
Abstract: One example method for securing data on untrusted devices includes the steps of identifying, by a first process, a command in a command queue, the command from a second process and comprising an action on secure data; determining whether the command is permitted based on the action and a user credential; and responsive to determining the command is not permitted, removing, by the first process, the command from the command queue.
Type: Grant
Filed: May 28, 2015
Date of Patent: January 3, 2017
Assignee: Senteon LLC
Inventor: Robert Scott Chapman, III
-
Patent number: 9536084
Abstract: Described systems and methods enable a computer security module to protect a set of guest virtual machines against computer security threats. In some embodiments, the computer security module receives introspection notifications from the protected VM, each such notification indicating that a particular trigger event (e.g., a system call) has occurred during execution of guest software within the respective VM. In some embodiments, delivering a notification comprises suspending execution of guest software and switching the processor to executing a notification handler forming part of the computer security module. In some embodiments, the computer security module may indicate to the processor a selected subset of events which trigger introspection notifications.
Type: Grant
Filed: March 23, 2015
Date of Patent: January 3, 2017
Assignee: Bitdefender IPR Management Ltd.
Inventors: Sandor Lukacs, Andrei V. Lutas
-
Patent number: 9536085
Abstract: In a data management system, examination of first data for malicious content by a malicious content scanner is initiated in response to a request to write first data to a data storage device. In response to the examination revealing no malicious content in the first data, the first data, a first signature representative of a version of the malicious content scanner at a time of the examination of the first data, and second data linking the first signature to the first data as read-only data are written to the data storage device.
Type: Grant
Filed: September 29, 2015
Date of Patent: January 3, 2017
Assignee: International Business Machines Corporation
Inventors: Jens-Peter Akelbein, Mathias Dietz, Nils Haustein, Rolf Schaefer, Ruben Straus
-
Patent number: 9536086
Abstract: A circuit arrangement is provided, the circuit arrangement including a processor; a memory circuit connected to the processor, wherein the processor is configured to access the memory circuit; a blocking circuit configured to generate one or more random wait state signals which prevent the processor from accessing the memory circuit; and an integrity checking circuit configured to check the memory circuit during a wait state period of the one or more random wait state signals.
Type: Grant
Filed: February 22, 2012
Date of Patent: January 3, 2017
Assignee: Infineon Technologies Austria AG
Inventor: Wolfgang Furtner
-
Patent number: 9536087
Abstract: Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets.
Type: Grant
Filed: August 1, 2015
Date of Patent: January 3, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Shai A. Rubin, Yosef Dinerstein, Efim Hudis, Yair Helman, Uri Barash, Arie Friedman
-
Patent number: 9536088
Abstract: Disclosed are systems and methods for enabling secure execution of code in hypervisor mode. An exemplary method comprises: loading a hypervisor configured to check integrity of protected virtual memory pages; loading a trusted program configured to make hypercalls to the hypervisor; making by the trusted program a first hypercall to the hypervisor; responsive to the first hypercall, generating by the hypervisor a token, which is used by the hypervisor to identify the trusted program during subsequent hypercalls; allocating a memory page for storing the token and a memory address of the hypervisor; and returning the allocated memory page address to the trusted program.
Type: Grant
Filed: November 9, 2015
Date of Patent: January 3, 2017
Assignee: AO Kaspersky Lab
Inventors: Nikolay N. Igotti, Mikhail A. Ershov
-
Patent number: 9536089
Abstract: A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications.
Type: Grant
Filed: September 2, 2010
Date of Patent: January 3, 2017
Assignee: McAfee, Inc.
Inventor: Ahmed Said Sallam
-
Patent number: 9536090
Abstract: To defend a computer against malware, first executable code, of the computer, that includes a signature that identifies an address, in the computer's memory, of a respective data structure that is potentially vulnerable to tampering, is identified. The first executable code is copied to provide second executable code that emulates the first executable code using its own respective data structure. The first executable code is modified to jump to the second executable code before accessing the data structure, and also so that the signature identifies the address of a guard page.
Type: Grant
Filed: May 26, 2013
Date of Patent: January 3, 2017
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Tomer Teller, Assaf Segal
-
Patent number: 9536091
Abstract: According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceeds a first time period.
Type: Grant
Filed: June 24, 2013
Date of Patent: January 3, 2017
Assignee: FireEye, Inc.
Inventors: Sushant Paithane, Michael Vincent, Sai Vashisht, Darien Kindlund
-
Patent number: 9536092
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Grant
Filed: February 16, 2016
Date of Patent: January 3, 2017
Assignee: International Business Machines Corporation
Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Patent number: 9536093
Abstract: Software code of a software system (e.g., a software stack) may be verified as conforming to a specification. A high-level language implementation of the software system may be compiled using a compiler to create an assembly language implementation. A high-level specification corresponding to the software system may be translated to a low-level specification. A verifier may verify that the assembly language implementation functionally conforms to properties described in the low-level specification. In this way, the software system (e.g., a complete software system that includes an operating system, device driver(s), a software library, and one or more applications) may be verified at a low level (e.g., assembly language level).
Type: Grant
Filed: October 2, 2014
Date of Patent: January 3, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Chris Hawblitzel, Bryan Parno, Jacob R. Lorch, Jonathan R. Howell, Brian D. Zill
-
Patent number: 9536094
Abstract: A system and methods are disclosed for securely booting a processing system using a three step secure booting process. Several embodiments are presented, wherein upon power-on-reset, the first boot step uses a secure boot device comprising of a programmable device or an FPGA which boots up first, validates its configuration file and then validates the processor(s) configuration data before presenting the configuration data to the processor(s). This enables validation of ‘pre-boot’ information, such as the Reset Control Word and pre-boot processor configuration data. The second and third boot steps validate the internal secure boot code and external boot code respectively using one or more of secure validation techniques, such as encryption/decryption, Key mechanisms, privilege checking, pointer hashing or signature correlation schemes.
Type: Grant
Filed: January 13, 2014
Date of Patent: January 3, 2017
Assignee: RAYTHEON COMPANY
Inventors: Brandon Woolley, Norman Cramer, Brian Mcfarland, Matthew Hammond
-
Patent number: 9536095
Abstract: A computer system for booting a confidential image on a trusted computer system. A trusted computer system loads an encrypted client image key onto a protected area on the trusted computer system. The trusted computer system loads an encrypted boot image onto a secure logical partition on the trusted computer system. The trusted computer system decrypts the encrypted client image key to obtain a client image key in the protected area. The trusted computer system decrypts, with the client image key, the encrypted boot image to obtain a boot image and a client data key. The trusted computer system starts the boot image, and the boot image mounts the encrypted client data onto the secure logical partition. The client data key is used by the boot image to decrypt data read from the encrypted client data and to encrypt data written to the encrypted client data.
Type: Grant
Filed: June 24, 2016
Date of Patent: January 3, 2017
Assignee: International Business Machines Corporation
Inventors: Reinhard T. Buendgen, James A. O'Connor, William J. Rooney
-
Patent number: 9536096
Abstract: A system and method for managing business intelligence data is described. In some example embodiments, the system extracts data and metadata from a business intelligence file, generates a data bundle of the data and metadata, generates an application bundle based on the data bundle, and generates an interactive document using the data bundle and application bundle.
Type: Grant
Filed: December 17, 2012
Date of Patent: January 3, 2017
Assignee: Business Objects Software Ltd.
Inventors: Alex MacAulay, Satishkumar Sekharan, Yuru Wang
-
Patent number: 9536097
Abstract: Methods and apparatus for displaying visual content on a display such that the content is comprehensible only to an authorized user for a visual display system such as a computer, a television, a video player, a public display system (including but not limited to a movie theater), a mobile phone, an automated teller machine (ATM), voting booths, kiosks, security screening workstations, tactical displays and other systems where information is displayed for viewing.
Type: Grant
Filed: May 1, 2013
Date of Patent: January 3, 2017
Inventors: William Anderson, Steven E. Turner, Steven J. Pujia, George L. Heron
-
Patent number: 9536098
Abstract: A retrieving system for retrieving information concealed within a sequence of symbols. The system includes a decoder configurable using rule information and operable when so configured to retrieve the information concealed within the sequence of symbols by applying to the sequence of symbols at least one decoder rule determined by the configuration of the encoder.
Type: Grant
Filed: October 25, 2013
Date of Patent: January 3, 2017
Inventors: Dilipsinhji Jadeja, Anita Jadeja
-
Patent number: 9536099
Abstract: An information processing apparatus includes an accepting unit that accepts from a user a command relating to security; a setting unit that makes a setting relating to security of the information processing apparatus based upon the command from the user accepted by the accepting unit; a recording unit that performs the following operation in a case where the accepting unit has accepted a command for changing a security-related setting that has already been made by the setting unit: before the setting unit changes the security-related setting, the recording unit records an event, among events that occur in the information processing apparatus, the content of which will be different between a case where the security-related setting is changed and a case where the security-related setting is not changed; and a notification unit that notifies the user based upon the event that has been recorded by the recording unit.
Type: Grant
Filed: October 6, 2010
Date of Patent: January 3, 2017
Assignee: Canon Kabushiki Kaisha
Inventor: Masahiro Iwadate
-
Patent number: 9536100
Abstract: In one embodiment a controller comprises logic configured to establish a pairing with a remote processor in a second electronic device, create a first secure communication channel with the remote processor, transmit a first portion of a processing task to the remote processor via the first secure channel, receive, via a second communication channel, an input from the first portion of the processing task, and complete at least a second portion of the processing task using the input. Other embodiments may be described.
Type: Grant
Filed: April 16, 2012
Date of Patent: January 3, 2017
Assignee: Intel Corporation
Inventors: Vinay Phegade, Sanjay Bakshi
-
Patent number: 9536101
Abstract: Disclosed are systems and methods for controlling access to data on mobile devices using an accessibility API for users with disabilities.
Type: Grant
Filed: March 7, 2016
Date of Patent: January 3, 2017
Assignee: AO Kaspersky Lab
Inventors: Alexey A. Demov, Konstantin M. Filatov, Victor V. Yablokov
-
Patent number: 9536102
Abstract: A method receives authentication credentials for a user from a client device and receives a request from the user for content stored on a remote storage system. A portion of the content is encrypted and a corresponding decryption key is available only at the computer system. The remaining portion of the content is unencrypted. The method retrieves the content from the remote storage system and uses the received credentials to determine whether the user is authorized to view the encrypted portion. When the user is not authorized, the method forms alternative content by replacing the encrypted portion with a substitute element and transmits the alternative content to the client device. When the user is authorized, the method decrypts the encrypted portion of the content using the decryption key, and combines the decrypted portion with the unencrypted portion to form updated content. The updated content is transmitted to the client device.
Type: Grant
Filed: February 18, 2016
Date of Patent: January 3, 2017
Assignee: GOOGLE INC.
Inventor: Ben Margolin
-
Patent number: 9536103
Abstract: Methods and systems for vendor independent and secure cloud storage distribution and aggregation are provided. According to one embodiment, an application programming interface (API) is provided by a cloud storage gateway device logically interposed between third-party cloud storage platforms and users of an enterprise. The API facilitates storing of files, issuing of search requests against the files and retrieval of content of the files. A file storage policy is assigned to each user, which defines access rights, storage diversity requirements and a type of encryption to be applied to files. Responsive to receiving a request to store a file, (i) searchable encrypted data is created relating to content and/or metadata of the file based on the assigned file storage policy; and (ii) the searchable encrypted data is distributed among the third-party cloud storage platforms based on the storage diversity requirements defined by the assigned file storage policy.
Type: Grant
Filed: June 17, 2015
Date of Patent: January 3, 2017
Assignee: Fortinet, Inc.
Inventor: David A. Redberg
-
Patent number: 9536104
Abstract: Various embodiments are provided for managing a global cache coherency in a distributed shared caching for a clustered file system (CFS). The CFS manages access permissions to an entire space of data segments by using the DSM module. In response to receiving a request to access one of the data segments, a calculation operation is performed for obtaining most recent contents of one of the data segments. Most recent contents are determined if ownership of the one of the data segments is possessed by a remote DSM module and the request to access one of the data segments is for shared permission and exists in the local external cache. The most recent contents are transported within the response if the response is in a remote external cache and has a valid permission for the one of the data segments otherwise reading from the one of the data segments.
Type: Grant
Filed: December 3, 2015
Date of Patent: January 3, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Lior Aronovich, Yair Toaff, Gil Paz, Ron Asher
-
Patent number: 9536105
Abstract: An approach is provided for providing data access via multi-user views. An access management platform determines at least one view of data, wherein the at least one view is created based on one or more queries with one or more projections in one or more monadic elements to the data. The access management platform further determines one or more policies for accessing the data, wherein the one or more policies specify at least one or more access capabilities. The access management platform also causes storage of the one or more policies, the one or more access capabilities, or a combination thereof in the one or more monadic elements. The access management platform further causes granting of access to the at least one view by one or more requesting devices, wherein the granting of the access is determined by processing of the one or more monadic elements.
Type: Grant
Filed: January 26, 2012
Date of Patent: January 3, 2017
Assignee: Nokia Technologies Oy
Inventors: Sergey Boldyrev, Mika Juhani Mannermaa, Dmitry Kolesnikov
-
Patent number: 9536106
Abstract: The present invention is directed to a system and method for restricting data, or portions thereof, to specific display devices when accessed by a user. Furthermore, the system and method of the invention are directed, in part, to evaluating in real time, the access level of a device and restricting the availability of sensitive information on the device according to the access level as determined by device location and hardware configuration.
Type: Grant
Filed: October 8, 2014
Date of Patent: January 3, 2017
Assignee: D.R. Systems, Inc.
Inventor: Evan K. Fram
-
Patent number: 9536107
Abstract: Disclosed is a method and system for enabling multi-party and multi level authorizations for accessing confidential information. A first set of access privilege levels, a first set of credentials, a second set of access privilege levels and a second set of credentials are configured corresponding to a plurality of services. A service consumer may be identified using an identifier and thereafter authorized to issue a request for a service based upon authentication of the service consumer using an access privilege level of the first set of access privilege levels and a credential of the first set of credentials. After the authentication, an OTAT is generated. A service provider may be authenticated using the OTAT, an access privilege level of the second set of access privilege levels and a credential of the second set of credentials. The service provider is then authorized to access the confidential information of the service consumer.
Type: Grant
Filed: May 22, 2015
Date of Patent: January 3, 2017
Assignee: Tata Consultancy Services Limited
Inventors: Anushka Soman, Shalin Garg, Sathish Vallat, Sachin Kumar Agrawal, Annie Thomas
-
Patent number: 9536108
Abstract: A privacy processing system may use privacy rules to filter sensitive personal information from web session data. The privacy processing system may generate privacy profiles or privacy metadata that identifies how often the privacy rules are called, how often the privacy rules successfully complete actions, and the processing time required to execute the privacy rules. The privacy profiles may be used to detect irregularities in the privacy filtering process that may be associated with a variety of privacy filtering and web session problems.
Type: Grant
Filed: October 23, 2012
Date of Patent: January 3, 2017
Assignee: International Business Machines Corporation
Inventors: Travis Spence Powell, Nadav Caspi, Robert I. Wenig, Wolf Herda, Gerard Dietrich
-
Patent number: 9536109
Abstract: A method, system and computer program product for administering a secure data repository. Rather than using a specific database, an application may use an existing hierarchical file structure, such as provided by conventional operating systems, to store structured data in a number of files. To detect unauthorized, malicious or inadvertent changes to these files, either within one or more files, or by deletion, replacement or movement of files in their entirety, each file incorporates a last change timestamp and the contents of the file are digitally signed. Furthermore, every file in the secure repository is logged in an index file together with its respective change date stamp, and the index file as a whole is also digitally signed. Unauthorized changes can be identified by comparison of the file date stamps with the content of the index as well as verifying the validity of each digital signature.
Type: Grant
Filed: September 21, 2010
Date of Patent: January 3, 2017
Assignee: International Business Machines Corporation
Inventors: Giuseppe Ciano, Luigi Pichetti
-
Patent number: 9536110
Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
Type: Grant
Filed: November 27, 2013
Date of Patent: January 3, 2017
Assignee: SOCIONEXT INC.
Inventors: Seiji Goto, Jun Kamada, Taiji Tamiya
-
Patent number: 9536111
Abstract: A hardware Secure Processing Unit (SPU) is described that can perform both security functions and other information appliance functions using the same set of hardware resources. Because the additional hardware required to support security functions is a relatively small fraction of the overall device hardware, this type of SPU can be competitive with ordinary non-secure CPUs or microcontrollers that perform the same functions. A set of minimal initialization and management hardware and software is added to, e.g., a standard CPU/microcontroller. The additional hardware and/or software creates an SPU environment and performs the functions needed to virtualize the SPU's hardware resources so that they can be shared between security functions and other functions performed by the same CPU.
Type: Grant
Filed: April 30, 2013
Date of Patent: January 3, 2017
Assignee: Intertrust Technologies Corporation
Inventor: W. Olin Sibert
-
Patent number: 9536112
Abstract: In an embodiment, to deter or delay counterfeiting/cloning of a replacement component of a host device, the replacement component is provided with a code value. The code value is generated from a value of at least one physical parameter of the replacement component and is stored on the replacement component. The host device determines whether the replacement component is authentic if the stored code value matches a reference code value.
Type: Grant
Filed: June 13, 2012
Date of Patent: January 3, 2017
Assignees: STMicroelectronics Asia Pacific Pte Ltd., STMicroelectronics
Inventors: TeckKhim Neo, Paul I. Mikulan, Murray J. Robinson, Rube M. Ross
-
Patent number: 9536113
Abstract: According to an embodiment, an information processing apparatus includes a main processor, a secure operating system (OS) module, a non-secure OS module, a secure monitor memory setting module, a timer, and an address space controller. When receiving a notification of an interrupt from the timer, a secure monitor instructs the secure OS module to execute certain processing. The secure OS module is configured to execute certain processing instructed by the secure monitor and store data of a result of the processing in a first memory area.
Type: Grant
Filed: September 10, 2014
Date of Patent: January 3, 2017
Assignee: Kabushiki Kaisha Toshiba
Inventors: Hiroshi Isozaki, Jun Kanai, Shintarou Sano, Shunsuke Sasaki, Toshiki Kizu
-
Patent number: 9536114
Abstract: Described is system for secure mobile proactive multi-party computation. The system securely evaluates a circuit in the presence of an adversary. The circuit receives secret inputs comprising secret values from a set of servers. Sharings of random values for the random and input gates are generated. For each input gate, a sharing of a random value associated with the input gate is opened toward a server Pi. A sum of the server Pi's secret values and the random value is broadcast to the set of servers. Each server uses the sum to adjust its sharing of the random value, generating a sharing of server Pi's secret values. The secret values are re-randomized to preserve privacy of the secret values. A sharing of the secret values is determined for each output gate, and each sharing of secret values is revealed to an intended recipient.
Type: Grant
Filed: September 4, 2014
Date of Patent: January 3, 2017
Assignee: HRL Laboratories, LLC
Inventors: Karim El Defrawy, Joshua D. Lampkins
-
Patent number: 9536115
Abstract: In a method for unlocking an electronic device with a touch screen and a distance sensor, a triggering signal to unlock the electronic device is received. Objects within a predetermined distance of the distance sensor is determined. The touch screen is activated to display an unlocking area if no object is detected within the predetermined distance of the distance sensor. Touch signals are received from the unlocking area to determine whether an unlocking operation is performed. A time duration that the touch screen has been activated is calculated to determine whether the unlocking operation is performed within a preset time period from activation of the touch screen. The electronic device is unlocked if the unlocking operation is performed within a preset time period from activation of the touch screen, and a predetermined application is executed when the electronic device is unlocked.
Type: Grant
Filed: April 22, 2015
Date of Patent: January 3, 2017
Assignees: SHENZHEN FUTAIHONG PRECISION INDUSTRY CO., LTD., Chiun Mai Communication Systems, Inc.
Inventor: Ke-Xin Wang
-
Patent number: 9536116
Abstract: Examples disclose a cable to secure data transmission. Examples of the cable include a connector to connect to a computing device for data transmission. Further, the examples of the cable include an active component coupled to the connector and embedded in the cable. The active component is to at least perform one of encrypt and decrypt the data transmitted on the cable.
Type: Grant
Filed: December 21, 2012
Date of Patent: January 3, 2017
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Kent E Biggs, Michael Provencher, Thomas Flynn
-
Patent number: 9536117
Abstract: Systems and methods for reading Radio Frequency Identified (RFID) tags. In an embodiment, an enclosure having, within it, an antenna and processor is provided. The processor may be configured to record tag observations for tag identifiers received by the antenna from RFID tags. For one or more time intervals, tag observations may be identified which satisfy a tag filter, and a confidence that RFID tags satisfying the tag filter were in the field of view of the antenna during the time interval may be computed based on the identified tag observations. According to an embodiment, reports for tag filters may be then generated using the computed confidences, and these reports may be transmitted to an external system over a network.
Type: Grant
Filed: October 29, 2013
Date of Patent: January 3, 2017
Assignee: Quake Global, Inc.
Inventors: Scott Barvick, Pattabhiraman Krishna, Hiroto Shibuya
-
Patent number: 9536118
Abstract: A card reader performing a wireless communication with a card includes a first pulse generation unit generating a first detection pulse for detecting the card, a second pulse generation unit generating a plurality of second detection pulses for detecting the card, or a plurality of communication pulses for communicating with the card, and a card detection unit for sensing a card being detected by the first detection pulse or the second detection pulses. In the case that the card is not sensed through the first detection pulse, the second pulse generation unit generates the second detection pulses using the communication pulses and senses the card using the second detection pulses.
Type: Grant
Filed: August 4, 2015
Date of Patent: January 3, 2017
Assignee: Samsung Electronics Co., Ltd.
Inventors: Hyunjae Kang, Junho Kim, Iljong Song, Sangchan Park