Patents Issued on August 3, 2017
-
Publication number: 20170220777
Abstract: Processing in an asymmetrically distributed file system may include storing first data representative of the content of the files in a file system volume among a plurality of storage nodes. Second data representative of attributes of the files in the file system volume may be stored in only one of the storage nodes. Time-limited leases allow clients direct access to the plurality of storage node in order to access portions of the file system volume. The time-limited leases may be provided to client lessors. Snapshots of the file system volume may be generated after sending a revocation to the client lessors to revoke time-limited leases provided to the client lessors and having received the acknowledgements of the revocations or after the leases have expired for non-responding lessors, to ensure that changes are not made to the file system volume during snapshot processing.
Type: Application
Filed: February 2, 2016
Publication date: August 3, 2017
Inventors: Wenguang Wang, Luke Lu
-
Publication number: 20170220778
Abstract: When a license management server according to the present exemplary embodiment receives a request for changing a license of a first version to a license of a second version from a license operation server that leases a license to a client, the license management server changes an expiration date of the license of the first version to a predetermined period of time later, and issues the license of the second version. Then, the license of the first version of which expiration date has been changed to the predetermined period of time later and the issued license of the second version are transmitted to the license operation server.
Type: Application
Filed: January 25, 2017
Publication date: August 3, 2017
Inventor: Hiroshi FUSE
-
Publication number: 20170220779
Abstract: According to an exemplary embodiment of the present invention, in a case where a first start request is received, an application determines whether a license management unit has already acquired a license, and in a case where the application determines that the license management unit has not yet acquired the license, the application acquires a license from a license server and switches the application to a state where a user can use the application. Then, in a case where the license management unit has not yet been started, the application makes a second start request to start license management unit.
Type: Application
Filed: January 26, 2017
Publication date: August 3, 2017
Inventor: Tomonori Minagawa
-
Publication number: 20170220780
Abstract: Disclosed is a manufacturing process and feature licensing system for provisioning personalized (device-unique) licenses to devices, with the following characteristics. The system is secure in that it uses a secure key wrapping mechanism to deliver the LSK to LPS. Another feature is that various network communication links are secured using standard security protocol. Further, application messages, license templates, licenses are digitally signed. The system is also flexible because it is configured to allow multiple manufacturers and to allow various feature configurations via the use of License Template. The system is also scalable, as it is possible to use multiple LPS hosts to serve multiple programming stations. The system is available in that the delegation of license signing capability from CLS to LPS eliminates the dependency on unreliable Internet connections. Redundant LPS hosts provide high level of availability required for high volume license provisioning.
Type: Application
Filed: April 13, 2017
Publication date: August 3, 2017
Inventors: Jinsong Zheng, Tat Keung Chan, Liqiang Chen, Greg N. Nakanishi, Jason A. Pasion, Xin Qiu, Ting Yao
-
Publication number: 20170220781
Abstract: A system, method, and device includes a platform data storage that stores a wrap that secures an executable controller and executable sensors. The wrap is verified, optionally through a downloaded authentication driver. After verifying the wrap, the wrap is opened and a sister of the executable controller is installed into the platform memory to cooperate with the executable controller. Additionally or alternatively, the authentication driver may cooperate with the executable controller. The executable controller allows the platform processor to access data secured in a vault and/or verify the platform to create a connection to an application server.
Type: Application
Filed: April 17, 2017
Publication date: August 3, 2017
Inventors: Wayne Odom, Karolyn Gee
-
Publication number: 20170220782
Abstract: Mobile Health Interface (mHi) Platform systems and methods of evaluating mobile applications include establishing evaluation criteria for mobile applications within a given industry; receiving mobile applications with associated Application Programming Interfaces (APIs) for the given industry; classifying, via the APIs, each of the mobile applications into discreet packages; certifying and accepting the discreet packages for each of the mobile applications based upon the evaluation criteria, via processing circuitry of a single interoperable platform with data integration capability and associated virtual machine; authenticating a user access to the certified discreet packages for a set trial period of time; receiving trial sequence data indicating the user's preference via scoring for each of the certified discreet packages for the set period of time; ranking the certified discreet packages based upon the received trial sequence data; and receiving a selected bundle of certified and ranked discreet packages.
Type: Application
Filed: April 18, 2017
Publication date: August 3, 2017
Inventor: Ali ALSANOUSI
-
Publication number: 20170220783
Abstract: A configuration in which a reliable source of illegal copy content is analyzed using content in which a reproduction path can be set is realized. Content which has a segment area including a plurality of items of variation data which can be decrypted using different keys and in which a reproduction path corresponding to the selected variation data can be set is used. Each item of variation data is configured such that embedded information such as a digital watermark can be acquired from decrypted data. Each item of variation data includes a 192-byte source packet or a 6144-byte aligned unit. A reproduction device selects and reproduces one item of variation data from each segment area on the basis of a variation data identifier recorded in the variation data.
Type: Application
Filed: July 24, 2015
Publication date: August 3, 2017
Applicant: SONY CORPORATION
Inventors: Yoshiyuki KOBAYASHI, Kenjiro UEDA
-
Publication number: 20170220784
Abstract: Embodiments of the present invention provide an authenticating service of a chip having an intrinsic identifier (ID). In a typical embodiment, an authenticating device is provided that includes an identification (ID) engine, a self-test engine, and an intrinsic component. The intrinsic component is associated with a chip and includes an intrinsic feature. The self-test engine retrieves the intrinsic feature and communicates it to the identification engine. The identification engine receives the intrinsic feature, generates a first authentication value using the intrinsic feature, and stores the authentication value in memory. The self-test engine generates a second authentication value using an authentication challenge. The identification engine includes a compare circuitry that compares the first authentication value and the second authentication value and generates an authentication output value based on the results of the compare of the two values.
Type: Application
Filed: April 17, 2017
Publication date: August 3, 2017
Inventors: Srivatsan Chellappa, Subramanian S. Iyer, Toshiaki Kirihata, Sami Rosenblatt
-
Publication number: 20170220785
Abstract: A method and apparatus for performing authentication may comprise: determining a first value of a dynamic password applicable for a first scenario, the dynamic password having a plurality of values for a plurality of scenarios defined by at least one parameter; authenticating a user in the first scenario by a device based on the first value of the dynamic password; determining a second value of the dynamic password applicable for a second scenario; and authenticating the user in the second scenario by the device based on the second value of the dynamic password.
Type: Application
Filed: April 13, 2017
Publication date: August 3, 2017
Inventor: Govindarajan KRISHNAMURTHI
-
Publication number: 20170220786
Abstract: A device includes a memory and a processor. The memory is configured to store a threshold. The processor is configured to authenticate a user based on authentication data. The processor is also configured to, in response to determining that the user is authenticated, generate a correlation score indicating a correlation between a first signal received from a first sensor and a second signal received from a second sensor. The processor is also configured to determine liveness of the user based on a comparison of the correlation score and the threshold.
Type: Application
Filed: February 2, 2016
Publication date: August 3, 2017
Inventors: Yinyi Guo, Minho Jin, JunCheol Cho, Yongwoo Cho, Lae-Hoon Kim, Erik Visser, Shuhua Zhang
-
Publication number: 20170220787
Abstract: An information processing apparatus includes: a radio communication unit configured to start emission of radio waves for performing radio communication with a radio tag, and obtain specific information from the radio tag, at least after a time point at which a user in a predetermined range is detected by a detecting unit; a first authentication unit configured to execute first authentication for the radio tag, based on the specific information obtained by the radio communication unit; a second authentication unit configured to execute second authentication for a user included in an image acquired by an imaging unit, based on feature information of the image; and an apparatus authentication unit configured to authorize the user to use the information processing apparatus, if a user of the radio tag authenticated by the first authentication is the same as the user authenticated by the second authentication.
Type: Application
Filed: January 31, 2017
Publication date: August 3, 2017
Applicant: Ricoh Company, Ltd.
Inventors: Satoru INOKUCHI, Taku IKAWA
-
Publication number: 20170220788
Abstract: System for ex post facto upgrading of at least one Legacy personal communication device including a legacy modem and lacking at least one desired wireless communication feature, the system comprising an up-graded communication device including an auxiliary modem physically connected via an ex post facto physical connection to a Legacy personal communication device having at least one legacy wireless output channel which has been neutralized or disabled.
Type: Application
Filed: November 3, 2015
Publication date: August 3, 2017
Applicant: ELTA SYSTEMS LTD.
Inventors: Oded NAHAMONI, Adi SCHWARTZ, Gil KOIFMAN, Yaakov SHOSHAN
-
Publication number: 20170220789
Abstract: An example method includes receiving a digital certificate corresponding to a user at a stylus device. The method includes transmitting the digital certificate and associated digital ink data to a touch device to authenticate the user based at least on the digital certificate and the associated digital ink data in response to detecting that the stylus device is within a threshold range of the touch device.
Type: Application
Filed: February 2, 2016
Publication date: August 3, 2017
Applicant: Microsoft Technology Licensing, LLC
Inventor: Narasimhan Raghunath
-
Publication number: 20170220790
Abstract: An interface, system and method of password entry in a computing device/system including a graphical user interface including a plurality of password characters displayed on a screen according to a location-based structure and selectable by a pointing device; a scrambling module that scrambles where at least a portion of the password characters are positioned within the location-based structure when triggered; and a triggering module to trigger the scrambling module. The location-based structure may be a 3-dimensional object. There is a password manager module that allows a user to upload password characters that are user customized images. Alpha-numeric characters are not scrambled.
Type: Application
Filed: April 13, 2017
Publication date: August 3, 2017
Inventor: Danilo E. Fonseca
-
Publication number: 20170220791
Abstract: A terminal device, an authentication information management method, and an authentication information management system for securing a security level of authentication information while maintaining the convenience for a user. A mobile device determines whether communication with a wearable device is possible and determines whether the mobile device is able to communicate with an authentication server. When it is determined that communication between the mobile device and the wearable device is possible and communication between the mobile device and the authentication server is possible, the mobile device transmits identification information corresponding to the wearable device to the authentication server, requests the authentication server to transmit authentication information, receives the authentication information from the authentication server in response to the transmission request, and transmits the received authentication information to the wearable device.
Type: Application
Filed: January 16, 2015
Publication date: August 3, 2017
Applicant: NTT DOCOMO, INC.
Inventors: Akira SHIBUTANI, Tetsuhiro TANNO, Shigeko KOBAYASHI, Yuuta HIGUCHI, Tetsuhiro SASAGAWA
-
Publication number: 20170220792
Abstract: Constraining authorization tokens via filtering in one example implementation can include generating a first authorization token that provides a first level of access to first data matching a first set of criteria. A filter can be applied to constrain a second authorization token that provides a second level of access to second data matching a second set of criteria. The first authorization token and the second authorization token can have a subset relationship where the first level of access is greater than the second level of access, and the relationship between the first and second authorization token can be maintained.
Type: Application
Filed: July 25, 2014
Publication date: August 3, 2017
Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
Inventors: Andrew REA, Marc D. STIEGLER
-
Publication number: 20170220793
Abstract: In some implementations, after one or more users have each been granted a respective access token allowing access to a resource device, revocation data is received by the resource device. The revocation data indicates that the previously granted access to the resource device should be revoked. For example, the revocation data may indicate (i) a user, role, or permission level for which access is revoked and (ii) a duration that access to the resource device was allowed. After receiving the revocation data, the resource device receives token data derived from an access token that allows access to the resource device. The resource device determines that the access token relies on authorization of the user, role, or permission level indicated by the revocation data, and in response, the resource device denies access.
Type: Application
Filed: December 22, 2016
Publication date: August 3, 2017
Inventors: Arnar Birgisson, Yevgeniy Gutnik
-
Publication number: 20170220794
Abstract: Biometric data are obtained from biometric sensors on a stand-alone computing device, which may contain an ASIC, connected to or incorporated within it. The computing device and ASIC, in combination or individually, capture biometric samples, extract biometric features and match them to one or more locally stored, encrypted templates. The biometric matching may be enhanced by the use of an entered PIN. The biometric templates and other sensitive data at rest are encrypted using hardware elements of the computing device and ASIC, and/or a PIN hash. A stored obfuscated PassWord is de-obfuscated and may be released to the authentication mechanism in response to successfully decrypted templates and matching biometric samples. A different de-obfuscated password may be released to authenticate the user to a remote or local computer and to encrypt data in transit. This eliminates the need for the user to remember and enter complex passwords on the device.
Type: Application
Filed: April 14, 2017
Publication date: August 3, 2017
Inventors: Rodney Beatson, Mark A. Kelty, Christopher J. Beatson
-
Publication number: 20170220795
Abstract: An information processing device (1) includes: a Syscall instruction monitoring part (313) configured to monitor at least an instruction to pass processing to a kernel (35) of an OS among instructions issued to a CPU (11); and an exclusive loader (201) configured to load a monitoring software (31) functioning as the Syscall instruction monitoring part (313) at region A in a RAM (30), the monitoring software set at ring 0 that is higher than ring (2) set for the kernel (35) of the OS. Even when an access is tried to a resource by executing a malicious program, the access can be detected and intrusion of the malicious program to the kernel can be blocked.
Type: Application
Filed: May 15, 2015
Publication date: August 3, 2017
Inventor: Junko SUGINAKA
-
Publication number: 20170220796
Abstract: Code intended to operate in an operating system without an isolation mechanism is executed in isolation. The present system enables synthetic transactions to be executed in isolation without affecting other client data and files. Isolation may be outsourced to a separate set of servers that have an operating system which does support isolation. A handshake or other protocol is utilized to maintain secure data and communication. Untrusted script code provided by a customer is isolated in one or more remote servers. To execute the script on a client machine, a key is provided to access this script. A machine at which the script is to be run is provided with the key and the address of the script code on the remote server. A secure connection is established between the client machine and the script code server and script is executed on the client machine.
Type: Application
Filed: January 29, 2016
Publication date: August 3, 2017
Inventors: Adam Cath, Manoj Acharya, Olivier Crameri, Renault John Lecoultre, Karthik Krishnamurthy
-
Publication number: 20170220797
Abstract: A malware detection method and a malware detection apparatus are provided. The method includes running to-be-detected software in a sandbox, and recording at least one operation; and in a process of recording the at least one operation, when it is detected that any interface that has a delay attribute in the sandbox is called, determining whether delay duration corresponding to a first delay length parameter of the called interface is greater than preset duration. If the delay duration corresponding to the first delay length parameter is greater than the preset duration, delay duration of delay execution is reduced to enable the malicious behavior to be executed in the process of recording the at least one operation executed within the preset duration after the to-be-detected software starts to run, and accordingly, the malicious behavior may be exposed in advance.
Type: Application
Filed: April 19, 2017
Publication date: August 3, 2017
Inventor: Bu Liu
-
Publication number: 20170220798
Abstract: Example embodiments disclosed herein relate to determining permissible activity in an application. Application programming interfaces (APIs) of an application are monitored using a runtime agent. Information about the APIs is provided to a rules engine. A set of rules describing permissible activity is received from the rules engine.
Type: Application
Filed: December 16, 2014
Publication date: August 3, 2017
Inventors: Matias Madou, Benjamin Seth HEILERS
-
Publication number: 20170220799
Abstract: Various implementations provide a framework for behavior-based network management and monitoring. A behavior model including various expected behaviors, actions, and actors may be associated with a digital culture. Behavior within a digital culture that does not conform to the behavior model may be detected and categorized. When an abnormal behavior is categorized as malicious, a security protocol or procedure may be activated. In other cases, abnormal behavior may be categorized as benign. A CRK framework of concepts, actors, actions, etc. may provide a platform enabling implementation of behavior-based network management and monitoring.
Type: Application
Filed: April 12, 2017
Publication date: August 3, 2017
Inventors: David Tinsley, Frank Busalacchi, David Kerley
-
Publication number: 20170220800
Abstract: There are provided measures for enabling the detection of a malware-usable clean file or, stated differently, the detection of malware using a clean file. Such measures could exemplarily include identifying a vulnerable clean file in a computer system, which does not constitute malware but is vulnerable for usage by malware, checking the vulnerable clean file for its threat of usage by malware, and detecting the vulnerable clean file as malware-usable clean file on the basis of a result of said checking of its threat of usage by malware.
Type: Application
Filed: February 1, 2017
Publication date: August 3, 2017
Inventor: Jarno NIEMELÄ
-
Publication number: 20170220801
Abstract: Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behaviour of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
Type: Application
Filed: August 3, 2015
Publication date: August 3, 2017
Inventors: Jack STOCKDALE, Alex MARKHAM
-
Publication number: 20170220802
Abstract: A system, method and computer-readable storage devices for providing protection mechanisms to a server motherboard prior to its booting. A system configured according to this would, upon receiving power at a motherboard, and prior to booting the motherboard: generate a nonce, send the nonce to a first component on the motherboard, and send the nonce to a second component on the motherboard. The system then receives a response from at least one of the first component on the motherboard and the second component on the motherboard, wherein the response is based on a communication protocol between the first component and the second component, the communication protocol utilizing the nonce. When the response indicates a correct hardware configuration, the system performs the booting of the motherboard.
Type: Application
Filed: February 1, 2016
Publication date: August 3, 2017
Inventors: Kuo-Shu HUANG, Wei-Yu CHIEN
-
Publication number: 20170220803
Abstract: A method for providing a computer program for a computing unit of an electronic device, in particular a control device of a motor vehicle or of a household appliance, wherein the method includes: evaluation of properties of the electronic device relating to a susceptibility to side channel attacks and/or fault attacks, as a result of which an evaluation result is obtained, selection of at least one influencing parameter that has an influence on the susceptibility of the electronic device to side channel attacks and/or fault attacks, in particular as a function of the evaluation result, use of the at least one influencing parameter to diversify the computer program for the computing unit.
Type: Application
Filed: January 26, 2017
Publication date: August 3, 2017
Inventors: Hans Loehr, Herve Seudie, Paulius Duplys, Robert Szerwinski, Sebastien Leger
-
Publication number: 20170220804
Abstract: Example embodiments disclosed herein relate to determining whether a protective measure meeting criteria has been performed on data. Execution of an application under test (AUT) is monitored. A message that a field of the AUT should be considered sensitive is received. Data is determined to be entered into the field. The data is monitored during execution of the AUT to determine whether the protective measure that meets the criteria has been performed on the data.
Type: Application
Filed: September 4, 2014
Publication date: August 3, 2017
Inventors: Sasi MUTHURAJAN, Matias MADOU, Ronald J. SECHMAN, Jeremy BROOKS
-
Publication number: 20170220805
Abstract: Example embodiments disclosed herein relate to determining a secure activity of an application under test (AUT). Execution of an application under test is monitored. During an attack vector, an application programming interface associated with a secure activity is determined. A message is sent to a security test that secure activity occurred.
Type: Application
Filed: September 25, 2014
Publication date: August 3, 2017
Inventors: Sam NG, Ronald J. SECHMAN, Matias MADOU
-
Publication number: 20170220806
Abstract: In one implementation, a static analysis system can include an operator engine to identify a modification operation on a string based on a structural comparison of program code to a static analysis rule, a label engine to maintain a label with the string based on the static analysis rule, and a sink engine to identify that the label denotes a string property and provide an analysis message associated with the string property based on the label.
Type: Application
Filed: September 30, 2014
Publication date: August 3, 2017
Inventors: Alvaro Munoz, Yekaterina O'Neil
-
Publication number: 20170220807
Abstract: Example implementations relate to static program analysis. For example, an apparatus includes a processor to perform static program analysis on a set of processor executable instructions associated with an object-relational mapping (ORM) framework. The first set of processor executable instructions includes an object. The processor is also to generate a propagation path of the object based on an execution flow of the object. The propagation path includes a first node and a second node. The first node corresponds to a first ORM operation to store the object in a database. The second node corresponds to a second ORM operation to retrieve the object from the database. The second node is linked to the first node based on a common attribute of the object. In response to a determination that the propagation path includes a sink, the processor is to output a security risk warning.
Type: Application
Filed: August 29, 2014
Publication date: August 3, 2017
Inventors: Alvaro Munoz, Yekaterina O'Neil
-
Publication number: 20170220808
Abstract: In remediating a computer vulnerability, operations to be performed to correct the vulnerability are identified. Remediation processors are scheduled to perform the operations. Whether the vulnerability has been corrected is determined by: determining whether the operations have been performed successfully; and determining whether the operations have been performed by authorized remediation processors.
Type: Application
Filed: October 31, 2014
Publication date: August 3, 2017
Inventors: Peter Schmidt, Jeff Kalibjian
-
Publication number: 20170220809
Abstract: A method and structure for a secure object, as tangibly embodied in a computer-readable storage medium. The secure object includes a cryptographically protected region containing at least one of code and data, an initial integrity tree that protects an integrity of contents of the cryptographically protected region; and an unprotected region that includes a loader, an esm (enter secure mode) instruction, and one or more communication buffers.
Type: Application
Filed: April 20, 2017
Publication date: August 3, 2017
Inventors: Richard Harold Boivie, Peter T. Williams
-
Publication number: 20170220810
Abstract: Systems and methods are provided herein for enabling a plurality of users in a closed environment, such as an environment where users cannot access the Internet, to share media while retaining ownership rights to their media, and while ensuring that processing power of their devices is not unduly burdened by the sharing. For example, using the systems and methods described herein, users may be able to establish a group (e.g., by way of a wireless network hotspot), and may be able to transfer media amongst one another to expand their entertainment options. Access controls may be implemented to ensure that the media is returned to its rightful owner when a network supporting the group is about to be torn down.
Type: Application
Filed: January 29, 2016
Publication date: August 3, 2017
Inventor: Milan Indu Patel
-
Publication number: 20170220811
Abstract: A method and related system obtains consent from an individual for computer-aided delivery of compliance information. Initially, a computer-readable data storage device is provided to the individual. The device stores the compliance information and computer-executable instructions. By inserting the device into a computer, the instructions are executed and the individual is prompted by the computer to consent to the computer-aided delivery of additional compliance information. Once consent is indicated, it is communicated from the individual's computer to another computer such as a server over, for example, a modem connection. Having secured the individual's consent, the additional compliance information can be delivered to the individual's computer as, for example, a file attachment to an email message.
Type: Application
Filed: April 17, 2017
Publication date: August 3, 2017
Inventors: Stephen V. Burakoff, Sergiu S. Simmel, Robert A. Fein
-
Publication number: 20170220812
Abstract: An input monitoring agent detects storage of a security record by a security scanning application, encrypts a copy of the security record, and deletes the security record. A secure transfer queue decrypts the encrypted security record, translates the security record for use by a security monitoring application, and encrypts the translated security record. An output monitoring agent predicts when a security monitoring application will attempt to import a new security file, decrypts and stores the encrypted translated security record as the new security file, and deletes the new security file when the security monitoring application has completed importation.
Type: Application
Filed: October 31, 2014
Publication date: August 3, 2017
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventors: Scott Lopez, Jeff Kalibjian
-
Publication number: 20170220813
Abstract: A facility for performing contingent redaction of one or more portions of a document is described. The facility receives a request to materialize an identified document that identifies an entity for which the identified document is to be materialized. For a portion of the document identified by the request, the facility retrieves a criterion that must be satisfied to include the portion in a materialization of the document identified by the request. The facility evaluates the criterion for the entity identified by the request with respect to a present time. The facility causes the document identified by the request to be materialized for the entity identified by the request in a manner consistent with the result of the evaluation.
Type: Application
Filed: January 29, 2016
Publication date: August 3, 2017
Inventors: Christopher Lee Mullins, Jonathan Edgar Fay, Robert Earl Standefer, III
-
Publication number: 20170220814
Abstract: A server in a digital rights management system implements version control for the digital documents being managed. Each document belongs to a document series and has a version number. The server maintains a version control database table that stores, for each document, the document series name and version number, and parameters indicating whether the document is obsoleted or deleted. When registering a new document, based on auto-obsolete and auto-delete parameters inputted by the user, the server automatically obsoletes or deletes certain older version documents that belong to the same series as the new document. The server controls access to the documents so that obsoleted documents will not be accessible to users even if they still have local copies of such documents. When a user requests access to an older version document that is not obsoleted, the server may allow access to the latest version document instead.
Type: Application
Filed: January 29, 2016
Publication date: August 3, 2017
Applicant: KONICA MINOLTA LABORATORY U.S.A., INC.
Inventor: Rabindra Pathak
-
Publication number: 20170220815
Abstract: An information computer system is provided for securely releasing time-sensitive information to recipients via a blockchain. A submitter submits a document to the system and a blockchain transaction is generated and submitted to the blockchain based on the document (e.g., the document is included as part of the blockchain transaction). An editor may edit the document and an approver may approve the document for release to the recipients. Each modification and/or approval of the document is recorded as a separate transaction on the blockchain where each of the submitter, editor, approver, and recipients interact with the blockchain with corresponding unique digital identifiers—such as private keys.
Type: Application
Filed: January 27, 2017
Publication date: August 3, 2017
Inventors: AKBAR ANSARI, Thomas FAY, Dominick PANISCOTTI
-
Publication number: 20170220816
Abstract: In some embodiments, an apparatus includes a memory and a processor. The processor is configured to receive a set of images associated with a video recorded by a moving or a non-moving camera. The processor is configured to detect a structure of a region of interest from a set of regions of interest in an image from the set of images. The processor is configured to classify the structure into a geometric class from a set of predefined geometric classes using machine learning techniques. The processor is configured to alter the region of interest to generate an altered image when the geometric class is associated with an identity of a person, such that privacy associated with the identity of the person is protected. The processor is configured to send the altered image to a user interface or store the altered image in a standardized format.
Type: Application
Filed: January 27, 2017
Publication date: August 3, 2017
Inventors: Florian MATUSEK, Klemens KRAUS, Stephan SUTOR, Ádám ERDÉLYI, Georg ZANKL
-
Publication number: 20170220817
Abstract: One embodiment provides a method comprising receiving general private data identifying at least one type of privacy-sensitive data to protect, collecting at least one type of real-time data, and determining an inference privacy risk level associated with transmitting the at least one type of real-time data to a second device. The inference privacy risk level indicates a degree of risk of inferring the general private data from transmitting the at least one type of real-time data. The method further comprises distorting at least a portion of the at least one type of real-time data based on the inference privacy risk level before transmitting the at least one type of real-time data to the second device.
Type: Application
Filed: January 29, 2016
Publication date: August 3, 2017
Inventors: Yilin Shen, Hongxia Jin
-
Publication number: 20170220818
Abstract: Embodiments of the invention relate to systems and methods for providing an anonymization engine. One embodiment of the present invention relates to a method comprising receiving a message directed at a recipient computer located outside a secure area by a privacy computer located within a secure area. The privacy computer may identify private information using a plurality of privacy rules and anonymize the message according to the plurality of privacy rules. Another embodiment may be directed to a method comprising receiving a request for sensitive data from a requesting computer. An anonymization computer may determine a sensitive data record associated with the request and may anonymize the sensitive data record by performing at least two of: removing unnecessary sensitive data entries from the sensitive data record, masking the sensitive data entries to maintain format, separating the sensitive data entries into associated data groupings, and de-contexting the data.
Type: Application
Filed: April 19, 2017
Publication date: August 3, 2017
Inventors: Sekhar Nagasundaram, Selim Aissi
-
Publication number: 20170220819
Abstract: Example implementations relate to an information exchange gateway. For example, a computing device may include a processor. The processor may receive a request to provide specified information to a requesting entity. The specified information may be associated with a user of the information exchange gateway managing information of the user. The processor may verify that the requesting entity is authorized by the user to receive the specified information. The processor may identify a source entity managing the specified information and may access the specified information from the source entity using an identifier identifying the user with respect to the source entity. The processor may provide the specified information to the requesting entity.
Type: Application
Filed: August 12, 2014
Publication date: August 3, 2017
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventors: Chandra KAMALAKANTHA, Parag DOSHI
-
Publication number: 20170220820
Abstract: The present invention is capable of determining the rights to a file based on providing a descriptor. The descriptor can be calculated using an algorithm, which may be cryptographic and/or non-cryptographic. The descriptor may further be based on the file contents, metadata of the file, other file data, or any combination thereof to uniquely identify the file in a shared file repository. Since the descriptor is generated based on file data it will be the same regardless of which user generates it. Accordingly, only one copy of the file needs to be maintained in the shared file repository, thereby reducing the amount of network bandwidth required to assure the file is backed up and further reducing the amount of storage required to backup the files. This results in a vastly more efficient method of backup in terms of processing time, network bandwidth, and storage requirements.
Type: Application
Filed: April 19, 2017
Publication date: August 3, 2017
Inventor: Hadley Rasch Young
-
Publication number: 20170220821
Abstract: The present invention prevents unauthorized functions from being installed to a predetermined storage unit in the background through a communication function that is being used for authorized communication operations and further prevents confidential information from being read out and stolen from the predetermined storage unit. A semiconductor device adopts an exclusive control unit that exclusively controls communication performed by a communication unit capable of communicating with the outside and access to a predetermined storage unit. For example, the communication status of the communication unit is determined based on whether a communication clock is active or inactive, and the exclusive control is exercised based on the determination result.
Type: Application
Filed: April 19, 2017
Publication date: August 3, 2017
Inventor: Takashi Honzumi
-
Publication number: 20170220822
Abstract: A secure provisioning manifest used to authenticate and securely communicate with peripherals attached to a computer is provided with techniques to learn about a new peripheral not authorized to be attached to the computer and possibly gain authorization for the peripheral. A secure I/O module, that is separate from an operating system and transaction software executed by a processor of the computer, uses the secure provisioning manifest to authenticate and establish a secure encrypted session for communicating with each peripheral authorized to be attached to the computer. When an unauthorized peripheral is found, identifying information for the peripheral is transmitted to an enterprise provisioning server with a request to authorize the peripheral.
Type: Application
Filed: March 13, 2017
Publication date: August 3, 2017
Inventors: Erick Christian Kobres, Ron William Rogers
-
Publication number: 20170220823
Abstract: A system, method, and computer-readable medium are disclosed for providing enhanced security to a wireless monitor, comprising: establishing a connection between the wireless monitor from a first device; generating a session identification for a human interface design (HID) input after the connection is established, the session identification enabling activities of an I/O device to be accepted by the wireless monitor; encrypting the activities of the I/O device to provide encrypted I/O device activities; providing the encrypted I/O device activities to the first device; and, decrypting the encrypted I/O device activities at the first device.
Type: Application
Filed: February 2, 2016
Publication date: August 3, 2017
Applicant: Dell Products L.P.
Inventors: Boon Kiat Law, Shohrab Sheikh, Siew Fei Lee
-
Publication number: 20170220824
Abstract: A USB media storage device includes a housing and USB flash drive mounted in the housing. A faceplate is mounted to the housing to indicate the content stored on the USB flash drive. The media stored on the USB flash drive is copy protected.
Type: Application
Filed: February 2, 2017
Publication date: August 3, 2017
Inventor: Joseph O'Brien
-
Publication number: 20170220825
Abstract: A counter to monitor an amount of tool use that includes a fluid passage (23) with an inlet (21) and an outlet (22). A piston (30) and sensor target (50) (e.g., magnet) are positioned along the passage and are biased towards a first position by a biasing member (40). When the tool is not in operation, the piston and sensor target are located at a first position due to the biasing force. When the tool is in operation, fluid moves along the fluid passage. A force applied by the moving fluid on the piston and sensor target overcomes the force applied by the biasing member and moves the piston and sensor target along the fluid passage to a second position. A sensor is configured to sense the sensor target at the second position. A processing circuit (62) determines the tool usage based on the detection of the sensor target at the second position by the sensor.
Type: Application
Filed: October 5, 2015
Publication date: August 3, 2017
Applicant: Apex Brands, Inc.
Inventors: Yen-Chien Wang, Lincoln Coleman Wilkes, Kevin William Myhill
-
Publication number: 20170220826
Abstract: A magnetic stripe reader including a base element defining a first spring seat, a magnetic module support element arranged for limited pivotable motion relative to the base element and defining a second spring seat, a generally truncated conical spring having a first, relatively large diameter end seated in the first spring seat and a second, relatively small diameter end seated in the second spring seat and a magnetic module fixedly mounted onto the magnetic module support element.
Type: Application
Filed: February 3, 2016
Publication date: August 3, 2017
Applicant: VERIFONE, INC.
Inventors: Bolling CHEN, Steve HSU