Patents Issued on November 2, 2017
  • Publication number: 20170317981
    Abstract: Implementations provide for extending an authentication protocol to dynamically create a per user end to end encryption over a multi-hop path for data traffic, which provides an automatic triggering of authentication on each hop of a path when a client joins the network. A device includes a processor that is configured to, in response to receipt of a request for authentication from an end device, perform an authentication protocol to authenticate with an authentication server via an authenticator device. When the authentication protocol is successfully performed, the processor is configured to receive a message indicating that the device was successfully authenticated by the authentication server. The processor is configured to create a pairwise master key (PMK) from the parameters, and derive a pairwise temporary key (PTK) from a key derivation function seeded by the PMK. The processor is configured to encrypt, using the PTK, a message from the end device.
    Type: Application
    Filed: May 1, 2017
    Publication date: November 2, 2017
    Inventor: Philippe Klein
  • Publication number: 20170317982
    Abstract: An electronic device has an operational unit for communication. The operational unit is provided with a first interface unit for secure communication and a second interface unit for insecure communication. To provide electronic devices, in which the manipulation of information that is transmitted via the first interface unit is made at least more difficult, the operational unit is separated into a secure operational block and an insecure operation block and has only a first transmitter unit, the first interface unit being arranged in the secure operational block and the second interface unit being arranged in the insecure operational block, and the first transmitter unit is designed for transmitting first signals only from the secure operational block via a first signal path to the insecure operational block.
    Type: Application
    Filed: May 1, 2017
    Publication date: November 2, 2017
    Applicant: KROHNE Messtechnik GmbH
    Inventor: Holger GLASMACHERS
  • Publication number: 20170317983
    Abstract: Disclosed are devices and methods for processing an image document in a client-server environment such that privacy of text information contained in the image document is preserved. Specifically, in a client-server environment, an image document can be processed using a local computerized device of a client to create an obfuscated document by identifying word images in the image document and scrambling those word images. The obfuscated document can be received by a server of a service provider over a network (e.g., the Internet) and processed by previously trained software (e.g., a previously trained convolutional neural network (CNN)) to recognize specific words represented by the scrambled images in the obfuscated document without having to reconstruct the image document. Since the image document is neither communicated over the network, nor reconstructed and stored on the server, privacy concerns are minimized.
    Type: Application
    Filed: April 28, 2016
    Publication date: November 2, 2017
    Applicant: XEROX CORPORATION
    Inventor: PRAMOD SANKAR KOMPALLI
  • Publication number: 20170317984
    Abstract: Disclosed herein are systems and methods for protecting user privacy in networked data collection. One embodiment takes the form of a method that includes obtaining a user-data request that is associated with a requesting party. The method also includes preparing a first candidate response to the user-data request, where the first candidate response is based at least in part on data that is associated with a first user. The method also includes receiving additional candidate responses that are respectively based on data that is respectively associated with a plurality of additional users. The method also includes determining a privacy level of the first candidate response based at least in part on the received plurality of additional candidate responses. The method also includes determining that the privacy level exceeds a privacy threshold, and responsively sending, to the requesting party, a user-data response associated with the user-data request.
    Type: Application
    Filed: October 2, 2015
    Publication date: November 2, 2017
    Inventors: Ville J. Ollikainen, Markku Kylänpää, Sari Eliisa Vainikainen, Asta I. Bäck
  • Publication number: 20170317985
    Abstract: A network device and a peripheral device for attachment with a medical imaging device provide for the encryption and conversion of a medical image into a secure and standardized image file format as well as the communication of the encrypted and/or converted image to a secure server on a remote network. The devices may monitor all medical image files generated on the medical imaging device and encrypt and convert selected medical image files for transmission to a remotely connected device on another network, such as a server or a mobile device. An encryption and conversion unit may be incorporated within the hardware and software of a medical imaging device or another network device in order to provide the capability for encrypting a medical image for transmission to a remote network and for converting the medical image to a format that is compatible with a destination device or network.
    Type: Application
    Filed: February 4, 2015
    Publication date: November 2, 2017
    Inventors: Martin Westin, Johanna Wollert Melin, Åsa Sjöblom Nordgren, John Axel Eriksson
  • Publication number: 20170317986
    Abstract: A decoder deployed in one or more terminals includes a computer readable storage medium storing program instructions, and a processor executing the program instructions, the processor configured to receive a noisy message and a noisy hash from the network, search for a pair of matching candidates for the hash and message from two row spaces of noisy message vectors using a shared secret with an encoder, and output, by the decoder, a decoded message if the searching is successful.
    Type: Application
    Filed: April 28, 2016
    Publication date: November 2, 2017
    Inventors: Xin HU, Wentao Huang, Jiyong Jang, Theodoros Salonidis, Marc Ph Stoecklin, Ting Wang
  • Publication number: 20170317987
    Abstract: A network system comprising a first network element and a second network element. The first network element is programmed to provide the step of first, communicating to the second network element a plurality of configuration parameter sets. Each configuration parameter set corresponds to a respective frame fragment and comprises a parameter value that differs in value from the parameter value in another configuration parameter set in the plurality of configuration parameter sets. The first network element also is programmed to provide the step of second, communicating a frame, to the second network element, in a plurality of frame fragments, wherein each frame fragment in the plurality of frame fragments is communicated according to a respective parameter value in the plurality of configuration parameter sets.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventors: Kumaran Vijayasankar, Mehul Soman, Arvind Kandhalu Raghu, Il Han Kim
  • Publication number: 20170317988
    Abstract: According to one embodiment, an electronic device includes a content transmitter. The content transmitter is configured to output a content item including first data and second data to one transmission path, by applying a first copyright protection system to copyright protection of the first data and applying a second copyright protection system to copyright protection of the second data. The first copyright protection system involves encryption of data to be copyright-protected. The second copyright protection system involves no encryption of data to be copyright-protected.
    Type: Application
    Filed: July 13, 2017
    Publication date: November 2, 2017
    Inventors: Noriyuki HIRAYAMA, Takashi KOKUBO
  • Publication number: 20170317989
    Abstract: A method is provided to enhance efficiency of sensor event data transmission over network. Specifically, a method is described to buffer a set of sensor data, to group one or more of the set of sensor data having a same type for batch processing. The batch processing includes compressing and securing operations on the grouped sensor data, and restore the original message sequence of the grouped sensor data.
    Type: Application
    Filed: July 19, 2017
    Publication date: November 2, 2017
    Inventors: Wei-Ting Chou, Chih-Hsiung Liu, Hao-Ting Shih, Joey H. Y. Tseng
  • Publication number: 20170317990
    Abstract: An electronic device is provided. The electronic device includes at least one processor that is configured to execute a first application in an REE, to execute a second application in a TEE, and to execute an agent that performs data transmission between the first application and the second application, a communication circuit configured to communicate with a server, and a secure memory area that is accessible by the TEE. The at least one processor is configured to obtain a random value from the server, to transmit a response message including the random value to the server through the communication circuit, to receive encrypted SIM data from the server, to obtain a SIM profile from the encrypted SIM data using a private key corresponding to the public key, and to store the obtained SIM profile in the secure memory area.
    Type: Application
    Filed: May 1, 2017
    Publication date: November 2, 2017
    Inventors: Soh Mann KIM, Sie Joon CHO
  • Publication number: 20170317991
    Abstract: To decrease a load on a network and a storage system, encryption operations can be offloaded to a server locally connected to the storage system. The server receives requests to perform encryption operations, such as LUN encryption or file encryption, for a host. The server obtains an encryption key unique to the host and performs the encryption operation using the encryption key. The server then notifies the host that an encrypted LUN or encrypted file is available for use. The host is able to utilize the encrypted data because the encryption was performed with the host's unique key. Since the server is locally connected to the storage system, offloading encryption requests to the server reduces the load on a network by reducing the amount of traffic transmitted between a host and the storage system.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventor: Christopher Lee Lionetti
  • Publication number: 20170317992
    Abstract: A security system makes secure exchanges between a services platform and a communicating thing, which includes a control device. The system further includes a server, referred to as a “mediation” server, which receives a message, referred to as a “first” message, from the services platform, encrypts the first message, and sends the encrypted first message to the communicating thing. The communicating thing is also fitted with an IC card that is distinct from the control device and that decrypts the encrypted first message and sends the decrypted first message to the control device. The encryption and decryption operations are performed by at least one secret key shared between the mediation server and the IC card.
    Type: Application
    Filed: November 4, 2015
    Publication date: November 2, 2017
    Inventors: Youssef Chadli, Antoine Mouquet
  • Publication number: 20170317993
    Abstract: An apparatus for user authentication based on tracked activity includes an activity tracker module, a challenge module, and an authentication module. The activity tracker module is configured to electronically track one or more activities of a user. Electronically tracking the one or more activities includes obtaining information about at least one activity from an electronic device of the user. The challenge module is configured to present an authentication challenge to the user via a user interface for the electronic device. The authentication challenge is based on the one or more electronically tracked activities for the user. The authentication module is configured to determine whether to authenticate the user for access to one or more resources via the electronic device, based on the user's response to the authentication challenge.
    Type: Application
    Filed: April 28, 2016
    Publication date: November 2, 2017
    Inventors: JOHN M. WEBER, GARY D. CUDAK, SHAREEF F. ALSHINNAWI, JOSEPH F. HERMAN
  • Publication number: 20170317994
    Abstract: Systems and methods of matching identifiers between multiple datasets are described herein. A system can transmit a first identifier vector to a third party server. The first identifier vector can include a first identifier, first parameters, and second parameters. The system can receive, from the third party server, the first identifier vector encrypted based on a third-party encryption. The system can receive, from the third party server, a second identifier vector encrypted based on the third-party encryption associated with the third party server. The second identifier vector can include a second identifier, third parameters, and fourth parameters. The system can determine a correlation count between the first identifier vector and the second identifier vector. The system can determine that the first identifier corresponds to the second identifier based on the correlation count. The system can generate one identifier key for both the first identifier and the second identifier.
    Type: Application
    Filed: July 14, 2017
    Publication date: November 2, 2017
    Applicant: Google Inc.
    Inventors: Mahyar Salek, Philip McDonnell, Vinod Kumar Ramachandran, Shobhit Saxena, David Owen Shanahan
  • Publication number: 20170317995
    Abstract: Methods and apparatuses are provided for automatic wireless connection to a digital device in a portable terminal. A phone number and an Electronic Serial Number (ESN) of the portable terminal are obtained. A Wireless Local Area Network (WLAN) is set to an Ad-hoc mode. A Service Set Identifier (SSID) of the WLAN is automatically generated using the phone number and the ESN of the portable terminal. A security key of the WLAN is automatically generated using the phone number and the ESN of the portable terminal. An Internet Protocol (IP) address for the WLAN is automatically generated using the phone number and the ESN of the portable terminal. The digital device is wirelessly connected to using the IP address for the WLAN.
    Type: Application
    Filed: July 19, 2017
    Publication date: November 2, 2017
    Inventors: Woo-Jin PARK, Jin-Hyoung KIM, Jin-Wook LEE, Je-Hyok RYU, Hun LIM, Shin-II KANG, Gene-Moo LEE
  • Publication number: 20170317996
    Abstract: Technologies for secure mediated reality content publishing include one or more mediated reality servers, multiple mediated reality listeners, and multiple mediated reality creators. The mediated reality server performs an attestation procedure with each listener based on a pre-provisioned attestation credential of that listener and provisions a session encryption key to each validated listener. The attestation procedure may validate a trusted execution environment of each listener. The mediated reality server generates aggregated mediated reality content based on protected mediated reality content received from the creators and generates an associated license that defines one or more content usage restrictions of the aggregated mediated reality content. The server sends the aggregated mediated reality content to the listeners, protected by the corresponding session encryption key.
    Type: Application
    Filed: May 2, 2016
    Publication date: November 2, 2017
    Inventors: Rajesh Poornachandran, Ned M. Smith, Vincent J. Zimmer
  • Publication number: 20170317997
    Abstract: Methods and systems of providing verification of the identity of a digital entity are provided, including receiving information and a public key of the digital entity, wherein the information has been previously attested to in an attestation transaction stored within a centralized or distributed ledger at an attestation address, the centralized or distributed ledger providing a record of transactions; deriving an attestation address using the information and the public key of the digital entity; verifying the existence of the attestation transaction at the attestation address in the centralized or distributed ledger and verifying that the attestation transaction has not been revoked; receiving at the processor associated with the user a cryptographic challenge nonce signed by the digital entity's private key; and verifying the digital entity's identity with the cryptographic challenge nonce signed by the digital entity's key.
    Type: Application
    Filed: April 28, 2017
    Publication date: November 2, 2017
    Inventors: Jonathan Robert Smith, Vinodan Karthikeya Lingham, John Driscoll, Iain Charles Fraser
  • Publication number: 20170317998
    Abstract: An improved system and method are disclosed for peer-to-peer communications. In one example, the method enables endpoints to securely send and receive messages to one another within a hybrid peer-to-peer environment.
    Type: Application
    Filed: July 17, 2017
    Publication date: November 2, 2017
    Inventors: SIVAKUMAR CHATURVEDI, SATISH GUNDABATHULA
  • Publication number: 20170317999
    Abstract: Presented herein are techniques for remotely releasing bootstrap credentials to a cloud management proxy device. In particular, a cloud management proxy device that is associated with a cloud system commences a boot operation. The cloud management proxy device then initiates a remote credential release process to obtain the bootstrap credentials, which are useable by the cloud management proxy device to complete the boot operation. Upon completion of the remote credential release process, the bootstrap credentials are received from a remote credential manager system.
    Type: Application
    Filed: April 27, 2016
    Publication date: November 2, 2017
    Inventors: Denis Knjazihhin, Yedidya Dotan, Christopher Duane, Jason M. Perry
  • Publication number: 20170318000
    Abstract: Embodiments of the invention are directed to systems and methods of user authentication for data services. The data services may include accessing a tax return at the IRS, accessing or completing a student loan application, accessing a credit report, etc. User authentication data is collected by a data provider and provided to a server computer, and user device data is collected by the server computer after the user device accesses a resource identifier (e.g., URL) associated with the server computer. The user authentication data and/or user device data is analyzed and a risk score is generated.
    Type: Application
    Filed: April 28, 2016
    Publication date: November 2, 2017
    Inventors: Brendan Xavier Louis, Craig O'Connell, Karl Newland, Douglas Fisher
  • Publication number: 20170318001
    Abstract: A method and corresponding computer system for authenticating a network resource are disclosed. The method comprises receiving an input at a computer system over a network, the input comprising a network resource identifier and information indicative of an authentication entity associated with the network resource; automatically identifying stored data using the information indicative of the authentication entity, the stored data comprising contact information associated with the authentication entity; automatically transmitting an electronic message to the authentication entity using the identified contact information, the electronic message providing the authentication entity with the network resource identifier and means for authenticating the network resource; and automatically storing the network resource identifier. A search engine for authenticated network resources and a method and corresponding computer system for authenticating an entity are also disclosed.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventor: Melanie Jane Eggers
  • Publication number: 20170318002
    Abstract: An information processing system performing highly secure broadcast authentication while reducing a delay until authentication, a communication amount, and a computation amount is provided. A server (100) generates authentication information for transmission data by combining a tag relating to the transmission data and a chain value associated in a chain with transmission order of the transmission data. The tag relating to the transmission data is generated by using a common key. The chain is generated by using a one-way function. A node (200) verifies whether a chain value associated with transmission order of data received in the past is generated or not by applying the one-way function to a chain value extracted by using a tag relating to the received data and authentication information for the received data. The tag relating to the received data is generated by using the common key.
    Type: Application
    Filed: October 20, 2015
    Publication date: November 2, 2017
    Applicant: NEC CORPORATION
    Inventor: Toshihiko OKAMURA
  • Publication number: 20170318003
    Abstract: A method for alerting Internet content providers of the age or other personal information of a computer user, which includes receiving a reverse DNS lookup query from an Internet content provider; and providing the age information of the computer user, in addition to a host name, from a reverse map zone file in response to the request. The personal information may be used by the content provider to select appropriate content for the requesting host, for example for complying with content restrictions. A system of alerting an Internet content provider of the age or other personal information of a computer user is also provided.
    Type: Application
    Filed: July 10, 2017
    Publication date: November 2, 2017
    Inventor: Gary Stephen SHUSTER
  • Publication number: 20170318004
    Abstract: A method and apparatus for authenticating a communication device is disclosed. A system that incorporates teachings of the present disclosure may include, for example, an authentication system having a controller element that receives from a communication device over a packet-switched network a terminal ID and a request to authenticate said communication device, generates a first registration ID, stores the first registration ID and a first communication identifier, transmits the first registration ID to the communication device, receives from an interactive response system a second communication identifier and a second registration ID that the interactive response system received during a communication session with the communication device over a circuit-switched network, and authenticates the communication device in response to detecting a match between the first and second communication identifiers and the first and second registration IDs. Additional embodiments are disclosed.
    Type: Application
    Filed: July 18, 2017
    Publication date: November 2, 2017
    Inventors: Edward Walter, Larry B. Pearson
  • Publication number: 20170318005
    Abstract: In an approach, a target computing device receives a pairing request from a controller computing device, the pairing request including controller credentials that were previously received by the controller computing device from an authentication server computer and encrypted under a service key. The target computing device forwards the pairing request to the authentication server, the authentication server computer being configured to return a pairing response based at least in part on the controller credentials. The target computing device receives the pairing which includes a shared secret encrypted under a target device key and the same shared secret encrypted under a controller key. The target computing device decrypts the shared secret encrypted under the target device key and forwards the shared secret encrypted under the controller key to the controller device. Using the decrypted shared secret, the target computing device establishes a secure connection to the controller computing device.
    Type: Application
    Filed: September 2, 2016
    Publication date: November 2, 2017
    Inventors: Jean-Marie White, Baskar Odayarkoil, Lee Adams
  • Publication number: 20170318006
    Abstract: The embodiments discussed herein relate to updating and encrypting passwords for one or more computing devices. The computing devices can be associated with a common user account. According to the embodiments discussed herein, the user can update a password of the user account at one computing device, and log into another computing device using the updated password without having to provide the current password for the other computing device. The embodiments incorporate a variety of encryption and key generation methods in order to safely transmit password updates between local computing devices. Specifically, the embodiments set forth methods and apparatus for generating and storing breadcrumbs that allow for decrypting a current password of a computing device using a new password.
    Type: Application
    Filed: April 27, 2017
    Publication date: November 2, 2017
    Inventors: Kevin N. ARMSTRONG, Per Love HORNQUIST ASTRAND, Steven M. WILLIAMSON
  • Publication number: 20170318007
    Abstract: An identification system for identifying a user accessing a website hosted by a web server with a user device, comprising a user database arranged to store data of a plurality of registered users. A device identifier is arranged to receive from the web server user device data indicative of a user device accessing the website, the device identifier being further arranged to compare the received user device data with the device identification data entries stored in the user database to determine if the user device corresponds to a registered user device and, if it is a registered user device, the device identifier being arranged to identify a user score from the data stored in the database associated with the identified registered user device. An indication setter is arranged to indicate one status of a plurality of defined statuses to the user via the user device accessing the website, wherein the indicated status corresponds to the user's score.
    Type: Application
    Filed: October 29, 2015
    Publication date: November 2, 2017
    Inventor: Adrian Xavier Cleeve
  • Publication number: 20170318008
    Abstract: A user of a client device establishes a secure connection to a server (or other) device without using public keys or third-party certification by entering only a subset of characters in a username associated with the user and a one-time-use password at the client device; an application on the client device collects information regarding the hardware, software, or network information related to the client device or biometric information related to the user. Data sent between the client and server is encrypted (and thereafter transmitted) using the subset of characters, one-time-use password, and collected information. Communications between the client and server may be monitored to detect a man-in-the-middle attacker, and a security strength may be varied accordingly.
    Type: Application
    Filed: July 7, 2017
    Publication date: November 2, 2017
    Applicant: TITANIUM CRYPT, INC.
    Inventor: Craig MEAD
  • Publication number: 20170318009
    Abstract: Protecting application passwords using a secure proxy. A request is received by a proxy from a client to access a protected resource located on a target server. A secure session is initiated between the proxy and client. The access request is forwarded by the proxy to the target. A response is received from the target that is a credential form. The proxy server injects into each required credential field a credential field tag and is sent to the client computer. Target credentials mapped by the credential field tags are retrieved by the proxy server from a protected datastore. The form is completed and sent to the target. If the credentials are invalid, the target credentials are updated and stored in the protected data store without client computer intervention, and sent by the proxy server to the target. The client computer is then allowed to access the protected resource.
    Type: Application
    Filed: July 25, 2017
    Publication date: November 2, 2017
    Inventors: Codur S. Pranam, Vivek Shankar
  • Publication number: 20170318010
    Abstract: A method and an apparatus for distinguishing humans from computers and for controlling access to network services. One intended application of the method is a CAPTCHA technique, deployed using a shared Trusted Computing technology over a trusted network of a user terminal, a network server, and a Trusted Party, any of which may be at a Decision Point. The method distinguishes a human user making a legitimate request for network access from a programmed computer making undesired requests, by detecting unusually high network access request frequencies made by an identifiable user and/or a trusted module from the user terminal. The CAPTCHA function is further used to improve the method for controlling access to network services. The information transmitted between the members of the trusted network may be encrypted.
    Type: Application
    Filed: May 17, 2017
    Publication date: November 2, 2017
    Inventors: Yingfang Fu, Yudong Zhang, Qian Zhang
  • Publication number: 20170318011
    Abstract: Disclosed is a user authentication method including at least: (1) performing a primary conversion to generate a first common authentication key and performing a secondary conversion to provide an encrypted first common authentication key, and registering the encrypted first common authentication key; (2) generating a first server authentication key, and performing an OTP operation on the first server authentication key to generate first server authentication information; (3) performing a primary conversion to generate a second common authentication key, performing a secondary conversion to generate an encrypted second common authentication key, generating a first user authentication key, and performing an OTP operation on the first user authentication key to generate first user authentication information; and (4) performing a user authentication or an authentication of the authentication server for determining a genuineness of the authentication server, based on coincidence of the first server authentication
    Type: Application
    Filed: March 20, 2017
    Publication date: November 2, 2017
    Inventors: Chang Hun YOO, Un Yeong HEO, Min Gyu KIM, Woo Yong SEO
  • Publication number: 20170318012
    Abstract: A system for automatic authentication of service requests includes authentication of a remote access device. This authentication may be accomplished automatically prior to text or audio communication between a customer and a service agent. In some embodiments, authentication is accomplished automatically by authentication of the remote access device or accomplished by asking the customer questions. A single authentication of the remote access device may be used to authenticate a service request transferred between service agents. The authentication of the remote device may include, for example, use of a personal identification number, a fingerprint, a photograph, and/or a hardware identifier. Some embodiments include an intelligent pipeline configured for managing queues of customer service requests and/or customer service agent control over a customer's access device. Some embodiments include logic configured to manage and enhance communication channels between devices.
    Type: Application
    Filed: July 26, 2016
    Publication date: November 2, 2017
    Applicant: UJET, Inc.
    Inventors: Hisun Kim, Eli Chen, Anand Janefalkar
  • Publication number: 20170318013
    Abstract: The disclosed embodiments illustrate methods for voice-based user authentication and content evaluation. The method includes receiving a voice input of a user from a user-computing device, wherein the voice input corresponds to a response to a query. The method further includes authenticating the user based on a comparison of a voiceprint of the voice input and a sample voiceprint of the user. Further, the method includes evaluating content of the response of the user based on the authentication and a comparison between text content and a set of pre-defined answers to the query, wherein the text content is determined based on the received voice input.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventors: Shourya Roy, Kundan Shrivastava, Om D Deshmukh
  • Publication number: 20170318014
    Abstract: Method and system for authenticating a session on a communication device. One method includes determining a use context of the communication device and an authentication status of the communication device. The method further includes determining a predetermined period of time based on at least one of the use context and the authentication status. The method further includes generating biometric templates based on at least one of the use context and the authentication status. The method further includes selecting a matching threshold for the biometric templates based on at least one of the use context and the authentication status. The method further includes comparing a match score of each of the biometric templates to the matching threshold to determine a passing amount of biometric templates with match scores that meet or exceed the matching threshold. The method further includes authenticating the session on the communication device.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventors: Michael F. Korus, Alejandro G. Blanco, Anthony R. Metke, George Popovich
  • Publication number: 20170318015
    Abstract: A user authorizes cross-platform interlinking or user data. The cross-platforms are mined for user-authorized data. The data is processed into graph data and metrics data. The graph data is presented as an interactive graph interface to a user that responds to user selections/directions to provide user-defined views and levels of detail.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventors: Nagendra Kumar Revanur, Yehoshua Zvi Licht, Girish Narang
  • Publication number: 20170318016
    Abstract: Technologies for supporting and implementing multiple digital rights management protocols on a client device are described. In some embodiments, the technologies include a client device having an architectural enclave which may function to identify one of a plurality of digital rights management protocols for protecting digital information to be received from a content provider or a sensor. The architectural enclave may select a preexisting secure information processing environment (SIPE) to process said digital information, if a preexisting SIPE supporting the DRM protocol is present on the client. If a preexisting SIPE supporting the DRM protocol is not present on the client, the architectural enclave may generate a new SIPE that supports the DRM protocol on the client. Transmission of the digital information may then be directed to the selected preexisting SIPE or the new SIPE, as appropriate.
    Type: Application
    Filed: July 18, 2017
    Publication date: November 2, 2017
    Applicant: INTEL CORPORATION
    Inventors: Ned M. SMITH, Nathan HELDT-SHELLER, Reshma LAL, Micah J. SHELLER, Matthew E. HOEKSTRA
  • Publication number: 20170318017
    Abstract: A flexible content sharing system may comprise a network based application built on a client device using information from dissociated user experience component (UXC), application logic and execution layer (ALEL), and content distribution system (CDS) payloads. An ALEL engine may communicate a request from the network based application to a CDS module. The CDS module may interface the ALEL engine and a CDS server. The ALEL engine can act as a gatekeeper and securely communicate requests from client devices to the CDS server. The CDS server is configured to manage and alert the ALEL of any enterprise policies that may be applicable to the client devices connected to the ALEL engine which, in turn, notifies the client devices to comply with the enterprise policies. The CDS server may synchronize any change made to the content by any of the client devices running network based applications.
    Type: Application
    Filed: July 18, 2017
    Publication date: November 2, 2017
    Inventor: James Storm
  • Publication number: 20170318018
    Abstract: A system and machine-implemented method of wireless network access are provided. An authentication request comprising credentials for a user account of a cloud-based service is received from a wireless client device. The authentication request is forwarded to a server associated with the cloud-based service for authentication of the user account credentials. A list of one or more network identifiers corresponding to networks for which access by the user account of the cloud-based service is authorized is received from the server. The received list of one or more network identifiers is sent to the wireless client device, wherein the received list of one or more network identifiers is sent to the wireless client device prior to the wireless client device being associated with the wireless local area network.
    Type: Application
    Filed: July 18, 2017
    Publication date: November 2, 2017
    Inventors: Jonathan HUANG, David BIRD
  • Publication number: 20170318019
    Abstract: A user may be authenticated to access an account, computing device, or other resource using gaze tracking. A gaze-based password may be established by prompting a user to identify multiple gaze targets within a scene. The gaze-based password may be used to authenticate the user to access the resource. In some examples, when the user attempts to access the resource, the scene may be presented on a display. In some examples, the scene may be a real-world scene including the user's real-world surroundings, or a mixed reality scene. The user's gaze may be tracked while the user is viewing the scene to generate login gaze tracking data. The login gaze tracking data may be compared to the gaze-based password and, if the login gaze tracking data satisfies the gaze-based password, the user may be authenticated to access the resource.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventors: John C. Gordon, Cem Keskin
  • Publication number: 20170318020
    Abstract: Described herein are various technologies pertaining to generating an activity feed for an entity hosted at a file hosting server. The activity feed includes a plurality of entries that are representative of activities undertaken with respect to the entity over time.
    Type: Application
    Filed: June 30, 2016
    Publication date: November 2, 2017
    Inventors: Kristen Kamath, Kirk Robert Myhre
  • Publication number: 20170318021
    Abstract: Autocompleting into an invite box for purposes of sharing an executable computing resource such as an application or portion thereof. However, the autocomplete is populated with potential sharees of multiple tenants or with identities that are not registered with the tenant directory of the user. Thus, potentially any potential sharee worldwide may be populated within the list of potential sharees. As the desired potential sharee comes into view, that potential sharee may be selected, and added to a list of one or more selected sharees. At some point, a control may be selected to allow the executable computing resource to be shared with the selected sharees within the list.
    Type: Application
    Filed: September 30, 2016
    Publication date: November 2, 2017
    Inventors: Anjli Chaudhry, William Hong Vong, Ryan A. Jansen, Samuel Lenz Banina, Jose Miguel Arreola Gutierrez
  • Publication number: 20170318022
    Abstract: An example technique may include determining a change in an assignment state for a network resource that is shared among a plurality of sharing partners in a wireless network, and determining, for one or more of the sharing partners, information access authorization for access to the resource information related to the network resource based on the determining the change in assignment state for protecting the resource information.
    Type: Application
    Filed: November 3, 2014
    Publication date: November 2, 2017
    Inventors: Eva Perez, Christian Markwart
  • Publication number: 20170318023
    Abstract: Current discovery mechanisms lack capabilities, such as capabilities related to permissions associated with a given registrant for example. In an example embodiment, a registrant of a service layer can communicate with a network node that hosts the service layer. The network node may receive a discovery request for a resource from the registrant. The discovery request may include various context. For example, the context of the discovery request may be indicative of an operation that the registrant intends to perform on the resource, a role that the registrant intends to assume if the registrant accesses the resource, a location in which the registrant intends to access the resource, or a subscription plan that the registrant intends to use if the registrant accesses the resource. Based on the context of the discovery request, the network node may determine whether one or more resources at the service layer satisfy the discovery request.
    Type: Application
    Filed: November 13, 2015
    Publication date: November 2, 2017
    Inventors: Dale N. SEED, William Robert FLYNN, Quang LY, Donald A. FLECK, Richard P. GORMAN, Nicholas J. PODIAS, Michael F. STARSINIC, Hongkun LI, Zhuo CHEN
  • Publication number: 20170318024
    Abstract: In one embodiment, a method includes receiving, from a client device of an author of a message, a request for a restricted ideogram to be inserted into a message; accessing social-networking information for the author; determining, based on the social-networking information for the author, whether the author is authorized to access the restricted ideogram; accessing social-networking information for a recipient user; determining, based on the social-networking information for the recipient user, whether the recipient user is authorized to access the restricted ideogram; and if the author and the recipient user are authorized to access the restricted ideogram, then sending, to the client device of the author, information to insert the restricted ideogram into the message.
    Type: Application
    Filed: July 20, 2017
    Publication date: November 2, 2017
    Inventors: David Ebersman, Samuel Lessin, Thomas Stocky, Michael Vernal
  • Publication number: 20170318025
    Abstract: Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.
    Type: Application
    Filed: July 10, 2017
    Publication date: November 2, 2017
    Applicant: Amazon Technologies, Inc.
    Inventor: Grant Alexander MacDonald McAlister
  • Publication number: 20170318026
    Abstract: A method for analyzing a software library may include obtaining the software library, identifying a candidate security-sensitive entity in the software library, and generating a control flow graph that includes execution paths. Each execution path may include a public entry node corresponding to a public entry and a candidate security-sensitive entity node corresponding to the candidate security-sensitive entity. The public entry is a point where an application program external to the software library may access the software library. The method may further include determining whether each execution path in the control flow graph includes a permission check node between the respective public entry node and the candidate security-sensitive entity node in the respective execution path. Each permission check node may correspond to a permission check in the software library.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventors: Yi Lu, Padmanabhan Krishnan, Raghavendra Kagalavadi Ramesh, Sora Bae
  • Publication number: 20170318027
    Abstract: A database activity monitoring service, operating independent of a database server, in response to intercepting a database server response issued by the database server comprising a result set associated with a dynamic database query, extracts a first selection of data from the result set, the first selection of data identifying one or more dynamic query elements of the dynamic database query as constructed by the database server at runtime. The database activity monitoring service determines whether the one or more dynamic query elements comply with one or more security policies. The database activity monitoring service, in response to determining that the one or more dynamic query elements fail to comply with at least one of the one or more security policies, issues a security alert.
    Type: Application
    Filed: April 29, 2016
    Publication date: November 2, 2017
    Inventor: LEONID RODNIANSKY
  • Publication number: 20170318028
    Abstract: A method for managing a private wireless network includes a processor that generates the private wireless network within a part of a coverage area of a local wireless network, the local wireless network established as overlay to a part of an existing wireless network; detects wireless devices within the part of the coverage area; locks each of the detected wireless devices to the processor; establishes an identity of each locked wireless device; allows a first class of identified wireless devices access to the private wireless network; and denies a second class of identified wireless devices access to the private wireless network.
    Type: Application
    Filed: July 16, 2017
    Publication date: November 2, 2017
    Inventors: Jay Salkini, Thomas Joseph, III, Youssef Dergham
  • Publication number: 20170318029
    Abstract: A computer-implemented method for controlling a connection between a virtual machine and a physical device comprises receiving a connection request for connecting the physical device to the virtual machine and determining whether the virtual machine satisfies a first connection permission condition and whether the physical device satisfies a second connection permission condition. In response to a determination that the virtual machine does not satisfy the first connection permission condition, a configuration of the virtual machine is changed to satisfy the first connection permission condition. In response to a determination that the physical device does not satisfy the second connection permission condition, a configuration of the physical device is changed to satisfy the second connection permission condition.
    Type: Application
    Filed: July 19, 2017
    Publication date: November 2, 2017
    Inventors: Sanehiro Furuichi, Takahito Tashiro
  • Publication number: 20170318030
    Abstract: Methods, apparatuses, and storage mediums are provided for acquiring a legitimate installation package in the field of computer technology. The method includes: acquiring characteristic information of a first installation package; sending the characteristic information to an authentication server; receiving a differential package fed back by the authentication server; and combining the differential package with the first installation package to obtain a legitimate installation package. The present disclosure solves the problem in the prior art that a user can only download a legitimate installation package of an application again to re-install the application when the user finds that malicious codes are implanted in an installed installation package of the application.
    Type: Application
    Filed: April 24, 2017
    Publication date: November 2, 2017
    Applicant: Beijing Xiaomi Mobile Software Co., Ltd.
    Inventors: Shuo LIU, Xuhua ZHANG, Dalong SHI