Abstract: Systems and methods of determining image characteristics are provided. More particularly, a first image having an unknown characteristic can be obtained. The first image can be provided to a plurality of user devices in a verification challenge. The verification challenge can include one or more instructions to be presented to a user of each user device. The instructions being determined based at least in part on the first image. User responses can be received, and an unknown characteristic of the first image can be determined based at least in part on the received responses. Subsequent to determining the unknown characteristic of the first image, one or more machine learning models can be trained based at least in part on the determined characteristic.

Abstract: Systems and methods for sequential matching during user authentication are disclosed. A process for authenticating includes acquiring a first set of biometric data during a first authentication attempt and comparing the first set of biometric data with a set of enrollment data. The process further includes acquiring a second set of biometric data during a second authentication attempt, the second authentication attempt being subsequent to the first authentication attempt; comparing the second set of biometric data with the set of enrollment data; and forming a match score based analysis of the first set of biometric data, the second set of biometric data and the set of enrollment data. The process authenticates the user when sufficient confidence of a match exists.

Abstract: A fingerprint recognition method and device for a touch screen, and a touch screen. The fingerprint recognition method for a touch screen includes: determining a fingerprint code input by a user; and comparing the fingerprint code input by the user with at least two pre-set fingerprint codes, and when the fingerprint code input by the user is the same as a fingerprint code in the at least two pre-set fingerprint codes, executing an operation corresponding to the fingerprint code. The fingerprint recognition method and device and the touch screen can improve the security of the touch screen, so as to ensure the personal and property safety of a user.

Abstract: There is provided a fingerprint authentication method. The method includes a first step of acquiring measurement data for a part of a fingerprint, a second step of calculating a matching rate by comparing the measurement data with at least one of a plurality of registration data, a third step of determining whether the matching rate is equal to or greater than a threshold and whether the measurement data has been previously processed for an authentication, a fourth step of calculating a security level accumulation value based on a result of the third step, and a fifth step of determining whether the security level accumulation value is equal to or greater than a threshold. If NO in the fifth step, processes of the first to fifth steps are repeated. If YES in the fifth step, a success of the authentication is determined and outputted.

Abstract: Techniques are provided for determining two or more user-specific parameters that can be measured or obtained using various methods, and using values of the two or more user-specific parameters to uniquely identify or authenticate an individual. Examples of the user-specific parameters may include biometric parameters, textual-based parameters, a combination of biometric parameters and textual-based parameters, and the like.

Abstract: A system that incorporates teachings of the subject disclosure may include, for example, obtaining a group of facial objects detected from an image captured by a camera coupled with a media device where the facial objects correspond to a plurality of users, determining authentication information for each of the plurality of users based on the facial objects, and providing the authentication information to a group of content service systems for enabling the media device to access aggregated media services from the group of content service systems. Other embodiments are disclosed.

Abstract: An approach is provided for configuring one or more mobile devices to one or more services associated with at least one structure based on various contexts, access criteria, and/or security levels. The access platform determines proximity information of one or more devices with respect to at least a first access point, a second access point, or a combination thereof associated with at least one structure. The access platform next processes and/or facilitates a processing of the proximity information to determine one or more roles, one or more accesses, one or more rights, or a combination thereof. The access platform then determines one or more services to make available based, at least in part, on the one or more roles, the one or more accesses, the one or more rights, or a combination thereof.

Abstract: The method disclosed herein provides for performing device authentication based on the of proximity to another device, such as a key device. When a key device is not near a mobile communications device, an unlock screen is allowed to be presented on a display screen. Based on the mobile communications device receiving a first code to unlock the mobile communications device, the mobile communications device is unlocked in a first mode.

Abstract: There are provided systems and methods for visual data processing of mimed images for authentication. Authentication may be required for a user and/or an account of the user, for example, to verify the identity of the user or allow the user to access and use the account of the user. As an additional factor to authentication, increased authentication may be accomplished through who and what the user is, such as through facial recognition and biometrics of the user. During authentication, the user may be presented with a set of images or icons, such as digital emojis, that convey and emotion or idea. The user may be asked to mimic the emojis during authentication, where the user's facial expression is recorded. To authenticate the user, the recorded data may be compared to past data through facial recognition processing and image analysis to find similarities.

Abstract: A determination is made if user selected graphic elements, from a set of graphic elements, matches designated security criteria. Data is received where such data represents the selection of graphic elements by a user from a set of graphic elements. A determination is made by a security system if the selected graphic elements have at least one at least one physical characteristic and at least one spatial characteristic that match a security criteria. When the selected graphic elements match the security criteria defined by a profile, the user is granted access to a secured system.

Abstract: An information handling system has a secure data storage partition allocation. Access to the secure storage partition is limited to a set of authorized functions authorized to access the secure storage partition. The authorization of a function may be determined by a unique identification corresponding to the function or a reverse trace.

Abstract: A self-adaptive security framework for a device is disclosed. A first security level for a device is set wherein the first security level comprises procedures that authenticate a user and allow the user to access the device. Input from sensors associated with the device may be received at a contextual sensing engine, wherein the input at least includes location data, and wherein at least a portion of the input is related to a physical setting where the device is located. A threat level for the device is determined in the physical setting via the contextual sensing engine based on analyzing the input. The first security level is altered to a second security level to provide an altered threat response for the device based on the threat level wherein the second security level has different procedures to authenticate the user compared to the first security level.

Abstract: A fine grained permission method and system that parameterizes permissions based on an objective criterion. The method includes accessing libraries of application programs requiring a permission, automatically extracting types of the parameters and respective corresponding fields read by the libraries requiring the permission, filtering the extracted types of parameters and fields based on a usage criteria to determine a filtered type of parameter and field for the permission and storing the filtered type parameter and field for the permission in a database. A request for a permission is passed to a fine grained permission module which obtains the filtered type of parameter and field for the permission, determines a specific parameter for the permission based on the filtered type of parameter and field and parameterizes the permission using the specific parameter. Downloading of the application program is completed by limiting the permission based on the specific parameter.

Abstract: In one embodiment, a file comprising a disk image and a key blob is prepared. The file is attached to a virtual machine configuration. A virtual machine based on the virtual machine configuration is launched. A kernel is paired to the key blob by a kernel driver paired to the key blob reading secret comprising identity information into the kernel of the virtual machine. The identity information is registered with a kernel service. The attached file is ejected from the virtual machine configuration. The identity information is accessed by an application running on the virtual machine, wherein the identity information is used by the application when the kernel service requires identity information. Related hardware and systems are also described.

Abstract: Systems and methods for determining trust levels for components of a computing application including a development framework, a trust matrix, a trust level calculation module, a visual design subsystem, and a deployment subsystem, where trust levels are associated with components, combinations of components, graphs, and blueprints, where trust levels relate to categories of use.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.

Abstract: A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.

Abstract: A method and apparatus for detecting kernel data structure tampering are disclosed. In the method and apparatus, a memory region of a computer system is scanned for one or more characteristics of a kernel data structure of an operating system kernel. It is then determined, based at least in part on identifying whether the one or more characteristics are found in the memory region, whether the kernel data structure is stored in the memory region of the computer system for tampering with the kernel data structure.

Abstract: Examples of techniques for detecting harmful applications prior to installation on a user device are disclosed. In one example implementation according to aspects of the present disclosure, a computer-implemented method includes: analyzing, by a processing device, a plurality of reviews for each version of a plurality of versions of an application to determine, based on each of the plurality of reviews, whether each version of the plurality of versions is harmful; and responsive to determining that a particular version of the plurality of versions is harmful, preventing a user from installing the particular version.

Abstract: An electronic device is provided. The electronic device includes a memory configured to store an application and first unique information of the application, and at least one processor operatively connected with the memory. The at least one processor is configured to divide code of the application into a plurality of segments, select at least one segment among the plurality of segments, create second unique information in relation to the at least one segment, compare the first unique information and the second unique information, and determine whether the code of the application has been tampered with, based on a result of the comparison of the first unique information and the second unique information.

Abstract: Apparatus for identifying the functionality and structure of an executable, for examining and classifying the executable, consisting of a computerized hardware device being in communication with a computer and comprising: a first memory for storing characterizing patterns obtained offline; a second memory for temporary storing a file or a data stream to be tested; a processor, adapted to upload the characterizing patterns to the first memory, upon receiving an executable data stream to be tested from the computer; receive the data stream from the computer and store it in the second memory; compare the HASH or XOR result of the tested data stream to the stored characterizing patterns; copy the region in the tested data stream which is about the size of a function is to a temporary storage region in the second memory; replace the RVA fields with a predetermined constant value or a predetermined sequence; check the values in the RVA fields to verify whether they are compatible with the type of the required CPU a

Abstract: The present disclosure discloses an information processing method, including the steps of acquiring at least one executable file of a specified type; extracting a first operation instruction from the at least one executable file of the specified type; determining the first operation instruction as a feature instruction if a preset policy is met; extracting a feature value of the feature instruction; constructing a virus classification model based on the feature value of the feature instruction for obtaining a virus structural feature parameter; extracting a second operation instruction from at least one to-be-analyzed file when the at least one to-be-analyzed file is identified according to the virus classification model; and identifying the to-be-analyzed file as a virus file if the feature value of the second operation instruction corresponds to the virus structural feature parameter.

Abstract: A system, method and computer program for a scanning service is presented. A scanning service compatible with a cloud storage system is configured to receive notifications from a cloud storage service about storage event activity and to access data in the cloud storage service. The scanning service receives a notification regarding storage activity related to a file in the data. After the completion of the storage activity, the scanning service receives the file from the cloud storage service and scans the file. When a determination is made based on the scan that at least a portion of the file should not be distributed then an action is taken with respect to the cloud storage service based on the determination that at least a portion of the file should not be distributed.

Abstract: In some embodiments, a processor can receive an input string associated with a potentially malicious artifact and convert each character in the input string into a vector of values to define a character matrix. The processor can apply a convolution matrix to a first window of the character matrix to define a first subscore, apply the convolution matrix to a second window of the character matrix to define a second sub score and combine the first subscore and the second subscore to define a score for the convolution matrix. The processor can provide the score for the convolution matrix as an input to a machine learning threat model, identify the potentially malicious artifact as malicious based on an output of the machine learning threat model, and perform a remedial action on the potentially malicious artifact based on identifying the potentially malicious artifact as malicious.

Abstract: A method and system of determining a vulnerability of software. Libraries are downloaded and stored in a database. For each library, a set of features are extracted and stored in a library index table of the database. For each library, it is determined whether it poses a security concern and flagged accordingly in the library index table. Applications are downloaded and stored in the database. For each application a set of features are extracted and stored in an application index table of the database. For each application, the set of features of the application of the application are compared to the set of features of each of the libraries in the library index table to identify which libraries in the library index table are associated with the application. For each application, a name of the application and names of the associated libraries are stored in a vulnerability reference table in the database.

Abstract: A computer system is securely booted by executing a boot firmware to locate a boot loader and verify the boot loader using a first key that is associated with the boot firmware. Upon verifying the boot loader, computer system executes the boot loader to verify a system software kernel and a secure boot verifier using a second key that is associated with the boot loader. The secure boot verifier is then executed to verify the remaining executable software modules to be loaded during boot using a third key that is associated with the secure boot verifier.

Abstract: A computer system is securely booted by executing a boot firmware to locate a boot loader and verify the boot loader using a first key that is associated with the boot firmware. Upon verifying the boot loader, computer system executes the boot loader to verify a system software kernel and a secure boot verifier using a second key that is associated with the boot loader. The secure boot verifier is then executed to verify the remaining executable software modules to be loaded during boot using a third key that is associated with the secure boot verifier. During boot, state data files of the computer system are mounted in a namespace that is isolated from the namespaces in which the executable software modules are mounted.

Abstract: A computer system is rebooted upon crash without running platform firmware and without retrieving all of the modules included in a boot image from an external source and reloading them into system memory. The reboot process includes the steps of stopping and resetting all of the processing units, except one of the processing units that detected the crash event, selecting the one processing unit to execute a reboot operation, and executing the reboot operation to reboot the computer system.

Abstract: Technologies for configuring a launch enclave include a computing device having a processor with secure enclave support. A trusted execution environment (TEE) of the computing device stores a launch enclave hash in a launch enclave hash table in secure storage and provisions the launch enclave hash to platform firmware at runtime. The TEE may receive the launch enclave hash via trusted I/O. The platform firmware sets a configure enclave launch bit and resets the computing device. On reset, the TEE determines whether the launch enclave hash is allowed for launch. The TEE may evaluate one or more launch configuration policies and may select a launch enclave hash based on the launch configuration policies. If allowed, the platform firmware writes the launch enclave hash to a model-specific register of the processor, and the launch enclave may be loaded and verified with the launch enclave hash. Other embodiments are described and claimed.

Abstract: As disclosed herein a computer-implemented method includes receiving a request to perform selective data encryption on captured content corresponding to a computing device. The method further includes determining whether the captured content includes encoded printable characters, and responsive to determining that the captured content includes the encoded printable characters, encrypting the encoded printable characters within the captured content to provide encrypted captured content. A computer program product and a computer system corresponding to the above method are also disclosed herein.

Abstract: A cloud based system for providing data security, the system having a processor which creates a source data file; wherein the source data file is split into at least one fragments; an encryption key associated with the at least one fragments; and wherein the at least one fragments is encrypted by the encryption key; a plurality of cloud storage providers; wherein the at least one fragments is distributed among the plurality of cloud storage providers whereby no single cloud storage provider possesses all of the at least one fragments; a pointer file which is created on a local computer; wherein the pointer file stores the location of the at least one fragments; and wherein the pointer file is accessed; the encryption key authenticates the plurality of cloud storage providers; the at least one fragments are transferred from the plurality of cloud storage providers to the local computer; and wherein the at least one fragments are reassembled; and the source data file is deleted.

Abstract: As disclosed herein a computer-implemented method includes receiving a request to perform selective data encryption on captured content corresponding to a computing device. The method further includes determining whether the captured content includes encoded printable characters, and responsive to determining that the captured content includes the encoded printable characters, encrypting the encoded printable characters within the captured content to provide encrypted captured content. A computer program product and a computer system corresponding to the above method are also disclosed herein.

Abstract: Embodiments of the present invention disclose methods and systems which receive a user credential corresponding to a user, a task to be performed by the user, a security policy including a user role, and sensitive information. These methods and systems dynamically provision virtual machines including un-redacted information from received sensitive information. Furthermore, a set of tools process the redacted information, based on the user credential, the task to be performed, and the security policy.

Abstract: A system and method for executing privileged code in a process are described. The method includes establishing, by an authorized library, a privileged function. The privileged function has a first privilege level used by a processor that is executing the privileged function, while preserving a different privilege level for a process invoking the privileged function. The method includes communicating, to a computer process, access information of the privileged function, to allow the computer process to invoke the privileged function. The method includes executing the privileged function for the computer process. Executing the privileged function includes setting a processor that is being used by the computer process to use the first privilege level associated with the privileged function, executing the privileged function with that processor at the first privilege level, then restoring that processor to a previous privilege level, and returning control of that processor to the computer process.

Abstract: A sending processing environment establishes a connection with a receiving processing environment for purposes of providing data during a communication session from the sending environment to the receiving environment. The communication session is monitored and the data being sent is intercepted. The data is rendered from a first format that the data was sent in into an innocuous format that is incapable of being executed on any computing device. The data in the innocuous format is then provided to the receiving environment where the data can only be viewed.

Abstract: The invention relates to a transaction method, the method including the steps of: providing a tenninal including a main processor, a graphic processor controlling a display, and a control member, the graphic processor including a memory bank which cannot be accessed from the outside; creating a link between the graphic processor and a secure processor , the link being secured by means of an encryption key shared only by the graphic processor and the secure processor; presenting first data to the user; to collecting second data from commands entered by the user by means of the control member, in connection with the first data; transmitting the second data to the secure processor; and, if the user has been authenticated from the second data, carrying out the transaction, the secure link being used to transmit the first and/or second data, and/or to carry out the transaction.

Abstract: A printing system includes: a program of a printer drive; and printers, wherein the printing system encrypts part of a print job and transmits the print job to the printer, the printer includes a setting unit configured to receive a setting of a new encryption key, a storage unit, an encryption unit configured to generate new encryption key information, a search unit configured to search a network for a printer, a transmission unit configured to transmit the new encryption key information to the printer, a notification unit configured to notify the printer driver of apparatus information, a receiving unit configured to receive the new encryption key information, a decryption unit configured to decrypt the new encryption key information, and a change unit configured to change an encryption key, and the program of the printer driver acquires the new encryption key, and changes an encryption key to the new encryption key.

Abstract: A first data encryption key is stored on a storage device. The first data encryption key, a first key encryption key obtained from first information received from a host system, and second information that is received from a source other than the host system are used to generate a second data encryption key that can be used to encrypt and decrypt data stored on the storage device. The second information may be sent from the source to the storage device only if a condition is satisfied.

Abstract: An assumed use permission range storage stores a predetermined assumed use permission range. An unavailable state storage stores an information asset in an unavailable state by encryption. An available state storage stores an information asset in an available state by decryption. A leakage-concerned state storage stores an information asset in a leakage-concerned state. When use of an information asset in the unavailable state is requested by an application corresponding to the assumed use permission range, a state changing part decrypts the information asset into the available state. When use of the information asset in the available state by the application ends, the state changing part encrypts the information asset into the unavailable state. When use of an information asset in the unavailable state is requested by an application not corresponding to the assumed use permission range, a state monitoring part puts the information asset in the leakage-concerned state.

Abstract: Provided is a data management method and system. A data management method executed by an electronic device configured as a computer may include setting a first password for allowing access to data stored on the electronic device; setting a second password for deleting the data or blocking access to the data; providing a user interface for inputting a password; and processing the input password by allowing access to the data in response to an input of the first password through the user interface or by deleting the data or blocking access to the data in response to an input of the second password through the user interface.

Abstract: Lightweight trusted execution technologies for internet-of-things devices are described. In response to a memory request at a page unit from an application executing in a current domain, the page unit is to map a current virtual address (VA) to a current physical address (PA). The policy enforcement logic (PEL) reads, from a secure domain cache (SDC), a domain value (DID) and a VA value that correspond to the current PA. The PEL grants access when the current domain and the DID correspond to the unprotected region or the current domain and the DID correspond to the secure domain region, the current domain is equal to the DID, and the current VA is equal to the VA value. The PEL grants data access and denies code access when the current domain corresponds to the secure domain region and the DID corresponds to the unprotected region.

Abstract: A system and method for virtual portioning of content on a mobile device, comprising assigning each content of the plurality of content stored on the mobile device one or more tags based on a predefined environment information, identifying, a surrounding environment surrounding the mobile device in real time, associating a tag with the identified surrounding environment wherein the tag is one of the one or more tags assigned to each of the plurality of content; and controlling access to the plurality of content stored on the mobile device wherein access is granted to a portion of the content when at least one of the one or more tags assigned to each of the portion of the content matches the tag associated with the identified environment.

Abstract: A computing system for redacting and/or tokenizing non-public information of electronic documents obtained from monitored communications includes a data redaction computing device and/or a data tokenization computing device, a communications network, and a database storing computer executable instructions for analyzing information associated with a plurality of electronic documents stored communicated via the computing network. The computer executable instructions may cause the data redaction/tokenization computing device to identify non-public information in one or more of the plurality of electronic documents and/or at least one of a document type, a source of the electronic document, and a destination to which the electronic document is to be communicated. Based on this analysis, the data redaction/tokenization computing device may modify the electronic document to redact and/or tokenize the non-public information based on the computer executable instructions retrieved from the second database.

Abstract: A method for sharing identity information is disclosed. The method is performed at one or more devices. The one or more devices obtain identity information of a user and facilitate storing, at a first device, a document that includes the identity information of the user. The document is stored in one or more encrypted containers. The one or more devices receive, from a second device of a third party, a request for at least a part of the identity information of the user. A request is sent to a client device, requesting authorization to release the requested part of the identity information to the third party. Device authorization to release the requested part of the information to the third party is received from the client device. In response to receiving the authorization, the one or more devices facilitate sending the requested part of the information to the third party.

Abstract: An information processing system including an information processing apparatus, a terminal, and a determination apparatus, wherein the information processing apparatus is configured to generate first information and second information based on first decryption information and specified condition information, an encrypted data file is decrypted by using the first decryption information, transmit the first information to the terminal, and transmit the second information to the determination apparatus, wherein the terminal is configured to receive the first information, and transmit the first information and input information to the determination apparatus when the terminal requests the decryption of the encrypted data file, and wherein the determination apparatus is configured to generate second decryption information based on the first information, the second information and the input information, and transmit the generated second decryption information, the transmitted second decryption information being used

Abstract: The system may comprise receiving a data element, and receiving an encryption key and an associated encryption key identifier from an encryption keystore database. The system may further comprise transmitting the data element to an encryption module for encryption using the encryption key to form an encrypted data element. The system may also comprise receiving the encrypted data element from the encryption module and concatenating the encryption key identifier with the encrypted data element to form a protected data field entry.

Abstract: In one aspect, a computerized Encrypted Drive System (EDS) server useful for keyword extraction and indexing server of includes a computer store containing data, wherein the data. The data includes an unencrypted document file and a computer processor in the EDS server. The computer processor obtains the unencrypted document file from the computer store. The computer processor extracts a keyword information from the unencrypted document file. The keyword information comprises of a set of keywords appearing in the unencrypted document file. The computer processor includes one or more colors from the color-set of each keyword into a document color-index of the unencrypted document file. The computer processor generates a Bloom filter encoding a set of keywords stored in a metadata field and the unencrypted document file, and wherein the Bloom filter is used to represent the set of keywords in the unencrypted document file.

Abstract: Privacy violation detection of a mobile application program is disclosed. Regular histories of the mobile application are mined. A call-graph representation of the mobile application program can be created and sequences of events of interest according to the platform specification of the mobile application can be collected. A plurality of learnable features are extracted from the regular histories. The plurality of learnable features are combined into a single feature vector which is fed into a machine-learning-based classification algorithm. Whether the mobile application program includes one or more permissions for accessing unauthorized privacy data of a mobile application user is determined based on a machine learning classification of the single feature vector. The collected sequences can be reduced into a plurality of feature vectors which can include at least one of a happens-before feature and a multiplicity of occurrences feature.

Abstract: Systems and methods are disclosed for preserving patient privacy while transmitting health data from one geographic region to another geographic region for data analysis. One method includes receiving patient-specific health data including patient privacy information at a first region; removing the patient privacy information from the patient-specific health data to generate anonymous health data; storing the patient privacy information at the first region; and transmitting the anonymous health data to a second region for analysis.

Abstract: A method, at a terminal in a digital communications network, comprising: establishing direct or indirect communication access and linkage between the user-operated terminal and at least one remote computer(s) on which are stored, or by which access is available to prevent legible display of, stored user account object data; displaying indicia, or broadcasting data, representative of or indicating one or more predetermined criteria for selecting a subset of the stored user account object data; collecting data, representative of, or indicating, only the subset of the stored user account object data; and transmitting instructions to prevent legible display of the subset of the stored user account object data, according to the collected data representative of, or indicating, the one or more predetermined criteria for selecting the subset of the stored user account object data, from the terminal to the at least one remote computer(s). A terminal, system, and computer readable medium are also disclosed.