Abstract: A method for measuring biometrics of an object includes receiving an image of an object, modeling the object to identify a portion of the object, and measuring biometrics of the object based on a modeling result the object.

Abstract: In a method and system for populating multi-segment layouts with related multimodal medical images, a relationship is determined between subsets of the multimodal medical images. The relationship is used to determine selected subsets initially selected for display in respective segments of a segmented display. Appropriate images relating to selected subsets are used to populate the remaining display segments.

Abstract: A system for automated conversion and delivery of medical images, comprising: a communication interface; a data storage system configured to store data relating to the medical images; a server coupled with the data storage system and the communication interface, the server configured to: receive a medical image file via the communications interface, the medical image file comprising medical data and meta data, determine what fields are present in the meta data, correlate the determined fields with a modality in order to determine a modality associated with the medical image file, determine whether the data recorded in the fields has been altered, identify a recipient associated with the medical image file based on the meta data, and transmit a message to the recipient via the communication interface.

Abstract: This invention relates to a method of healthcare data handling by a trusted agent possessing or having an access to decryption keys for accessing healthcare data. A request is received from a requestor requesting accessing healthcare data. A log is generated containing data relating to the request or the requestor or both. Finally, the requestor is provided with an access to the healthcare data.

Abstract: A method for measuring physician efficiency and patient health risk stratification is disclosed. Episodes of care are formed from medical claims data and an output process is performed. Physicians are assigned to report groups, and eligible physicians and episode assignments are determined. Condition-specific episode statistics and weighted episode statistics are calculated, from which physician efficiency scores are determined.

Abstract: An example embodiment provides a method, including: receiving, at a tag affixed to a moveable object, a signal to wake the tag affixed to a moveable object; receiving, at the tag affixed to a moveable object, a request from at least one receiver for presence information associated with the moveable object; providing, from the tag affixed to a moveable object, identification information associated with the moveable object; transmitting, from the tag affixed to a moveable object, location data to the at least one receiver; transmitting, from the tag affixed to a moveable object, use state information associated with the moveable object; and returning the tag affixed to a moveable object to a sleep state. Related systems are also provided herein.

Abstract: Devices, systems, methods and arrangements are implemented in variety of manners. In a specific instance, a computer arrangement implements the following operations for a transaction involving a plurality of merchant offerings that are parseable by merchant offering identifiers. For a plurality of identified buyer accounts from which monetary payables (e.g., cash, credit and/or debit limits) are tracked, stored data sets are accessed that are indicative of types of merchant offerings to be associated with particular ones of the plurality of buyer accounts. Payment is facilitated for the items as a function of at least one of the plurality of buyer accounts. Payment is tracked for the items as a function of the merchant offering identifiers.

Abstract: Methods, apparatuses, and computer program products are described herein that are configured to provide remote access to a workstation operating in a medical domain via a zero configuration protocol. In some example embodiments, a method is provided that comprises activating a viewing application that is configured to connect to a remote workstation, via a zero configuration protocol, and enable a view of medical application data. The method of this embodiment may also include receiving an indication of a current patient context. In some example embodiments, the current patient context identifies the medical application data that is currently being viewed at the remote workstation relating a particular patient that is available for viewing in the viewing application. The method of this embodiment may also include accessing the medical application data in the viewing application based on the current patient context.

Abstract: Methods and systems for patient participatory care and monitoring are provided for applications including respiratory care, ECG monitoring, capnography, infusion pump alarm prevention/management, pressure sore prevention, incentive spirometry, consciousness monitoring during sedation, pain management and other care and monitoring modalities. A patient in-the-loop system includes an input interface for receiving data acquired from a monitoring, controlling or sensing device, a storage device for storing the data at a first location, and a processor for analyzing artifacts in the data and determining whether the patient provided a deliberate action with respect to the device as a response to a prompt or query. The processor can further initiate a variety of prompts and/or output queries stored in the storage device at a second location to the patient.

Abstract: A medical general intelligence computer system and computer-implemented methods analyze morpho-physiological numbers for determining a risk of an emergent disease state, determining an emergent disease state, predicting a pre-emergent disease state, determining a pre-emergent disease state, and/or predicting a risk of a pre-emergent disease state.

Abstract: The present invention relates to the identification of a person having risk for developing type 2 diabetes (T2D) by determining the presence or absence of specific genes, gene clusters, genera or species of bacteria in the person's gastrointestinal microbiota. More specifically the invention relates to a model to identify an individual having or at risk of developing type 2 diabetes (T2D) using metagenomic clusters (MGCs), wherein said model is characterized by using different metagenomic clusters for different population groups. Also provided is the use of such a model in the identification of a person having risk for developing type 2 diabetes (T2D).

Abstract: Provided are computer implemented method and systems for providing and monitoring patient compliance with a patient healthcare treatment plan. The method includes receiving, from a healthcare provider over a network, application features for generating a patient application including patient instructions for using a medical therapy, and generating an application for a patient. The application includes at least an input for the user to input data for use in evaluating patient compliance with a treatment plan. In addition, the method includes receiving, from the healthcare provider over the network, a prescription for the application for the patient, and activating the application after the patient receives training on use of the application. The method also may include receiving patient compliance data from the application over the network based on the input.

Abstract: Provided is a fitting apparatus that accurately and objectively determines an optimal swingability index, which is a swingability index of a golf club suited to a golfer. The fitting apparatus is provided with an acquisition unit, a calculation unit, and a determination unit. The acquisition unit acquires a measurement value obtained by measuring a swing action of a test club by the golfer with a measurement device. The calculation unit calculates a swing index indicating a feature amount of the swing action, based on the measurement value. The determination unit determines the optimal swingability index, according to a magnitude of the swing index.

Abstract: A method for digital content protection comprises generating a plurality of frame keys, retrieving a plurality of frames from digital content, and at least one of encrypting and decrypting the digital content with a different frame key that dynamically changes for each frame of the plurality of frames. A storage device comprises a computer-readable medium including encrypted digital content stored thereon, wherein the encrypted digital content is encrypted with a frame key that is different for each frame of the encrypted digital content. A content player comprises a computer-readable medium including instructions stored thereon, that when executed cause a processor to decrypt encrypted digital content by reconstructing a plurality of frame keys that are different from each other that are used to decrypt each frame of the encrypted digital content.

Abstract: Managing and accessing media items, including: a plurality of domains configured to provide access to media items; a plurality of clients associated with the plurality domains, and providing a pathway for accessing the media items; and a spanning application configured to track and aggregate accessible media items from the plurality of domains based on authentication and registration information and associated rights of the plurality of clients and the plurality of domains, wherein the spanning application enables accessing of the media items across the plurality of domains.

Abstract: A method for preventing digital content misuse can include receiving, by a client-side computing device, digital content from a remote computing system; periodically presenting sonic signals to confirm that a mobile computing device of a user authorized with the client-side computing device is within a desired geographic distance of the client-side computing device; receiving, by the client-side computing device, a notification that a number of unconfirmed sonic signals exceeds a threshold number of allowable unconfirmed sonic signals, wherein the number of unconfirmed sonic signals indicates a number of sonic signals presented by the client-side computing device that the mobile computing device did not confirm detecting; and in response to receiving the notification that the number of unconfirmed sonic signals exceeds the threshold number of allowable unconfirmed sonic signals, executing a remedial action.

Abstract: A computer system for providing software over a network includes: a computer system for providing software over a network is provided. The system includes: a control unit configured to reside at a site, the control unit including a control unit identification (ID) that uniquely identifies the control unit to the network; a copy of the software, the software including sets of features; a license generator configured to create a features activation file containing the control unit ID and identifying at least one set of features to be activated by the control unit; a computer configured to download the features activation file to the control unit; and, the control unit configured for activating one of the sets of features according to the features activation file. A method and a computer program product are disclosed.

Abstract: An apparatus, method, and system for curtailing and investigating software piracy is provided. The method includes spawning user applications on a computer without use of a file on the file system. A protected application data source is retrieved by an operating system of the computer from a server and placed into a portion of memory not accessible by at least one application. The operating system also prevents the protected application data source from being written to the file system. In this manner there is no file subject to unauthorized distribution. The protected application data may also be watermarked by ordering at least one of executable functions, function call parameters, and program data according to a license identifier so that any two versions execute the same, but carry an identifier which can be used to trace piracy to the source.

Abstract: A method, an apparatus, and a computer program product for wireless communication are provided in connection with providing private expression protection in a wireless communications network. In one example, a UE is equipped to internally receive a request (e.g., from an application running on the UE) to announce a private expression and/or at least a reference to an expression-code associated with the private expression, and determine whether the reference to the expression-code and/or the expression-code matches a stored instance of the expression-code. In an aspect, the UE may be equipped to announce the at least one of the private expression or the expression-code when stored instance of the expression-code corresponds to the expression-code received with the request. In another aspect, the UE may be equipped to prohibit announcement of any information associated with the private expression when stored expression-code does not correspond to the expression-code received with the request.

Abstract: As disclosed herein a method, executed by a computer, includes receiving a deployed computer application to be staged, where the deployed computer application includes monitored items corresponding to a downloaded code package, verifying the integrity of the downloaded code package included in the deployed computer application, and staging the deployed computer application to provide a staged computer application. The method further includes monitoring the staged computer application for usage of monitored items corresponding to the downloaded code package and billing a customer according to usage of the monitored items. A computer system, and a computer program product corresponding to the method are also disclosed herein.

Abstract: An indication of a change in a right to use a service or feature is received. For example, this can be based on an administrator granting access to a previously installed service or feature. In response, a notification is sent to a user of the change of the right to use the service or feature. The notification requests the user to provide a credential to approve the change of the right to use the service or feature. For example, a link may be provided in an email or text message that the user can click on to provide a password/user name. The credential is received and verified. In response to validating the credential, access is allowed according to the change of the right to use the service or feature. The user then has access to the service/feature without the administrator having to know the user's credential.

Abstract: An authenticating device employing an authenticating method of the invention is disclosed. In the method, a candidate character set is divided into several candidate character subsets so that at least one subset contains two or more elements. Then, these subsets are provided to the user to select. Before a first password character, or each time the user inputs a password character, the elements of the candidate character set are randomly arranged to produce the candidate character subsets. Based on which candidate character subsets are selected by the user, the characters in the selected subsets are compared with the password characters, thus completing the authentication process. By dynamically randomly generating the candidate character subsets to be selected by the user, password operation complexity is increased. This may comprehensively improve security and convenience of the authentication process.

Abstract: A method includes receiving, from a user via an electronic device, input representing a password to be utilized for an account; automatically determining, utilizing a processor, a complexity value for the input password; automatically determining, based on the determined complexity value, security settings for the account; receiving, from a user via an electronic device, input representing an attempt to login to the account, the input representing an attempt to login to the account including an attempted password; automatically determining that the attempted password does not match the password to be utilized for the account; and determining a course of action to take in response to the determination that the attempted password does not match the password to be utilized for the account, the course of action being determined based at least in part on the automatically determined security settings for the account.

Abstract: The present invention is to enable a user to input authentication information without burden, such that the user only has to memorize part of the authentication information even when inputting lengthy authentication information in order to ensure high-level security. When an operation of inputting and arranging authentication information in an information arrangement region is performed in a state where an arrangement status of a specified portion in the information arrangement region is set in advance as partial-authentication reference information in a reference authentication information memory, a CPU detects an arrangement status of the specified portion from an overall arrangement status in the information arrangement region, and performs, as partial authentication, processing of matching the detected arrangement status of the specified portion and the arrangement status of the specified portion set as the partial-authentication reference information.

Abstract: Methods, systems, and products authenticate users for access to devices, applications, and services. Skills of a user are learned over time, such that an electronic model of random subject matter may be generated. The user is prompted to interpret the random subject matter, such as with an electronic drawing. The user's interpretation is then compared to the electronic model of the random subject matter. If the user's interpretation matches the electronic model, the user may be authenticated.

Abstract: A method for verifying the integrity of platform software of an electronic device is provided, the method comprising accessing a module of said platform software, obtaining a signature (S), obtaining a verification key (VK), said verification key (VK) corresponding to a signing key (SK), verifying if said signature (S) was derived by signing said platform software module with said signing key (SK), by using said verification key (VK), and establishing a positive verification of said platform software module if said verification is successful. The invention also provides a method for providing a platform software module to perform the aforementioned method, and a device on which the aforementioned method can be performed.

Abstract: Devices, methods and products are described that provide for selective system or root level access for applications on an information handling device. One aspect provides a method comprising determining whether an application has system privileges on an information handling device; and executing privileged code from the application on said information handling device responsive to determining that the application has system privileges through one or more native services operating on said information handling device. Other aspects and embodiments are also described herein.

Abstract: The invention is directed to systems and methods for detecting the loss, theft or unauthorized use of a device and/or altering the functionality of the device in response. In one embodiment, a device monitors its use, its local environment, and/or its operating context to determine that the device is no longer within the control of an authorized user. The device may receive communications or generate an internal signal altering its functionality, such as instructing the device to enter a restricted use mode, a surveillance mode, to provide instructions to return the device and/or to prevent unauthorized use or unauthorized access to data. Additional embodiments also address methods and systems for gathering forensic data regarding an unauthorized user to assist in locating the unauthorized user and/or the device.

Abstract: Methods, systems and media are shown for detecting a heap spray event involving examining user allocated portions of heap memory for a process image, determining a level of entropy for the user allocated portions, and, if the level of entropy is below a threshold, performing secondary heuristics, and detecting a heap spray event based on results of the secondary heuristics. In some examples, performing the secondary heuristics may include analyzing a pattern of memory allocation for the user allocated portions, analyzing data content of the user allocated portions of heap memory, or analyzing a heap allocation size for the user allocated portions of heap memory.

Abstract: A hardware-assisted technique may protect a system log from attackers, regardless of an attacker's acquired privileges at the host system. In some embodiments, the technique may employ specialized hardware, e.g., in the form of an add-on peripheral card. The hardware may be connected to a commodity server through a standard bus. Said hardware may stores log files from a host system while permitting only read and append operations from the host system. Thus, even if the attacker obtains root privileges at the host system, removal through the host system of logs may be prevented because the asymmetric interface does not support such commands from the host system. In some embodiments, an existing log file storage path at the host system may be maintained, reducing the required change to implement the disclosed techniques within existing server setups. Further, any performance degradation due to the techniques may be small to negligible.

Abstract: Systems, methods and media are shown for automatically detecting a use-after-free exploit based attack that involve receiving crash dump data relating to a fault event, determining whether the fault event instruction is a call type instruction and, if so, identifying a UAF attack by checking whether it includes a base address in a first register that stores a pointer to free memory and, if so, generating a UAF alert. In some examples, generating a use-after-free alert includes automatically sending a message that indicates a UAF attack or automatically triggering a system defense to the UAF attack. Some examples may include, for a call type faulting instruction, identifying a UAF attack, checking whether a base address in the first register includes a pointer in a second register to a free memory location associated with the base address.

Abstract: Detecting heap spraying on a computer by determining that values of characteristics of a plurality of requests to allocate portions of heap memory are consistent with benchmark values of the characteristics, wherein the benchmark values of the characteristics are associated with heap spraying; and performing a computer-security-related remediation action responsive to determining that the values of the characteristics are consistent with the benchmark values of the characteristics.

Abstract: Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. Such hardware components include, among others, a memory shadower configured to detect changes to a memory connected to the first processor, and a storage shadower configured to detect an attempt to write to a non-volatile storage device of the computer system. The memory shadower and storage shadower may be used to inject a security agent into the computer system.

Abstract: A mechanism for controlling the execution of Option ROM code on a Unified Extensible Firmware Interface (UEFI)-compliant computing device is discussed. A security policy enforced by the firmware may be configured by the computing platform designer/IT administrator to take different actions for different types of detected expansion cards or other devices due to the security characteristics of Option ROM drivers associated with the expansion card or device. The security policy may specify whether authorized signed UEFI Option ROM drivers, unauthorized but signed UEFI Option ROM drivers, unsigned UEFI Option ROM drivers and legacy Option ROM drivers are allowed to execute on the UEFI-compliant computing device.

Abstract: In one embodiment, a method is executed by a computer system. The method includes receiving information related to a platform-portable workload, the information comprising a data security policy expressed as digitally signed metadata. The data security policy specifies one or more data security features that any platform executing the platform-portable workload should implement. The method further includes validating the digitally signed metadata as originating from an issuer of the platform-portable workload. In addition, the method includes, responsive to successful validation of the digitally signed metadata, automatically determining whether a particular platform can satisfy the data security policy based, at least in part, on a comparison of the digitally signed metadata with data security attributes of the particular platform.

Abstract: A method for installing embedded firmware is provided. The method includes generating one or more firmware file instances and generating one or more digital certificate instances that are separate instances from the firmware file instances. The method includes associating the one or more digital certificate instances with the one or more firmware file instances to facilitate updating signature-unaware modules with signature-aware firmware or to facilitate updating signature-aware modules with signature-unaware firmware.

Abstract: A system on chip is provided. The system on chip includes a first memory to store a plurality of encryption keys, a second memory, a third memory to store an encryption key setting value, and a CPU to decrypt encrypted data which is stored in an external non-volatile memory using an encryption key corresponding to the encryption key setting value from among the plurality of encryption keys, to store the decrypted data in the second memory, and to perform a boot using data stored in the second memory. Accordingly, security of a boot operation can be improved.

Abstract: A mechanism for automatically enrolling option ROMs into the system security database used for a UEFI Secure Boot is discussed. A request is received by a computing device to auto-enroll one or more option ROMs for one or more respective devices on the next boot of the system. Upon receiving the request, a flag or other type of indicator indicative of an auto-enroll status is changed to an active mode. The indicator is stored in non-volatile memory and may be stored as a UEFI Authenticated Variable. Following the changing of the indicator, the system is either reset or shut down. During the next boot only, after identifying the indicator indicative of an active mode auto-enroll status, the signatures for the option ROMs of all discovered devices whose signatures do not exist in the system security database are calculated (hashed) and added to the UEFI Secure Boot database without user interaction.

Abstract: Methods and systems are disclosed including transmitting, by processor of a server computer, image raster content of a geo-referenced aerial image to an operator user device without the geo-referencing information of the geo-referenced aerial image; receiving, by the processor of the server computer from the operator user device, image coordinates, which may be in the form of pixel row/column, representing an object or region of interest selected within the image raster content of the geo-referenced aerial image by a data processing operator of the operator user device; and translating the image coordinates into real-world geographic coordinates. The processor may calculate measurements based on the real-world geographic coordinates and may store real-world geographic coordinates and/or measurements. The geo-referenced aerial image may be isolated such that a data processing operator may not be able to pan or zoom outside of the isolated geo-referenced aerial image.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for securing data. One of the methods includes receiving, by the map reduce framework, data for analysis. The method includes identifying, by the map reduce framework, private data in received data. The method includes encrypting the private data. The method includes storing the encrypted private data in a location separate from the received data. The method includes obfuscating the private data by adding a reference to the location of the encrypted private data in the received data.

Abstract: Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.

Abstract: An approach is provided in which a knowledge manager generates a knowledge structure that includes security annotation tokens and term tokens. Each of the security annotation tokens are stored in a parallel field and align to at least one of the term tokens. The knowledge manager matches security policies corresponding to a search request to one or more of the security annotation tokens and, in turn, generates search results based upon obfuscation of one or more of the term tokens aligned to the matched security annotation tokens.

Abstract: Sanitizing a virtual machine image of sensitive data is provided. Labeling dependencies and sanitization dependencies between a plurality of software components in the virtual machine image are identified based on labeling execution policies located in a labeler module and sanitization execution policies located in a sanitizer module, respectively. The labeler module and the sanitizer module are inserted in the virtual machine image. A sensitivity level label of a plurality of sensitivity labels is attached to identified sensitive data from the sensitive data contained in the virtual machine image based on the identified labeling dependencies. In response to receiving an input to perform a sanitization of the identified sensitive data having attached sensitivity level labels contained in the virtual machine image, the sanitization of the identified sensitive data having the attached sensitivity level labels contained in the virtual machine image is performed based on the identified sanitization dependencies.

Abstract: Sanitizing a virtual machine image of sensitive data is provided. Labeling dependencies and sanitization dependencies between a plurality of software components in the virtual machine image are identified based on labeling execution policies located in a labeler module and sanitization execution policies located in a sanitizer module, respectively. The labeler module and the sanitizer module are inserted in the virtual machine image. A sensitivity level label of a plurality of sensitivity labels is attached to identified sensitive data from the sensitive data contained in the virtual machine image based on the identified labeling dependencies. In response to receiving an input to perform a sanitization of the identified sensitive data having attached sensitivity level labels contained in the virtual machine image, the sanitization of the identified sensitive data having the attached sensitivity level labels contained in the virtual machine image is performed based on the identified sanitization dependencies.

Abstract: A data processing system may have a strict separation of processor tasks and data categories, wherein processor tasks are separated into software loading and initialization (loading processor) and data processing (main processor) and data categories are separated into address data, instructions, internal function data, target data of the main processor and target data of the loading processor. In this way, protection is provided against malware, irrespective of the transmission medium and of the type of malware, and also against future malware and without performance losses in the computer system.

Abstract: A method for authenticating file operations on files and folders stored in a database file system where the database file system can authenticate a client-user request based upon the client-user's database credentials. The database file system has the capability of storing file permissions based on database credentials. Once a client requests a certain file operation, the client's operating system first determines whether the client has sufficient privileges to perform the requested file operation. If the client has privileges, the client operating system forwards the file operation request to the database file system. The database file system then authenticates the client, based on his database credentials, to determine whether or not to perform the requested file operation.

Abstract: Information regarding one or more sensing devices in an environment is broadcasted. The broadcasted information is received by a user application running on a user device in the environment. The broadcasted information comprises information regarding presence of the one or more sensing devices in the environment and at least one of a capacity profile and an activity profile of the one or more sensing devices.

Abstract: In one embodiment, a method is performed by a computer system. The method includes monitoring events in relation to files stored at multiple network nodes and, responsive to the monitoring, detecting that a new file has been created from an existing file. The method further includes accessing a stored file-family model of the existing file, the stored file-family model comprising interconnected nodes, wherein the interconnected nodes represent a plurality of overlapping file variants such that one of the interconnected nodes represents the existing file. In addition, the method includes logically connecting the existing file and the new file in the stored file-family model. The method also includes determining a primary file variant in the stored file-family model and, responsive to a determination that the existing file is not the primary file variant, notifying one or more users.

Abstract: A method, a data processing system, and a computer program product for managing cryptographic information. A determination is made as to whether a first time stamp of when cryptographic information was created is more recent than a second time stamp of a backup of the cryptographic information in response to receiving a request for the cryptographic information from a requester. The cryptographic information is used to encrypt data. The cryptographic information is prevented from being provided to the requester in response to a determination that the first time stamp of cryptographic information creation is more recent than the second time stamp of the backup of the cryptographic information.

Abstract: A metadata layer management system is presented. Layers of metadata objects can be constructed where each metadata layer object comprises a rights policy. As entities interaction with the metadata layer objects, possibly by navigating links among the objects, each entity's access rights to the objects are governed by the rights policy. Further, the disclosed techniques provide for resolving rights conflicts among the rights policies of the metadata layer objects.