Abstract: A character input device is provided with an operation unit that accepts key input and displays and accepts selection of a prediction candidate according to the result of the key input, and a character input determining unit that determines an input character, using the result of the key input or the selection result of the prediction candidate. Also, the character input determining unit executes fingerprint authentication at the time of accepting the key input or the time of selecting the prediction candidate.

Abstract: A weapon is equipped with processing capabilities and can include, inter alia, communication technology, geographic positioning systems, a camera, memory and the ability to enable or disable the weapon remotely. Through the application of various protocols (e.g., access, monitor, control, programming), a weapon can be designated for one or more authorized users, and will not operate when not being used by an authorized user. Other implementations include smart ammunition that can also be programmed for a specific user, or more preferably for a specific weapon, such that the weapon and/or the ammunition would not work without the other, and only by the registered authorized user of the same.

Abstract: A method and an apparatus for invoking a fingerprint identification device are provided. The method includes the following. When a request of a current application to invoke a fingerprint identification device is detected, whether the fingerprint identification device is occupied by a historical application is determined. When the fingerprint identification device is occupied by the historical application, whether the current application meets a preset invoking condition is determined, and then the fingerprint identification device is controlled to process the request of the current application according to the determination result.

Abstract: A method and a terminal for unlocking a screen of a terminal having fingerprint sensors are provided. The method includes the following. A press instruction on a designated unlocking area of the terminal is acquired. A press interrupt request is initiated according to the press instruction and fingerprint data are collected at a press position corresponding to the press instruction. The fingerprint data are compared with fingerprint verification data pre-stored in the terminal. Based on a determination that the fingerprint data and the fingerprint verification data are matched, a screen interface of the terminal is enabled and the screen of the terminal is lit up when a response instruction of the press interrupt request is received.

Abstract: A method for improving unlocking speed and a mobile terminal are provided. The method is applicable to the mobile terminal in a screen-off state and equipped with a metal dome array. The method includes the follows. A first thread is executed when a current unlock mode of the mobile terminal is press-to-trigger fingerprint unlock in the screen-off state, and a second thread is executed during the execution of the first thread. The first thread includes the following. An operation. instruction is received when a user touches a fingerprint module, a fingerprint image is acquired, the fingerprint image acquired is compared with a preset fingerprint image, and unlock after a successful match. The second thread includes the following. An operation instruction is received when the user presses the metal dome array, and wait for unlocking success and then a display screen is lit up.

Abstract: A method for controlling unlocking is provided. A password matching process is performed on a screen unlock password, an interrupt request is triggered and an original fingerprint image is acquired, and a fingerprint identification process is performed on the original fingerprint image, when a terminal device is in a screen-off state and the screen unlock password input by a user and a touch-press operation of the user on a fingerprint identification module of the terminal device are detected. A screen of the terminal device is lit up, when the password matching process is successful and the fingerprint identification process is successful.

Abstract: An information processing system includes multiple information processing apparatuses for providing a multitenant service. The information processing system is configured: to store a user account for each user belonging to one of a plurality of tenants provided by the multitenant service, the user account including a tenant ID of the tenant, and a role representing privilege of the user; to store license information assigned to each of the tenants, the license information including a license type representing a type of task allowed to be performed by the tenant; to receive a first request, from a first user belonging to a first tenant, for performing a task concerning a second tenant; and to determine, based on the role of the first user and the license information assigned to the first tenant, whether the performing of the task concerning the second tenant is allowed.

Abstract: A system for automating a data device login procedure having a network, a system backend communicable with the network having a backend processor configured to control a simplified login procedure and a database of login information accessible by the backend processor, a data reader communicable with the system backend configured to receive a credential data from an identification device, and a fungible portable data device communicable with the backend configured to receive a login information from the system backend for completing a login procedure. The data reader is configured to initiate the login procedure upon receipt of the credential data from the identification device and communicate the credential data to the backend. The backend is configured to determine the login information associated with the credential data comprising personalization information for the fungible portable data device and the system backend completes the login procedure to the fungible portable data device.

Abstract: Access to devices can be controlled dynamically. A device control driver can function as an upper filter driver so that it can intercept I/O requests that target a particular device. The device control driver can be configured to communicate with a device control server to dynamically determine whether the current user is allowed to access the particular device. The device control server can employ policy or administrator input to determine whether access should be allowed and can then notify the device control driver accordingly. When access is granted, the device control driver can pass I/O requests down the device driver stack. Otherwise, the device control driver can block the I/O requests. Also, when access is granted, the device control server can specify a permission expiration time after which the device control driver should again resume blocking I/O requests.

Abstract: A computing device has first and second operating systems with access to first and second memories, respectively. The second memory is provided for secure computing resources and is not accessible by applications in the first operating system. A software module executable within the first operating system receives requests for secure computing resources, adds access credentials and passes the requests to a software module in the second operating system.

Abstract: The present invention provides a web-based electronic document service apparatus, which is capable of authenticating the edit of a document, and an operating method thereof, in which when a predetermined authentication token is randomly issued and transmitted to a client terminal accessing for editing an electronic document based on a web, and then an editing command and an authentication token corresponding to the editing command are received from the client terminal, it is determined whether the received authentication token corresponds to the previously issued authentication token, so that it is possible to confirm whether the editing command received from the client terminal is the editing command generated by the true user, thereby providing a security mechanism.

Abstract: Systems and methods detect suspicious application overlays on a device. An overlay detection unit can detect if a first foreground application has been replaced, within a threshold amount of time, by a second foreground application. If the replacement time is below a threshold amount of time, a suspicious overlay detection can be triggered to alert the user to a possible phishing attempt by the second foreground application.

Abstract: According to some illustrative embodiments, a method for blending the data of an execution environment and the data of the protected application includes modifying the data values of the protected application using the values of the execution environment in a semantically-neutral manner or modifying the data values of the execution environment using the values of the protected application in a semantically-neutral manner.

Abstract: A method is supplied for operating a computer unit, wherein on the computer unit an application can be executed which can access the functions of a crypto API, wherein the functions of the crypto API can be supplied by at least one crypto implementation on the computer unit. The method therein includes the following steps of: executing the application on the computer unit; checking what crypto implementations are available on the computer unit; and selecting one of the available crypto implementations as that crypto implementation which supplies the functions of the crypto API.

Abstract: Systems and methods are provided that allow a secure processing system (SPS) to be implemented as a hard macro, thereby isolating the SPS from a peripheral processing system (PPS). The SPS and the PPS, combination, may form a secure element that can be used in conjunction with a host device and a connectivity device to allow the host device to engage in secure transactions, such as mobile payment over a near field communications (NFC) connection. As a result of the SPS being implemented as a hard macro isolated from the PPS, the SPS may be certified once, and reused in other host devices without necessitating re-certification.

Abstract: Provided herein are systems and methods for generating policies for a new application using a virtualized environment. Prior to allowing a new application to operate on a host system, the new application may be installed in a virtual environment. A first program execution restrictor of the virtualized environment may determine a set of policies for the new application. The set of policies may allow the new application to add specific program elements during installation and execution in the virtualized environment. The first program execution restrictor may verify an absence of malicious behavior from the new application while the new application executes in the virtualized environment. The new application may be executed on the host system responsive to the verification. The host system may have a second program execution restrictor that applies the set of policies when the new application is allowed to execute on the host system.

Abstract: A method and apparatus for improving security of a Java sandbox is provided. The method includes performing a permission check on a to-be-checked code, determining whether a method bypassing the permission check exists in a call stack of the code, and if a method bypassing the permission check exists, determining whether methods in the call stack have a signature. The method also includes determining that the to-be-checked code has a security problem if the methods have no signature.

Abstract: The subject matter of this specification generally relates to data security. In some implementations, a method includes receiving, from data owners, a first cryptographically secure representation of data to be monitored for data breaches. Each first cryptographically secure representation can include a cryptographically secure data structure that represents a plurality of first data records maintained by the data owner. One or more second cryptographically secure representations of second data records are received from a user. A number of the second cryptographically secure representations that match a corresponding portion of the first cryptographically secure representation received from a data owner is determined. A determination is made that a data breach occurred for the data owner based on the number of the second cryptographically secure representations that match the corresponding portion of the first cryptographically secure representation received from the data owner.

Abstract: Examples relate to protection against database injection attacks. The examples disclosed herein enable intercepting a current database query prior to being executed by a database management system (DBMS). The examples disclosed herein further enable determining whether the current database query is suspected of having a security threat of a database injection attack by comparing the current database query with past database queries that have been intercepted prior to the interception of the current database query, and in response to determining that the current database query is not suspected of having the security threat of the database injection attack, storing the current database query in an allowed query list.

Abstract: Examples relate to identifying malicious activity using data complexity anomalies. In one example, a computing device may: receive a byte stream that includes a plurality of bytes; determine, for a least one subset of the byte stream, a measure of complexity of the subset; determine that the measure of complexity meets a predetermined threshold measure of complexity for a context associated with the byte stream; and in response to determining that the measure of complexity meets the threshold, provide an indication that the byte stream complexity is anomalous.

Abstract: In some implementations, a method includes receiving files provided for analysis by users, generating, from the received files, a batch including multiple files, and scanning each of the files in the batch using each of multiple different antivirus software programs to generate an antivirus output for each of the files. The scanning includes, for each of multiple computing units, generating a replica of the batch for the computing unit, and scanning, by the computing unit, each file in the replica of the batch using an antivirus software program assigned to the computing unit to generate a respective program-specific antivirus output for the antivirus software program for each file of the batch of files. The method includes generating, for each file in the batch, the antivirus output for the file from the program-specific antivirus outputs for the file, and outputting the generated antivirus outputs for presentation to the users.

Abstract: A virus detection method, a terminal, and a server are provided. The method includes performing preprocessing on an obtained to-be-processed file according to a preset policy, to obtain a part that is in the to-be-processed file and whose stability is greater than a first threshold as effective information. The effective information is calculated to obtain a first characteristic parameter value. The first characteristic parameter value is transmitted to a server for performing detection by means of virus comparison, and a detection result of the virus comparison is received. Virus scanning is performed on a local file according to the detection result.

Abstract: Examples relate to identifying a signature for a data set. In one example, a computing device may: receive a data set that includes a plurality of data units; iteratively determine a measure of complexity for windows of data units included in the data set, each window including a distinct portion of the plurality of data units; identify, based on the iterative determinations, a most complex window of data units for the data set; and identify the most complex window as a data unit signature for the data set.

Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.

Abstract: Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with pre-recorded hardware performance data representative of the first process' normal behavior, and determining whether a malicious process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the pre-recorded hardware performance data representative of the normal behavior of the first process.

Abstract: Systems and methods of disarming malicious code in protected content in a computer system having a processor are provided. The method includes determining that a received input file intended for a recipient is protected, the recipient may be connected to a network; accessing a credential associated with the intended recipient for accessing the protected input file; accessing the content of the protected input file based on the credential; modifying at least a portion of digital values of the content of the input file configuring to disable any malicious code included in the input file, thereby creating a modified input file; and protecting the modified input file based on the credential associated with the intended recipient. The method also includes forwarding the protected modified input file to the intended recipient in the network.

Abstract: A device for securing USB or Firewire port interconnections includes a microcontroller comprising a processor; a first connector/lead in communication with the microcontroller and configured to be coupled with a USB or Firewire external device; and a second connector/lead in communication with the microcontroller and configured to be coupled with a protected host. An optional user interface communicates with the microcontroller. When the microcontroller detects that the external device is coupled to the first connector/lead, the processor is configured to display a prompt on the user interface for a user to initiate inputs prior to the external device being allowed to connect with the protected host; or is configured to automatically prevent the external device from being connected with the protected host if the external device is on a blacklist of devices known to have device handlers in the protected host at a BIOS level, without modifying the protected host.

Abstract: Systems and methods for continued runtime authentication of Information Handling System (IHS) applications. In an illustrative, non-limiting embodiment, an IHS may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a command to execute an application; initially verify a plurality of tokens, where a first token is provided by the application, a second token is provided by an application manager, and a third token is provided by a hardware component within the IHS; and execute the application in response the initial verification being successful.

Abstract: A method to enforce secure boot policy in an IHS configured with a plurality of virtual machines. The method includes detecting a request for a virtual machine to access a service processor. In response to detecting the request, the method includes triggering a handshake request between a hypervisor boot emulator and the service processor to initiate a sequence of authentication steps to access a corresponding secure partition of memory from among a plurality of secure partitions of memory associated with the service processor. Each secure partition of memory has a corresponding virtual platform key for preserving secure access to the corresponding secure partition of memory stored in a secure platform. The method further includes dynamically generating unlock keys, derived in part by the corresponding virtual platform key, to authenticate a requesting virtual machine as a valid virtual machine to obtain access to a corresponding secure partition of memory.

Abstract: Methods and systems for performing an authenticated boot; performing a continuous data protection; performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function, role and rule-based policies, validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies. Booting and operating (either fully or in a restricted manner) are permitted only under a control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors and other virtual machine monitors or managers.

Abstract: A management apparatus includes an assignment unit, a receiver, and a storage unit. The assignment unit assigns issuance privilege key information representing privilege to issue document IDs to one or more processing apparatuses. Each of the one or more processing apparatuses is located on one of local networks and is configured to execute a protection process to generate a protected document from a document. The receiver receives from the one or more processing apparatuses document IDs issued for protected documents by the one or more processing apparatuses. The storage unit stores the document IDs received by the receiver. Each of the document IDs includes the issuance privilege key information assigned by the assignment unit to the one or more processing apparatuses, and information indicating identity of a document ID issued by one of the one or more processing apparatuses.

Abstract: Approaches presented herein enable dynamic security policies through a plurality of application profiles. More specifically, a mobile device can open a profile of a plurality of profiles, each associated with an unlock credential and a security scope, in response to an unlock credential associated with that profile. All these profiles can be opened in a single user session and can be swapped within the session in response to an unlock credential corresponding to the desired profile. When the mobile device receives a request to open a digital item, the digital item is compared to a security scope of the opened profile to determine whether access to the digital item is permitted, and, in response to the determination, access to the digital item is permitted or denied. A list of digital items permitted to be accessed in each profile can be synchronized to a list received from a mobile device manager.

Abstract: A method for the display of an image in a display area, the method comprising: requesting, from a server, a scrambled image file using an image identifier, the scrambled image file containing the image in a scrambled form; receiving the scrambled image file; dividing the scrambled image file into a plurality of image fragments, the image fragments having a first order within the scrambled image file; and rendering the image fragments on to the display area in a second order derived from the image identifier to display the image in unscrambled form.

Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification and information retrieval. One example method of operation may include identifying a number of data parameters to extract from a blockchain based on a request for analytic data, creating one or more queries based on the data parameters, executing the one or more queries and retrieving the data parameters from the blockchain, identifying one or more permissions of a user account associated with the request for analytic data, and populating an interface with analytic figures based on the data parameters retrieved from the blockchain.

Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification and information retrieval. One example method of operation may include identifying one or more analytic processes to process blockchain data, determining a primary type of data analytic to be performed by the one or more analytic processes, selecting a type of data store to use for performing the one or more data analytic processes based on the primary type of data analytic, accessing the blockchain data, applying the one or more analytic processes, and storing results of the applied analytic processes in a database, file or dashboard. The analytic data may be realized in any manner or preference requested.

Abstract: Location based security rules are provided for preventing unauthorized access to a device, application, system, content, and/or network, etc. The location-based security rules enable a user, computing device, system, etc. to access the requested item or information when the user provides proper identification information. The proper identification information is based in part on the location of the user and/or the user's access request.

Abstract: Implementations include providing a database system that a plurality of tenant systems interact with, providing a shared database schema and a plurality of tenant database schemas, the shared database schema including a shared table, and each tenant database schema being assigned to a respective tenant and including a view into the shared table, which includes a tenant specification field, and a row visibility field, the tenant specification field indicating a tenant, to which a respective row is assigned, and the row visibility field indicating visibility of a respective row to respective tenants.

Abstract: A document management system includes a management apparatus and plural processing apparatuses. Each of the plural processing apparatuses includes an acquisition unit and a transmitter. The acquisition unit acquires a document and information on a destination to which the document is transmitted. The transmitter transmits metadata of the document to the management apparatus and transmits a protected document generated from the document to the destination. The metadata includes the information on the destination. The management apparatus includes a memory and a response unit. The memory stores metadata of documents received from the plural processing apparatuses. The response unit responds to a request for metadata corresponding to a document by returning metadata of the document which is stored in the memory.

Abstract: A computing device has first and second operating systems with access to separate first and second memories. The second operating system hosts containers which provide separate execution environments. The containers have secure computing resources. A software module in the second operating system receives access requests from applications in the first operating system and selectively passes the requests based on rules for accessing the containers.

Abstract: A document management system includes one or more processing apparatuses and a management apparatus. Each processing apparatus is located on one of local networks, and executes a protection process to generate a protected document from a document. The management apparatus is located on an external network connected to the local networks, and manages the processing apparatus(es). Each processing apparatus includes a transmitter and a generator. The transmitter transmits a status of the processing apparatus to the management apparatus. The generator executes the protection process on an input document and generates a protected document upon being permitted by the management apparatus to execute the protection process. The management apparatus includes a receiver and a controller. The receiver receives, from the processing apparatus(es), statuses of the processing apparatus(es).

Abstract: Techniques for identifying permitted illegal access operations in a module system are disclosed. An operation, expressed in a first module, that attempts to access a module element of a second module is identified. Based on a module declaration associated with the second module, the module element is determined inaccessible to the first module. Additionally or alternatively, based on an access modifier associated with the module element, the module element is determined inaccessible to the operation. The operation is determined as an illegal access operation. The illegal access operation is permitted to access the module element. A warning corresponding to the illegal access operation is generated.

Abstract: A method and system for file content protection and policy-based access control in a networked environment are provided. It includes an endpoint module which runs on endpoint devices and a key store module which runs on key stores servers. The endpoint computing device where files are created and used generates a content encryption key and unique file identifier (UFI), which are different for each file. The file is encrypted with the content key and attaches the UFI to the encrypted file to create a protected file. The coupled UFI and content key are sent to the key store servers to be stored. To accesses the protected file, end point module reads the UFI and sends it to the key store which responses with the permission as the outcome of evaluation of associated policies and the content key if permission is granted so the file can be decrypted.

Abstract: A device (e.g., a phone) can be provided by an entity (e.g., a business) to a user (e.g., an employee). The device includes a profile manager that allows the user to configure a personal profile comprising any of applications, settings, and stored data. The device is also configurable with an entity profile determined by the entity that also may include applications, settings, and stored data. The user can select from operating modes comprising at least a personal mode, and a unity mode; an entity mode also may be available for selection. The profile manager, based on the selected mode, determines whether entity profile data and applications are available to the user, and which applications from either profile may conduct user-perceptible activities. The profile manager may periodically verify entity profile rights with a server, and if verification fails, then the profile manager can restrict entity profile data and applications access, regardless of operating mode.

Abstract: To identify whether a content item is prohibited, a content management system can generate a content item fingerprint for the content item and then compare the generated content item fingerprint to a blacklist of content item fingerprints for prohibited content items. If the generated content item fingerprint matches any of the content item fingerprints included in the blacklist, the content management system can determine that the content item is prohibited. The content management system can deny requests to share prohibited content items and/or requests to assign prohibited content items to a user account on the content management system. The content management system can generate the content item fingerprint using the content item as input in a fingerprinting algorithm that was used to generate the content item fingerprints on the blacklist.

Abstract: A system, method, and computer readable storage medium configured for storing encrypted data in a blockchain. To write additional data in a blockchain, a request is received at a computing node. The request is typically cryptographically signed by a user system to include a new transaction with additional data in the blockchain. The additional data is previously encrypted with an encryption key. A new block that records the new transaction with additional data in the blockchain is added. To read the additional data in a blockchain, a request is received at a computing node with a transaction identifier and a decryption key from a user system to access data journaled as part of the blockchain in the transaction database. The transaction database is searched using the identifier. In response, to finding the corresponding block in the blockchain, the data is decrypted using the decryption key.

Abstract: Systems and methods are provided for context-module-based personal data protection. Systems and methods provide a user device's user interface with two or more context modules associated with a respective set of applications. Upon receiving a user input to launch an application, the application is executed using data permissions associated with the context from which the user launches the application. Permission for application requests for data are determined based on the data permissions associated with the launch context. For some embodiments, the context may be selected automatically based on sensor data or a user device's context or location. For some embodiments, the context may be changed between two contexts. Such context changes may occur without changing user accounts. For some embodiments, a third user may execute a third application using the data permissions associated with the first context module.

Abstract: An information management terminal device includes a health information acquisition means, a health information storage means that stores health information and a health information passbook, and a storage medium, in which the storage medium includes a concealed region accessible only by a specific program and a normal region accessible also by programs other than the specific program, the health information acquisition means adds a date/time record as the health information passbook, the health information storage means sequentially stores the health information and the health information passbook in the normal region, and that the concealed region holds a data alteration detection parameter for detecting alteration of the health information and/or the health information passbook.

Abstract: An efficient and secure process by which users may enter sensitive information into an electronic information system. When information is required from a user, the electronic information system may be configured to generate a unique access link (uniform resource locator, or URL) for that user. The link may be sent to the user via electronic communication, such as a text message or email. When the user follows the link with a web browser, the system prompts the user to enter an additional piece of personal information that is not known to the general public. Once identity is verified, the user may be required to electronically sign agreements. The user is then prompted to enter the required information. This may allow a user to deposit sensitive information into the system without requiring the user to provide full login credentials.

Abstract: User events of a platform are processed to extract aggregate information about users of the platform at an event processing system. A query relating to the user events is received at the system and at least one query parameter is determined from the query. Various privacy controls are disclosed for ensuring that any information released in response to the query cannot be used to identify users individually or to infer information about individual users.

Abstract: User events of a platform are processed to extract aggregate information about users of the platform at an event processing system. A query relating to the user events is received at the system and at least one query parameter is determined from the query. Various privacy controls are disclosed for ensuring that any information released in response to the query cannot be used to identify users individually or to infer information about individual users.