Abstract: Techniques for administering a care plan. Embodiments receive the care plan specifying observation metrics to monitor biometric data collected from a patient. At least one monitoring device available is identified and embodiments receive biometric data collected using the at least one monitoring device, where the biometric data is initially classified as a first type of event by the at least one monitoring device. Additionally, embodiments analyze the received biometric data to reclassify the first event as an occurrence of a second type of even, and, upon determining that the occurrence of the second type of event satisfies at least one threshold condition specified in the care plan, initiate at least one treatment plan specified in the care plan and corresponding to the satisfied at least one threshold value.

Abstract: Methods and systems for determining a set of control molecules for use in a combinatorial approach for the treatment of medical conditions, including providing one or more sets of control molecules, where each control molecule within the set acts on a set of targets and the number of control molecules within the one or more sets of control molecules is fewer than the number of targets within the sets of targets; and searching within the sets of control molecules to identify a subset of control molecules that together with a subset of targets form an artificial system to produce a biological effect through the modulation of the subset of targets.

Abstract: Systems and methods for payload encoding and decoding are disclosed. An example method to decode audio data includes receiving audio data having protected information embedded in the audio data; receiving a license file containing a first portion of a set of information required to access the protected information embedded in the audio data; processing the license file to obtain at least one of decoding information, message codes, a decoding algorithm or diagnostic information; producing a stream of symbol values for each code symbol included in the received audio signal; accumulating the stream of symbol values in a storage device; detecting the presence of an encoded message; outputting the detected message.

Abstract: A method includes: receiving a blacklist identifying piracy threatening items that pose a piracy threat such that, if installed and active with playback of the digital media content on the client, the piracy threatening items facilitate unauthorized use of the digital media content, the piracy threatening items on the blacklist having associated priority values; identifying first and second subsets of piracy threatening items in the blacklist responsive to the associated priority values; determining whether one or more piracy threatening items associated with the first subset are present on the client; performing a DRM transaction provisioning the digital media content for playback responsive to determining that no piracy threatening items associated with the first subset are present on the client; and determining whether to play back the digital media content responsive to determining whether one or more piracy threatening items associated with the second subset are present on the client.

Abstract: A license manager includes a processor and non-transitory computer readable media having encoded thereon a set of instructions executable by the at least one processor to receive a request, from a virtual machine, to reserve an individual license of the set of authorized licenses for a vendor software instance, determine the availability licenses for the requested vendor software, register a unique identifier of the virtual machine in association with an available individual license, grant the individual license to the virtual machine, and prevent the granted individual license from concurrent use by other virtual machines or devices.

Abstract: A method and system for generating a protected version of the digital content is disclosed. The method includes obfuscating the digital content to yield a functionally equivalent obfuscated digital content, encrypting the obfuscated digital content using at least one device or non-device parameter, generating a decryption logic to be used for generating a decryption key based upon the at least one device or non-device parameter, and concatenating the encrypted digital content and the decryption logic to generate the protected version of the digital content.

Abstract: Unauthorized use of computer programs is made difficult by compiling a processor rather than just compiling a program into machine code. The way in which the processor should respond to machine instructions, i.e. its translation data, is computed from an arbitrary bit string B and a program P as inputs. The translation data of a processor are computed that will execute operations defined by the program P when the processor uses the given bit string B as a source of machine instructions. A processor is configured so that it will execute machine instructions according to said translation data. Other programs P? may then be compiled into machine instructions B? for that processor and executed by the processor. Without knowledge of the bit string B and the original program P it is difficult to modify the machine instructions B? so that a different processor will execute the other program P?.

Abstract: System, method and apparatus for securely distributing content via an encrypted file wherein a Publisher Key (PK) associated with an authorized publisher enables presentation of the content by the authorized user via a Limited Capability Viewer (LCV), the LCV lacking the capability to forward, print, copy or otherwise disseminate the content to be presented unless available advanced permissions are granted to the authorized user.

Abstract: Programming interfaces and other means of invoking operations on a hosted service may perform operations having similar semantic meaning, including cases where the operations act upon different objects. Tags may be associated with programming interfaces having similar semantic meaning. A user may be authorized to invoke programming interfaces associated with the tag. A user may be authorized to invoke new programming interfaces when they are deployed without additional authorization.

Abstract: On-line course offerings can be made available to users using computational techniques that reliably authenticate the identity of individual student users during the course of the very submissions and/or participation that will establish student user proficiency with course content. Authentication methods and systems include applications of behavioral biometrics.

Abstract: An operation method of an electronic device is provided. The operation method includes registering, as reference signature data, at least one handwritten signature inputted into the electronic device by a user input means, authenticating an inputted handwritten signature by comparing data of the inputted handwritten signature with the registered reference signature data when the handwritten signature is inputted by the user input means, and further registering, as reference signature data, handwritten signature data regarding the inputted handwritten signature when the inputted handwritten signature is authenticated normally as a result of the authentication.

Abstract: In a computing device, when a user requests to carry out an operation, the device determines the type of operation requested and the time period since the user was last authenticated. The operation is enabled only if the determined time period does not exceed a threshold for the requested operation.

Abstract: A method for ensuring that an individual is authorized to conduct an activity is provided. The method includes conducting, using a processor, an authentication transaction with authentication data captured from an individual desiring to conduct an activity, and determining whether the captured authentication data is legitimate when the individual is successfully authenticated. Moreover, the method includes determining the individual is authorized to conduct the activity when the captured authentication data is legitimate, and conducting, using the processor, a subsequent authentication transaction with authentication data captured from the individual at a subsequent time.

Abstract: In an approach for automated vehicle authorization. A processor receives a first set of credentials from at least a first near field communication device, wherein the first set of credentials indicates information about a person. A processor receives a second set of credentials from at least a second near field communication device, wherein the second set of credentials indicates information about a vehicle. A processor compares the first set of credentials to the second set of credentials. A processor determines whether the person indicated by the first set of credentials has authority to operate the vehicle, based on, at least, the comparison of the first set of credentials to the second set of credentials.

Abstract: Code upgrades for computer components. After being powered on, a central processing unit (CPU) of a computer system loads a start-up authenticated code module (start-up ACM) to an authenticated code execution area (ACEA) within the CPU to be authenticated. When the start-up ACM passes authentication, the CPU executes the start-up ACM to connect to a server and receive a code upgrade file for a computer component of the computer system from the server.

Abstract: A communication device may receive a first specific signal not including authentication information from a first terminal device via an NFC interface, change an operation mode of the NFC interface from a first operation mode to a third operation mode, supply first authentication information to the NFC interfac, store first authentication information in a predetermined area, change the operation mode of the NFC interface from the third operation mode to the first operation mode, receive a second specific signal including the first authentication information from the first terminal device via the NFC interface and execute an authentication using the first authentication information by determining whether the first authentication information included in the second specific signal is stored in the predetermined area without changing the operation mode of the NFC interface from the first operation mode in a case where the second specific signal is received.

Abstract: The present disclosure provides a challenge-response testing systems for distinguishing between human users and bots. When a user requests to access an electronic resource on a computing device, the computing device identifies a challenge-response test for the user to complete. As part of the test, the computing device renders a first view of a 3D environment on a digital display. The computing device notifies the user of a test condition to complete. To satisfy the test condition, the user has to provide input that will effect a specified change to the view of the 3D environment seen on the display. Once the user provides electronic input, the computing device updates the viewing perspective of the 3D environment and renders an updated view on the digital display. When the user submits an indication that the test has been completed, the computing device verifies whether the test condition has been satisfied.

Abstract: Various embodiments of the invention provide for secure data communication in industrial process control architectures that employ a network of sensors and actuators. In various embodiments, data is secured by a secure serial transmission system that detects and authenticates IO-Link devices that are equipped with secure transceivers circuits, thereby, ensuring that non-trusted or non-qualified hardware is prevented from connecting to a network and potentially compromising system behavior.

Abstract: The present invention prevents a maintenance tool for carrying out maintenance work of an electronic control unit (ECU) from being abused by a third person. In an authentication system according to the present invention, an authentication apparatus authenticates an operator of an operation terminal (equivalent to the maintenance tool), and the operation terminal forwards an authentication code generated by the authentication apparatus to the ECU. By using the authentication code, the ECU determines whether or not to permit the operation terminal to carry out a maintenance operation.

Abstract: Disclosed are various embodiments for validating that relying parties of a federated identity provider have correctly implemented sign-out functionality. In one approach, a network page is received from a network site that is operated by a relying party of a federated identity provider. It is then determined whether the network page includes code that properly implements a sign-out from the federated identity provider. An action is initiated in response to determining that the network page does not include code that properly implements the sign-out from the federated identity provider.

Abstract: Securing invocation of stored procedures is provided herein. A first database management system (DBMS) can include a first database with first tables, a first user management module configured to manage privileges of database users (DB-users) of the first DBMS, and at least one first stored procedure. A second DBMS can include a second database with second tables, a second user management module configured to manage privileges of DB-users of the second DBMS, and at least one second stored procedure, the at least one second stored procedure configured to perform a computational task in the second DBMS. A synchronization mapping can map at least a portion of the first tables to respective ones of the second tables. Thus, a transfer of data of at least some of the first tables to the respective ones of the second tables in accordance with the synchronization-mapping can be performed.

Abstract: A system for executing code with blind hypervision mechanism comprises: at least one addressable physical memory, a processor operating in at least two modes, a mode termed initialization making it possible to define at least one partition in the memory and at least one second mode termed nominal, a memory bus linking the processor to the memory, a memory partitioning unit positioned on the memory bus, the unit being adapted for restricting memory access to the partition currently executing when the processor is in a mode other than the initialization mode.

Abstract: Provided is a method of identifying a computing resource requiring monitoring for a security purpose in a cloud-based data center during creation of a service template involving the computing resource. The identified computing resource is depicted in the service template. Upon receipt of a request for creating a service instance based on the service template, the service instance is created based on the service template and the identified computer resource is simultaneously monitored for the security purpose.

Abstract: A remote server dispatches an instruction packet to a node in a network through a linear communication orbit formed by a collection of nodes. The instruction packet propagates from node to node along the linear communication orbit until reaching the node. The instruction packet includes instructions for establishing a direct duplex connection between the node and the remote server. After dispatching the instruction packet to the node through the linear communication orbit, the remote server receives, from the node, a request for establishing the direct duplex connection. In response to receiving the request from the node, the remote server establishes the direct duplex connection. After establishing the direct duplex connection, the remote server issues instructions to the node to upload local data from the node to the remote server through the direct duplex connection.

Abstract: Disclosed are a system and method for protecting computers from unauthorized remote administration. One exemplary method includes: intercepting events occurring in the computer system including a first event and a second event associated with data transfer with an application executing in the computer system; determining that the first intercepted event is dependent on the second intercepted event based on parameters of the first intercepted event and the second intercepted event; generating a rule defining a dependency of at least one parameter of the first intercepted event on at least one parameter of the second intercepted event; responsive to determining a degree of similarity of the generated rule and a previously created rule exceeds a threshold value, identifying at least one application as a remote administration application that created the first and second identified intercepted events; and blocking the identified remote administration application from exchanging data with the computer system.

Abstract: A system configured to generate a risk score for a threat activity including a digital device. The digital device configured to extract one or more threat events on a network based on metadata for one or more targeted digital devices on the network. Further, the digital device is configured to detect one or more incidents based on a correlation between at least a first threat event of the one or more threat events and a second threat event of the one or more threat events. And, the digital device is configured to generate a risk score for each of said one or more incidents.

Abstract: For an antivirus scan during a data scrub operation, the antivirus scan is concurrently performed as an overlap with the data scrub operation, wherein the data scrub operation periodically inspects and corrects memory errors. The antivirus scan concurrently performing as an overlap with the data scrub operation is increased if a reduction in disk access by a host application is detected.

Abstract: An apparatus is provided for protecting a basic input/output system (BIOS) in a computing system. The apparatus includes a BIOS read only memory (ROM), an event detector, and a tamper detector. The BIOS ROM has BIOS contents that are stored as plaintext, and an encrypted message digest, where the encrypted message digest comprises an encrypted version of a first message digest that corresponds to the BIOS contents, and where and the encrypted version is generated via a symmetric key algorithm and a key. The event detector is configured to generate a BIOS check interrupt that interrupts normal operation of the computing system upon the occurrence of an event, where the event includes one or more occurrences of an APIC access.

Abstract: A method, system and computer-usable medium for generating a security analysis effort, cost and process scope estimates, comprising: analyzing a software system; identifying a complexity level of a security analysis, the complexity level of the security analysis comprising identification of an effort level for the security analysis; and, generating the security analysis effort estimate, the security analysis effort estimate comprising an estimate of an effort expenditure to perform a security analysis on the software system at the identified complexity level.

Abstract: A virtual machine creation method and apparatus are disclosed. The method includes: acquiring a first installation package of a first application; determining essential environmental data corresponding to the first installation package; obtaining a simplified operating system via compilation according to the essential environmental data; packaging the simplified operating system and the first installation package to obtain a virtual machine installation package; and running the virtual machine installation package to create a virtual machine.

Abstract: The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increase the risk assessment.

Abstract: A method begins by a set of storage units of a dispersed storage network (DSN) storing a plurality of encoded data slices, where each storage unit stores a unique sub-set of encoded data slices. The method continues with each storage unit dispersed storage error encoding at least a recovery threshold number of encoded data slices to produce a local set of encoded recovery data slices. In response to a retrieval request, the method continues with a device identifying a storage unit of an initial recovery number of storage units having a rebuilding issue and determining whether the rebuilding issue is correctable at a DSN level. When the rebuilding issue is correctable at the DSN level the method continues with the device selecting another storage unit to replace the storage unit to produce a recovery number of storage units and sending retrieve requests to the recovery number of storage units.

Abstract: Systems, methods, and programs of processing and transmitting information between devices are disclosed. A receiving device may generate a key. A transmitting device may scan the key. The transmitting device may transmit information to a file management system in response to scanning the key. A user associated with the receiving device may indicate a location to store the information. The user may access the information from the file management system.

Abstract: Systems and methods for securing or encrypting data or other information arising from a user's interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or accessed. The ciphertext can be stored in a user's storage device or in an enterprise database (e.g., at-rest encryption), or shared with other users (e.g., cryptographic communication). Use of context-based encryption keys enables key association with individual data elements, as opposed to public-private key pairs, or use of conventional user-based or system-based keys. In scenarios wherein data is shared by a sender with other users, the system manages the rights of users who are able to send and/or access the sender's data according to pre-defined policies/roles.

Abstract: System and method for accessing a distributed storage system uses a storage-level access control process at a distributed file system that interfaces with the distributed storage system to determine whether a particular client has access to a particular first file system object using an identifier of the particular client and storage-level access control rules in response to a file system request from the particular client to access a second file system object in the particular first file system. The storage-level access control rules are defined for a plurality of clients and a plurality of first file system objects of the distributed storage system to allow the particular client access to the second file system object in the particular first file system object only if the particular client has been determined to have access to the particular first file system object according to the storage-level access control rules.

Abstract: Systems and methods are provided herein for enabling a user to access a blocked media asset. These systems and methods allow a user to request that a parent, or another user, who can approve access to the blocked media asset approve access to the blocked media asset for viewing. The request may be transmitted as a notification to a mobile phone or another suitable device, such that the parent the other user can approve the request, even though they may be remote from the requesting user. Both the requesting user and the user whose approval is required to unblock the media asset (i.e., the approver), are identified by the system based on an identifier associated with each user. This informs the approver which user submitted the request. Additionally, this also adds a layer of security, since the approver must enter an identifier to authenticate their identity to the system before being able to unblock the program for the requesting user.

Abstract: The present disclosure provides systems and methods for authenticating photographic data. In one embodiment, a method comprises providing an image authentication application for use on a client device, the application configured to control image capture and transmission; receiving an image data file from the application at the authentication server comprising a photographic image captured by the application and metadata associated therewith; applying a watermark to the photographic image to create a watermarked image; applying date and time information to the tagged image; applying location information to the tagged image; creating a web address associated with the image data file; uploading the photographic image, the tagged image, or both to the web address; and transmitting an authenticated image file to the client device, the authenticated image file comprising one or more of: the watermarked image, the photographic image, the date and time information, geographic information, and the web address.

Abstract: Provided is a process including: obtaining, with a network controls engine, network traffic, wherein: the network traffic is sent across the network between source computing devices and destination computing devices; at least one of the source or destination computing devices are on a network carrying the network traffic; and the network has a plurality of computing devices causing the network traffic and which are assigned addresses on the network; applying, with the network controls engine, a plurality of rules to the network traffic to identify rules with criteria satisfied by the network traffic; and causing, with the network controls engine, one or more actions prescribed by one or more identified rules with criteria satisfied by the network traffic.

Abstract: The present technology pertains to a organization directory hosted by a synchronized content management system. The corporate directory can provide access to user accounts for all members of the organization to all content items in the organization directory on the respective file systems of the members' client devices. Members can reach any content item at the same path as other members relative to the organization directory root on their respective client device. In some embodiments novel access permissions are granted to maintain path consistency.

Abstract: A method generates, in a higher security domain (SD), public and secret keys using a first homomorphic encryption scheme (HES), passes the public key to a first shared security zone (SSZ) between the higher SD and a lower SD and through the first SSZ to a second entity in the lower SD, passes a plain text query from the higher SD to the first SSZ, encrypts the plain text query using a second HES, passes the encrypted plain text query to the second entity, performs an oblivious query to generate an encrypted result, and passes that from the lower SD to a second SSZ located between the higher and lower SDs, passes the secret key from the higher SD to the second SSZ, and decrypts the encrypted result using the secret key to generate a plain text result, and passes the plain text result to the higher SD.

Abstract: A method includes generating a database query in a database; receiving a first request to execute the database query on behalf of a first user; in response to the first request, executing the database query to generate a first set of results such that the first set of results is limited to data with which there is a semantic relationship in the database to a first datum representing the first user; receiving a second request to execute the database query on behalf of a second user; in response to the second request, executing the database query to generate a second set of results such that the second set of results is limited to data with which there is a semantic relationship in the database to a second datum representing the second user, where the first set of results and the second set of results are at least partially non-overlapping.

Abstract: In one embodiment, a method for securing data on a semi-trusted server is implemented on a computing device and includes: receiving at least a current session key from a user device for use during a current session, where the current session key is suitable for encrypting data and for decrypting data encrypted with the current session key, decrypting communications received from the user device during the session with said session key, encrypting with the session key at least one of communications to be sent to said user device and personal data generated during the session, storing the encrypted personal data, and discarding the current session key upon completion of the session, thereby limiting possible access to the stored encrypted personal data other than during the session. Related apparatus and methods are also described.

Abstract: A method and system for automatically identifying and protecting privacy vulnerabilities in data streams includes indexing data values for each attribute of the data stream received by local virtual machines based on a schema of each data stream, classifying the data attributes of the plurality of data streams into known data types, integrating the local virtual machine indexes into a global index data structure for the data streams including single attribute data values, identifying privacy vulnerabilities in the data as attributes that are direct identifiers based on the attribute data values stored in the global index and combinations of attributes that are quasi-identifiers based on the low frequency of certain combinations of attribute data value pairs by computing the frequency based on the single attribute data values stored in the global index and providing privacy protection to the data streams by applying data transformations on the discovered direct identifiers and the quasi-identifiers.

Abstract: A system and method for using customer information in electronic commerce using the Internet are provided. The system includes a customer information database (DB) for storing a unique number for each customer, an integrated customer information DB for storing actual customer information corresponding to the unique number in an integrated manner, and a management server for providing the unique number stored in the customer information DB and providing the actual customer information corresponding to the unique number under a security condition when an external terminal requests customer information. Actual customer information can be effectively prevented from being easily leaked by hackers or malicious programs and customer information can be utilized without a security issue.

Abstract: Digital communication messages processed by each specific one of a plurality of client computers are tracked and indexed. A query made by a first client computer against a base of digital communication messages of the organization is received by the client computers. The indexed communication messages are searched based on the query, and a search result is obtained. Relevance between the query and the search result is determined. Users operating client computers are prompted to indicate whether to respond to the query responsive to determining that the relevance meets a criterion. An indication to respond to the query is received by one or more client computers of the plurality. One or more responses are generated by the one or more client computers and transmitted to the first client computer.

Abstract: A system for verifying applications for Real-Time Execution (RTE) devices is provided. The system includes a memory, at least one processor coupled to the memory, and a simulation component executable by the at least one processor. The simulation component may be configured to receive device simulation information for an RTE device, the device simulation information including device configuration information, application information, and targeted performance information, configure a virtual device simulator to simulate performance of the RTE device, run the virtual device simulator to process one or more simulated events, and output simulation results.

Abstract: A node associated with an organization may receive a storage identifier for new credit data associated with an individual. A distributed ledger and distributed data sources may be used to share the new credit data with a network of nodes. The node may update a smart contract with the storage identifier for the new credit data. The node may receive, from a particular device associated with the organization, a request for the new credit data. The node may obtain the storage identifier for the new credit data from the smart contract. The node may obtain the new credit data by using the storage identifier to search the distributed data sources. The node may provide the new credit data to the particular device. The node may perform actions to obtain additional new credit data from the distributed data sources or provide the additional new credit data to the distributed data sources.

Abstract: An integrated circuit includes a control circuit, a one-time programmable circuit, and a security feature. The control circuit determines if the one-time programmable circuit is programmed in response to a request by a user of the integrated circuit to access the security feature. The control circuit generates a signal to indicate to the user of the integrated circuit that the security feature has been previously accessed if the control circuit determines that the one-time programmable circuit has been programmed to indicate a previous access to the security feature. The control circuit causes the one-time programmable circuit to be programmed in response to the request if the control circuit determines that the one-time programmable circuit has not been programmed.

Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

Abstract: An apparatus includes an interface and a processor. The interface is configured for communicating over a bus. The processor is configured to disrupt on the bus a transaction in which a bus-master device attempts to access a peripheral device without authorization, by forcing one or more dummy values on at least one line of the bus in parallel to at least a part of the transaction.