Abstract: A computing device includes a housing, a processor, memory, a human interface device (i.e., a keyboard or a trackpad), and a biometric sensor integrated into the housing. The biometric sensor is configured for capturing biometric data (i.e., heartbeat data or a vein scan) from one or more of hands of a user of the device while the user's fingers are interacting with the human interface device. The memory stores executable instructions that, when executed by the at least one processor, cause the computing device to: compare the captured biometric data to one or more records of biometric data associated with the user; determine, based on the comparison, whether the captured biometric data satisfies a matching condition with the one or more records of biometric data; and authenticate the user, when the captured biometric data satisfies the matching condition.

Abstract: The purpose of the present invention is to provide a portable terminal and an application software start-up system whereby the application software that is started up is limited depending on the state of a user, thereby providing an improved ease of use. For this purpose, an application software start-up method for an information processing device comprises: performing identity authentication based on static biological information; determining the state of the user by comparing dynamic biological information acquired from the body of the user with previously measured dynamic biological information; and limiting the application software that is started up in accordance with the determined state of the user and on the basis of a permission level that is set in advance for each application software item.

Abstract: An authentication method. The method comprises comparing user voice data received via an electronic device to a stored voice template to determine a voice authentication parameter. A voice authentication threshold is determined and the voice authentication parameter is compared to the voice authentication threshold to determine whether to authenticate the user. Determining the voice authentication threshold comprises determining a current value of an enrollment counter, then comparing the current value of the enrollment counter to an enrollment counter threshold and determining whether the stored voice template is fully enrolled according to the result. If the stored voice template is fully enrolled, the voice authentication threshold is set to a first voice authentication threshold. If the stored voice template is not fully enrolled then a device attribute received from the electronic device is compared to a stored device attribute.

Abstract: An unlocking control method includes the follows. A password matching process is performed on a screen unlock password, an interrupt request is triggered, an original fingerprint image is acquired, and a fingerprint identification process is performed on the original fingerprint image, when a terminal device is in a screen-off state and the screen unlock password input by a user and a press operation of the user on a fingerprint identification module of the terminal device are detected. A screen of the terminal device is lit up, when the password matching process is matched and the fingerprint identification process is successful.

Abstract: An electronic device and a method for improving iris recognition for providing access to the electronic device. The electronic device includes an iris scanner, an ambient light sensor, a memory and a processor. The memory includes computer program code for providing access control to the electronic device to a user by iris recognition of the user's iris. The processor causes the electronic device to prompt the user to provide iris samples of the user's iris to the iris scanner in a particular lighting condition measured by the ambient light sensor in occurrence of at least one of first event and second event. The first event occurs if the processor determines a missing information associated with an iris sample in the particular lighting condition in the electronic device. The second event occurs if the processor detects an unsuccessful iris recognition attempt for accessing the electronic device in the particular lighting condition.

Abstract: Systems and methods are provided for calculating authenticity of a human user. One method comprises receiving, via a network, an electronic request from a user device, instantiating a video connection with the user device; generating, using a database of questions, a first question; providing, via the network, the generated question to the user device; analyzing video and audio data received via the connection to extract facial expressions, calculating, using convolutional neural networks, first data and second data corresponding predetermined emotions based on facial expressions and audio data; generating candidate emotion data using the first and second data; determining whether the candidate emotion data predicts a predetermined emotion, and generating a second question to collect additional data for aggregating with the first and second data or determining the authenticity of the user and using the determined authenticity to decide on the user request.

Abstract: Disclosed are systems and methods for establishing secure communication between virtual machines, and, more particularly, to a system and method for establishing secure communication channels between two or more homogenous virtual machines. An exemplary method includes generating, by a first virtual machine, an encryption key compatible with a symmetric encryption algorithm and storing the encryption key in a memory of the first virtual machine; generating a second virtual machine by performing a virtual machine forking operation on the first virtual machine, wherein a memory of the generated second virtual machine contains the encryption key; receiving, by one of the at least two virtual machines, a communication transmitted by another of the at least two virtual machines, wherein the communication comprises data encrypted using the encryption key; and decrypting the data, by the recipient virtual machine, using the encryption key.

Abstract: Entities of an organization may have difficulties generating and remembering strong passwords. A password management service may generate passwords with high entropy and aid entities in remembering generated passwords. The password management service may generate a list of passwords based on a seed value provided by the entities. The entities may then select a password from the list of passwords to be used at the entities' password. Furthermore, the entities may be allowed to save the list of passwords to aid the entities in remembering their selected password from the list of passwords.

Abstract: Systems and methods for password-based authentication are described. A password hardening method may include a step of receiving input provided by a user, wherein the user-provided input includes a password provided by the user for an application, and wherein at least a portion of the application is protected by a password-based authentication service. The method may also include a step of obtaining a hardened password for the user for the application, wherein the hardened password is based, at least in part, on the user-provided password, identification data associated with the application, and at least a portion of an entropy datastore associated with the user. The method may also include a step of providing the hardened password to the password-based authentication service, wherein the authentication service grants the user access to the password-protected portion of the application based, at least in part, on the provided hardened password.

Abstract: In one aspect of the embodiments, malicious instructions executed or to be executed by a processor in a computing device are identified and preventive action is taken in response to that detection, thereby preventing harm to the computing device and the user's data by the malicious instructions. In another aspect of the embodiments, a thread context monitor determines which thread are active within an operating system at any given time, which further enhances the ability to determine which thread contains malicious instructions.

Abstract: Described herein are techniques for dealing with the problem of security vulnerabilities in computer software due to undefined behavior that may be exploited by attackers. A way of dealing with this problem is to remove an essential capability for most advanced attacks, Turing completeness. That is, a piece of software is provided the ability to specify that it does not need Turing completeness (i.e., backward computation) in order to perform a given task such as parsing. During this stage, attackers are prevented from abusing the system by performing, for example, return oriented programming.

Abstract: Software self-checking mechanisms are described for improving software tamper resistance and/or reliability. Redundant tests are performed to detect modifications to a program while it is running. Modifications are recorded or reported. Embodiments of the software self-checking mechanisms can be implemented such that they are relatively stealthy and robust, and so that they are compatible with copy-specific static watermarking and other tamper-resistance techniques.

Abstract: Described is a system for synthesis of cryptographic software from specification. During operation, the system generates a first level formalization code of a cryptographic protocol based on a user input protocol specification and a library of transformation rules. A second level formalization code is then generated by implementing communication protocols to the first level formalization code. A third level formalization code subsequently generated by implementing cryptographic primitives to the second level formalization code. Finally, the third level formalization code is encoded on a computer readable medium as an executable code.

Abstract: A method is disclosed for providing sanitized log data to a threat detection system. The sanitized log data is derived from a log table with continuous columns, themselves having continuous entries with continuous values. First, a retention probability parameter and an accuracy radius parameter are selected. Next, a probability distribution function is initialized with the retention probability parameter and the accuracy radius parameter. For each continuous value, the probability distribution function is applied, resulting in perturbed continuous values of a perturbed continuous columns Finally, the perturbed continuous columns are provided as the sanitized log.

Abstract: There is disclosed in one example a computing apparatus, including: an interface to a backup source in a current state; a backup storage having stored thereon a first backup version of a previous state of the source; and a backup engine to: compute a delta between the current state and the previous state; save via the backup storage a second backup version sufficient to reconstruct the current state; and assign the second backup version a reputation relative to one or more previous backup versions.

Abstract: Methods and apparatus to recover a processor state during a system failure or security event are disclosed. An example apparatus to recover data includes a processor including a local memory and a system monitor in communication with the processor. The system monitor is to copy processor backup data to a non-volatile memory in response to a processor backup event. The processor backup data includes contents of the local memory.

Abstract: Provided is a more versatile technique that makes it possible to input dummy information in response to an attacker seeking to collect normal information that cannot be replaced with dummy information. In the present invention, a dummy information insertion device inserts dummy information into a second location that is determined using: first location information indicating a first location that contains normal information, from among all normal information in a computer, which cannot be replaced with other information; and insertion condition information that indicates conditions for determining the second location into which dummy information is to be inserted, with such dummy information resembling the normal information that cannot be replaced and not being present in the computer or in a local network connected to the computer.

Abstract: Embodiments for scanning data within and between distributed computing components by a processor. Data scanning functionality is allocated through an object storlet located at a local node of the distributed computing components. The data scanning functionality is performed using computational components of the object storlet on local data contained within the local node to alleviate transfer of the local data outside of the local node to be scanned.

Abstract: In accordance with one embodiment of the present disclosure, a method for determining the similarity between a first data set and a second data set is provided. The method includes performing an entropy analysis on the first and second data sets to produce a first entropy result, wherein the first data set comprises data representative of a first one or more computer files of known content and the second data set comprises data representative of a one or more computer files of unknown content; analyzing the first entropy result; and if the first entropy result is within a predetermined threshold, identifying the second data set as substantially related to the first data set.

Abstract: Cybersecurity systems and techniques are described. A cybersecurity method may include generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on dynamic features of the process. Generating the process fingerprint may include performing a cryptographic hash operation on data representing dynamic features of the process. The method may further include comparing the process fingerprint to a plurality of process fingerprints, and based, at least in part, on a result of the comparison, performing a data reduction operation on data associated with the process and/or determining whether the process is a malware process.

Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.

Abstract: A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process, initiated by and executing on by the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer is identified corresponding to the identified one or more parameters, a first time pointer. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified. It is determined whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution. An action is performed based on the above determination.

Abstract: Some embodiments provide a method for preventing stressed end machines from being scanned for security check on a host machine that executes several different end machines scheduled to be scanned for security check. The method collects, at one of the end machines, a set of measurement data from a set of resources of the end machine. The method then determines whether a measurement data collected from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method tags the end machine as a stressed machine so that the end machine will not participate in any future security check scans.

Abstract: A device runs a hypervisor and a virtual machine. The virtual machine includes a virtual security module, which can be a virtual trusted platform module (TPM). The virtual security module for the virtual machine is encrypted, and in order for the hypervisor to run the virtual machine the virtual security module is decrypted using a security module key. If a host guardian service is accessible, then the hypervisor obtains the key to decrypt the virtual security module from the host guardian service. However, if the host guardian service is inaccessible, then the hypervisor uses a key securely stored in a key cache of the device to decrypt the virtual security module. In one or more embodiments, the hypervisor can obtain the key from the key cache only if a health certificate indicating that the host guardian service trusts the device has been previously obtained from the host guardian service.

Abstract: A system and method for identifying exploitable code sequences. In one implementation, a first processing device identifies an executable portion of a program and a set of registers of a second processing device, and stores a set of addresses in the set of registers. The first processing device allocates a region of memory populated with a set of values, and sets a stack pointer of the second processing device to point to a first location within the region of memory. The first processing device emulates an execution by the second processing device of an instruction at a first address of the executable portion. In response to determining that, after the emulating of the instruction at the first address, an address of a next instruction to execute after the instruction at the first address is in the set of addresses or the set of values, a signal is generated that indicates a potential exploitable code sequence.

Abstract: Example embodiments disclosed herein relate to an approach for installing a runtime agent during a security test. A security test is initiated or performed on an application under test executing on a server. An application vulnerability associated with the application under test is determined. The application vulnerability is exploited to install the runtime agent on the server. The security test is continued using the runtime agent to receive additional information about the application under test.

Abstract: The disclosure provides a method, a checking device and a system for determining security of a processor. The method comprises: setting an initial running state of the checking device according to initial running state information of the processor during the target running process, and taking input information of the processor during the target running process as input information of the checking device; causing the checking device to execute a task of the target running process in a manner conforming to predefined behavior to obtain at least one of output information and final running state information of the checking device, wherein the predefined behavior is a standard of hardware behavior of the processor; and determining whether the processor is secure during the target running process according to at least one of the output information and the final running state information of the checking device when the checking device completes the task of the target running process.

Abstract: According to an example, to authenticate a user of a computing device, a user login request with at least one primary credential is received from a computing device. At least one primary credential is validated to authenticate the user, and a first device token is created and transmitted to the computing device. A secondary credential is received from the computing device, and a server token and a reference to the server token is created. The server token is encrypted and stored and the server token reference is sent to computing device for use in a subsequent authentication with the secondary credential.

Abstract: Managing access to confidential content is provided. An indication of an identity of a teleconference participant is received via a voice communication headset that includes a skull conduction speaker and microphone. A database is analyzed to identify confidential information the teleconference participant is not authorized to hear. Voice communication content is provided in real time to the teleconference participant. The identified confidential information the teleconference participant is not authorized to hear is muted in the voice communication content.

Abstract: An authenticated print session allows a mobile device to authenticate an encrypted file for printing at a print device sent by a base computer. The base computer authorizes the mobile device to release printing when in close proximity to the print device. The authenticated print session uses the mobile device to authenticate the owner of the encrypted file, and to authorize the release of the file at the print device over a non-secure communication channel.

Abstract: A method for integrating a new secure datacenter into a data storage network is provided. The method detects, by an accessible datacenter connected to the data storage network, the new secure datacenter connected to the data storage network, wherein the new secure datacenter includes a high security level that prevents user access, and wherein the accessible datacenter includes a decreased security level that permits user access; expands a storage layer in the accessible datacenter, by increasing available storage hardware of the accessible datacenter; connects a data pipeline from the new secure datacenter to the storage layer in the accessible datacenter, wherein the data pipeline comprises dedicated servers configured to buffer data, orchestrate a cluster of servers, and push data from the new secure datacenter to the accessible datacenter; and provides end user access to the storage layer.

Abstract: Provided are exemplary systems and methods for secure intelligent networked architecture, processing and execution. Exemplary embodiments include an intelligent networked architecture comprising an intelligent agent, a secure cloud of a plurality of specialized intelligent historical agents, a plurality of secure cloud based specialized insight servers configured to transform secure digital data into a scrubbed situational deployment trigger, and an intelligent operational agent configured to receive the scrubbed situational deployment trigger.

Abstract: Computer systems and methods are provided for distributing a data bookmark. An interface of a device that is secured in a private network receives a scope definition. The scope definition includes information that defines a scope of access to data that corresponds to data stored by one or more databases that are secured in the private network. A pointer is generated for the data bookmark. The data bookmark is generated using the pointer and the scope definition. A device that is secured in the private network stores the generated data bookmark. Information about the data bookmark, including the pointer for the data bookmark, is transmitted to at least one remote device at a remote location that is outside of the private network.

Abstract: Embodiments of the present disclosure provide a technique for establishing data security over an Internet of Things (IoT) network. According to an embodiment, a method includes performing by at least one host entity implemented in a network, tracking distribution of data in the network by maintaining a data location file that includes plurality of parameters of each of plurality of data subsets. The data subsets are distributed in plurality of devices of the network such as key servers, host entities and client entities. The data subsets include any or a combination of an encryption key, a key identifier, a header, an authorization information, a decryption key, a control message, a computer program, a config file, data generated by any client entity of the one or more client entities, and data processed by any host entity of the one or more host entities.

Abstract: System and method to produce an anonymized cohort, members of the cohort having less than a predetermined risk of re-identification. The method includes receiving a data query of requested traits to request in an anonymized cohort, querying a data source to find records that possess at least some of the traits, forming a dataset from at least some of the records, and calculating an anonymity histogram of the dataset. For each patient record within the dataset, the method anonymizes the dataset by calculating using a threshold selector whether a predetermined patient profile within the dataset should be perturbed, calculating using a value selector whether a value within the indicated patient profile should be perturbed, and suppressing an indicated value within the indicated patient profile. The anonymized dataset then is returned.

Abstract: Techniques are disclosed relating to securely storing data in a computing device. In one embodiment, a computing device includes a secure circuit configured to maintain key bags for a plurality of users, each associated with a respective one of the plurality of users and including a first set of keys usable to decrypt a second set of encrypted keys for decrypting data associated with the respective user. The secure circuit is configured to receive an indication that an encrypted file of a first of the plurality of users is to be accessed and use a key in a key bag associated with the first user to decrypt an encrypted key of the second set of encrypted keys. The secure circuit is further configured to convey the decrypted key to a memory controller configured to decrypt the encrypted file upon retrieval from a memory.

Abstract: A private key of a public-private key pair with a corresponding identity is written to an integrated circuit including a processor, a non-volatile memory, and a cryptographic engine coupled to the processor and the non-volatile memory. The private key is written to the non-volatile memory. The integrated circuit is implemented in complementary metal-oxide semiconductor 14 nm or smaller technology. The integrated circuit is permanently modified, subsequent to the writing, such that further writing to the non-volatile memory is disabled and such that the private key can be read only by the cryptographic engine and not off-chip. Corresponding integrated circuits and wafers are also disclosed.

Abstract: Systems, computer-readable media and methods for enabling secure computation on spreadsheet software. A secure spreadsheet is implemented as an add-in to an existing spreadsheet program, or as a new spreadsheet program/web application, to allow secure computations on private input data (and also optionally with private functions) without the parties learning anything about them, via the familiar spreadsheet interface and its formula language. Automatic conversion of previous spreadsheet data and formulas is provided whenever possible, or assisted via a helper. The secure computation can be executed between the computers of the involved parties, or outsourced to a third-party—cloud computing system (FIG. 4)—: the secure cryptographic calculation module automatically optimizes for the best performing technique of secure computation (for example, homomorphic encryption, garbled circuits, oblivious transfers, secret sharing, oblivious random access machines and/or a combination of the previous crypto-primitives).

Abstract: Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make squaring operations indistinguishable or less distinguishable from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.

Abstract: An analog circuit design is described that solves Linear Programming (LP) or Quadratic Programming (QP) problems.

Abstract: Embodiments herein describe RFID systems that include multiple RFID tag readers that each use a different frequency to communicate with an RFID tag. For example, each of the tag readers may transmit a tag query command using different modulated frequencies. In one embodiment, the RFID tag includes multiple receivers each tuned to one of the different frequencies generated by the tag readers. For example, one receiver in the tag is tuned to receive 200 MHz signals while another receiver is tuned to receive 900 MHz signals. To provide location information, the RFID tag compares power values associated with the received signals to determine which of the RFID tag readers is closest to the tag. The RFID tag conveys this location information to the tag readers by selecting one of the frequencies of the tag readers to use when generating a reply message.

Abstract: An RFID-enabled retail carriage basket, which may be placed within a retail carriage or may be integrated into a retail carriage, such as a shopping cart. The RFID-enabled retail carriage basket may have a base with a near-field radio-frequency antenna, and sidewalls arranged around the perimeter of the base. RF-reflecting material may be attached to the lower part of the carriage basket, on the outside of the base and along the lowest parts of the sidewalls. RF-mitigating material may be attached to the remaining parts of the sidewalls. The RFID-enabled retail carriage basket may be connected to a host device, which may control scanning of the basket that may be performed by the antenna. If desired, the RFID-enabled retail carriage basket may be provided in the lower basket of a double-basket shopping cart and configured to scan both the upper and the lower basket with the antenna.

Abstract: In some embodiments, apparatuses and methods are provided herein useful to monitoring a plurality of RFID tags in a remote location. In some embodiments, a garment for monitoring a plurality of RFID tags in a remote location comprises a garment body, an RFID reader attached to the garment body, the RFID reader configured to read the plurality of RFID tags in the remote location, an antenna attached to the garment body, and a control circuit attached to the garment and configured to receive, from the RFID reader, one or more identifiers, wherein the one or more identifiers are associated with the plurality of RFID tags, generate, based on the one or more identifiers, emulated identifiers, determine that the garment is within a designated area separate from the remote location, and in response to determining that the garment is within the designated area, cause the emulated identifiers to be transmitted.

Abstract: A tag reader includes: a phase calculation section that sequentially calculates a phase of a reception wave; a phase difference calculation section that calculates a phase difference as a difference of phases calculated at two time points; and a tag angle calculation section that calculates a tag angle between a straight line connecting an antenna and the wireless tag and a line on which the wireless tag is moving. The phase difference calculation section calculates two values of the phase difference. The tag angle calculation section calculates a first tag angle and a second tag angle. The tag reader comprises a tag distance calculation section that calculates an antenna-tag minimum distance as a minimum distance from the line to the antenna.

Abstract: A contact image sensor having an illumination source; a first SBG array device; a transmission grating; a second SBG array device; a waveguiding layer including a multiplicity of waveguide cores separated by cladding material; an upper clad layer; and a platen. The sensor further includes: an input element for coupling light from the illumination source into the first SBG array; a coupling element for coupling light out of the cores into output optical paths coupled to a detector having at least one photosensitive element.

Abstract: A method for unlocking a mobile terminal may include the follows. A set of feature points are acquired. The set of the feature points are acquired via a scanning partition of a fingerprint recognition sensor. The fingerprint recognition sensor includes M scanning partitions, the number of sensing electrodes within each of the M scanning partitions is greater than a first preset threshold, and M is a positive integer greater than 1. The mobile terminal is unlocked when the set of the feature points are successfully matched with a template stored in advance in the mobile terminal.

Abstract: An apparatus comprises a fingerprint sensor having a set of capacitive elements configured for capacitively coupling to a user fingerprint. The fingerprint sensor may be disposed under a control button or display element of an electronic device, for example one or more of a control button and a display component. A responsive element is responsive to proximity of the user fingerprint, for example one or both of a first circuit responsive to motion of the control button, and a second circuit responsive to a coupling between the fingerprint and a surface of the display element. The fingerprint sensor is disposed closer to the fingerprint than the responsive element. The control button or display component may include an anisotropic dielectric material, for example sapphire.

Abstract: A method for controlling unlocking is provided. When a touch operation of a finger of a user on a fingerprint recognition module of a terminal device is detected, N first fingerprint images are received according to N capacity auto control (CAC) parameters corresponding to a wet finger, and M second fingerprint images are received according to M CAC parameters corresponding to fingerprint stabilization, where N is an integer greater than or equal to 1, and M is an integer greater than 1; a fingerprint image having the best clarity is selected from among the N first fingerprint images and the M second fingerprint images; the selected fingerprint image is compared; the terminal device is unlocked when the selected fingerprint image is matched.

Abstract: Systems and methods may be used by an automatic fingerprint identification system to estimate ridge flow maps in latent fingerprints. A latent fingerprint image and a plurality of reference ridge flow maps may initially be obtained. A latent ridge flow map for the obtained latent fingerprint image may be computed. One or more characteristics associated with the latent ridge flow map may be compared to one or more characteristics associated with each of the plurality of reference ridge flow maps. A similarity score between the latent ridge flow map and a particular reference ridge flow map may be computed for each of the reference ridge flow maps. The top closely matched ridge flow maps are used to improve the latent ridge flow map to enhance the latent fingerprint image to extract better set of minutia points to improve latent to ten-print matching accuracy.

Abstract: An apparatus for detecting false fingerprints, comprising: an optical element having a detection surface on which at least one body is intended to be positioned, of which cutaneous imprints are intended to be detected, an anti-fake illuminator configured to generate at least one bright zone and at least one dark zone on said detection surface, an optical sensor arranged to capture light radiation reflected/diffused by said detection surface.