Abstract: Systems and methods provide logic that validates a code generated by a user, and that executes a function of a programmatic interface after the user code is validated. In one implementation, a computer-implemented method performs a multifactor authentication of a user prior to executing a function of a programmatic interface. The method includes receiving, at a server, a user code through a programmatic interface. The server computes a server code in response to the user code, and compares the user code to the server code to determine that the user code corresponds to the server code. The server validates the user code and executes a function of the programmatic interface, after the user code is validated.

Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. The cryptography service, upon receiving a request for a key, may provide a referral to another system to obtain the key.

Abstract: Disclosed are system and method for detecting malicious code in address space of a process. An exemplary method comprises: detecting a first process executed on the computer in association with an application; intercepting at least one function call made by the first process to a second process; determining one or more attributes associated with the at least one function call; determining whether to perform malware analysis of code associated with the at least one function call in an address space associated with the second process based on application of one or more rules to the one or more attributes; and upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious.

Abstract: A hypervisor associates a combined register space with a virtual device to be presented to a guest operating system of a virtual machine, the combined register space comprising a default register space and an additional register space. Responsive to detecting an access of the additional register space by the guest operating system of the virtual machine, the hypervisor performs an operation on behalf of the virtual machine, the operation pertaining to the access of the additional register space.

Abstract: A computing platform for on-demand I/O channels, which enable secure application to dynamically connect to diverse peripheral devices of untrusted commodity OSes.

Abstract: According to an embodiment of the present disclosure, there is provided an information processing device including an activation control unit configured to transmit first information that includes information read through near field communication to a server device, to acquire second information transmitted from the server device according to the first information, and to control activation of an application of the information processing device itself based on the acquired second information.

Abstract: According to one embodiment, a system comprising a dynamic analysis server comprising one or more virtual machines is disclosed, wherein the one or more virtual machines may be configured to execute certain event logic with respect to a loaded module. The virtual machines may be communicatively coupled to a virtual machine manager and a database; and rule-matching logic comprising detection logic, wherein the detection logic is configured to determine (1) whether an access source is attempting to access a protected region such as a page guarded area; and (2) determine whether the access source is from the heap. The system further comprises reporting logic that is configured to generate an alert so as to notify a user and/or network administrator of a probable application-execution hijacking attack.

Abstract: Disclosed are an authentication method performed by a radio access network (RAN) node in a wireless communication system and an apparatus thereof. In the present disclosure, a first message indicating initiation of an authentication procedure of the RAN node for multiple user equipments (UEs) used for a specific purpose to attach to a network is transmitted, an authentication request message including first security information for authenticating the network is received from the first network node, second security information for authenticating the RAN node is transmitted to the first network node, and a complete message indicating completion of the authentication procedure is received from the first network node.

Abstract: A method for implementing zone-restricted behavior of a computing device includes identifying wireless access points using the computing device, determining a number of authorized wireless access points from the wireless access points identified by the computing device, determining that the computing device is located within a restricted access zone when the number of authorized wireless access points identified by the computing device exceeds a predetermined threshold of authorized wireless access points identified, and enabling a zone mode of the computing device when the computing device is determined to be located within the restricted access zone.

Abstract: A system comprises client devices that include user interfaces that comprise workspaces that can be used to display a live history of a multimedia collaboration session. The workspaces can be private and can be configured to display information representative of media elements that can be shared within the multimedia collaboration session, but that are only viewable to a participant associated with a particular client device. The private workspaces can be used to preview information before publishing it to other participants or to view a live history of the multimedia collaboration session.

Abstract: Methods, systems, and computer program products are provided for protecting stored data. A user interface module enables a data sensitivity level, a data protection response, and a contextual trigger to be associated with data stored in a computing device. The user interface is configured to enable the data protection response to be selected from a plurality of data protection responses that includes a soft delete and a hard delete. A contextual trigger monitor is configured to monitor for an occurrence of the contextual trigger. A data protection enactor is configured to enact the data protection response associated with the data when an occurrence of the contextual trigger is detected.

Abstract: Methods and systems for making effective use of system resources. A plurality of requests for access to a resource are received. Each request has an associated group of features. The group of features for each request is analyzed to collect observations about the plurality of requests. A function to predict an outcome of a subsequent request is generated based on the observations. Resources are allocated to service the subsequent request based on the function.

Abstract: Secure key derivation within a virtualized execution environment may involve a key derivation module executing within a platform layer of the execution environment. An application executing within an application layer of the execution environment may access the key derivation module in order to generate a cryptographic key according to a key derivation function. Instead of being returned to the application, the derived key may be stored within a secure storage area of the execution environment without being stored, even temporarily in the application layer, or other non-secure areas, of the execution environment. The application may receive a reference to the derived key usable by other cryptographic processes. The application may pass the key reference to a method of a cryptographic module and the cryptographic module may use the key reference to access the derived key from the secure storage for use in performing any of various cryptographic processes.

Abstract: A system for layered-based image updates is disclosed. In the system, a server may receive information corresponding to a modification to an image made by a user; generate a layer that includes the modification to the image; store the layer; and publish the image as an updated image, including the layer, to cause a user device to display the updated image, information identifying the user, and an indication that the user is associated with the layer.

Abstract: A storage controller that is coupled to a plurality of storage clouds is maintained. The storage controller determines security requirements for performing a selected operation in the plurality of storage cloud. A subset of storage clouds of the plurality of storage clouds that are able to satisfy the security requirements are determined. A determination is made as to which storage cloud of the subset of storage clouds is most responsive for performing the selected operation. The selected operation is performed in the determined storage cloud that is most responsive.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events that indicates a potential attack path is determined. The chain of communication events include a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data, for the threat scenario and from a threat intelligence data source, that is associated with communications between computing devices that occurred during one or more prior attacks is received.

Abstract: An enhanced electronic health record system. A user device having a display accesses electronic health records and clinic note templates stored on digital storage segments. A template selection screen is presented on the display of the user device. The template selection screen has at least two view modes. One view mode is a grid view, in which icon representations of various clinic note templates are displayed, each icon representation having a number of secondary icons providing additional functionality and information to the user. Also available is a list view, which also contains a vertical listing of available clinic note templates, each list element also having secondary icons. Upon selection of a template, the user is presented with a formatted clinic note. Additional functionality is available to the user to aid in the efficient capture of information.

Abstract: A method for automatically establishing a wireless connection, a gateway device and a client device for internet of things (IoT) using the same are provided. According to the provided method, SSID of the gateway device can be composed of an encrypted access password and an index, so that the client device may identify the gateway device to be connected according to the index within the SSID string and acquire the encrypted access password from the SSID string. Therefore, the client device can decrypt the encrypted access password. Accordingly, the wireless connection between the client device and the gateway device can be automatically established since the client device acquires the access password from the SSID of the gateway device.

Abstract: A method that includes receiving a data entity by the computer; storing the data entity in a first sector of the memory; wherein the first sector is isolated from another memory sector and executable code in the first sector is prevented from performing a write action to the other memory sector; generating, by the processor, an intermediate representation of the data entity; searching, by the processor, for an executable code that was not expected to be included in the data entity in the intermediate representation of the data entity; and when finding the executable code that was not expected to be included in the data entity then preventing a copying of the data entity to the other memory sector.

Abstract: Systems and methods are provided for authenticating a user of a computing device. An example system includes a memory storing instructions, and a processor configured to execute the instructions to receive an authentication request from a user of a computing device, determine a context of the authentication request, determine a physical location of the user, and perform, based on the context of the authentication request and the physical location of the user, an associate proximity detection. The associate proximity detection includes steps to identify an associate based on at least one of the context of the authentication request or the physical location of the user, determine a physical location of the identified known associate, and determine a proximity of the user to the identified known associate. The authentication request may be approved when the determined proximity is within a threshold.

Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.

Abstract: Systems and arrangements for performing biometric facial recognition in order to provide access to a device and/or process one or more events are provided. In some examples, one or more images of a user may be received by an entity and pre-processed to obtain a mean pixel value and variance of each image. These values may be stored in association with the image and/or identifying information associated with the user. Upon receiving a request to access a device, the device may capture an image of the user requesting access. The captured image may be processed similarly to the pre-stored images to determine a mean pixel value and variance. The system may compare the determined mean pixel value and variance for the pre-stored images to the captured image to obtain a similarity score. If the similarity score is at or above a predetermined threshold value, the images may be considered a match.

Abstract: A system for managing sessions between a client and multiple servers includes: a receiver for receiving, as a proxy for each of the servers, a request from the client to any of the servers; a determination unit for determining, upon receipt of the request from the client to any of the servers, whether sessions established between the client and the multiple servers are maintained; a disconnection unit for disconnecting, on condition that a session between the client and any of the multiple servers is already disconnected, the sessions established between the client and the servers different from the disconnected server; and a forward unit for forwarding, on condition that the sessions established between the client and all of the multiple servers are maintained, the received request to the destination server for the request.

Abstract: A text management system may include a text message transmission server that transmits a message received from a first device to a second device. The text message transmission server may include a device manager that manages device information of the second device, a receiver that receives a message from the first device, a message manager that determines a transmission path of the message to the second device based on the device information of the second device, and a transmitter that transmits, to the second device, the message along the determined transmission path.

Abstract: A memory protection system includes a memory, one or more physical processors, a hypervisor, and a virtual machine including a guest OS executing on the one or more processors. The hypervisor notifies the guest OS of a first location of a first device and a second location of a second device. The hypervisor specifies a first protection level for the first device and a second protection level for the second device. The hypervisor notifies the virtual machine of the first protection level and the second protection level. The guest OS maps a first memory page accessible by the first device and a second memory page accessible by the second device. The guest OS specifies a first trust level for the first device and a second trust level for the second device. The guest OS compares the trust levels and the protection levels associated with each device.

Abstract: In general, certain embodiments of the present disclosure provide techniques or mechanisms for automatically filtering network messages in an aviation network for an aircraft based on a current system context. According to various embodiments, a method is provided comprising receiving a network message transmitted from a source avionic device to a destination avionic device via one or more network packets within the aviation network. A current system context, indicating an aggregate status of avionic devices within the aviation network, is determined based on monitoring the avionic devices. The network message is analyzed by identifying a plurality of attributes corresponding to header and data fields of the one or more network packets corresponding to the network message. The acceptability of the network message within the current system context is determined based on one or more filter rules that specify what attributes are allowed within a particular system context.

Abstract: An image processing apparatus capable of reducing the frequency of a user's inputting work for authentication information to improve the convenience. When the number of the logged-in users is one, the logged-in user is set as an executor of the predetermined function, and when the number of the logged-in users is two or more, the user is caused to select one of the logged-in users to set the selected one as the executor of the predetermined function.

Abstract: Systems and methods are described herein for extrapolating trends in trust scores. A trust score may reflect the trustworthiness, reputation, membership, status, and/or influence of the entity in a particular community or in relation to another entity. An entity's trust score may be calculated based on data from a variety of data sources, and this data may be updated periodically as data is updated and new data becomes available. However, it may be difficult to update a trust score for an entity due to a scarcity of information. The trust score for such entities may be updated based on trends observed for the updated trust scores of other entities over a similar period of time. In this manner, trust scores may be updated for entities for which updated data is not available.

Abstract: An apparatus and security method are provided. The apparatus includes at least one communication interface and a controller. The controller is configured to discover, using the at least one communication interface, an external electronic device available for a communication connection with the apparatus, the discovering including receiving information from the external electronic device, adjust a security level for the apparatus based at least in part on the information, and control at least part of the apparatus using the adjusted security level.

Abstract: A network can achieve compliance by defining and enforcing a set of network policies to secure protected electronic information. The network can monitor network data, host/endpoint data, process data, and user data for traffic using a sensor network that provides multiple perspectives. The sensor network can include sensors for networking devices, physical servers, hypervisors or shared kernels, virtual partitions, and other network components. The network can analyze the network data, host/endpoint data, process data, and user data to determine policies for traffic. The network can determine expected network actions based on the policies, such as allowing traffic, denying traffic, configuring traffic for quality of service (QoS), or redirecting traffic along a specific route. The network can update policy data based on the expected network actions and actual network actions. The policy data can be utilized for compliance.

Abstract: The present invention provides a terminal single sign-on configuration, authentication method, and system. The terminal single sign-on authentication method includes obtaining a VPN login information for accessing a private virtual network, where the application service system is installed on a mobile terminal; and uploading the VPN login information to a server for verification. When the VPN login information is successfully verified, a recorded script associated with the VPN login information is obtained from the server, the recorded script containing a plurality of operations and login parameters corresponding to input controls in a user interface of the application service system for authentication. The method further includes according to the recorded script, automatically replaying the plurality of operations to input the login parameters to the corresponding input controls in the user interface, such that an authentication process for the application service system is completed automatically.

Abstract: A distributed system and process for sharing a spreadsheet model. A spreadsheet to be shared is configured by defining input fields, processing parameters for the input fields, and output fields, and a template including the input and output fields is created. The template is shared with a remote user, who enters data into the input fields of the template. The input data is transferred for processing, after which results are provided to the remote user in the defined output fields of the template.

Abstract: The invention relates to a device for interconnecting at least two data-communication networks, connecting a first network qualified as a high-security network and at least one second network qualified as a low-security network, the device including a one-way channel referred to as downlink channel between the high-security network and the low-security network, and a one-way channel referred to as uplink channel between the low-security network and the high-security network, the uplink channel being configured, in accordance with at least one predetermined data model from the low-security network or a dedicated loading channel, such as to transmit a return signal towards the high-security network whenever an uplink data stream sent from the low-security network to the high-security network includes all or part of the predetermined data model, the return signal being transmitted together with a transmission of the uplink data stream or at the end of a transmission of the uplink stream towards the high-security

Abstract: Accessing a security enabled application may require certain access privileges that are not readily available or associated with the application at the time a user is seeking access via a login operation. In operation, an access attempt to a security enabled application may include identifying user credentials associated with the access attempt, generating a query based on the user credentials to identify whether the user credentials are associated with a predetermined group membership. A response to the query may be received that includes group information corresponding to the user and the group information may be compared to a set of predetermined rules to determine whether the group information includes privilege rules used to grant access to the access attempt.

Abstract: A streaming environment includes at least a first processing element of a first compute node and a second processing element of a second compute node. A tuple encryption operation is determined of the first processing element and the second processing element. The first processing element includes a first encryption key for encrypting the tuples as the leave the first processing element. An encryption workload is measured of the tuple encryption operation of a processing workload of the use of the first encryption key of a transfer of the stream of tuples. A threshold of the tuple encryption operation is determined. The second processing element is migrated to the first compute node and fused to the first compute node with the first processing element. The tuple encryption operation is removed from the first processing element.

Abstract: A streaming environment includes at least a first processing element of a first compute node and a second processing element of a second compute node. A tuple encryption operation is determined of the first processing element and the second processing element. The first processing element includes a first encryption key for encrypting the tuples as the leave the first processing element. An encryption workload is measured of the tuple encryption operation of a processing workload of the use of the first encryption key of a transfer of the stream of tuples. A threshold of the tuple encryption operation is determined. The second processing element is migrated to the first compute node and fused to the first compute node with the first processing element. The tuple encryption operation is removed from the first processing element.

Abstract: Systems for controlling access to a database are provided. A system may include a computing platform that may receive a request to access a database from a computing device. A unique identifier of the computing device may be compared to pre-registered device identifiers to determine whether the computing device is authorized to access the database. If not, the computing platform may prevent the computing device from accessing the database. If the computing device is authorized to access the database, the system may receive credentials from a user associated with the computing device. The system may determine whether the credentials of the user match credentials of a user authorized to access the database. If not, the system may prevent the user from accessing the database. If the user authorized to access the database, the system may determine one or more types of data the user is authorized to access.

Abstract: A method for computer system forensics includes receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers. Messages transmitted by the host computers are monitored so as to detect, for each monitored message, a respective process that initiated the message. Responsively to the identification, a forensic indicator is extracted of the respective process that initiated the anomalous message.

Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.

Abstract: A terminal device includes: a memory unit to store a lock program for locking the terminal device; a condition checking unit to determine whether the terminal device is in a state of a preset condition for terminal protection when the lock program is executed; a lock control unit to allow the terminal device to be locked by the lock program when the terminal device is determined to be in a state of the preset condition for terminal protection; and a information deleting unit to delete an unlock key for use in unlocking the locked terminal device from the memory unit after the terminal device is locked.

Abstract: The embodiments herein provide a method for converting data in an electronic device. The method includes determining a plurality of parameters associated with a user and a zone. Further, the method includes generating a key using the plurality of parameters associated with the user and the zone. Further, the method includes converting the data in the electronic device from a first format to a second format using the key. Further, the method includes performing at least one action on the data in the second format.

Abstract: A method for controlling display of content, the content including a plurality of display pages of a sequence, the method comprising: displaying a first display page on the display screen, receiving a first user input for changing from the first display page to a second display page of the content, the second display page being a neighboring display page of the first display page in the sequence, detecting the second user input when the second display page is a locked display page, extracting the fingerprint information from the second user input when the second user input is detected, and displaying the second display page when the second display page is accessible based on the fingerprint information or a third display page when the second display page is not accessible based on the fingerprint information.

Abstract: A streaming environment includes at least a first processing element of a first compute node and a second processing element of a second compute node. A tuple encryption operation is determined of the first processing element and the second processing element. The first processing element includes a first encryption key for encrypting the tuples as the leave the first processing element. An encryption workload is measured of the tuple encryption operation of a processing workload of the use of the first encryption key of a transfer of the stream of tuples. A threshold of the tuple encryption operation is determined. The second processing element is migrated to the first compute node and fused to the first compute node with the first processing element. The tuple encryption operation is removed from the first processing element.

Abstract: A system and associated method for controlling access to features of a device are provided. The system includes a feature access component that maintains an access control register configured to store an access control parameter indicating whether a user has access to a feature of the device. Responsive to receiving a request to modify the access control register to enable or disable access to the feature, an access authentication parameter is set to an authentication key of the request and an access parameter is set to a value of the request (e.g., 1 “Enable”). The access authentication parameter and access parameter are evaluated utilizing an authentication algorithm. Responsive to successfully authenticating the request, the access control register is modified based upon the value of the access parameter, such as to indicate that the user is now authorized to read and/or modify a parameter and/or invoke a service to execute.

Abstract: Sharing content includes classifying content perceived by a sharing user, determining a set of recipient candidates likely to be interested in the content based upon the classification of the content and prior sharing activity of the recipients with respect to content of the same or similar classification, and presenting to the sharing user one or more members of the set of recipient candidates for sharing the content being perceived by the sharing user.

Abstract: In an approach for providing auditable retrieval of privileged credentials in a privilege identity management (PIM) system, a processor invokes a checkout of a PIM credential, based on, at least, a determination that a PIM server cannot be accessed. A processor receives a request to access the PIM credential by a user. A processor receives validation of the request to access the PIM credential and an identity of the user. A processor retrieves the PIM credential from a database, wherein the database stores a plurality of PIM credentials owned by a system owner.

Abstract: Disclosed is a system for escalating security protocol requirements. The system typically includes a processor, a memory, and a security protocol module stored in the memory.

Abstract: A system on chip having two or more responder units and two or more protection units is provided. Each of the responder units comprises a set of responder elements. Each of the protection units is associated with and protects one of the responder units and is arranged to provide a group mapping. The group mapping assigns one or more group identifiers to each of the responder elements of the respective responder unit.

Abstract: Systems and methods for discovering content sources and/or delivering content to applications resident on mobile devices are described. In some embodiments, the systems and methods transmit information identifying one or more applications resident on a mobile device to a server, receive, from the server, information associated with content items available for retrieval from a content server and associated with the identified one or more applications, and cause the mobile device to retrieve at least one of the content items available for retrieval from the content server.

Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. In some contexts, the cryptography service, upon receiving a request for a key, provides a referral to another system to obtain the key.