Security Levels Patents (Class 713/166)
  • Patent number: 10341376
    Abstract: Various embodiments of the present technology include methods of assessing risk of a cyber security failure in a computer network of an entity. Various embodiments also include automatically determining, based on the assessed risk, a change or a setting to at least one element of policy criteria of a cyber security policy, automatically recommending, based on the assessed risk, computer network changes to reduce the assessed risk, and providing one or more recommended computer network changes to reduce the assessed risk. Various embodiments further include enactment by the entity of at least one of the one or more of the recommended computer network changes to reduce the assessed risk to the entity, determining that the entity has enacted at least a portion of the recommended computer network changes, and in response, automatically reassessing the risk of a cyber security failure based on the enacted recommended computer network changes.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: July 2, 2019
    Assignee: Guidewire Software, Inc.
    Inventors: George Y. Ng, Arvind Parthasarathi
  • Patent number: 10333906
    Abstract: A decoding device that includes a decoding engine implemented by a processor connected to a memory. The decoding engine is configured to receive an encoded signal. The encoding engine is further configured to determine an encoded signal byte value at an encoded signal byte location in the encoded signal. The encoded signal byte location is mapped to a key map byte location in a key map. The decoding engine is further configured to determine a key map byte value at the key map byte location in the key map. The decoding engine is further configured to set a decoded signal byte value with the encoded signal byte value at the decoded signal byte location in a decoded signal. The decoding engine is further configured to output the decoded signal.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: June 25, 2019
    Assignee: Bank of America Corporation
    Inventor: Christopher L. Danielson
  • Patent number: 10326748
    Abstract: In one embodiment, a method is performed by a computer system. The method includes receiving a request to authenticate a user of an enterprise computing system. The method further includes, responsive to the request, selecting a set of previous user-initiated events of the user on the enterprise computing platform. Further, the method includes accessing user-specific event information related to the selected set of previous user-initiated events. In addition, the method includes generating, from at least a portion of the user-specific event information, a user-specific authentication sequence comprising a plurality of event-information requests. Additionally, the method includes administering the user-specific authentication sequence to the user, the administering comprising requiring the user to provide a valid response to each of the event-information requests as a precondition to successful authentication.
    Type: Grant
    Filed: February 25, 2015
    Date of Patent: June 18, 2019
    Assignee: Quest Software Inc.
    Inventors: Michel Albert Brisebois, Curtis T. Johnstone
  • Patent number: 10320802
    Abstract: Methods, systems, apparatus, and non-transitory computer readable media are described for identifying users who are likely to have unauthorized access to secure data files in an organizational network. Various aspects may include presenting the identified users on a display for a system administrator and/or security analyst to resolve. For example, the display may include a graph data structure with users represented as nodes and connections between users represented as edges. Each connection may be a pair of users belonging to the same security group. Nodes of the graph data structure may be clustered to indicate that each of the users in the cluster belongs to the same security group. Moreover, the users who are connected to multiple clusters may be identified as a potential risk of having unauthorized access to secure data files. The authorized access may then be remedied or taken away.
    Type: Grant
    Filed: December 7, 2017
    Date of Patent: June 11, 2019
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Abigail A. Scott, Ronald R. Duehr
  • Patent number: 10320559
    Abstract: An encoding device that includes an encoding engine implemented by a processor connected to a memory. The memory stores a key map that encodes a data signal with a noise signal. The encoding engine is configured to obtain a data signal and generate a noise signal. The encoding engine is further configured to determine a key map byte value at a key map byte location in the key map. The key map byte value indicates a data signal byte location in the data signal. The encoding engine is further configured to determine a data signal byte value at the data signal byte location in the data signal and overwrite a noise signal byte value with the data signal byte value at a noise signal byte location in the noise signal. The encoding engine is configured to transmit the encoded signal.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: June 11, 2019
    Assignee: Bank of America Corporation
    Inventor: Christopher L. Danielson
  • Patent number: 10320609
    Abstract: A processing device such as a router or other network device implements a locator-identifier mapping system associating identifiers of respective endpoints with respective locators in accordance with a locator-identifier separation protocol. A first one of the endpoints comprises a storage server associated with a storage array. In conjunction with reconfiguration of the storage server, the locator-identifier mapping system updates a particular one of the locators corresponding to the endpoint identifier of the storage server. The reconfiguration of the storage server may comprise, for example, a migration of the storage server within a given data center, or from a first data center to a second data center. The locator of the storage server illustratively specifies a subnet of the storage server. The processing device may comprise a router operating as at least one of an ingress tunnel router and an egress tunnel router in accordance with the locator-identifier separation protocol.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: June 11, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Suresh Kumar, Kenneth Durazzo, Xiaohong Qin
  • Patent number: 10310797
    Abstract: An electronic platform is disclosed that helps extend the lifespan of relationships, for example, between a salesperson and their client. The platform allows the user to have an account in which the user can store content which may be provided to a second user in an exclusive session through a generated unique URL. The platform is configured to selectively share only what one user wants to a particular recipient. A user interface connected through the unique URL is only accessible by the two users. The interface may provide each user with a section of the display from which to interact with the other user by using selectable features that are shared by both users on the interface. A duality of use is achieved through two-way communication through the page of the interface which helps build the relationship by each side providing feedback to the other side.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: June 4, 2019
    Inventor: Steve Mark Rayner
  • Patent number: 10313358
    Abstract: Systems and methods are provided for authenticating a user of a computing device. An example system includes a memory storing instructions, and a processor configured to execute the instructions to receive an authentication request from a user of a computing device, determine a context of the authentication request, determine a physical location of the user, and perform, based on the context of the authentication request and the physical location of the user, an associate proximity detection. The associate proximity detection includes steps to identify an associate based on at least one of the context of the authentication request or the physical location of the user, determine a physical location of the identified known associate, and determine a proximity of the user to the identified known associate. The authentication request may be approved when the determined proximity is within a threshold.
    Type: Grant
    Filed: August 1, 2017
    Date of Patent: June 4, 2019
    Assignee: Capital One Services, LLC
    Inventors: Drew Jacobs, Hannes Jouhikainen
  • Patent number: 10305926
    Abstract: Methods and systems provide application platform security enforcement. A distributed system communicates between a plurality of remote devices and at least one secured server to facilitate providing a secured service. The distributed system may comprise a remote communication server and a plurality of security layer components where the plurality of remote devices connect through respective ones of the security layer components. Upon detection of a security breach by a first remote device, the distributed system determines potential devices at risk from the plurality of remote devices, analyzing risk factors for commonalities. A lock down of the first remote device and the devices at risk is instructed. Analysis of risk factors examines whether the first remote device and other remote devices communicate via a same security layer component, are geographically proximate; and/or are associated at the user level, for example are proximate users in a social network graph. Reactivation is also provided.
    Type: Grant
    Filed: March 10, 2017
    Date of Patent: May 28, 2019
    Assignee: THE TORONTO-DOMINION BANK
    Inventors: Koko Mihan, Dino D'Agostino, Paul Mon-Wah Chan, John Jong-Suk Lee, Paul Milkman, Steve Brar
  • Patent number: 10306183
    Abstract: An improved social media or messaging platform can be provided, retaining in large measure both the immediacy and engagement of video conferencing, while not sacrificing benefits more characteristic of email and similar messaging platforms, such as asynchronous scheduling, bandwidth efficiency, and various administrative record-keeping benefits. Audio data and associated gesture data (for example, panning and zooming) are recorded by users in association with image data, and shared with other users in a conversational thread, permitting a video-like experience without associated bandwidth overhead.
    Type: Grant
    Filed: November 12, 2014
    Date of Patent: May 28, 2019
    Assignee: BLRT PTY LTD.
    Inventor: Anurag Chakradhar
  • Patent number: 10291642
    Abstract: Various embodiments of the present technology include methods of assessing risk of a cyber security failure in a computer network of an entity. Various embodiments also include automatically determining, based on the assessed risk, a change or a setting to at least one element of policy criteria of a cyber security policy, automatically recommending, based on the assessed risk, computer network changes to reduce the assessed risk, and providing one or more recommended computer network changes to reduce the assessed risk. Various embodiments further include enactment by the entity of at least one of the one or more of the recommended computer network changes to reduce the assessed risk to the entity, determining that the entity has enacted at least a portion of the recommended computer network changes, and in response, automatically reassessing the risk of a cyber security failure based on the enacted recommended computer network changes.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: May 14, 2019
    Assignee: Guidewire Software, Inc.
    Inventors: George Y. Ng, Arvind Parthasarathi
  • Patent number: 10275112
    Abstract: A non-transitory computer readable medium causing a computer to execute a process, the process includes: acquiring coordinate information indicating a boundary between an operable region and an inoperable region in the operation screen of a server; acquiring, from an operating system of the computer, an arrangement coordinate of a first window displaying the operation screen of the server including a first mouse cursor; detecting positions of the operable region and the inoperable region from the acquired coordinate information and the acquired arrangement coordinate; and interrupting notifying the first window of a coordinate of a second mouse cursor when the coordinate of the second mouse cursor acquired from the operating system of the computer is included in the inoperable region.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: April 30, 2019
    Assignee: FUJITSU COMPONENT LIMITED
    Inventor: Naoyuki Nagao
  • Patent number: 10277600
    Abstract: The present invention provides a system, method and apparatus for increasing relevance of a content provided to a visitor by a content provider by providing one or more server computers and at least one data storage communicably coupled to the one or more server computers, receiving at least a portion of a visitor token and at least a portion of a content provider token at the one or more server computers from a content provider device, determining whether a release of an anonymous unfilled demand for the visitor is authorized based on the visitor token, the content provider token and one or more preferences stored in the at least one data storage, and sending at least a portion of the anonymous unfilled demand for the visitor to the content provider device when the release is authorized.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: April 30, 2019
    Assignee: Your Command, LLC
    Inventor: Douglas Peckover
  • Patent number: 10270838
    Abstract: Techniques are provided that allow users to collaborate in relationship to data views, application displays, applications or events. A user can type in a text view related to a specific view in an application display, and the information is shared with other users that take part in sharing that view. A user that expresses an interest in an event is notified about the event and has the capability to interact, in relation to the event, with other users (e.g. by text). The particular form of interaction (and sharing) can be selectively specified. This interaction is comparable to a dynamic bulletin board where the subject is event driven. In the case of an event interest(s), users specify their interest (e.g. in other user application events or system events) and the system automatically alerts them to the occurrence of the event.
    Type: Grant
    Filed: July 9, 2018
    Date of Patent: April 23, 2019
    Inventor: Dov Koren
  • Patent number: 10268705
    Abstract: Techniques for identifying unused privileges are provided. Database accesses are monitored to generate privilege usage data. Privilege usage data for each database access may indicate a user, a utilized privilege, an object that is the target of the privilege, and a role to which the privilege is granted. The privilege usage data is compared to database authorization data that indicates all (or a subset) of granted privileges. A result of the comparison is unused privilege data that indicates what granted privileges were not utilized. A role graph may be generated that indicates one or more privileges that were utilized and one or more privileges that were not utilized along with role paths providing the privileges.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: April 23, 2019
    Assignee: Oracle International Corporation
    Inventors: Chi Ching Chui, Vikram R. Pesati
  • Patent number: 10263978
    Abstract: Systems and methods provide logic that validates a code generated by a user, and that executes a function of a programmatic interface after the user code is validated. In one implementation, a computer-implemented method performs a multifactor authentication of a user prior to executing a function of a programmatic interface. The method includes receiving, at a server, a user code through a programmatic interface. The server computes a server code in response to the user code, and compares the user code to the server code to determine that the user code corresponds to the server code. The server validates the user code and executes a function of the programmatic interface, after the user code is validated.
    Type: Grant
    Filed: July 3, 2014
    Date of Patent: April 16, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Mark Joseph Cavage, Bradley Jeffery Behm, Luis Felipe Cabrera
  • Patent number: 10250382
    Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. The cryptography service, upon receiving a request for a key, may provide a referral to another system to obtain the key.
    Type: Grant
    Filed: February 5, 2018
    Date of Patent: April 2, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Gregory Branchek Roth
  • Patent number: 10242186
    Abstract: Disclosed are system and method for detecting malicious code in address space of a process. An exemplary method comprises: detecting a first process executed on the computer in association with an application; intercepting at least one function call made by the first process to a second process; determining one or more attributes associated with the at least one function call; determining whether to perform malware analysis of code associated with the at least one function call in an address space associated with the second process based on application of one or more rules to the one or more attributes; and upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: March 26, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Mikhail A. Pavlyushchik, Alexey V. Monastyrsky, Denis A. Nazarov
  • Patent number: 10241817
    Abstract: A hypervisor associates a combined register space with a virtual device to be presented to a guest operating system of a virtual machine, the combined register space comprising a default register space and an additional register space. Responsive to detecting an access of the additional register space by the guest operating system of the virtual machine, the hypervisor performs an operation on behalf of the virtual machine, the operation pertaining to the access of the additional register space.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: March 26, 2019
    Assignee: RED HAT ISRAEL, LTD.
    Inventors: Michael S. Tsirkin, Paolo Bonzini
  • Patent number: 10235515
    Abstract: A computing platform for on-demand I/O channels, which enable secure applications to dynamically connect to diverse peripheral devices of untrusted commodity OSes.
    Type: Grant
    Filed: May 15, 2015
    Date of Patent: March 19, 2019
    Assignee: CARNEGIE MELLON UNIVERSITY
    Inventors: Virgil D Gligor, Zongwei Zhou, Miao Yu
  • Patent number: 10225324
    Abstract: According to an embodiment of the present disclosure, there is provided an information processing device including an activation control unit configured to transmit first information that includes information read through near field communication to a server device, to acquire second information transmitted from the server device according to the first information, and to control activation of an application of the information processing device itself based on the acquired second information.
    Type: Grant
    Filed: July 5, 2013
    Date of Patent: March 5, 2019
    Assignee: FELICA NETWORKS, INC.
    Inventors: Naoto Tobita, Shuichi Sekiya, Tomoharu Hikita, Kenichi Motodate
  • Patent number: 10212590
    Abstract: Disclosed are an authentication method performed by a radio access network (RAN) node in a wireless communication system and an apparatus thereof. In the present disclosure, a first message indicating initiation of an authentication procedure of the RAN node for multiple user equipments (UEs) used for a specific purpose to attach to a network is transmitted, an authentication request message including first security information for authenticating the network is received from the first network node, second security information for authenticating the RAN node is transmitted to the first network node, and a complete message indicating completion of the authentication procedure is received from the first network node.
    Type: Grant
    Filed: August 1, 2017
    Date of Patent: February 19, 2019
    Assignee: LG Electronics Inc.
    Inventors: Genebeck Hahn, Jiwon Kang, Heejin Kim, Ilmu Byun, Heejeong Cho, Hyunjin Shim
  • Patent number: 10210329
    Abstract: According to one embodiment, a system comprising a dynamic analysis server comprising one or more virtual machines is disclosed, wherein the one or more virtual machines may be configured to execute certain event logic with respect to a loaded module. The virtual machines may be communicatively coupled to a virtual machine manager and a database; and rule-matching logic comprising detection logic, wherein the detection logic is configured to determine (1) whether an access source is attempting to access a protected region such as a page guarded area; and (2) determine whether the access source is from the heap. The system further comprises reporting logic that is configured to generate an alert so as to notify a user and/or network administrator of a probable application-execution hijacking attack.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: February 19, 2019
    Assignee: FireEye, Inc.
    Inventors: Amit Malik, Reghav Pande, Aakash Jain
  • Patent number: 10206060
    Abstract: A method for implementing zone-restricted behavior of a computing device includes identifying wireless access points using the computing device, determining a number of authorized wireless access points from the wireless access points identified by the computing device, determining that the computing device is located within a restricted access zone when the number of authorized wireless access points identified by the computing device exceeds a predetermined threshold of authorized wireless access points identified, and enabling a zone mode of the computing device when the computing device is determined to be located within the restricted access zone.
    Type: Grant
    Filed: January 4, 2013
    Date of Patent: February 12, 2019
    Assignee: Uniloc 2017 LLC
    Inventors: Craig S. Etchegoyen, Dono Harjanto, Sean D. Burdick
  • Patent number: 10200422
    Abstract: A system comprises client devices that include user interfaces that comprise workspaces that can be used to display a live history of a multimedia collaboration session. The workspaces can be private and can be configured to display information representative of media elements that can be shared within the multimedia collaboration session, but that are only viewable to a participant associated with a particular client device. The private workspaces can be used to preview information before publishing it to other participants or to view a live history of the multimedia collaboration session.
    Type: Grant
    Filed: January 16, 2018
    Date of Patent: February 5, 2019
    Assignee: Open Invention Network, LLC
    Inventors: Dan Jones, Todd Vernon
  • Patent number: 10192169
    Abstract: Methods and systems for making effective use of system resources. A plurality of requests for access to a resource are received. Each request has an associated group of features. The group of features for each request is analyzed to collect observations about the plurality of requests. A function to predict an outcome of a subsequent request is generated based on the observations. Resources are allocated to service the subsequent request based on the function.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: January 29, 2019
    Assignee: salesforce.com, inc.
    Inventors: Andrey Gusev, Ronald Yang, Scott Hansma, Jesse Collins, Alan Arbizu
  • Patent number: 10192039
    Abstract: Methods, systems, and computer program products are provided for protecting stored data. A user interface module enables a data sensitivity level, a data protection response, and a contextual trigger to be associated with data stored in a computing device. The user interface is configured to enable the data protection response to be selected from a plurality of data protection responses that includes a soft delete and a hard delete. A contextual trigger monitor is configured to monitor for an occurrence of the contextual trigger. A data protection enactor is configured to enact the data protection response associated with the data when an occurrence of the contextual trigger is detected.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: January 29, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jerry Huang, Zhen Liu, QingHu Li, Howard Liu
  • Patent number: 10185669
    Abstract: Secure key derivation within a virtualized execution environment may involve a key derivation module executing within a platform layer of the execution environment. An application executing within an application layer of the execution environment may access the key derivation module in order to generate a cryptographic key according to a key derivation function. Instead of being returned to the application, the derived key may be stored within a secure storage area of the execution environment without being stored, even temporarily in the application layer, or other non-secure areas, of the execution environment. The application may receive a reference to the derived key usable by other cryptographic processes. The application may pass the key reference to a method of a cryptographic module and the cryptographic module may use the key reference to access the derived key from the secure storage for use in performing any of various cryptographic processes.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: January 22, 2019
    Assignee: Oracle International Corporation
    Inventors: Sebastian J. Hans, Eric M. Vetillard
  • Patent number: 10176611
    Abstract: A system for layered-based image updates is disclosed. In the system, a server may receive information corresponding to a modification to an image made by a user; generate a layer that includes the modification to the image; store the layer; and publish the image as an updated image, including the layer, to cause a user device to display the updated image, information identifying the user, and an indication that the user is associated with the layer.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: January 8, 2019
    Assignee: Cellco Partnership
    Inventors: Michelle Felt, Jonghoon Kim, Shruti Valunjkar
  • Patent number: 10154044
    Abstract: A storage controller that is coupled to a plurality of storage clouds is maintained. The storage controller determines security requirements for performing a selected operation in the plurality of storage clouds. A subset of storage clouds of the plurality of storage clouds that are able to satisfy the security requirements is determined. A determination is made as to which storage cloud of the subset of storage clouds is most responsive for performing the selected operation. The selected operation is performed in the determined storage cloud that is most responsive.
    Type: Grant
    Filed: April 15, 2016
    Date of Patent: December 11, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Matthew G. Borlick, Lokesh M. Gupta
  • Patent number: 10148685
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events that indicates a potential attack path is determined. The chain of communication events includes a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data, for the threat scenario and from a threat intelligence data source, that is associated with communications between computing devices that occurred during one or more prior attacks is received.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: December 4, 2018
    Assignee: Accenture Global Services Limited
    Inventors: Amin Hassanzadeh, Shimon Modi, Shaan Mulchandani, Walid Negm
  • Patent number: 10126909
    Abstract: An enhanced electronic health record system. A user device having a display accesses electronic health records and clinic note templates stored on digital storage segments. A template selection screen is presented on the display of the user device. The template selection screen has at least two view modes. One view mode is a grid view, in which icon representations of various clinic note templates are displayed, each icon representation having a number of secondary icons providing additional functionality and information to the user. Also available is a list view, which also contains a vertical listing of available clinic note templates, each list element also having secondary icons. Upon selection of a template, the user is presented with a formatted clinic note. Additional functionality is available to the user to aid in the efficient capture of information.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: November 13, 2018
    Assignee: ADVANCEDMD, INC.
    Inventors: Stephen Dart, Matthew Barron, Jared Rich, Lisa Louvar, Jared Alviso
  • Patent number: 10122685
    Abstract: A method for automatically establishing a wireless connection, a gateway device and a client device for internet of things (IoT) using the same are provided. According to the provided method, SSID of the gateway device can be composed of an encrypted access password and an index, so that the client device may identify the gateway device to be connected according to the index within the SSID string and acquire the encrypted access password from the SSID string. Therefore, the client device can decrypt the encrypted access password. Accordingly, the wireless connection between the client device and the gateway device can be automatically established since the client device acquires the access password from the SSID of the gateway device.
    Type: Grant
    Filed: December 3, 2015
    Date of Patent: November 6, 2018
    Assignees: Tatung Company, TATUNG UNIVERSITY
    Inventors: Fu-Chiung Cheng, Po-Chung Chang, Tai-Jee Pan
  • Patent number: 10122733
    Abstract: Systems and methods are provided for authenticating a user of a computing device. An example system includes a memory storing instructions, and a processor configured to execute the instructions to receive an authentication request from a user of a computing device, determine a context of the authentication request, determine a physical location of the user, and perform, based on the context of the authentication request and the physical location of the user, an associate proximity detection. The associate proximity detection includes steps to identify an associate based on at least one of the context of the authentication request or the physical location of the user, determine a physical location of the identified known associate, and determine a proximity of the user to the identified known associate. The authentication request may be approved when the determined proximity is within a threshold.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: November 6, 2018
    Assignee: Capital One Services, LLC
    Inventors: Drew Jacobs, Hannes Jouhikainen
  • Patent number: 10121002
    Abstract: A method that includes receiving a data entity by the computer; storing the data entity in a first sector of the memory; wherein the first sector is isolated from another memory sector and executable code in the first sector is prevented from performing a write action to the other memory sector; generating, by the processor, an intermediate representation of the data entity; searching, by the processor, for an executable code that was not expected to be included in the data entity in the intermediate representation of the data entity; and when finding the executable code that was not expected to be included in the data entity then preventing a copying of the data entity to the other memory sector.
    Type: Grant
    Filed: August 27, 2015
    Date of Patent: November 6, 2018
    Assignee: Solebit Labs Ltd.
    Inventors: Meni Farjon, Boris Vaynberg, Yossi Sara
  • Patent number: 10116704
    Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: October 30, 2018
    Assignee: Object Security LLC
    Inventors: Ulrich Lang, Rudolf Schreiner
  • Patent number: 10108849
    Abstract: Systems and arrangements for performing biometric facial recognition in order to provide access to a device and/or process one or more events are provided. In some examples, one or more images of a user may be received by an entity and pre-processed to obtain a mean pixel value and variance of each image. These values may be stored in association with the image and/or identifying information associated with the user. Upon receiving a request to access a device, the device may capture an image of the user requesting access. The captured image may be processed similarly to the pre-stored images to determine a mean pixel value and variance. The system may compare the determined mean pixel value and variance for the pre-stored images to the captured image to obtain a similarity score. If the similarity score is at or above a predetermined threshold value, the images may be considered a match.
    Type: Grant
    Filed: October 14, 2016
    Date of Patent: October 23, 2018
    Assignee: Bank of America Corporation
    Inventor: Samit Ahlawat
  • Patent number: 10097532
    Abstract: A system for managing sessions between a client and multiple servers includes: a receiver for receiving, as a proxy for each of the servers, a request from the client to any of the servers; a determination unit for determining, upon receipt of the request from the client to any of the servers, whether sessions established between the client and the multiple servers are maintained; a disconnection unit for disconnecting, on condition that a session between the client and any of the multiple servers is already disconnected, the sessions established between the client and the servers different from the disconnected server; and a forward unit for forwarding, on condition that the sessions established between the client and all of the multiple servers are maintained, the received request to the destination server for the request.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: October 9, 2018
    Assignee: International Business Machines Corporation
    Inventors: Kuniaki Kawabata, Kohsuke Okamoto
  • Patent number: 10089477
    Abstract: A text management system may include a text message transmission server that transmits a message received from a first device to a second device. The text message transmission server may include a device manager that manages device information of the second device, a receiver that receives a message from the first device, a message manager that determines a transmission path of the message to the second device based on the device information of the second device, and a transmitter that transmits, to the second device, the message along the determined transmission path.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: October 2, 2018
    Assignee: KT Corporation
    Inventors: Seokhong Kim, Jung-suk Park, Jung-wook Lee, Jae-uk Cha
  • Patent number: 10073710
    Abstract: A memory protection system includes a memory, one or more physical processors, a hypervisor, and a virtual machine including a guest OS executing on the one or more processors. The hypervisor notifies the guest OS of a first location of a first device and a second location of a second device. The hypervisor specifies a first protection level for the first device and a second protection level for the second device. The hypervisor notifies the virtual machine of the first protection level and the second protection level. The guest OS maps a first memory page accessible by the first device and a second memory page accessible by the second device. The guest OS specifies a first trust level for the first device and a second trust level for the second device. The guest OS compares the trust levels and the protection levels associated with each device.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: September 11, 2018
    Assignee: Red Hat Israel, Ltd.
    Inventor: Michael Tsirkin
  • Patent number: 10063435
    Abstract: In general, certain embodiments of the present disclosure provide techniques or mechanisms for automatically filtering network messages in an aviation network for an aircraft based on a current system context. According to various embodiments, a method is provided comprising receiving a network message transmitted from a source avionic device to a destination avionic device via one or more network packets within the aviation network. A current system context, indicating an aggregate status of avionic devices within the aviation network, is determined based on monitoring the avionic devices. The network message is analyzed by identifying a plurality of attributes corresponding to header and data fields of the one or more network packets corresponding to the network message. The acceptability of the network message within the current system context is determined based on one or more filter rules that specify what attributes are allowed within a particular system context.
    Type: Grant
    Filed: April 11, 2016
    Date of Patent: August 28, 2018
    Assignee: The Boeing Company
    Inventors: John E. Bush, Steven L. Arnold, Arun Ayyagari
  • Patent number: 10061931
    Abstract: An image processing apparatus capable of reducing the frequency of a user's inputting work for authentication information to improve the convenience. When the number of the logged-in users is one, the logged-in user is set as an executor of the predetermined function, and when the number of the logged-in users is two or more, the user is caused to select one of the logged-in users to set the selected one as the executor of the predetermined function.
    Type: Grant
    Filed: June 18, 2012
    Date of Patent: August 28, 2018
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Hiroshi Uchikawa
  • Patent number: 10055557
    Abstract: An apparatus and security method are provided. The apparatus includes at least one communication interface and a controller. The controller is configured to discover, using the at least one communication interface, an external electronic device available for a communication connection with the apparatus, the discovering including receiving information from the external electronic device, adjust a security level for the apparatus based at least in part on the information, and control at least part of the apparatus using the adjusted security level.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: August 21, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Dong-Il Son
  • Patent number: 10055466
    Abstract: Systems and methods are described herein for extrapolating trends in trust scores. A trust score may reflect the trustworthiness, reputation, membership, status, and/or influence of the entity in a particular community or in relation to another entity. An entity's trust score may be calculated based on data from a variety of data sources, and this data may be updated periodically as data is updated and new data becomes available. However, it may be difficult to update a trust score for an entity due to a scarcity of information. The trust score for such entities may be updated based on trends observed for the updated trust scores of other entities over a similar period of time. In this manner, trust scores may be updated for entities for which updated data is not available.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: August 21, 2018
    Assignee: WWW.TRUSTSCIENCE.COM INC.
    Inventors: Chris Trudel, Ashif Mawji
  • Patent number: 10033717
    Abstract: The present invention provides a terminal single sign-on configuration, authentication method, and system. The terminal single sign-on authentication method includes obtaining VPN login information for accessing a private virtual network, where the application service system is installed on a mobile terminal; and uploading the VPN login information to a server for verification. When the VPN login information is successfully verified, a recorded script associated with the VPN login information is obtained from the server, the recorded script containing a plurality of operations and login parameters corresponding to input controls in a user interface of the application service system for authentication. The method further includes, according to the recorded script, automatically replaying the plurality of operations to input the login parameters to the corresponding input controls in the user interface, such that an authentication process for the application service system is completed automatically.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: July 24, 2018
    Assignee: SANGFOR TECHNOLOGIES INC.
    Inventors: Shican Wang, Jianxin Qian, Shizhi Huang
  • Patent number: 10033766
    Abstract: A network can achieve compliance by defining and enforcing a set of network policies to secure protected electronic information. The network can monitor network data, host/endpoint data, process data, and user data for traffic using a sensor network that provides multiple perspectives. The sensor network can include sensors for networking devices, physical servers, hypervisors or shared kernels, virtual partitions, and other network components. The network can analyze the network data, host/endpoint data, process data, and user data to determine policies for traffic. The network can determine expected network actions based on the policies, such as allowing traffic, denying traffic, configuring traffic for quality of service (QoS), or redirecting traffic along a specific route. The network can update policy data based on the expected network actions and actual network actions. The policy data can be utilized for compliance.
    Type: Grant
    Filed: April 19, 2016
    Date of Patent: July 24, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Sunil Kumar Gupta, Navindra Yadav, Michael Standish Watts, Ali Parandehgheibi, Shashidhar Gandham, Ashutosh Kulshreshtha, Khawar Deen
  • Patent number: 10015137
    Abstract: The invention relates to a device for interconnecting at least two data-communication networks, connecting a first network qualified as a high-security network and at least one second network qualified as a low-security network, the device including a one-way channel referred to as downlink channel between the high-security network and the low-security network, and a one-way channel referred to as uplink channel between the low-security network and the high-security network, the uplink channel being configured, in accordance with at least one predetermined data model from the low-security network or a dedicated loading channel, such as to transmit a return signal towards the high-security network whenever an uplink data stream sent from the low-security network to the high-security network includes all or part of the predetermined data model, the return signal being transmitted together with a transmission of the uplink data stream or at the end of a transmission of the uplink stream towards the high-security
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: July 3, 2018
    Assignee: SAFRAN ELECTRONICS & DEFENSE
    Inventor: Jean-Marie Courteille
  • Patent number: 10013412
    Abstract: A distributed system and process for sharing a spreadsheet model. A spreadsheet to be shared is configured by defining input fields, processing parameters for the input fields, and output fields, and a template including the input and output fields is created. The template is shared with a remote user, who enters data into the input fields of the template. The input data is transferred for processing, after which results are provided to the remote user in the defined output fields of the template.
    Type: Grant
    Filed: August 24, 2015
    Date of Patent: July 3, 2018
    Assignee: Purple Robot Software, Inc.
    Inventors: Stuart C. McKenzie, Peter A. Amelunxen, Christopher R. Butner
  • Patent number: 10003601
    Abstract: Accessing a security enabled application may require certain access privileges that are not readily available or associated with the application at the time a user is seeking access via a login operation. In operation, an access attempt to a security enabled application may include identifying user credentials associated with the access attempt, generating a query based on the user credentials to identify whether the user credentials are associated with a predetermined group membership. A response to the query may be received that includes group information corresponding to the user and the group information may be compared to a set of predetermined rules to determine whether the group information includes privilege rules used to grant access to the access attempt.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: June 19, 2018
    Assignee: Open Invention Network LLC
    Inventors: Mark R. Vevle, Nathan Robert Jones
  • Patent number: 9998436
    Abstract: A streaming environment includes at least a first processing element of a first compute node and a second processing element of a second compute node. A tuple encryption operation is determined of the first processing element and the second processing element. The first processing element includes a first encryption key for encrypting the tuples as they leave the first processing element. An encryption workload is measured of the tuple encryption operation of a processing workload of the use of the first encryption key of a transfer of the stream of tuples. A threshold of the tuple encryption operation is determined. The second processing element is migrated to the first compute node and fused to the first compute node with the first processing element. The tuple encryption operation is removed from the first processing element.
    Type: Grant
    Filed: September 7, 2017
    Date of Patent: June 12, 2018
    Assignee: International Business Machines Corporation
    Inventors: Eric L. Barsness, Michael J. Branson, John M. Santosuosso