Abstract: Techniques for sorting encrypted data within a software as a service (SaaS) environment. Data is encrypted on a per symbol basis with a symbol based encryption module. Sort and search functionality preserving encryption that allows other modules to sort tokens and to search for tokens is provided. Encrypted tokens that have been encrypted by the symbol based encryption module are stored in a database. Access to the encrypted tokens is provided through the SaaS environment.

Abstract: Various examples are directed to systems and methods for executing a web application with client-side encryption. A web application may execute in a web browser at a client computing device. The web browser may generate a document comprising a secure display element. The web browser may request to render the document at the client computing device. A cryptographic tool of the web browser may decrypt the first encrypted value to generate a first clear value. The web browser may render the document at an output device of the client computing device using the clear value. The web browser may also be programmed to prevent the web application from accessing the first clear value.

Abstract: An approach is provided in which a system analyzes a first set of data to derive a first distribution output that is based on a first conjugated distribution corresponding to the first set of data and a domain class model. The system utilizes the first distribution output as a baseline input to generate a second conjugated distribution corresponding to a second set of data and the domain class model. Next, the system derives a second distribution output of the second set of data based on the second conjugated distribution. The second distribution output identifies at least one personally identifiable information (PII) data field corresponding to the second set of data that was not identified as a PII data field in the domain class model. In turn, the system tags at least a portion of the second set of data as PII based on the derived second distribution output.

Abstract: An authentication control method, system, and computer program product, includes performing an initial calibration to login to a registered device by detecting a plurality of biological signals, biometric signals, and idiosyncratic signals of a user and selecting a combination of the plurality of biological signals, biometric signals, and idiosyncratic signals to use in an initial calibration-authentication score, computing a login-authentication score at a time of the login based on a user input of signals corresponding to the signals of the initial calibration-authentication score, and allowing the login to the registered device if the login-authentication score is within a predetermined threshold of the initial calibration-authentication score.

Abstract: A non-transitory computer-readable storage medium storing a control program that causes a computer to execute a process including receiving specified information generated in response to reception of an acquisition request of data from a terminal device that decrypts an encrypted data corresponding to the data, and identification information on the terminal device, determining whether or not the specified information is stored, in a storage unit, in association with the received identification information on the terminal device that has sent the acquisition request, the storage unit storing the specified information to be generated in association with the identification information on a terminal device for which a data acquisition is permitted for each of the plurality of pieces of data, and transmitting information that permits decryption of the encrypted data corresponding to the data to the terminal device when the specified information is stored in association with the received identification information.

Abstract: A system includes a read/write controller removably coupled to a storage drive. Responsive to detection of a coupling between the read/write controller and the storage drive, the read/write controller retrieves key information from the storage drive, uses the key information to locate adaptives associated with the primary storage medium, and loads the adaptives into volatile memory to configure read/write settings for access to the primary storage medium.

Abstract: A method, an apparatus, and a system for authenticating a WI-FI network, where a terminal sends, to an associated authentication center when the WI-FI network exists in an area in which the terminal is located, a request message that carries a user identifier, receives access verification information allocated to a user represented by the first user identifier from the associated authentication center, sends, to a WI-FI authentication center, a login request that carries the access verification information, receives authentication information obtained and fed back by the WI-FI authentication center carrying a user identifier corresponding to the access verification information, and determines that the WI-FI network is a secure network when the user identifier carried in the authentication information is the same as the user identifier carried in the request message.

Abstract: An information processing apparatus, including a function of mandatory access control, includes a storage unit that stores a security policy for managing access by the mandatory access control, an obtaining unit that obtains information on vulnerability of an application, and an updating unit that updates the security policy by a function of a kernel thread in accordance with the information obtained by the obtaining unit.

Abstract: Described is a system for secure database searching. The system comprises a client-server architecture which allows a client to securely search a database of records possessed by a server. A database query is generated by the client and transmitted to the server. The database query is processed by the server using a privacy-preserving search protocol. An encrypted match result is produced by the server without decrypting the database query. The encrypted match result is sent to the client, and the client decrypts the encrypted match result to obtain a set of block identifiers representing blocks of records in the database that match the database query. The client obtains a block of encrypted records containing match results using only the set of block identifiers. The match results are decrypted by the client using a key obtained from the server. The unencrypted match results to the database query are then output.

Abstract: The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to a create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.

Abstract: Techniques are described for sampling across trusted and untrusted distributed components. In accordance with embodiments, a first computing device receives a request from a second computing device, the first request including an operation identifier (ID) and a sampling ID that was generated by transforming a telemetry scope ID from a first value in a first domain to a second value in a second domain. The transformation may serve to anonymize and compress the telemetry scope ID. The first computing device determines whether or not to sample by comparing a ratio between the sampling ID and a size of the second domain with a sampling rate associated with the first computing device. The first computing device records telemetry about its processing of the first request in response to determining to sample and does not record any telemetry about its processing of the first request in response to determining not to sample.

Abstract: A computing device stores code associated with a computing function in a protected computing environment, such as a trusted execution environment, wherein the computing function is attested by a code measurement service associated with the protected computing environment. The computing device links the computing function to a secret stored in a hardware security module (HSM), the secret to enable execution of the computing function in the protected computing environment.

Abstract: Network and/or application resources can be dynamically instantiated based on service attributes and/or network capabilities. In one aspect, a customized and/or localized core slice can be selected that can deliver the requested service with target performance parameters. According to an aspect, dynamic selection, control, and/or management reporting can be provided for core network slices. Moreover, optimal core network slice selection can be performed to reduce network transport costs and efficiently deliver various services using an optimal core slice that matches a service profile being requested by an end user and/or device.

Abstract: Embodiments include apparatuses, methods, and systems including a wireless display system to provide digital right management secure content to a display receiver device. The display transmitter device may determine to provide a decryption and presentation license for the display receiver device based on the DRM credential and the DRM scheme of the display receiver device. The display transmitter device may further pass through the secure DRM content to the display receiver device based on provision of the decryption and presentation license, wherein the secure DRM content is passed through the display transmitter device without transcription by the display transmitter device. Other embodiments may also be described and claimed.

Abstract: A provisioning system provisions a mobile software application to one or more remotely-located mobile computing devices. The remotely-located mobile computing devices may each have a native operating system. The mobile software application may include executable program code and a structured document such that the executable program code and structured document together instantiate at least a portion of the functionality provided by the mobile application. Moreover, in some embodiments, when the requested and sent mobile application is executed by a requesting mobile device, the structured document is parsed into a Document Object Model tree structure which when updated, updates at least in part the running state of the mobile application.

Abstract: Systems and methods are provided executing jobs immediately upon receipt of a notification. The systems and methods may include receiving, at a cloud compute service, a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device; generating, by the cloud compute service, a container instance in response to the notification; retrieving, by the container instance, the sensitive file from the file receipt location; generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file; transmitting, by the container instance, the stripped file to a storage location; deleting the sensitive file and associated file pointers from the file receipt location; and terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

Abstract: A method for execution by a dispersed storage and task (DST) client module includes obtaining a data identifier for slice location identification. A source name corresponding to the data identifier is identified. A plurality of data segments are identified based on the source name. A set of slice names are generated for each of the plurality of data segments. A set of DST execution units are identified based on the sets of slice names. A set of query requests are generated for each data segment for transmission to the set of DST execution units. Query responses are received from the set of DST execution units. A storage record is generated that includes storage location information of the query responses. Migration of at least some encoded data slices associated with the sets of slice names is facilitated when the storage record compares unfavorably to a storage record requirement.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for facilitating dynamic end-to-end integrity for data repositories in an on-demand services environment, where a database system-implemented method includes receiving, by the database system, a content file and metadata to be submitted to a data repository of the database system. The content file may include content, where the metadata may include identifying data associated with at least one of the content and a user associated with the content. The method may include verifying, by the database system, the identifying data of the metadata. The verification of the identifying data represents authentication of at least one of the user and the content. The method may include submitting, by the database system, the content file and the metadata to the data repository, upon authentication of at least one of the user and the content via successful verification of the identifying data.

Abstract: Techniques for in-line filtering of insecure or unwanted mobile components or communications (e.g., insecure or unwanted behaviors associated with applications for mobile devices (“apps”), updates for apps, communications to/from apps, operating system components/updates for mobile devices, etc.) for mobile devices are disclosed. In some embodiments, in-line filtering of apps for mobile devices includes intercepting a request for downloading an application to a mobile device; and modifying a response to the request for downloading the application to the mobile device. In some embodiments, the response includes a notification that the application cannot be downloaded due to an application risk policy violation.

Abstract: An execution of a data object is identified by a computing device. In response to identifying the execution of the data object, it is determined that the data object has requested a sensitive action of the computing device before interacting with a user of the computing device. In response to determining that the data object has requested the sensitive action, the data object is classified as a high-risk data object.

Abstract: Providing an electronic message includes constructing a first digital signature of the message and a personal secret known only to a sender of the message, constructing a second digital signature of the first digital signature and the message, and sending to a receiver the message, the first digital signature, and the second digital signature. The personal secret may be initially generated by the sender. The personal secret may be a pseudo-random number. The receiver may archive the message, the first signature, and the second signature. In response to a challenge, the message and the first and second signatures sent with the message may be compared using first and second signatures reconstructed by the sender. In response to at least one of the message and the first signature not matching, the message may be repudiated. Otherwise, the message may be validated. The sender may be a cell phone.

Abstract: The technology disclosed describes systems and methods for optimizing delivery of form factor specific content for users in different environments, such as desktop computer browsers and mobile device applications. The technology further discloses systems and methods for providing support for developers whose goal is to render specific implementations of a user interface to deliver distinct user interface experiences.

Abstract: Methods, computer program products, and systems are presented. The method computer program products, and systems can include, for instance: recording position data for a mobile device over time, the position data being associated to an identifier of the mobile device; outputting to a user an identification code associated to the identifier; receiving input data from a user, the input data including the identification code and user identifying information from a user; responsively to the receiving the input data from a user associating the identification code and the user identifying information; based on the associating processing the position data and user profile data associated to the user identifying information; sending a message to the user based on a result of the processing.

Abstract: Disclosed are a system and techniques for identity and electronic signature verification that utilizes blockchain technology. An enterprise system enables computing devices to engage the enterprise and prospective users for the purposes of executing a document or a smart contract. Users may obtain a computer application from an enterprise system and may utilize the computer application to retrieve a document or select a smart contract. The identity of all users who execute the document may be verified based on an authentication by a trusted independent system. Information related to the respective signers, the document or smart contract, and the authentication may be stored as transactions in a blockchain. The transactions may be stored in the blockchain under a user's address, a document or smart contract address, or a digital wallet, if available.

Abstract: Examples herein involve fault tolerance in a shared memory. In examples herein, a metadata store of a shared memory indicating versions of data partitions of a resilient distributed dataset and a valid flag for the partitions of the resilient distributed dataset are used to achieve fault tolerance and/or recover from faults in the share memory.

Abstract: Technologies for performing security monitoring services of a network functions virtualization (NFV) security architecture that includes an NVF security services controller and one or more NFV security services agents. The NFV security services controller is configured to transmit a security monitoring policy to the NFV security services agents and enforce the security monitoring policy at the NFV security services agents. The NFV security services agents are configured to monitor telemetry data and package at least a portion of the telemetry for transmission to an NFV security monitoring analytics system of the NFV security architecture for security threat analysis. Other embodiments are described and claimed.

Abstract: A system and method for performing runtime de-obfuscation of obfuscated malicious software code in a virtual machine is described. According to one embodiment, the method involves enumerating a first physical page associated with a first virtual address space of a first piece of analyzed software code. Herein, the first virtual address space is a portion of a virtual address space associated with the virtual machine. Thereafter, the first physical page is set a non-writable permission. Hence, upon detection of a write to the first physical page by the first piece of analyzed software code, a determination can be made that the first piece of analyzed software code may be categorized as malicious software code.

Abstract: The disclosed method and system allow a user to conveniently access a webpage using a short code without typing a web address. To solicit a user to see a webpage, the user will be given a short code that is easy to remember instead of a full web address. Later, the user will send the code to a directing server, where a corresponding relationship between the short code and the intended web address has been previously recorded, and the user will be directed to the webpage. The supply of easy-to-memorize short codes is limited by the possible number of combinations of a few digits; however, this method and system can be universally used without feeling the lack of available codes because each short code is designed to be valid only in a limited geographic area and for a limited time frame.

Abstract: Methods and apparatus for providing authentication of information of a user are described. Upon validation of this information, a first hash function is applied to the user's information to create a hash. A public attest key is generated by combining the hash of the user's information with one or more public keys. An attestation address is generated based on the public attest key. A signed transaction which includes the attest key is communicated for storage in a centralized or distributed ledger at the attestation address.

Abstract: A method of providing access to content at a first device, the method comprising: receiving an item of content, wherein at least part of the item of content is encrypted, the encrypted at least part of the item of content being decryptable using at least one decryption key; in a first software client: obtaining a transformed version of the at least one decryption key; performing a decryption operation on the encrypted at least part of the item of content based on the at least one decryption key to obtain an intermediate version of the at least part of the item of content, wherein said performing the decryption operation uses a white-box implementation of the decryption operation that forms part of the first software client and that operates using the transformed version of the at least one decryption key; and performing an encryption operation on at least a portion of the intermediate version based on at least one encryption key to obtain re-encrypted content, wherein said performing the encryption operation

Abstract: The present disclosure relates to aggregating and sharing wellness data. The wellness data can be received by a user device from any number of sensors external or internal to the user device, from a user manually entering the wellness data, or from other users or entities. The user device can securely store the wellness data on the user device and transmit the wellness data to be stored on a remote database. A user of the device can share some or all of the wellness data with friends, relatives, caregivers, healthcare providers, or the like. The user device can further display a user's wellness data in an aggregated view of different types of wellness data. Wellness data of other users can also be viewed if authorizations from those users have been received.

Abstract: System and method for resource management are disclosed. These include receiving, by a virtualized network function (VNF) manger (VNFM) entity, from a network functions virtualization orchestrator (NFVO) entity a granting indication including a granting granularity in which the NFVO entity permits the VNFM entity to perform multiple VNF management operations for one or more VNFs, determining, by the VNFM entity, that a first VNF management operation is in a scope of permission based on the granting indication upon the first VNF management operation being triggered, and sending, by the VNFM entity, a first resource allocation request for the first VNF management operation to a virtual infrastructure manager (VIM) entity.

Abstract: Disclosed is a cyber-security system that is configured to aggregate and unify data from multiple components and platforms on a network. The system allows security administrators can to design and implement a workflow of device-actions taken by security individuals in response to a security incident. Based on the nature of a particular threat, the cyber-security system may initiate an action plan that is tailored to the security operations center and their operating procedures to protect potentially impacted components and network resources.

Abstract: A device may receive, by a kernel of the device and from a loadable kernel module of the device, information that instructs the kernel to invoke a callback function associated with the loadable kernel module based on an execution of a hook of the kernel. The device may receive, by the kernel of the device and from an application of the device, a socket application programming interface (API) call. The socket API call may include control information. The device may execute, by the kernel of the device, the hook based on receiving the socket API call. The device may invoke, by the kernel of the device, the callback function associated with the loadable kernel module based on executing the hook to permit a functionality associated with the callback function to be provided. The kernel may provide the control information, associated with the socket API call, to the callback function as an argument.

Abstract: The present disclosure describes techniques for configuring and participating in encrypted audio calls, audio conferences, video calls, and video conferences. In particular, a call initiator generates a meeting identifier and a first meeting key, which are encrypted using a first encryption key and distributed to one or more participants of the call. The one or more participants decrypt the meeting identifier and the first meeting key, and use that information to participate in the encrypted call. Further, participants respond to the encrypted communication data by encrypting their reply data with the first meeting key. The call initiator decrypts the reply data using the first meeting key.

Abstract: Examples of the present disclosure describe systems and methods for enhancing the privacy of a personal search index. In some aspects, a personal cleartext document may be used to generate an encrypted document digest and an encrypted document on a first device. A second device may decrypt the document digest, build a personal search index based on the decrypted document digest, and store the encrypted document in a data store. The first device may subsequently receive a cleartext search query that is used to query the personal search index on the second device for encrypted documents.

Abstract: A method for execution by a dispersed storage and task (DST) client module includes obtaining a data identifier for slice location identification. A source name corresponding to the data identifier is identified. A plurality of data segments are identified based on the source name. A set of slice names are generated for each of the plurality of data segments. A set of DST execution units are identified based on the sets of slice names. A set of query requests are generated for each data segment for transmission to the set of DST execution units. Query responses are received from the set of DST execution units. A storage record is generated that includes storage location information of the query responses. Migration of at least some encoded data slices associated with the sets of slice names is facilitated when the storage record compares unfavorably to a storage record requirement.

Abstract: Methods and apparatus for ensuring protection of transferred content. In one embodiment, content is transferred while enabling a network operator (e.g., MSO) to control and change rights and restrictions at any time, and irrespective of subsequent transfers. This is accomplished in one implementation by providing a premises device configured to receive content in a first encryption format and encodes using a first codec, with an ability to transcrypt and/or transcode the content into an encryption format and encoding format compatible with a device which requests the content therefrom (e.g., from PowerKey/MPEG-2 content to DRM/MPEG-4 content). The premises device uses the same content key to encrypt the content as is used by the requesting device to decrypt the content.

Abstract: Techniques for access privilege analysis for a securable asset are described. According to various embodiments, a securable asset represents an object that is subject to access control. Generally, embodiments discussed herein can be employed to identify a principal that can be leveraged to obtain an access privilege to a securable asset, whether or not the principal is expressly granted an access privilege to the securable asset.

Abstract: The present disclosure provides a detailed description of techniques used in systems, methods, and in computer program products for building and operating a match cooperative without handling personally identifiable information. The various embodiments address the problem of discovering attributes pertaining to a particular user without sharing personally identifiable information pertaining to that particular user. More specifically, the claimed embodiments are directed to approaches for receiving online and offline PII and NPII associated with various users, obfuscating (e.g., hashing) the PII, and matching the obfuscated PII to the NPII based on various data (e.g., common attributes, etc.) and methods (e.g., deterministic matching, probabilistic matching, etc.). The matched NPII attributes can then be used to target the user associated with the obfuscated PII in online advertising campaigns.

Abstract: A method for building and managing send jobs with restricted information, the method comprising constructing at least one email with at least one reference to a restricted information and injecting each of the at least one emails to one or more send centers, wherein each of the one or more send centers is authorized to receive the restricted information.

Abstract: Computationally implemented methods and systems include acquiring data regarding a device having a particular protected portion for which the device is configured to selectively allow access, facilitating presentation of an offer to carry out at least one service, said at least one service at least partly related to the device, in exchange for access to the particular protected portion of the device, and facilitating performance of at least a portion of the at least one service that is at least partly related to the device, in response to a grant of access to the particular protected portion of the device. In addition to the foregoing, other aspects are described in the claims, drawings, and text.

Abstract: On-demand application permissions is described, including obtaining one or more consents associated with one or more functions of an application, where the application does not allow using the functions without associated consents; receiving, from a user, a consent associated with a function; activating to allow that function to be executed; when a request from the user to use another function is received, determining that the another function requires an associated consent to activate; determining that there is no consent from the user associated with the another function; prompting for a consent associated with the another function; receiving the consent associated with another function; and activating to allow the another function to be executed.

Abstract: In an approach for determining a physical address for object access in an object-based storage device (OSD) system, a processor divides a first data object into one or more partitions, including at least a first partition, and providing each partition for storage as individual stored objects in an OSD system. A processor adds a first entry in a page table, the first entry representing the first partition without an indication of a physical address. A memory management unit (MMU) of the OSD system receives a first request of the first partition. Responsive to receiving the first request of the first partition, a MMU identifies that the first entry of the page table represents the first partition. A MMU obtains a physical address of the first partition from one of a hardware component and a firmware component.

Abstract: The present invention provides an incremental upgrade method and system for a file. The method comprises: reading ZIP data information of an APK file, the ZIP data information being a ZIP data header and/or a ZIP directory table; acquiring an APK eigenvalue of the APK file according to the read ZIP data information; and performing incremental upgrade on an APK base file corresponding to the APK eigenvalue according to the APK eigenvalue. By means of the present invention, the efficiency of incremental upgrade can be improved while the calculation amount for acquiring an APK eigenvalue is reduced.

Abstract: A system and method may be used to manipulate secure content on a first computing device through the use of a software developer's kit. The method may include defining a secure container as a subset of a data store of the first computing device. First instructions of the software developer's kit may be executed to retrieve the secure content from a first content source of a plurality of content sources managed by a plurality of different entities. The secure content may be stored in the secure container. At an input device, user input may be received to initiate manipulation of the secure content in a manner that avoids storage of any of the secure content on a portion of the data store outside the secure container.

Abstract: Computationally implemented methods and systems include acquiring obscured data, said obscured data including property data regarding at least one property of one or more devices, wherein said obscured data has been obscured to avoid uniquely identifying the one or more devices, acquiring one or more services configured to be carried out on the one or more devices, said acquiring at least partly based on the acquired obscured data including the property data regarding at least one property of the one or more devices, and offering the one or more services in exchange for access to identifying data configured to uniquely identify the one or more devices associated with the property data. In addition to the foregoing, other aspects are described in the claims, drawings, and text.

Abstract: A mobile system and method are provided for securely sending, receiving and signing documents remote from a home office. A mobile unit capable of connecting to a home corporate network where documents are stored relating to a transaction is used as part of the system. While in route to or at the remote signing location, the mobile unit connects to the corporate network and prints the documents, or the home office sends the documents through a secure wireless connection to the mobile unit. The transaction is conducted at a remote location, and the executed documents are scanned and sent securely to the corporate network. The housing and mobile unit may be moved to a subsequent location and the mobile unit connects, while in route to or at the subsequent location, prints the documents for the subsequent transaction.

Abstract: Methods, computer program products, and systems are presented. The method computer program products, and systems can include, for instance: recording position data for a mobile device over time, the position data being associated to an identifier of the mobile device; outputting to a user an identification code associated to the identifier; receiving input data from a user, the input data including the identification code and user identifying information from a user; responsively to the receiving the input data from a user associating the identification code and the user identifying information; based on the associating processing the position data and user profile data associated to the user identifying information; sending a message to the user based on a result of the processing.

Abstract: In an approach for determining a physical address for object access in an object-based storage device (OSD) system, a processor divides a first data object into one or more partitions, including at least a first partition, and providing each partition for storage as individual stored objects in an OSD system. A processor adds a first entry in a page table, the first entry representing the first partition without an indication of a physical address. A memory management unit (MMU) of the OSD system receives a first request of the first partition. Responsive to receiving the first request of the first partition, a MMU identifies that the first entry of the page table represents the first partition. A MMU obtains a physical address of the first partition from one of a hardware component and a firmware component.