Object Protection Patents (Class 713/167)
-
Patent number: 10416931
Abstract: Examples herein involve fault tolerance in a shared memory. In examples herein, a metadata store of a shared memory indicating versions of data partitions of a resilient distributed dataset and a valid flag for the partitions of the resilient distributed dataset are used to achieve fault tolerance and/or recover from faults in the shared memory.
Type: Grant
Filed: September 30, 2016
Date of Patent: September 17, 2019
Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventors: Pradeep Fernando, Mijung Kim, Haris Volos, Jun Li
-
Patent number: 10397280
Abstract: Technologies for performing security monitoring services of a network functions virtualization (NFV) security architecture that includes an NFV security services controller and one or more NFV security services agents. The NFV security services controller is configured to transmit a security monitoring policy to the NFV security services agents and enforce the security monitoring policy at the NFV security services agents. The NFV security services agents are configured to monitor telemetry data and package at least a portion of the telemetry for transmission to an NFV security monitoring analytics system of the NFV security architecture for security threat analysis. Other embodiments are described and claimed.
Type: Grant
Filed: January 31, 2017
Date of Patent: August 27, 2019
Assignee: Intel Corporation
Inventors: Kapil Sood, Valerie J. Young, Muthaiah Venkatachalam, Manuel Nedbal
-
Patent number: 10380343
Abstract: A system and method for performing runtime de-obfuscation of obfuscated malicious software code in a virtual machine is described. According to one embodiment, the method involves enumerating a first physical page associated with a first virtual address space of a first piece of analyzed software code. Herein, the first virtual address space is a portion of a virtual address space associated with the virtual machine. Thereafter, the first physical page is set a non-writable permission. Hence, upon detection of a write to the first physical page by the first piece of analyzed software code, a determination can be made that the first piece of analyzed software code may be categorized as malicious software code.
Type: Grant
Filed: October 3, 2016
Date of Patent: August 13, 2019
Assignee: FireEye, Inc.
Inventors: Robert Jung, Antony Saba
-
Patent number: 10380268
Abstract: The disclosed method and system allow a user to conveniently access a webpage using a short code without typing a web address. To solicit a user to see a webpage, the user will be given a short code that is easy to remember instead of a full web address. Later, the user will send the code to a directing server, where a corresponding relationship between the short code and the intended web address has been previously recorded, and the user will be directed to the webpage. The supply of easy-to-memorize short codes is limited by the possible number of combinations of a few digits; however, this method and system can be universally used without feeling the lack of available codes because each short code is designed to be valid only in a limited geographic area and for a limited time frame.
Type: Grant
Filed: March 4, 2015
Date of Patent: August 13, 2019
Assignee: Blazee, Inc.
Inventor: Chienpyng Yeh
-
Patent number: 10333705
Abstract: Methods and apparatus for providing authentication of information of a user are described. Upon validation of this information, a first hash function is applied to the user's information to create a hash. A public attest key is generated by combining the hash of the user's information with one or more public keys. An attestation address is generated based on the public attest key. A signed transaction which includes the attest key is communicated for storage in a centralized or distributed ledger at the attestation address.
Type: Grant
Filed: January 3, 2017
Date of Patent: June 25, 2019
Assignee: Civic Technologies, Inc.
Inventors: Jonathan Robert Smith, Vinodan Karthikeya Lingham, John Driscoll
-
Patent number: 10303857
Abstract: A method of providing access to content at a first device, the method comprising: receiving an item of content, wherein at least part of the item of content is encrypted, the encrypted at least part of the item of content being decryptable using at least one decryption key; in a first software client: obtaining a transformed version of the at least one decryption key; performing a decryption operation on the encrypted at least part of the item of content based on the at least one decryption key to obtain an intermediate version of the at least part of the item of content, wherein said performing the decryption operation uses a white-box implementation of the decryption operation that forms part of the first software client and that operates using the transformed version of the at least one decryption key; and performing an encryption operation on at least a portion of the intermediate version based on at least one encryption key to obtain re-encrypted content, wherein said performing the encryption operation
Type: Grant
Filed: October 15, 2015
Date of Patent: May 28, 2019
Assignee: IRDETO B.V.
Inventors: Arnoud Evert Van Foreest, Martin Soukup
-
Patent number: 10270898
Abstract: The present disclosure relates to aggregating and sharing wellness data. The wellness data can be received by a user device from any number of sensors external or internal to the user device, from a user manually entering the wellness data, or from other users or entities. The user device can securely store the wellness data on the user device and transmit the wellness data to be stored on a remote database. A user of the device can share some or all of the wellness data with friends, relatives, caregivers, healthcare providers, or the like. The user device can further display a user's wellness data in an aggregated view of different types of wellness data. Wellness data of other users can also be viewed if authorizations from those users have been received.
Type: Grant
Filed: January 16, 2015
Date of Patent: April 23, 2019
Assignee: Apple Inc.
Inventors: Christopher D. Soli, Lawrence Y. Yang, Dennis S. Park, Stephen O. Lemay, Daniel S. Keen, James H. Foster, Zachery Kennedy, Michael O'Reilly, Guy L. Tribble, Todd K. Whitehurst
-
Patent number: 10263911
Abstract: System and method for resource management are disclosed. These include receiving, by a virtualized network function (VNF) manager (VNFM) entity, from a network functions virtualization orchestrator (NFVO) entity a granting indication including a granting granularity in which the NFVO entity permits the VNFM entity to perform multiple VNF management operations for one or more VNFs, determining, by the VNFM entity, that a first VNF management operation is in a scope of permission based on the granting indication upon the first VNF management operation being triggered, and sending, by the VNFM entity, a first resource allocation request for the first VNF management operation to a virtual infrastructure manager (VIM) entity.
Type: Grant
Filed: May 2, 2016
Date of Patent: April 16, 2019
Assignee: FUTUREWEI TECHNOLOGIES, INC.
Inventors: Zhixian Xiang, Jianning Liu
-
Patent number: 10129290
Abstract: Disclosed is a cyber-security system that is configured to aggregate and unify data from multiple components and platforms on a network. The system allows security administrators to design and implement a workflow of device-actions taken by security individuals in response to a security incident. Based on the nature of a particular threat, the cyber-security system may initiate an action plan that is tailored to the security operations center and their operating procedures to protect potentially impacted components and network resources.
Type: Grant
Filed: April 1, 2016
Date of Patent: November 13, 2018
Inventors: Bernard Thomas, David Scott, Fred Brott, Paul Smith
-
Patent number: 10127091
Abstract: A device may receive, by a kernel of the device and from a loadable kernel module of the device, information that instructs the kernel to invoke a callback function associated with the loadable kernel module based on an execution of a hook of the kernel. The device may receive, by the kernel of the device and from an application of the device, a socket application programming interface (API) call. The socket API call may include control information. The device may execute, by the kernel of the device, the hook based on receiving the socket API call. The device may invoke, by the kernel of the device, the callback function associated with the loadable kernel module based on executing the hook to permit a functionality associated with the callback function to be provided. The kernel may provide the control information, associated with the socket API call, to the callback function as an argument.
Type: Grant
Filed: December 22, 2016
Date of Patent: November 13, 2018
Assignee: Juniper Networks, Inc.
Inventors: Erin C. MacNeil, Hariprasad Shanmugam, Sreekanth Rupavatharam
-
Patent number: 10116637
Abstract: The present disclosure describes techniques for configuring and participating in encrypted audio calls, audio conferences, video calls, and video conferences. In particular, a call initiator generates a meeting identifier and a first meeting key, which are encrypted using a first encryption key and distributed to one or more participants of the call. The one or more participants decrypt the meeting identifier and the first meeting key, and use that information to participate in the encrypted call. Further, participants respond to the encrypted communication data by encrypting their reply data with the first meeting key. The call initiator decrypts the reply data using the first meeting key.
Type: Grant
Filed: December 15, 2016
Date of Patent: October 30, 2018
Assignee: Wickr Inc.
Inventors: Dipakkumar R. Kasabwala, Thomas Michael Leavy
-
Patent number: 10083315
Abstract: Examples of the present disclosure describe systems and methods for enhancing the privacy of a personal search index. In some aspects, a personal cleartext document may be used to generate an encrypted document digest and an encrypted document on a first device. A second device may decrypt the document digest, build a personal search index based on the decrypted document digest, and store the encrypted document in a data store. The first device may subsequently receive a cleartext search query that is used to query the personal search index on the second device for encrypted documents.
Type: Grant
Filed: June 29, 2015
Date of Patent: September 25, 2018
Assignee: Microsoft Technology Licensing, LLC
Inventor: Ho John Lee
-
Patent number: 10073737
Abstract: A method for execution by a dispersed storage and task (DST) client module includes obtaining a data identifier for slice location identification. A source name corresponding to the data identifier is identified. A plurality of data segments are identified based on the source name. A set of slice names are generated for each of the plurality of data segments. A set of DST execution units are identified based on the sets of slice names. A set of query requests are generated for each data segment for transmission to the set of DST execution units. Query responses are received from the set of DST execution units. A storage record is generated that includes storage location information of the query responses. Migration of at least some encoded data slices associated with the sets of slice names is facilitated when the storage record compares unfavorably to a storage record requirement.
Type: Grant
Filed: August 28, 2017
Date of Patent: September 11, 2018
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Vimalkumar P. Gajjar, Jason K. Resch
-
Patent number: 10050945
Abstract: Methods and apparatus for ensuring protection of transferred content. In one embodiment, content is transferred while enabling a network operator (e.g., MSO) to control and change rights and restrictions at any time, and irrespective of subsequent transfers. This is accomplished in one implementation by providing a premises device configured to receive content in a first encryption format and encoded using a first codec, with an ability to transcrypt and/or transcode the content into an encryption format and encoding format compatible with a device which requests the content therefrom (e.g., from PowerKey/MPEG-2 content to DRM/MPEG-4 content). The premises device uses the same content key to encrypt the content as is used by the requesting device to decrypt the content.
Type: Grant
Filed: February 6, 2017
Date of Patent: August 14, 2018
Assignee: TIME WARNER CABLE ENTERPRISES LLC
Inventor: Eric Hybertson
-
Patent number: 10044654
Abstract: The present disclosure provides a detailed description of techniques used in systems, methods, and in computer program products for building and operating a match cooperative without handling personally identifiable information. The various embodiments address the problem of discovering attributes pertaining to a particular user without sharing personally identifiable information pertaining to that particular user. More specifically, the claimed embodiments are directed to approaches for receiving online and offline PII and NPII associated with various users, obfuscating (e.g., hashing) the PII, and matching the obfuscated PII to the NPII based on various data (e.g., common attributes, etc.) and methods (e.g., deterministic matching, probabilistic matching, etc.). The matched NPII attributes can then be used to target the user associated with the obfuscated PII in online advertising campaigns.
Type: Grant
Filed: June 11, 2015
Date of Patent: August 7, 2018
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Stephen John Papa, David Abraham Wiener, Stephen Streich, Taha Sheikh
-
Patent number: 10043018
Abstract: Techniques for access privilege analysis for a securable asset are described. According to various embodiments, a securable asset represents an object that is subject to access control. Generally, embodiments discussed herein can be employed to identify a principal that can be leveraged to obtain an access privilege to a securable asset, whether or not the principal is expressly granted an access privilege to the securable asset.
Type: Grant
Filed: November 17, 2015
Date of Patent: August 7, 2018
Inventor: Michael Jason Melone
-
Patent number: 9967255
Abstract: A method for building and managing send jobs with restricted information, the method comprising constructing at least one email with at least one reference to a restricted information and injecting each of the at least one emails to one or more send centers, wherein each of the one or more send centers is authorized to receive the restricted information.
Type: Grant
Filed: April 9, 2013
Date of Patent: May 8, 2018
Assignee: SALESFORCE.COM, INC.
Inventors: James Michael Ciancio-Bunch, Tom Waltz, Jerry Seilar, Kevin Stark, Jonathan Bennett
-
Patent number: 9948492
Abstract: Computationally implemented methods and systems include acquiring data regarding a device having a particular protected portion for which the device is configured to selectively allow access, facilitating presentation of an offer to carry out at least one service, said at least one service at least partly related to the device, in exchange for access to the particular protected portion of the device, and facilitating performance of at least a portion of the at least one service that is at least partly related to the device, in response to a grant of access to the particular protected portion of the device. In addition to the foregoing, other aspects are described in the claims, drawings, and text.
Type: Grant
Filed: November 26, 2012
Date of Patent: April 17, 2018
Assignee: Elwha LLC
Inventors: Edward K. Y. Jung, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud
-
Patent number: 9946856
Abstract: On-demand application permissions is described, including obtaining one or more consents associated with one or more functions of an application, where the application does not allow using the functions without associated consents; receiving, from a user, a consent associated with a function; activating to allow that function to be executed; when a request from the user to use another function is received, determining that the another function requires an associated consent to activate; determining that there is no consent from the user associated with the another function; prompting for a consent associated with the another function; receiving the consent associated with another function; and activating to allow the another function to be executed.
Type: Grant
Filed: May 1, 2014
Date of Patent: April 17, 2018
Assignee: GOOGLE LLC
Inventor: Alejo Grigera
-
Patent number: 9928000
Abstract: In an approach for determining a physical address for object access in an object-based storage device (OSD) system, a processor divides a first data object into one or more partitions, including at least a first partition, and providing each partition for storage as individual stored objects in an OSD system. A processor adds a first entry in a page table, the first entry representing the first partition without an indication of a physical address. A memory management unit (MMU) of the OSD system receives a first request of the first partition. Responsive to receiving the first request of the first partition, a MMU identifies that the first entry of the page table represents the first partition. A MMU obtains a physical address of the first partition from one of a hardware component and a firmware component.
Type: Grant
Filed: April 5, 2016
Date of Patent: March 27, 2018
Assignee: International Business Machines Corporation
Inventors: Matthias Klein, Marco Kraemer, Carsten Otte, Christoph Raisch
-
Patent number: 9917697
Abstract: The present invention provides an incremental upgrade method and system for a file. The method comprises: reading ZIP data information of an APK file, the ZIP data information being a ZIP data header and/or a ZIP directory table; acquiring an APK eigenvalue of the APK file according to the read ZIP data information; and performing incremental upgrade on an APK base file corresponding to the APK eigenvalue according to the APK eigenvalue. By means of the present invention, the efficiency of incremental upgrade can be improved while the calculation amount for acquiring an APK eigenvalue is reduced.
Type: Grant
Filed: October 10, 2014
Date of Patent: March 13, 2018
Assignee: UC Mobile Co., Ltd.
Inventor: Xiaozhi Sun
-
Patent number: 9910655
Abstract: A system and method may be used to manipulate secure content on a first computing device through the use of a software developer's kit. The method may include defining a secure container as a subset of a data store of the first computing device. First instructions of the software developer's kit may be executed to retrieve the secure content from a first content source of a plurality of content sources managed by a plurality of different entities. The secure content may be stored in the secure container. At an input device, user input may be received to initiate manipulation of the secure content in a manner that avoids storage of any of the secure content on a portion of the data store outside the secure container.
Type: Grant
Filed: November 5, 2015
Date of Patent: March 6, 2018
Assignee: Accellion, Inc.
Inventors: Vidhya Ranganathan, Stanley Liu, Erik Thompson
-
Patent number: 9886458
Abstract: Computationally implemented methods and systems include acquiring obscured data, said obscured data including property data regarding at least one property of one or more devices, wherein said obscured data has been obscured to avoid uniquely identifying the one or more devices, acquiring one or more services configured to be carried out on the one or more devices, said acquiring at least partly based on the acquired obscured data including the property data regarding at least one property of the one or more devices, and offering the one or more services in exchange for access to identifying data configured to uniquely identify the one or more devices associated with the property data. In addition to the foregoing, other aspects are described in the claims, drawings, and text.
Type: Grant
Filed: December 31, 2012
Date of Patent: February 6, 2018
Assignee: Elwha LLC
Inventors: Edward K. Y. Jung, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud
-
Patent number: 9881264
Abstract: A mobile system and method are provided for securely sending, receiving and signing documents remote from a home office. A mobile unit capable of connecting to a home corporate network where documents are stored relating to a transaction is used as part of the system. While in route to or at the remote signing location, the mobile unit connects to the corporate network and prints the documents, or the home office sends the documents through a secure wireless connection to the mobile unit. The transaction is conducted at a remote location, and the executed documents are scanned and sent securely to the corporate network. The housing and mobile unit may be moved to a subsequent location and the mobile unit connects, while in route to or at the subsequent location, prints the documents for the subsequent transaction.
Type: Grant
Filed: August 24, 2011
Date of Patent: January 30, 2018
Assignee: Mobile Title Agency of Michigan, LLC
Inventors: Thomas W. Cronkright, II, Lawrence R. Duthler
-
Patent number: 9877153
Abstract: Methods, computer program products, and systems are presented. The methods, computer program products, and systems can include, for instance: recording position data for a mobile device over time, the position data being associated to an identifier of the mobile device; outputting to a user an identification code associated to the identifier; receiving input data from a user, the input data including the identification code and user identifying information from a user; responsively to the receiving the input data from a user associating the identification code and the user identifying information; based on the associating processing the position data and user profile data associated to the user identifying information; sending a message to the user based on a result of the processing.
Type: Grant
Filed: October 18, 2016
Date of Patent: January 23, 2018
Assignee: International Business Machines Corporation
Inventors: Jeremy A. Greenberger, Zachary M. Greenberger
-
Patent number: 9871734
Abstract: A network interface controller includes a host interface, which is configured to be coupled to a host processor having a host memory. A network interface is configured to receive data packets from a network, each data packet including a header, which includes header fields, and a payload including data. Packet processing circuitry is configured to process one or more of the header fields and at least a part of the data and to select, responsively at least to the one or more of the header fields, a location in the host memory. The circuitry writes the data to the selected location and upon determining that the processed data satisfies a predefined criterion, asserts an interrupt on the host processor so as to cause the host processor to read the data from the selected location in the host memory.
Type: Grant
Filed: May 28, 2012
Date of Patent: January 16, 2018
Assignee: MELLANOX TECHNOLOGIES, LTD.
Inventors: Michael Kagan, Noam Bloch
-
Patent number: 9870322
Abstract: In an approach for determining a physical address for object access in an object-based storage device (OSD) system, a processor divides a first data object into one or more partitions, including at least a first partition, and providing each partition for storage as individual stored objects in an OSD system. A processor adds a first entry in a page table, the first entry representing the first partition without an indication of a physical address. A memory management unit (MMU) of the OSD system receives a first request of the first partition. Responsive to receiving the first request of the first partition, a MMU identifies that the first entry of the page table represents the first partition. A MMU obtains a physical address of the first partition from one of a hardware component and a firmware component.
Type: Grant
Filed: November 12, 2015
Date of Patent: January 16, 2018
Assignee: International Business Machines Corporation
Inventors: Matthias Klein, Marco Kraemer, Carsten Otte, Christoph Raisch
-
Patent number: 9866393
Abstract: A system and method for generating a signature for a document using an identity verification token. The identity verification token receives a request that includes a set of credential data from a signatory, obtains a document identifier that identifies the document to a service provider, and obtains a token identifier that identifies the identity verification token to the service provider. The identity verification token generates the signature based at least in part on the obtained document identifier, the received set of credential data, and the obtained token identifier, and provides the signature.
Type: Grant
Filed: December 22, 2014
Date of Patent: January 9, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Dylan Harris Rush, Darren Ernest Canavor, Daniel Wade Hitchcock, Jesper Mikael Johansson, Jon Arron McClintock
-
Patent number: 9824194
Abstract: In accordance with the teaching described herein, systems and methods are provided for providing secure access to a software application on a computing device. The software application may include a security framework having a set of predetermined security requirements. Prior to enabling access to the software application by a user, the computing device may, (i) verify installation of a device security configuration profile on the computing device, wherein the device security configuration profile certifies that the software application includes the set of predetermined security requirements, (ii) receive identifying information from the user via a user interface, (iii) verify the identifying information with an authentication server, and (iv) based on a successful verification of the identifying information, receive and store a security token. Access to the software application on the computing device may be provided for a specified period identified by the security token.
Type: Grant
Filed: June 26, 2015
Date of Patent: November 21, 2017
Assignee: AbbVie Inc.
Inventor: Sembian Balasubramanian
-
Patent number: 9817892
Abstract: Systems, methods, and media for the automated removal of private information are provided herein. In an example implementation, a method for automatic removal of private information may include: receiving a transcript of communication data; applying a private information rule to the transcript in order to identify private information in the transcript; tagging the identified private information with a tag comprising an identification of the private information; applying a compliance rule to the tagged transcript in order to evaluate a compliance of the transcript with privacy standards; removing the identified private information from the transcript to produce a redacted transcript; and storing the redacted transcript.
Type: Grant
Filed: January 30, 2015
Date of Patent: November 14, 2017
Assignee: VERINT SYSTEMS LTD.
Inventors: Saar Carmi, Yair Horesh, Galia Zacay
-
Patent number: 9807060
Abstract: Methods and arrangements for protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure. A hybrid application is recognized in a mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network. There are provided, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network. A policy service is provided, which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network. Other variants and embodiments are broadly contemplated herein.
Type: Grant
Filed: March 13, 2015
Date of Patent: October 31, 2017
Assignee: International Business Machines Corporation
Inventors: Palanivel A. Kodeswaran, Prasad G. Naldurg, Venkatraman Ramakrishna, Arvind Seshadri, Michael Steiner
-
Patent number: 9787717
Abstract: An approach is provided for managing a message in a transfer from a computer. A level of security protecting the transfer of the data is determined. The level of security is determined to satisfy or not satisfy a threshold level. If the level of security satisfies the threshold level, the computer is connected and the message is transferred using the level of security. If the level of security does not satisfy the threshold level, then based on the level of security, an action to change the level of security is determined so that the changed level of security satisfies the threshold level. The action changes a method of network layer encryption for the transfer and/or a protocol specifying whether application layer encryption is utilized for the transfer. The action is executed to connect the computer and transfer the message using the changed level of security.
Type: Grant
Filed: January 11, 2017
Date of Patent: October 10, 2017
Assignee: International Business Machines Corporation
Inventors: Kelly Abuelsaad, Lisa Seacat DeLuca, Soobaek Jang, Daniel C. Krook
-
Method for updating a table of correspondence between a logical address and an identification number
Patent number: 9769138
Abstract: A method and system for updating a table of correspondence between a logical address associated to a user unit in a communication network and a unique identification number associated to one of a group of user units managed by a management center, a method where messages are exchanged between said management center and a specific user unit of said group by using said communication network, these messages being forwarded to the logical address of the specific user in said network, the method including searching in said table for the logical address of the user unit in said communication network corresponding to the unique identification number of the specific user unit; sending of messages to the user unit having the concerned unique identification number, to the logical address corresponding to said communication network; and if the messages are received incorrectly, sending a request containing an identifier of said specific user unit.
Type: Grant
Filed: June 15, 2015
Date of Patent: September 19, 2017
Assignee: NAGRAVISION S.A.
Inventor: Philippe Stransky
-
Patent number: 9769154
Abstract: The present invention relates to a passcode operating system, to a passcode apparatus, and to a super-passcode generating method, which are capable of protecting user authentication information from external hacking. The passcode apparatus of the present invention comprises: one or more processors; a memory; and one or more programs stored in the memory and configured to be executed by the one or more processors. The program includes: a data safekeeping module for storing user-specific passcode data; an input window module for displaying an input window on which multiple icons are arranged; and a passcode-generating module for checking, when icons are selected through the input window module, the character string corresponding to each selected icon on a virtual keyboard contained in the passcode data, generating a seed passcode in which the checked character strings are combined, and generating a super-passcode for each website using the seed passcode and a site code.
Type: Grant
Filed: April 25, 2013
Date of Patent: September 19, 2017
Assignee: Rowem Inc.
Inventors: Giho Yang, Jaeyeob Hwang
-
Patent number: 9736004
Abstract: Computationally implemented methods and systems include acquiring an offer to facilitate execution of one or more services that utilize a particular portion of a device, in exchange for access to the particular portion of the device, determining whether to accept the offer to facilitate execution of the one or more services and grant access to the particular portion of the device, and facilitating access to the particular portion upon a determination to accept the offer to facilitate the execution of the one or more services. In addition to the foregoing, other aspects are described in the claims, drawings, and text.
Type: Grant
Filed: December 3, 2012
Date of Patent: August 15, 2017
Assignee: Elwha LLC
Inventors: Edward K. Y. Jung, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud
-
Patent number: 9734350
Abstract: Techniques for sorting encrypted data within a software as a service (SaaS) environment. Data is encrypted on a per symbol basis with a symbol based encryption module. Sort and search functionality preserving encryption that allows other modules to sort tokens and to search for tokens is provided. Encrypted tokens that have been encrypted by the symbol based encryption module are stored in a database. Access to the encrypted tokens is provided through the SaaS environment.
Type: Grant
Filed: June 15, 2015
Date of Patent: August 15, 2017
Assignee: salesforce.com, inc.
Inventor: David Movshovitz
-
Patent number: 9722996
Abstract: A system that permits authentication based on a partial password, in which a risk score is assigned to an authentication request, and a minimum partial password size is generated based on the risk score. User-entered password characters are compared to one or more partial passwords having lengths equal to or greater than the minimum partial password size. If a match is found, the user is authenticated. A password similarity threshold for the request may also be generated based on the risk score, indicating a minimum level of similarity required between the user-entered password characters and the characters in a partial password, in order for there to be a match. When the user-entered password characters match a partial password, and the requesting user is authenticated, the system may stop inputting user-entered password characters, and/or transmitting the user-entered password characters to a server computer.
Type: Grant
Filed: March 23, 2015
Date of Patent: August 1, 2017
Assignee: EMC IP Holding Company LLC
Inventors: Eyal Kolman, Alon Kaufman, Ereli Eran, Eyal Gruss
-
Patent number: 9715585
Abstract: An operation at a mobile device is authenticated by using a random visual presentation displayed at the device for the authentication. The mobile device generates and displays the random visual presentation which is optically captured (e.g., by a camera) at a capturing device. The capturing device uses the captured random visual presentation to generate an authentication value (e.g., a hash) based on a defined security protocol. The authentication value is compared to an expected value and if the values match the mobile device executes the operation.
Type: Grant
Filed: October 7, 2014
Date of Patent: July 25, 2017
Assignee: NXP USA, Inc.
Inventor: Adolph Seema
-
Patent number: 9712525
Abstract: To validate a user's identity a network validation server receives a smartphone image of a preexisting user credential, including both a user biometric and a unique identifier associated with the credential and stores them in a database. The validation server also receives the unique identifier from a registrar network device seeking to validate the user, and in response transmits a validation code to the user's smartphone for display by the user's smartphone and/or the registrar's network device for display by the registrar's network device. The validation server additionally receives confirmation from the registrar's network device that a validation code displayed on the user's smartphone is the transmitted validation, thereby confirming that the user has been validated by the registrar.
Type: Grant
Filed: March 23, 2015
Date of Patent: July 18, 2017
Inventor: Ravi Ganesan
-
Patent number: 9705920
Abstract: Disclosed are various embodiments for active data, such as active decoy data. The active decoy data includes instructions that, when executed by a particular device, cause the particular computing device to determine whether the particular computing device is a target computing device. The particular computing device initiates a predefined action in response to determining that the particular computing device is not the target computing device. The approaches described herein may also be useful in wrapping and distributing digital content.
Type: Grant
Filed: March 27, 2014
Date of Patent: July 11, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Harsha Ramalingam, Dominique Imjya Brezinski, Jesper Mikael Johansson, Jon Arron McClintock, James Connelly Petts
-
Patent number: 9703453
Abstract: A method and apparatus for partially up/downscaling an image encoded on a macroblock basis. The method and apparatus performs operations of: storing the encoded image; creating map data from bitstream of the encoded image to decode at least one macroblock of the encoded image, creating a shrunken image of a predetermined size based on resolution of a display device, storing the map data and the shrunken image so as to relate with the encoded image; outputting the shrunken image related with the encoded image to be displayed based on a control request received from an input device; determining at least one macroblock to be decoded based on a display area of the shrunken image; partially decoding the encoded image for the determined macroblock using the map data; and outputting to the display device, the image data of the display area of the partially decoded image.
Type: Grant
Filed: February 3, 2016
Date of Patent: July 11, 2017
Assignee: Morpho, Inc.
Inventors: Masaki Hiraga, Kunihiro Naka, Takayuki Nishiyama, Takeshi Miura, Katsuhiro Nakayama
-
Patent number: 9686083
Abstract: Methods and systems for generating or validating compact certificates include receiving a first format of the certificate. Moreover, obtain a signature for the certificate in the first format. For each field of the certificate decode the field to obtain a value for the field from the first format and encoding the value for the field into a second format. Decoding and encoding for each field is done incrementally in the same order of the fields as the first format. In other words, a next field is not decoded from the first format until the field is encoded in the second format. Furthermore, a security envelope is encoded using the signature in the first format and the fields.
Type: Grant
Filed: October 14, 2014
Date of Patent: June 20, 2017
Assignee: Google Inc.
Inventor: Jay D. Logue
-
Patent number: 9679130
Abstract: A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.
Type: Grant
Filed: March 5, 2015
Date of Patent: June 13, 2017
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: John M. Sheehan, Howard S. Kapustein, Jerome Thomas Holman, Scott B. Graham, Sermet Iskin
-
Patent number: 9665709
Abstract: An exemplary method includes an application management system 1) detecting a request provided by a user to install an application on a user device, 2) identifying a plurality of privacy attributes of the application, 3) determining, based on the identified privacy attributes, a compliance level of the application with respect to a privacy profile associated with the user, the compliance level representing a degree to which the application complies with the privacy profile associated with the user, and 4) directing, prior to the installation of the application, the user device to present a graphic that represents the determined compliance level of the application. Corresponding methods and systems are also disclosed.
Type: Grant
Filed: September 8, 2014
Date of Patent: May 30, 2017
Assignee: VERIZON PATENT AND LICENSING INC.
Inventor: Sanjay Udani
-
Patent number: 9639377
Abstract: A linker or loader, and associated method, is described, whereby the application of security transformations to object-code modules can be deferred until link or load-time, through, for example, memory relocation, selection from diverse instances of a module, and late-binding of constants. This provides several benefits over conventional source-to-source security transformations. These deferred security transformations can be applied in a very light-weight manner and create many opportunities for diversity in the resulting executable program, enhancing security, while at the same time minimizing the impact on execution performance and correctness, and reducing the complexity of debugging.
Type: Grant
Filed: March 31, 2010
Date of Patent: May 2, 2017
Assignee: IRDETO B.V.
Inventors: Grant Stewart Goodes, Clifford Liem
-
Patent number: 9612818
Abstract: An information processing apparatus provided with an extension unit, the extension unit comprises a unit that performs control to download an introduction program that provides information about an extension program for extending functionality which can be downloaded and to install the introduction program; a unit that obtains, from the installed introduction program, information about an extension program which can be downloaded; a unit that performs control to download the extension program that can be downloaded and install the extension program that can be downloaded, based on the information obtained from the introduction program, in response to receiving an instruction to install the extension program which can be downloaded; and a unit that performs control to uninstall the installed extension program, based on limitation information for the extension program, which is included in the information obtained from the introduction program.
Type: Grant
Filed: July 23, 2015
Date of Patent: April 4, 2017
Assignee: CANON KABUSHIKI KAISHA
Inventor: Ruri Hayashi
-
Patent number: 9594793
Abstract: Embodiments of the present invention manage multiple requests to allocate real world resources in a multi-user environment. A request for interacting with a database environment comprising records of allocations of a plurality of resources is received from a user in a plurality of users. The database environment is shared between the plurality of users. A set of action choices available for the request is provided to the user via the user interface. A set of resources required by each action choice is identified. The set of resources is associated with a decision context. The decision context exists for a period of time. The set of resources are allocated to the user for a duration of the decision context. The allocating prevents the set of resources from being allocated to other users for the duration of the decision context irrespective of a set of actions performed by the other users.
Type: Grant
Filed: September 23, 2010
Date of Patent: March 14, 2017
Assignee: International Business Machines Corporation
Inventors: Paul M. Dantzig, Robert O. Dryfoos, Sastry S. Duri, Mark Gambino, Arun Iyengar, Francis Parr
-
Patent number: 9565472
Abstract: Methods and apparatus for ensuring protection of transferred content. In one embodiment, content is transferred while enabling a network operator (e.g., MSO) to control and change rights and restrictions at any time, and irrespective of subsequent transfers. This is accomplished in one implementation by providing a premises device configured to receive content in a first encryption format and encodes using a first codec, with an ability to transcrypt and/or transcode the content into an encryption format and encoding format compatible with a device which requests the content therefrom (e.g., from PowerKey/MPEG-2 content to DRM/MPEG-4 content). The premises device uses the same content key to encrypt the content as is used by the requesting device to decrypt the content.
Type: Grant
Filed: December 10, 2012
Date of Patent: February 7, 2017
Assignee: Time Warner Cable Enterprises LLC
Inventor: Eric Hybertson
-
Patent number: 9531744
Abstract: Techniques for in-line filtering of insecure or unwanted mobile components or communications (e.g., insecure or unwanted behaviors associated with applications for mobile devices (“apps”), updates for apps, communications to/from apps, operating system components/updates for mobile devices, etc.) for mobile devices are disclosed. In some embodiments, in-line filtering of apps for mobile devices includes intercepting a request for downloading an application to a mobile device; and modifying a response to the request for downloading the application to the mobile device. In some embodiments, the response includes a notification that the application cannot be downloaded due to an application risk policy violation.
Type: Grant
Filed: September 28, 2015
Date of Patent: December 27, 2016
Assignee: Appthority, Inc.
Inventors: Anthony John Bettini, Kevin Watkins, Domingo J. Guerra, Michael Price
-
Patent number: 9529993
Abstract: Access to a privileged account is managed by first requiring authentication of a user logging into the account and then performing a policy evaluation to determine whether the identified user is allowed to log in using the privileged identity. Preferably, the authentication is a two factor authentication. The policy evaluation preferably enforces a policy, such as a role-based access control, and a context-based access control, a combination of such access controls, or the like. Thus, according to this approach, the entity is provided access to the privileged account if the user's identity is verified and a policy is met. In the alternative, the entity is denied access to the privileged account if either the authentication fails, or (assuming authentication does not fail) policy criteria for the user is not met.
Type: Grant
Filed: March 2, 2012
Date of Patent: December 27, 2016
Assignee: International Business Machines Corporation
Inventors: Kaushal Kiran Kapadia, Gaurav Gupta, Rohit Jaiswal, Gaurang Sudhakar Tapase, Sachin Sanjay Gujar