Authorization Patents (Class 726/17)
  • Patent number: 11005849
    Abstract: The disclosed embodiments relate to systems and methods for secure and efficient resource access using distributed directory caching techniques. Techniques include obtaining, from a directory service, client directory data associated with a client; providing the client directory data to a computing device associated with the client for caching on the computing device; identifying a request from the client; receiving, from the computing device, the client directory data that was cached on the computing device; and evaluating the request based on the received client directory data.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: May 11, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Dima Barboi, Arthur Bendersky, Tal Zigman
  • Patent number: 11003781
    Abstract: A root key processing method and an associated device are disclosed. The root key processing method is performed by a processor connected to a memory configured with an RPMB section, and includes the following steps. The processor detects whether a root key of the RPMB section is already written in the memory after the processor is powered on. If not, in a secure activation process of the processor, the root key of the RPMB section is written to the memory, wherein the secure activation process is that the processor does not activate a non-secure operation system. The method is capable of preventing leakage of the root key from the memory.
    Type: Grant
    Filed: November 5, 2018
    Date of Patent: May 11, 2021
    Assignee: MEDIATEK, INC.
    Inventor: Ming Yong Sun
  • Patent number: 10983764
    Abstract: A method of providing application-oriented software for a desired application-oriented functionality within a computer system includes transferring configuration data to the computer system, wherein the configuration data predefine a functionality of an application-oriented software to be created, using one or more program components from a plurality of program components stored locally within the computer system depending on the functionality predefined by the configuration data, creating the application-oriented software by the locally used program components depending on the functionality defined by the configuration data, and embedding the created application-oriented software in an operating environment in the computer system to provide the desired application-oriented functionality.
    Type: Grant
    Filed: May 15, 2019
    Date of Patent: April 20, 2021
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventors: Timo Bruderek, Jürgen Atzkern
  • Patent number: 10949445
    Abstract: The disclosed technology relates to a system configured to compute a difference between a remote tree data structure representing a server state for content items associated with an account on a content management system and a sync tree data structure representing a known synchronization state between the content management system and the computing system. The system is configured to generate, based on the difference, a set of operations that when performed on the computing system update the content items stored on the client device to converge a file system state on the computing system and the server state.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: March 16, 2021
    Assignee: Dropbox, Inc.
    Inventors: Isaac Goldberg, Sujay Jayakar, John Lai, Robert Ying, Nipunn Koorapati, Gautam Gupta, Geoffry Song, Elmer Charles Jubb, IV
  • Patent number: 10951608
    Abstract: A technique is disclosed for remotely managing isolated domains on mobile devices. A request is received from the mobile device to instantiate a managed domain. A managed domain configuration is determined and comprises a security policy controlling access to content of the managed domain of the subscribing mobile device, a content specification identifying the content to be downloaded by the subscribing mobile device into the managed domain, and a content configuration identifying a configuration of the content on the subscribing mobile device. The managed domain configuration is sent to the subscribing mobile device to instantiate a secure, managed domain whose policy, content and content configuration is remotely controlled. The technique is useful for advertising and brand promotion on mobile devices as it simultaneously enables detailed control over the presentation of content by a curator while ensuring privacy and security protection of the other apps, accounts and data on the mobile device.
    Type: Grant
    Filed: March 11, 2019
    Date of Patent: March 16, 2021
    Assignee: CIS MAXWELL, LLC
    Inventors: Alexander James Main, Ron Vandergeest, Paul Litva
  • Patent number: 10949651
    Abstract: The present invention relates to an electrocardiogram-based face recognition security system and method using a smart watch, and more particularly, to a security system and a method for enhancing security by simultaneously performing biometric human identification based on an electrocardiogram and biometric human identification using face recognition for user identification in a portable PTT communication device such as a smart watch.
    Type: Grant
    Filed: December 27, 2018
    Date of Patent: March 16, 2021
    Assignee: DODOTDO CO., LTD
    Inventors: In Gyeom Kim, So Yeong Sim
  • Patent number: 10942991
    Abstract: Parental control of child's web-based digital content experience, which can be applied to other contexts such as education, the workplace or other organizations. Trust relationships authorize specified users or organizations to permit access to content or resources by other users. Collection curation including content reputation and age appropriate ratings disclosed.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: March 9, 2021
    Assignee: Kiddofy, LLC
    Inventor: Eric D. Kidd
  • Patent number: 10936704
    Abstract: One embodiment provides a method, including: assigning a machine learning model signature to a machine learning model, wherein the machine learning model signature is generated using (i) data points and (ii) corresponding data labels from training data; receiving input comprising identification of a target machine learning model; acquiring a target signature for the target machine learning model by generating a signature for the target machine learning model using (i) data points from the assigned machine learning model signature and (ii) labels assigned to those data points by the target machine learning model; determining a stolen score by comparing the target signature to the machine learning model signature and identifying the number of data labels that match between the target signature and the machine learning model signature; and classifying the target machine learning model as stolen based upon the stolen score reaching a predetermined threshold.
    Type: Grant
    Filed: February 21, 2018
    Date of Patent: March 2, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Sameep Mehta, Rakesh R. Pimplikar, Karibik Sankaranarayanan
  • Patent number: 10931712
    Abstract: A method and associated circuits protect data stored in a secure data circuit of a telecommunication device equipped with a near-field communication (NFC) router, a microcontroller, and the secure data circuit. In the method, each message received with the NFC router is parsed to retrieve a communication pipe identifier and an instruction code. The communication pipe identifier and the instruction code are compared to corresponding information in a filter table. Instruction codes of particular messages that attempt to modify a communication pipe by reassigning one end of the communication pipe from the port of the NFC router to a different circuit are acted upon. These messages are blocked from reaching the secure data circuit when the instruction code is not authorized in the filter table, and these messages are permitted when the instruction code is authorized in the filter table.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: February 23, 2021
    Assignees: STMICROELECTRONICS (ROUSSET) SAS, PROTON WORLD INTERNATIONAL N.V.
    Inventors: Thierry Huque, Olivier Van Nieuwenhuyze, Alexandre Charles
  • Patent number: 10932117
    Abstract: A method and system for connecting a power tool with a mobile device. The mobile device receives a user request to connect to a power tool and transmits a short-range advertisement. The power tool receives the short-range advertisement and transmits a signal. The mobile device receives the signal from the power tool and determines a signal strength. The mobile device compares the signal strength to a predetermined signal strength value. When the signal strength value exceeds the predetermined signal strength value, the mobile device connects with the power tool.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: February 23, 2021
    Assignee: Milwaukee Electric Tool Corporation
    Inventors: Christian Paul Coulis, Jason Glenn Rothman, Steven M. Stefanik
  • Patent number: 10922441
    Abstract: A computing device includes: a trusted execution environment with access to a memory storing a deletable root key, the memory inaccessible by a second execution environment; and at least one processor operable in the trusted execution environment, wherein when operating in the trusted execution environment, the at least one processor is configured for: based on requests from the second execution environment, performing a root key operation on an encryption key utilized by the second execution environment to secure data the second execution environment; and deleting the root key upon detection of a security event.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: February 16, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Zhijun Mo, Jianfei Ye
  • Patent number: 10911421
    Abstract: Disclosed are various embodiments for an authentication service. A unique identifier is associated with a device access token for a client to be authenticated. An authentication identifier is sent to an authenticated client. The client to be authenticated communicates the authentication identifier and unique identifier to the authentication service to complete authentication.
    Type: Grant
    Filed: October 9, 2017
    Date of Patent: February 2, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Yogesh Vilas Golwalkar, Bharath Kumar Bhimanaik
  • Patent number: 10904475
    Abstract: Methods, apparatus, and software are described for using an optically-readable code. The optically-readable code may be caused to be displayed. Data may be received based on the optically-readable code. Content or other items may be determined based on the optically-readable code.
    Type: Grant
    Filed: June 19, 2017
    Date of Patent: January 26, 2021
    Assignee: Comcast Cable Communications, LLC
    Inventors: Shaun Gehring, Jason Smith, Michael J. Cook, Bruce Bradley, Daniel T. Grady, Charlie Herrin, Robert Philibert
  • Patent number: 10904261
    Abstract: The invention comprises a personal data sharing system comprising an aggregator for aggregating data from a plurality of disparate sources and for categorising said aggregated data into discrete groups of data, a platform configured to enable the assignment of an access permission level for each one of said discrete groups of data by allowing the user to configure said access permission level or by automatically assigning said access permission level from a number of pre-determined access permission levels; said platform being further configured to permit access to a discrete group of data dependent upon said access permission level.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: January 26, 2021
    Inventor: Dele Atanda
  • Patent number: 10887755
    Abstract: A method for activating a first terminal from a second terminal, the first terminal and the second terminal being connected via a communication network. The method includes associating the first terminal with the second terminal, detecting an action on an input peripheral device associated with the second terminal, and transmitting a notification to the first terminal, the notification having at least one command suitable for authorizing unlocking of the first terminal.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: January 5, 2021
    Assignee: ORANGE
    Inventor: Cedric Floury
  • Patent number: 10880333
    Abstract: Systems and processes that may be implemented to manage access by software applications to various resources of a user telecommunications device are disclosed. The systems and processes may implement a trust policy which reflects privacy criteria selected by a user of the user telecommunications device, wherein the trust policy overrides registered permissions of the software applications. The user telecommunication device may include a memory that stores a software application that has been granted registered permissions to access an input and/or output component of the user telecommunications device as well as a trust policy that has been set by the user to proscribe access by that particular software application to the input and/or output component. In implementing the trust policy, the software application may be prevented from accessing the input and/or output component notwithstanding the software application having registered permissions to access the input and/or output component.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: December 29, 2020
    Assignee: T-Mobile USA, Inc.
    Inventors: Ahmad Arash Obaidi, Eric W. Yocam
  • Patent number: 10867074
    Abstract: An electronic device capable of controlling an access right of an application and a controlling method thereof are provided. The controlling method of the electronic device for executing the application includes, in response to an event for inquiring about whether to allow an access right to a function of the electronic device required for executing an application, displaying a user interface (UI) to confirm whether to allow the access right, and in response to a user command being input through the UI, matching and storing a state of the application according to the event and a determination of whether to allow the access right according to the user command.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: December 15, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yun Jin Lee, Seung Hyun Ha
  • Patent number: 10833862
    Abstract: The present application provides identity registration and authorization methods using biometric feature information of a user. In one example method, a terminal device receives biometric feature information of a user that is to be verified in association with a service processing request. The terminal device can then match the received biometric feature information to be verified with a pre-stored biometric feature of the user, where the pre-stored biometric feature of the user is associated with a corresponding identifier. In response to matching the received biometric feature information to be verified to a particular pre-stored biometric feature of the user, a private key store is searched for a private key associated with the identifier of the particular pre-stored biometric feature of the user. In response to determining that no private key is associated with the identifier, a user identity of the user is registered with a server.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: November 10, 2020
    Assignee: Alibaba Group Holding Limited
    Inventor: Fei Meng
  • Patent number: 10812332
    Abstract: Techniques for generating a stream processing pipeline are provided. In one embodiment, a method includes generating a plurality of pipeline stages of a stream processing pipeline in accordance with a configuration file. The plurality of pipeline stages includes a first buffer stage designated for a first data service and a second buffer stage designated for a second data service. The method further includes collecting data items; processing the collected data items; and storing at least a portion of the processed data items in the first buffer stage and at least a portion of the processed data items in the second buffer stage. The method further includes transmitting the data items stored in the first buffer stage to the first data service at a first transmission rate; and transmitting the data items stored in the second buffer stage to the second data service at a second transmission rate.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: October 20, 2020
    Assignee: VMware Inc.
    Inventor: Deep P. Desai
  • Patent number: 10795707
    Abstract: A processing system including a host system having a host processor, an associated host memory system, user interface, and a host operating system. The host operating system runs a virtualization program for creating a virtual machine including virtual hardware, a virtual operating system, and a virtual application program running in conjunction with the virtual operating system. The virtual machine instantiates the virtual application program in response to a user request through the user interface to initiate a function. In response to user inputs through the user interface, the virtual machine executes operations with the virtual application in conjunction with the virtual operating system to implement the requested function such that the host system is isolated from an attack initiated during execution of the virtual application program by the virtual machine.
    Type: Grant
    Filed: May 14, 2015
    Date of Patent: October 6, 2020
    Inventors: Peter McClelland Hay, Donald William Hay
  • Patent number: 10783534
    Abstract: Disclosed is a computer implemented method of creating a profile of a user based on user behavior. The method may include receiving a plurality of Universal Resource Locators (URLs) corresponding to a plurality of webpages visited by the user. Further, the method may include retrieving content from each of the plurality of webpages based on the plurality of URLs. Furthermore, the method may include analyzing content from each of the plurality of webpages. Additionally, analyzing content from a webpage may include analyzing content corresponding to each content type present on the webpage. Further, the method may include identifying a plurality of keywords corresponding to the webpage based on the analyzing. Furthermore, the plurality of keywords may be associated with a plurality of affinity values. The plurality of keywords and the plurality of affinity values may constitute the profile of the user.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: September 22, 2020
    Assignee: Clickagy, LLC
    Inventors: Harry Russell Maugans, III, Cody Alan Carrell
  • Patent number: 10785628
    Abstract: The present invention includes a device for the transmission of a communication transmission with a communication menu facilitating communication between a user and an operator with bespoke information.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: September 22, 2020
    Assignee: Safe Sex Consent, Inc.
    Inventor: Wendy Geller
  • Patent number: 10778688
    Abstract: Case management systems and techniques are disclosed. In various embodiments, a definition is received that associates a descendant case role alias with a first case node at a first hierarchical level of a hierarchical data model, the definition further associating a permission with the descendant case role alias and referencing a referenced case role associated with a second case node at a second hierarchical level of the hierarchical data model. The definition is used to extend the permission to a user assigned to the referenced case role with respect to a case instance comprising the hierarchical data model.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: September 15, 2020
    Assignee: Open Text Corporation
    Inventors: Satyapal P. Reddy, Muthukumarappa Jayakumar, Julian M. Hjortshoj, Ravikumar Meenakshisundaram
  • Patent number: 10762183
    Abstract: In general, the techniques of this disclosure describe a computing device in a secure domain that is configured to receive, via a guard device, an authentication factor from a biometric authentication device in a non-secure domain. The biometric authentication device is in a non-secure domain, and the authentication factor comprises an identifier of a prospective user of the biometric authentication device. The computing device may then determine, based on the received authentication factor, whether the prospective user is a trusted user of the computing device based on the authentication factor. Responsive to determining that the prospective user of the biometric authentication device is the trusted user, the computing device may enable access to one or more applications on the computing device.
    Type: Grant
    Filed: January 9, 2018
    Date of Patent: September 1, 2020
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Deborah K. Charan, Ranga Ramanujan
  • Patent number: 10742822
    Abstract: Concepts and technologies are disclosed herein for mobile network handling of simultaneous data usage session records. A system can include a network session server that has a processor and a memory storing instructions that configure a processor to perform operations. The operations can include obtaining, from a session probe within a core network device, a raw mobile data set associated with a user equipment. The operations can include determining that the user equipment engages in a simultaneous usage session based on the raw mobile data set. The operations can include identifying targeted domains that are present within the raw mobile data set, and creating a raw session record for each of the targeted domains associated with the simultaneous usage session.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: August 11, 2020
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Sheldon Meredith, William C. Cottrill
  • Patent number: 10671544
    Abstract: Provided herein may be a storage device and a method of operating the same. The method of operating a storage device including a replay protected memory block (RPMB) may include receiving a write request for the RPMB from an external host, selectively storing data in the RPMB based on an authentication operation, receiving a read request from the external host, and providing result data to the external host in response to the read request, wherein the read request includes a message indicating that a read command to be subsequently received from the external host is a command related to the result data.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: June 2, 2020
    Assignee: SK hynix Inc.
    Inventor: Kwang Su Kim
  • Patent number: 10659237
    Abstract: This document discloses a system and method for verifying system integrity of an electronic device. The electronic device includes a verifier device provided within a secure environment of the electronic device and a scanner device provided within a normal environment of the electronic device whereby the secure environment comprises hardware that is isolated from the hardware in the normal environment, i.e. these two environments are hardware isolated.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: May 19, 2020
    Assignee: Huawei International Pte. Ltd.
    Inventors: Yongzheng Wu, Xuejun Wen, Chengfang Fang, Tieyan Li
  • Patent number: 10616240
    Abstract: Techniques and technologies for protocols for accessing hosts are described. In at least some embodiments, a system includes a processing component, and a host protocol component. The host protocol component is configured to receive at a host a request from a client device, the request including a Uniform Resource Locator (URL) string locating a container or an ecosystem stored by the host; determine using at least a portion of the URL string whether the request is a container-related request or an ecosystem-related request; generate a response at the host including information responsive to the request, the information including the URL string locating the container or the ecosystem, and at least one response parameter corresponding to the request and associated with the container or the ecosystem; and transmit the response from the host to the client device.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: April 7, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Matthew J. Ruhlen, Christopher J. Brown, Tyler W. Butler
  • Patent number: 10599826
    Abstract: Systems and methods for performing decoupled authorization, whereby authorizing access permissions of a user to a resource is performed separate and independent from authorizing intent of the user to access the resource. Once both authorizations are successfully completed within a specified timeout interval, the access state of the resource is changed, thereby granting the user access to the resource. The decoupled authorizations are independently performed over different networks, in response to different triggers, or by leveraging different hardware. Access to the resource can therefore be provided prior to the user arriving before the resource, with little to no action by the user, and without compromising security as the resources will remain restricted or locked if either of the user's intent or access permissions cannot be verified.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: March 24, 2020
    Assignee: OPENPATH SECURITY INC.
    Inventors: Alexander A. Kazerani, Robert J. Peters, Samy Kamkar
  • Patent number: 10599848
    Abstract: A system may be configured to receive via a user interface a user-initiated prompt to begin start-up of a computer system firmware via access to a firmware start-up utility. The system may also generate a request for user authentication, and detect a private key for user authentication. The system may also determine whether the private key corresponds to a public key previously registered with the computer system firmware, and initiate, when the private key corresponds to the public key, completion of the start-up of the computer system firmware and allowance of operation of the computer system firmware via access to the firmware start-up utility. When the private key does not correspond to the public key, the system may prevent at least one aspect of an operation associated with the start-up of the computer system firmware.
    Type: Grant
    Filed: May 9, 2017
    Date of Patent: March 24, 2020
    Assignee: American Megatrends International, LLC
    Inventors: Kai Yau, William Gysin, Eric Law
  • Patent number: 10579681
    Abstract: The privilege information management system stores a group tree configured with group nodes each representing a group configured with a member enabled to use a privilege, stores an object tree configured with object nodes each representing a target object to be used with a privilege, stores, in a releasable manner, privilege-valid link information indicating a connection between an arbitrary group node and an arbitrary object node in a privilege-valid mode, and regarding a first group node of the group nodes and a first object node of the object nodes connected by the privilege-valid link information, grants a privilege to use a target object of the first object node and a subordinate object node if there are any under the first object node to a member belonging to the first group node and a subordinate group node if there are any under the first group node.
    Type: Grant
    Filed: September 8, 2015
    Date of Patent: March 3, 2020
    Assignee: Infoscience Corporation
    Inventor: Norio Miya
  • Patent number: 10560517
    Abstract: Managing a storage array includes: receiving, by a client-side array services module from a cloud-based security module through data communications on a wide area network, a token representing authentication of user credentials; and managing, by the client-side array services module, a storage array only through data communications on a local area network, including sending, to the storage array, the token with a management instruction.
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: February 11, 2020
    Assignee: Pure Storage, Inc.
    Inventors: Jimmy T. Hu, Terence W. Noonan, Neil A. Vachharajani, Daquan Zuo
  • Patent number: 10558798
    Abstract: Methods and systems are disclosed for sandbox based internet isolation system in a trusted network. A networked computer system may include a trusted local area network (LAN) and at least one host computer system connected to the trusted LAN. The host computer system may include a host-based firewall, an operating system, a first memory space, and a second memory space. The host-based firewall may be configured to prevent unauthorized communication between the host computer system and one or more other devices on the trusted LAN. The second memory space may be configured to enable storage and/or operation of one or more applications and/or processes associated with a sandboxed computing environment. The host computer system may include a sandbox firewall that enforces a separation of the first and second memory spaces.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: February 11, 2020
    Assignee: L3Harris Technologies, Inc.
    Inventors: Jay Weinstein, Mark Fenkner, Charles King, Ismael Lopez, Peter Martz
  • Patent number: 10555112
    Abstract: Exemplary embodiments are disclosed of systems and methods for providing location-based security and/or privacy for restricting user access. In an exemplary embodiment, a system is configured to restrict and condition access to the system and/or data based on a user's selection of location-based data from a plurality of options presented by the system for selection by the user. The plurality of options include the location-based data and one or more other options that are selectable by the user.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: February 4, 2020
    Inventor: David H. Williams
  • Patent number: 10534730
    Abstract: A first processor that has a trusted relationship with a trusted memory region (TMR) that includes a first region for storing microcode used to execute a microcontroller on a second processor and a second region for storing data associated with the microcontroller. The microcontroller supports a virtual function that is executed on the second processor. An access controller is configured by the first processor to selectively provide the microcontroller with access to the TMR based on whether the request is to write in the first region. The access controller grants read requests from the microcontroller to read from the first region and denies write requests from the microcontroller to write to the first region. The access controller grants requests from the microcontroller to read from the second region or write to the second region.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: January 14, 2020
    Assignee: ATI Technologies ULC
    Inventors: Kathirkamanathan Nadarajah, Anthony Asaro
  • Patent number: 10531243
    Abstract: A method for transmitting data in a mobile device includes transmitting, to a reception device, a connection request message comprising information indicating whether the transmission device supports message transmission having temporal correlation; receiving, from the reception device, a connection response message comprising information indicating whether the reception device supports the message transmission in response to the connection request message; and if both the transmission device and the reception device support the message transmission, transmitting, to the reception device, at least two of messages having temporal correlation, the at least two of messages comprising identification information, wherein the identification information indicates that the at least two of messages have temporal correlation.
    Type: Grant
    Filed: November 4, 2016
    Date of Patent: January 7, 2020
    Assignees: Samsung Electronics Co., Ltd., Seoul National University R&DB Foundation
    Inventors: Yong-Seok Park, Soo-Young Jang, Daedong Park, Seongsoo Hong, Sangwook Kim
  • Patent number: 10511638
    Abstract: Technologies for providing policy-based secure containers for multiple enterprise applications include a client computing device and an enterprise policy server. The client computing device sends device attribute information and a request for access to an enterprise application to the enterprise policy server. The enterprise policy server determines a device trust level based on the device attribute information and a data sensitivity level based on the enterprise application, and sends a security policy to the client computing device based on the device trust level and the data sensitivity level. The client computing device references or creates a secure container for the security policy, adds the enterprise application to the secure container, and enforces the security policy while executing the enterprise application in the secure container. Multiple enterprise applications may be added to each secure container. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 23, 2018
    Date of Patent: December 17, 2019
    Assignee: Intel Corporation
    Inventors: Tarun Viswanathan, Uri Kahana, Alan D. Ross, Eran Birk
  • Patent number: 10459226
    Abstract: A method including determining occurrence of a virtual information region event, the virtual information region event indicating a change of information that is allocated to a virtual information region that is at least partially beyond a field of view of a head mounted display, the virtual information region having a virtual information region location that is in a direction from the field of view, causing rendering of a non-visual notification that is indicative of the direction from the field of view in response to the virtual information region event, receiving information indicative of a visual notification invocation input, determining a visual notification that is visually descriptive of at least one aspect of the virtual information region event in response to the visual notification invocation input, and causing display of the visual notification on the head mounted display is disclosed.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: October 29, 2019
    Assignee: Nokia Technologies Oy
    Inventors: Jussi Leppanen, Antti Eronen, Arto Lehtiniemi, Lasse Laaksonen
  • Patent number: 10445304
    Abstract: Automatic identification and creation of user profiles is provided. Interaction data for various users within a subscriber account is collected. Unique user profiles are automatically identified and created based on the interaction data. The identified user profiles are then matched against a plurality of available pre-categorized profiles. A unique set of settings and preferences may be applied to the user profile based on the matched pre-categorized profile and the collected interaction data. Personalization may be provided to the user upon establishment of the user profile. After creation of the user profile, additional user actions taken and the user's viewer history may be collected for further use. According to some aspects, when a user accesses a content item, notification is sent to the user to confirm a matched profile as an active profile. Once confirmation is received, associated settings and preferences are set according to the active profile.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: October 15, 2019
    Assignee: COX COMMUNICATIONS, INC.
    Inventor: Catherine Elizabeth Thompson
  • Patent number: 10432668
    Abstract: A secure mobile financial transaction is provided by receiving, over a communication network, a list of protection mechanisms available for implementation by an external terminal. Security-related data is received from one or more sensors and an attack signature is computed based on the security-related data. An appropriate security policy is selected from multiple security policies stored in a database based on the list of protection mechanisms and the attack signature. A secure communication session is established between the external terminal and an internal network component according to the selected security policy. A data message associated with a mobile financial transaction is communicated over the communication network during the communication session.
    Type: Grant
    Filed: October 28, 2016
    Date of Patent: October 1, 2019
    Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
    Inventor: Samuel A. Bailey, Jr.
  • Patent number: 10432399
    Abstract: A method and apparatus for storing and using context information in a wireless communication network are provided. Context information is encrypted and transmitted to a mobile device for storage. A cryptographic key usable for decrypting the context information is stored at a radio access node or other node in the network and an indication of the key and the location of the key is stored at the mobile device. The mobile device transmits a message which includes the key identifier and location and the encrypted context information. The message may further include application data and the encrypted context information may include an indication of a further key for encrypting and decrypting application data in transmissions between the mobile device and the communications network. The encrypted context information may include the further key.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: October 1, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: William Anthony Gage
  • Patent number: 10424201
    Abstract: A vehicle assistance device includes a control device for controlling the display of information and a display for displaying the information. When the control device has determined a state of the vehicle and/or a position of the vehicle, the control device takes the determined state of the vehicle and/or the determined position of the vehicle as a basis for providing information for the driver on the display device. When changing between mobility sections in which different information may be of interest to the driver, the vehicle assistance device can provide a driver with the necessary information for each of the mobility sections.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: September 24, 2019
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventors: Christopher Roelle, Markus Strassberger, Karl-Ernst Steinberg, Bernhard Niedermaier
  • Patent number: 10372921
    Abstract: Approaches presented herein enable dynamic security policies through a plurality of application profiles. More specifically, a mobile device can open a profile of a plurality of profiles, each associated with an unlock credential and a security scope, in response to an unlock credential associated with that profile. All these profiles can be opened in a single user session and can be swapped within the session in response to an unlock credential corresponding to the desired profile. When the mobile device receives a request to open a digital item, the digital item is compared to a security scope of the opened profile to determine whether access to the digital item is permitted, and, in response to the determination, access to the digital item is permitted or denied. A list of digital items permitted to be accessed in each profile can be synchronized to a list received from a mobile device manager.
    Type: Grant
    Filed: March 15, 2017
    Date of Patent: August 6, 2019
    Assignee: International Business Machines Corporation
    Inventors: Sergio Jose Deras Arreola, Alejandra Sarahi Galindo Copado, Victor Adrian Sosa Herrera
  • Patent number: 10366248
    Abstract: Aspects of the present disclosure are directed to methods and systems for protecting sensitive data in a hosted service system. The system includes a host system and the host system includes a key management system (KMS) and a metadata service system (MSS). The KMS and the MSS are communicatively coupled to each other. The system further includes a database management system (DBMS) having a database, a query pre-parser, and a results handler. The query pre-parser and the results handler are communicatively coupled to the KMS and the MSS, and the system also includes a processing application adapted to process at least some data received from a tenant system.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: July 30, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Pallavi T. Nagesha Rao
  • Patent number: 10356099
    Abstract: A controller for user authentication and access control, configured to: store data representing a graph having: nodes representing data elements associated with accesses made using an access token; and links among the nodes representing connections between the data elements identified in details of the accesses. In response to receiving details of an access made using the access token, the controller updates the graph according to the details and identifies a new connection in the graph resulting from update. The controller communicates with an identity service to verify the association of data elements corresponding to the new connection in the graph. Based on a result of the verification, the controller authenticates the user of the access and/or controls the access.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: July 16, 2019
    Assignee: IDM GLOBAL, INC.
    Inventors: Jose Caldera, Kieran Sherlock, Garrett Gafke
  • Patent number: 10341306
    Abstract: Systems and methods for application identification in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor and memory configured to store an application, a session manager, an application identifier, and at least one shared library, and the processor is configured by the session manager to communicate the application identifier and the application identifier data to an authentication server and permit the execution of the application in response to authentication of the application by the authentication server.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: July 2, 2019
    Assignee: DIVX, LLC
    Inventors: Eric William Grab, Kourosh Soroushian, Tung Lin, Francis Yee-Dug Chan, Evan Wallin, William David Amidei
  • Patent number: 10332367
    Abstract: The present disclosure relates to systems and methods for using haptic vibration for inter-device communication. In one implementation, a system for inter-device communication using haptic vibration may include at least one force gauge configured to measure displacements caused by an external device in contact with the at least one force gauge; at least one memory storing instructions; and at least one processor configured to execute the instructions to: receive an identifier associated with a user; retrieve a pattern associated with the received identifier; receive, from the at least one force gauge, one or more measurements over a period of time; assess a degree of difference between the received one or more measurements and the retrieved pattern; and, when the degree of difference is below a threshold, authenticate the user.
    Type: Grant
    Filed: October 17, 2018
    Date of Patent: June 25, 2019
    Assignee: Capital One Services, LLC
    Inventors: Abdelkader Benkreira, Joshua Edwards, Michael Mossoba
  • Patent number: 10305882
    Abstract: A system and method for using a Service-Provider password to simulate F-SSO functionality. A processor receives from an F-SSO Identity Provider authentication data for a user who has requested access to a secured service. The service is managed by an F-SSO Service Provider that does not offer F-SSO functionality for that service. Upon receiving the data, the processor redirects the user to an SU-F-SSO portal of the Service Provider, which uses the received authentication data to authenticate the user. The processor sends the user an on-demand password and, when the user uses that password to sign on, the processor matches the entered password with a stored copy of the password that was sent to the user. If they match, the processor grants the user access to the requested service. In some embodiments, the on-demand password may be a single-use password or may be sent to the user via an out-of-band communication.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: May 28, 2019
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Kelly Malone
  • Patent number: 10298589
    Abstract: Role based access control (RBAC) identity management tools, computing systems, computer products and methods of abstracting individual users from the role assignment and revalidation process of traditional RBAC. The RBAC tools, products and systems of the present disclosure organize and manage multi-tenanted networks and cloud computing environments by organizing individual users by service providers having a single or unified identity, which are separately managed by the service provider owners. The service provider identities are treated as a single service provider entity applying for one or more roles in the multi-tenant system, allowing for a simplified role revalidation that no longer requires managers of tenants in a multi-tenant network to approve the role assignment of each individual user, because the tenants and tenant managers are unaware of the users' identities that make up the service provider identity.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: May 21, 2019
    Assignee: International Business Machines Corporation
    Inventors: James D. Cleaver, Michael J. McGuire
  • Patent number: 10268823
    Abstract: A device, system, and method secures executable operations through verification of an operation prior to execution. The method performed at an electronic device comprising a processor in an execution state and a memory representable with a memory map includes receiving a request for the operation from an application installed on the electronic device, the request including a location in the memory map. The method includes determining whether the location is within one of at least one address range included in a security policy register generated prior to the execution phase, the at least one address range respectively corresponding to at least one authorized operation. The method includes, when the location is within one of the at least one address range, servicing the request to perform the operation.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: April 23, 2019
    Assignee: WIND RIVER SYSTEMS, INC.
    Inventor: Arlen Baker