Abstract: A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented. preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.

Abstract: An example system places control and choice of managing the usage of private data into the hands of the users themselves. In some examples, the disclosed data privacy management system allows users to select preferences on how their private data is used by the business, both internally and externally. For example, the system may present users with one or more selectable options regarding how the user's private data is used. The system may then use the user's data for purposes that are in line with the user's selected preferences.

Abstract: A system and method are provided for implementing a secure configuration of a networked system for secure communications, the networked system including at least one instrument for performing corresponding tasks and at least one controller for controlling functions of the at least one instrument. The method includes providing a secure instrument configuration (SIC); displaying status provided by the SIC server identifying the controller and the instruments to a user via a user interface; writing controller secure configuration information from the SIC server to the controller through a software agent on the controller, the controller secure configuration information including authentication data for the instruments, and/or credentials of the one controller acceptable by the one instruments for identifying the controller; and communicating with the controller to initiate implementation of the secure configuration.

Abstract: An information processing device according to an embodiment includes a memory and one or more hardware processors. The memory includes a flag table storage area to store a flag table in which file information for individually identifying one or more pieces of software is associated with a flag used for execution control of a corresponding one of the pieces of software. When rewrite of first software is detected, the hardware processors: extract first file information being the file information corresponding to the first software; change a first flag corresponding to the first file information to a first value indicating that verification of integrity of the first software is required; change a file of the first software in an authorized manner; and change the first value, which has been changed, to a second value indicating permission of execution of the first software.

Abstract: The present disclosure relates to techniques for remediating data assets stored on one more software as a service (SaaS) platforms from a centralized security enforcement platform. An integration component is configured to integrate SaaS accounts with the security enforcement platform. The security enforcement platform enables users to create remediation policies that target specified data assets stored on the SaaS accounts. In some scenarios, the automated remediation functions can be executed to perform bulk remediation on large-scale data assets while handling inheritance issues in full.

Abstract: Disclosed is a method and apparatus for securely copying and pasting data between computer applications. The method includes generating alternative data from copied data from a first computer application. The method further includes adding the alternative data to a copy-paste clipboard and detecting an attempt by a user device to paste the copied data into a user interface. In response to the user interface being associated with a computer application from a predefined list of computer applications, the method further includes pasting, by a processing device, the copied data into the user interface. In response to the user interface being not associated with the computer application from the predefined list of computer applications, the method further includes pasting, by the processing device, the alternative data from the copy-paste clipboard into the user interface.

Abstract: A system and method for on-demand data cleansing is disclosed. The system includes a processor and a volatile memory including a data object having a plurality of data fields, each field having a tag and a value. The system also includes a cleansing module stored in the volatile memory and executed by the processor. The cleansing module includes a library having a plurality of tag-operation pairs. The cleansing module is configured to receive a pointer locating the data object within volatile memory, and further configured to, for each data field, look up the tag of the data field among the library tags, and execute the operation paired with the matching library tag on the value of the field, modifying the value of the data field while it is stored in volatile memory. The cleansing module is configured to execute the operation in near real-time, and at runtime.

Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include any entity that collects, processes, contains, and/or transfers personal data (e.g., a software application, database, website, server, etc.). A data asset may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc. The system may then utilize the generated model to fulfil a data subject access request.

Abstract: A user permission system manages and regulates access to secure data at one or more third-party data sites. The system may provide access to one or more databases or other data structures based on user authentication and access rules that have been established, such as by a user associated with the data being accessed at the third party data store. Access may be provided via an API to the third-party data site, along with access credentials of a user with data stored with the third-party data site, allowing the system to access data on behalf of the user.

Abstract: Systems, computer program products, and methods are described herein for dynamic chaffing for log obfuscation based on shifting exposure portfolio. The present invention is configured to receive an event log from one or more sources associated with a resource, wherein the event log comprises one or more event records generated based on one or more action incidences; initiate a chaffing engine on the event log; generate, using the chaffing engine, one or more artificial records based on at least the one or more event records; tag the one or more artificial records and the one or more event records with one or more authentication codes; interleave, using the chaffing engine, the one or more artificial records and the one or more event records to generate an encrypted event log with one or more chaffed event records; and store the encrypted event log in an event database.

Abstract: A decentralized node may generate a network of decentralized nodes individually configured to store, receive, and transmit data based on rules associated with the decentralized nodes. A decentralized node may associate a decentralized identity of an entity with a select decentralized node of the decentralized nodes. A decentralized node may present a user interface including one or more access controls at a edge device, the access controls configuring rules to be applied to third-party access and modification of decentralized identity data associated within the decentralized identity of the entity and stored at the selected decentralized node. A decentralized node may identify the decentralized identity data accessible to the select decentralized node based on the rules. A decentralized node may store the decentralized identity data within the decentralized identity associated with the entity at the select decentralized node.

Abstract: A decentralized node may generate a network of decentralized nodes individually configured to store, receive, and transmit data based on rules associated with the decentralized nodes. A decentralized node may associate a decentralized identity of an entity with a select decentralized node of the decentralized nodes. A decentralized node may present a user interface including one or more access controls at a edge device, the access controls configuring rules to be applied to third-party access and modification of decentralized identity data associated within the decentralized identity of the entity and stored at the selected decentralized node. A decentralized node may identify the decentralized identity data accessible to the select decentralized node based on the rules. A decentralized node may store the decentralized identity data within the decentralized identity associated with the entity at the select decentralized node.

Abstract: Methods and systems of data tokenization are described herein to provide protection for sensitive data. A tokenization service controller may extract sensitive data by determining a schema, the schema identifying which fields contain sensitive data. A token may be generated corresponding to each instance of the extracted sensitive data. The tokenization service controller may then generate a tokenized data set comprising a plurality of tokenized records arranged according to the same format as the original records, wherein the tokenized records use the generated tokens in place of the corresponding sensitive data.

Abstract: A method implemented by at least one server for pushing managed package upgrades comprises receiving a dependency graph from an operating entity via an API call that expresses relationships between a set of software packages. A subscriber set is ingested for subscribers of the software packages via an API call to the operating entity that owns the software packages. A per-subscriber dependency graph is constructed expressing relationships between the individual subscriber's delivery operations. The set of packages is delivered based on dependency order of the per-subscriber dependency graph, while applying one or more rules including: i) push schedule rules that allow the first operating entity to specify time-based gates for the deliveries; ii) subscriber exclusion rules that allow the operating entity to exclude specific subscribers; iii) rules for automatic retries of failed operations; and iv) rules to chunk the push upgrade operations.

Abstract: A first firmware source code portion corresponding to an immutable firmware portion of specific firmware to be deployed with embedded devices is identified. A second different firmware source code portion corresponding to a mutable firmware portion of the specific firmware to be deployed with the embedded devices is identified. The first firmware source code portion is used to generate the immutable firmware portion of the specific firmware. The second firmware source code portion is used to generate the mutable firmware portion of the specific firmware. The immutable firmware portion of the specific firmware is caused to be installed in fixed storage drives of an embedded device in the embedded devices. The mutable firmware portion of the specific firmware is caused to be installed in swappable storage drives of the same embedded device.

Abstract: A mobile terminal privacy protection method includes obtaining an application start instruction, actively obtaining a biometric feature of a user according to the application start instruction, and displaying an encrypted content list and an unencrypted content list of a corresponding application if the obtained biometric feature of the user matches a preset biometric feature. The encrypted content list of the application is generated according to encrypted content in the application, the unencrypted content list of the application is generated according to unencrypted content in the application, and the encrypted content in the application is content that is not presented when the obtained biometric feature of the user does not match the preset biometric feature.

Abstract: A method and apparatus for performing multi-factor authentication of a merchant system by a commerce platform are described. The method may include authenticating the commerce platform to a cloud services provider, the cloud services provider providing a private communications network for use by the commerce platform and the merchant system. The method may also include receiving, by the commerce platform, an authentication request from the merchant system, wherein the request received from the merchant system originates from the private communications network provided by the cloud services provider, and wherein the authentication request uses an encryption key.

Abstract: The present disclosure relates to methods and systems for measuring private information protection across a number of external services. A centralized private information protection service is coupled to external services, accesses data of these external services, aggregates the data and determines a private information protection scoring based upon the aggregated data.

Abstract: Techniques are described for determining and tracking fractional ownership interests in an asset, using a distributed ledger. Shares in an asset, such as a house, may be offered for sale through a marketplace. Sales of the shares, and information regarding the asset, may be tracked using a distributed ledger system, such as one or more blockchains that provide immutable and secure data storage distributed across a plurality of nodes. Embodiments provide individuals with liquidity options and/or pricing options for selling shares in their home, allowing individuals to securitize interest in their own equity in the home and pre-sell shares in some of that equity without selling the entire property and without taking out a loan.

Abstract: An autonomous distributed wise area network (AD-WAN) includes several nodes, where each node connects a local area network to an open wide area network, and provides tunnels over the open wide area network to other nodes in the AD-WAN so that computing resources behind each node can communicate as if they were located on a common intranet. Each node has a blockchain wallet and receives updates to a private permissioned blockchain ledger for that AD-WAN. The updates are provided by a control node. Set up, and subsequent change to the AD-WAN are commenced via a customer portal which provides order information to the control node, where the control node processes the order information and generates a blockchain update that informs the affected nodes in the AD-WAN as to what changes are to be made. As a result, the blockchain provides both control plane and order management operation of the AD-WAN.

Abstract: Methods of verifying an onboard presence of a passenger of a transportation vehicle are provided. A method of verifying an onboard presence of a passenger of a transportation vehicle includes generating, via a wireless electronic device of the passenger while on board the transportation vehicle, different first and second data indicating the onboard presence of the passenger. Moreover, the method includes transmitting the different first and second data indicating the onboard presence of the passenger from the wireless electronic device to a server. Related wireless electronic devices, servers, and computer program products are also provided.

Abstract: An electronic musical instrument, method for a musical sound generation process and a non-transitory computer readable medium that stores an electronic musical instrument program are provided. The program causes a computer provided with a storage part to execute a musical sound generation process using sound data. The program causes the computer to execute: acquiring, from the storage part, first sound data and first user identification information indicating a user who has acquired the first sound data from a distribution server; acquiring second user identification information indicating a user who causes the musical sound generation process to be executed using the first sound data; determining whether or not the first user identification information matches the second user identification information; and inhibiting execution of the musical sound generation process using the first sound data in a case when the first user identification information does not match the second user identification information.

Abstract: A system and method for helping a user carrying a smart device to maintain safe distances from other persons during an epidemic or a pandemic. A portable smart device measures the approximate distance to persons in the vicinity of the user, and notifies the user whenever he or she is too close to other persons. The portable smart device may overlay augmented reality graphics (such as arcs, lines, text, numbers, or other graphics) over images captured by the smart device's camera, to indicate safe distances. The graphics serve to inform and/or warn the user that he or she may be getting too close to other persons.

Abstract: Systems and methods to facilitate synchronized sharing of centralized authentication information to facilitate entity verification and/or risk assessment are disclosed. Exemplary implementations may: obtain user profiles for users being assessed for risk by compliance organizations; obtain requests to verify and assess risk of the users; generate user interface information defining a user interface through which content of the user profiles are accessed; effectuate communication of the user interface information to computing platforms associated with compliance organizations; obtain updates to the user profiles; automatically update the user interface information based on the updates to the user profiles so that the instances of the content displayed in the user interface reflects the updates to the user profiles; and/or perform other operations.

Abstract: An integrated circuit comprises first and second interfaces, an internal addressable space comprising a plurality of address ranges, and a control unit. Each of the first and second interfaces is coupled to the internal addressable space via the control unit. The control unit is configurable in a first state in which the control unit is configured to allow or deny the second interface access to a subset of the plurality of address ranges of the internal addressable space.

Abstract: Techniques are described for auditing print content during printer redirection in a virtual desktop. The ability to audit redirected print content allows an organization to pre-define certain sensitive data and to track whether print redirection requests in the virtual desktop environment contain any such sensitive data. If such sensitive data is contained in a printer redirection request, a file is generated containing information about the sensitive data, as well as a watermark that encodes information about the printer redirection request, such the user identifier of the user who initiated the print request and a timestamp of when the print request occurred. The generated file is transmitted to one or more registered recipients.

Abstract: A system and methods for mitigating golden ticket attacks within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

Abstract: A user device receives a first media item that is associated with a second media item. The device determines that a playback state for the device indicates that the device is paired with an alternative playback device. The device sends the playback state in a request for the second media item, receives the second media item in a first format for playback on the user device and in a second format for playback on the alternative playback device. The device determines whether the playback state of the device is the same. The device displays a first graphical representation of the second media item in the first format on the user device if the user device is no longer paired with the alternative playback device and displays a second graphical representation of the second media item in the second format on the user device if the user device is still paired with the alternative playback device.

Abstract: Systems and methods for integrative legacy context management are disclosed herein. An example computer hardware system may include at least one processing unit coupled to a memory, and the memory may be encoded with computer executable instructions that when executed cause the at least one processing unit to receive a set of credentials associated with a user from a user device, cross-reference the set of credentials with a first set of credentials of an agent associated with the user to determine whether the set of credentials is valid; and if the set of credentials is valid, provide a second set of credentials of the agent to the user device in response to a request for the second set of credentials from the user device.

Abstract: Systems, methods, and apparatuses for providing a customer a central location to manage permissions provided to third-parties and devices to access and use customer information maintained by a financial institution are described. The central location serves as a central portal where a customer of the financial institution can manage all access to account information and personal information stored at the financial institution. Accordingly, the customer does not need to log into each individual third-party system or customer device to manage previously provided access to the customer information or to provision new access to the customer information. A user additionally is able to have user data and third-party accounts of the user deleted from devices, applications, and third-party systems via a central portal. Restrictions on how user data is used by devices, applications, and third-party systems can be imposed via a central portal.

Abstract: Techniques and solutions are described for copying data from a source client to a target client. It may be selected, such as by a user, whether a full copy or a partial copy of a set of source client data should be made. If a partial copy is selected, a set of file types is provided. The file types can be used to define files that should be included in, or excluded from, the copy. A data source of the source client is analyzed to determine data associated with a file type that is to be included in a copy, or is associated with a file type that is not indicated as to be excluded from the copy. The determined data is copied from the source client to the target client.

Abstract: A system for detecting and mitigating forged authentication object attacks in federated environments is provided, comprising an event inspector to monitor logs and detect vulnerable events, an authentication object inspector configured to observe a new authentication object generated by an identity provider, and intercept the new authentication object; and a hashing engine configured to calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in the SAML response; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

Abstract: This disclosure relates to systems and methods for managing protected electronic content that employ relatively efficient messaging schemes. Rights management architectures are described that may, among other things, provide end-to-end protection of content keys from their point of origination at a content creator and/or content service to end user devices. Certain embodiments may further provide for message protocols where fewer messages are sent in connection with a protected content license request process, thereby reducing latency associated with license request and provisioning processes.

Abstract: An example operation may include a method comprising one or more of starting a communication session by a first application container, initiating a poll, by the first application container, when the first application container has data in its queue, responding, by at least one second application container, data, wherein the data includes one or more of an identification, a state, a percentage of utilized resources by type, a list of data elements in a queue of the application container, a list of data elements in a queue, and data that is pre-allocated to be shared, requesting the data, by the at least one second application container, and ending the communication session when one or more of the first application container sends a FIN, and the at least one second application container sends a FIN.

Abstract: Embodiments of the present disclosure relate to electronic lockout of a client device, specifically to managing electronic lockout of a client device associated with a claim process via a device protection program management system and third-party provider. In this regard, embodiments herein may process various data associated with determining whether to authorize a claim under a device protection program, and cause initiation of and/or termination of an electronic lockout of a client device depending on received data and/or lack of received data. In this regard, example embodiments include receiving a device claim request indication associated with a client device, where the client device is associated with a functionality lockout state; initiating a claim associated with the client device; causing initiation of an electronic lockout of the client device; processing the claim to determine whether to authorize the claim; and causing updating of the electronic lockout based on the determination.

Abstract: A mobile robot is configured for operation in a commercial or industrial setting, such as an office building or retail store. The mobile robot can have a motorized base and a robot body on the motorized base, the robot body including a rotatable ring that rotates horizontally around the robot body. A mechanical arm that can contract and extend relative to the robot body is coupled to the rotatable ring and performs a plurality of actions. A controller of the mobile robot provides instructions to the rotatable ring and the mechanical arm and can cause the mechanical arm to open a door, take an elevator to move to a different floor, and test whether a door is locked properly.

Abstract: A method for providing network access to technical data files is provided herein. The method includes receiving a technical data file via a computer network, and securely storing the technical data file in a network-accessible, access-restricted technical data repository. An unstructured policy document corresponding to the technical data file is computer-analyzed with a previously-trained machine-learning model configured to extract one or more policy attributes from unstructured policy documents. Extracted policy attributes are stored in a network-accessible policy library. A user request to access the technical data file is received via the computer network. One or more attributes of the user are recognized.

Abstract: Systems and methods for providing controlled access to a system by a user device include receiving, from a user device, a request including a current context. The method includes receiving a request for access to a computing resource, the request including a current context, the current context defining a user space and a resource space. The user device evaluates the current context against a security policy. The user device determines that the user device is permitted to access the computing resource based on the request in response to the evaluating the current context against the security policy. In response to determining that the user device is permitted to access the computing resource, accessing the computing resource as requested.

Abstract: The present technology can provide a mechanism for providing a team member transfer interface to an administrator user for transferring team member user accounts from one team to another and also a mechanism for transferring the team member user accounts, such as by switching an assignment of one or more user accounts from a first team to another in a single atomic action. The transferring of the team member user accounts may also depend on passing a set of validation checks that check for inconsistencies that could cause an error in the transfer, and also updating access and privileges associated with being members of certain teams.

Abstract: Establishing event-specific trust through data-centric mediation by: generating a mediated covenant of association as an instance of trust among a plurality of entities at an association layer of a multi-layer computer security system; constructing a security model enforceable by the multi-layer computer security system that expresses node-node semantic relationships as links among nodes of the model representing protectable computing resources; and producing an event-specific security model via informatic convolution of elements of the covenant with elements of the security model, so that the event-specific security model is operable to constrain a computing action among computing resources represented by the plurality of entities.

Abstract: Synthesizing a control object for a computing event, the control object for securing a computing resource based on a set of access and privilege information provided through a set of mediated associations that are represented by an enchained set of certificates, portions of which are encrypted including entity-specific paths to entity-specific predecessor certificates and partial decryption keys therefor, wherein the control object is applied to secure the computing resource for performing a computing action indicated by a process-type entity identified in the certificate for the control object.

Abstract: A database system comprising a database having a dynamic schema and comprising a plurality of data storage nodes; and at least one processor configured to, using an encryption process: manage access to plaintext data stored in the plurality of data storage nodes by users employing at least one client-controlled resource in a client access layer; restrict access to the plaintext data by other users, wherein the other users include users with system administration privileges for the database and administrators of processing resources hosting the database; and manage access to encrypted copies of the plaintext data by the users with system administration privileges for the database such that the system administration privileges do not enable access to plaintext versions of the encrypted copies. A method for managing data security for a database. A database system with a dynamic schema architecture, a client access layer, and an operational database layer.

Abstract: Encryption is performed at the field level within a data object, in response to an encryption indicator. Encrypted fields are nulled or zeroed out and the encrypted values are stored in encryption metadata with a path identifying the locations of the encrypted fields. An encrypted data key is appended with a decryption identifier and stored in the encryption metadata. The encrypted data object may be reformatted while encrypted. The encrypted data key is extracted from the encryption metadata and the decryption identifier is used to identify a master key used to decrypt the encrypted data key. The data key is used to decrypt the encrypted values and the decrypted values are stored in the fields identified by the paths.

Abstract: There is a verification application arranged to interact with other applications on an electronic device, the electronic device having a processor, a memory and an operating system controlling operation of the verification application and the other applications on the processor using arbitrary memory locations, where the other applications are enabled to call the verification application to securely determine authenticity of a user of the electronic device. The verification application is arranged to receive verification data for secure determination of authenticity of the user; and provide, upon a call from any of the other applications and a match between the verification data and a verification reference, a trust token to the calling application. A method, electronic device and computer program are also disclosed.

Abstract: Described herein are technologies directed to multipart upload. A cluster coherent unique identifier for a multipart upload can be generated by creating a leaf in a B-tree. The leaf in the B-tree can comprise a key, and the key can comprise an upload identifier and a group identifier associated with a group of multipart uploads. A parts directory can be created for the multipart upload, wherein elements of the parts directory can be identified using the group identifier and the upload identifier. Upload parts can be transmitted from a client device to a server device, and stored in the parts directory. To complete the multipart upload, the upload parts can be concatenated and stored at a target location.

Abstract: A system for validating a write command to a device in a process control system using biometric credentials and relationship attributes. A two user validation process may use biometric inputs of the two users to authenticate the two users and to query for associated profiles to determine whether the two users have a relationship required to release an intercepted write command to the device.

Abstract: A system for real time federation of file permissions for digital content protection is described. The system automatically protects the files as the files leave application boundaries and then ensures that the files can only be used as per the permissions defined on those files while they were inside the application. The system also provides real time federation of policies with the application that generated the file and automatic protection of files as the files leave the application boundary. The system thus creates a single integral platform that is easy to access as well as reliable, and provides ease-of-use, advanced technology, and connectivity that delivers automated file protection.

Abstract: Systems and methods for managing media, such as digital content, using block chain technology are described. In some embodiments, the systems and methods perform multiple digital currency transfers between address nodes to register a collection of rights to a digital content item to a block chain, and perform a digital currency transfer transaction between address nodes to register the collection of rights to the block chain.

Abstract: The method includes receiving a challenge request sent by a first service trusted server and obtaining to-be-verified information of the first service trusted server in the challenge request; sending a verification request to a trusted remote proving server, wherein the verification request includes the to-be-verified information of the first service trusted server; and obtaining a verification response returned by the trusted remote proving server.

Abstract: Techniques for identifying certain types of network activity are disclosed, including parsing network traffic to automatically recognize anonymous identifiers. Such techniques may be used to identify and eliminate malicious and/or undesirable network traffic, and to identify topics relevant to a user of a particular network device so that communications to such a user are more likely to relate to a topic of interest to the user.