Access Control Patents (Class 726/27)
  • Patent number: 9641489
    Abstract: Disclosed herein are techniques for use in fraud detection. In one embodiment, the techniques comprise a method. The method comprises receiving an encrypted current location associated with a user. The method also comprises obtaining an encrypted historical location associated with the user and an encrypted location sensitivity metric that relates to a distance within which locations are considered to be the same. The method further comprises performing an authentication operation based on the encrypted current location, the encrypted historical location and the encrypted location sensitivity metric.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: May 2, 2017
    Assignee: EMC IP Holding Company
    Inventors: Alon Kaufman, Philip Derbeko, Yan Belinky
  • Patent number: 9633215
    Abstract: In a method (300) for applying differential policies on at least one digital document (120a-120n) having a plurality of atomic units (122a-122n) among a plurality of workflow participants (110a-110n), in which the atomic units are assigned with at least one of a plurality of the differential policies, the at least one digital document is tessellated (304) to identify the atomic units and the at least one of the differential policies assigned to the atomic units. In addition, the atomic units are aggregated (306) according to the at least one of the differential policies assigned to the atomic units and respective sets of keys are associated (308) to the aggregated atomic units, in which common sets of keys are associated with the aggregated atomic units assigned with the same policies.
    Type: Grant
    Filed: September 21, 2010
    Date of Patent: April 25, 2017
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Steven J. Simske, Helen Balinsky
  • Patent number: 9621522
    Abstract: Systems and methods for performing adaptive bitrate streaming using alternative streams of protected content in accordance with embodiments of the invention are described. One embodiment of the invention includes a processor, and memory containing a client application. In addition, the client application configures the processor to: request a top level index file identifying a plurality of alternative streams of protected content, where each of the alternative streams of protected content are encrypted using common cryptographic information; obtain the common cryptographic information; request portions of content from at least the plurality of alternative streams of protected content; access the protected content using the common cryptographic information; and playback the content.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: April 11, 2017
    Assignee: Sonic IP, Inc.
    Inventors: Michael George Kiefer, Eric William Grab, Jason Braness
  • Patent number: 9621680
    Abstract: According to one embodiment of the present invention, a system masks data objects across a plurality of different data resources. The system comprises a processor configured to include a plurality of service providers to mask the data objects, wherein each service provider corresponds to a different type of data masking for the data objects. An interface provides access to the plurality of service providers from different data-consumers to mask the data objects according to the corresponding types of data masking, wherein resulting masked data maintains relational integrity across the different data resources. Embodiments of the present invention further include a method and computer program product for masking data objects across a plurality of different data resources in substantially the same manners described above.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: April 11, 2017
    Assignee: GLOBALFOUNDRIES INC.
    Inventors: Noel H. E. D'Costa, Peter Hagelund, David J. Henderson, Robert J. Oakley, Ritesh Tandon
  • Patent number: 9594898
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: March 14, 2017
    Assignee: BeyondTrust Software, Inc.
    Inventors: Peter David Beauregard, Andrey Kolishchak, Shannon E. Jennings, Robert F. Hogan
  • Patent number: 9588828
    Abstract: A system and method for enabling the interchange of enterprise data through an open platform is disclosed. This open platform can be based on a standardized interface that enables parties to easily connect to and use the network. Services operating as senders, recipients, and in-transit parties can therefore leverage a framework that overlays a public network.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: March 7, 2017
    Assignee: salesforce.com, inc.
    Inventors: Lev Brouk, Kenneth Norton, Jason Douglas, Peter Panec
  • Patent number: 9590959
    Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
    Type: Grant
    Filed: February 12, 2013
    Date of Patent: March 7, 2017
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 9588726
    Abstract: A method for routing object data that defines a 3-dimensional (3D) object to a 3D printer includes receiving the object data at a server and determining, by the server, object attributes associated with the object defined by the object data. The server searches a database that stores 3D printer attributes for one or more 3D printers capable of printing objects that possess the determined object attributes. If one or more capable printers are identified, the server communicates a list that identifies the one or more capable printers to a user.
    Type: Grant
    Filed: January 23, 2014
    Date of Patent: March 7, 2017
    Assignee: ACCENTURE GLOBAL SERVICES LIMITED
    Inventors: Sunny Webb, Kelly L. Dempski, Matthew Short, Michael Balint
  • Patent number: 9588776
    Abstract: Disclosed herein is a processing device comprising a secured execution environment comprising means for bringing the processing device into a predetermined operational state; and a timer; a communication interface for data communication between the processing device and a remote device management system external to the processing device; wherein the secured execution environment is configured, responsive to an expiry of the timer, to bring the processing device into said predetermined operational state; and responsive to a receipt, from the remote device management system via said communications interface, of a predetermined signal, to restart the timer.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: March 7, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Bernard Smeets, Patrik Ekdahl
  • Patent number: 9582641
    Abstract: A system and method distributing healthcare database access is disclosed. The system and method interpose a data mapping server (DMS) between a data request user server (DRS) and data service user server (DSS) to manage data transfers between the DSS and the DRS such that disparate database characteristics of the DRS/DSS are accommodated in real-time and permit asynchronous healthcare activity to be triggered. The DMS operates with a data access matrix (DAM) having each referenced DRS/DSS intersection pair associated with read/write control processes (RWP) that include read data (RDD) and write data (WRD) processes to permit data access across the disparate DRS/DSS database boundaries. The DAM may have multiple dimensions to accommodate asynchronously activated process threads within an overall patient healthcare plan (PHP) that operate to trigger healthcare provider alarms and other activity associated with the transfer/update of data between the DSS and the DRS.
    Type: Grant
    Filed: March 25, 2014
    Date of Patent: February 28, 2017
    Inventor: Eric Rock
  • Patent number: 9576144
    Abstract: Systems and methods for accessing data secured and encrypted using a file system manager are disclosed. One method includes determining whether a community of interest (COI) key obtained from a security appliance matches a COI key associated with a file structure managed by the file system manager that is the subject of a file system request issued by a caller. The method further includes identifying an entry included in a key bank associated with the COI key and the file structure that is the subject of the file system request, the key bank storing encrypted versions of a metadata key. The method also includes decrypting the metadata key using the COI key, decrypting at least one block encryption key using the metadata key, and decrypting a block of data associated with the at least one block encryption key.
    Type: Grant
    Filed: September 15, 2014
    Date of Patent: February 21, 2017
    Assignee: Unisys Corporation
    Inventors: Kelsey L Bruso, Uday Datta Shet
  • Patent number: 9563445
    Abstract: According to some aspects disclosed herein, a system for remote assistance and control of user devices subject to one or more remote assistance policies may be provided. In some embodiments, an administrator may request remote control of a managed user device. A managed application launcher may be provided by the user device and may be modified by the user device to remove managed applications or otherwise prevent access to applications that have a policy indicating that remote assistance is not allowed. The administrator may open a managed application included in the launcher and remotely control that application. In other embodiments, a user of the managed user device may initiate a request for remote assistance from within a managed application and/or the managed application launcher. The administrator's control of the user device and access to other applications on the user device may be limited based on the remote assistance policies.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: February 7, 2017
    Assignee: Citrix Systems, Inc.
    Inventors: Nitin Desai, Jaspreet Singh
  • Patent number: 9558343
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: January 31, 2017
    Assignee: BeyondTrust Software, Inc.
    Inventors: Peter David Beauregard, Andrey Kolishchak, Shannon E. Jennings, Robert F. Hogan
  • Patent number: 9553854
    Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
    Type: Grant
    Filed: February 12, 2013
    Date of Patent: January 24, 2017
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 9547756
    Abstract: Methods and structure for Digital Rights Management (DRM) are provided. An exemplary system includes a Digital Rights Management (DRM) licensing server. The DRM licensing server is able to receive authentication information generated by a DRM module of a client device, and to receive a device identifier that uniquely distinguishes the client device from other client devices, wherein the device identifier has been generated by the DRM module. The DRM licensing server is further able to authenticate the DRM module based on the authentication information, to create a signed identifier based on the device identifier responsive to authenticating the DRM module, and to transmit the signed identifier to the client device. The system also includes an application server able to register the client device with an account at the application server, based on the signed identifier.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: January 17, 2017
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Seetharama Rao Durbha, Clarke Stevens
  • Patent number: 9536176
    Abstract: Aspects of the present disclosure are directed towards environmental based location monitoring. Environmental based location monitoring can include collecting a first set of image data that corresponds to a first set of environmental characteristics existing within a bounded area encompassing a hardware element of the computer and determining an environmental difference based on a difference between a first location corresponding to a geographic position of the hardware element relative to the first set of environmental characteristics and a second location corresponding to an approved geographic position of the hardware element. Environmental based location monitoring can include determining that the environmental difference does not satisfy a threshold and executing a reaction sequence in the computer, in response to determining that the environmental difference does not satisfy the threshold.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: January 3, 2017
    Assignee: International Business Machines Corporation
    Inventors: Gerald K. Bartley, Darryl J. Becker, Matthew S. Doyle, Mark O. Maxson
  • Patent number: 9536098
    Abstract: A retrieving system for retrieving information concealed within a sequence of symbols. The system includes a decoder configurable using rule information and operable when so configured to retrieve the information concealed within the sequence of symbols by applying to the sequence of symbols at least one decoder rule determined by the configuration of the encoder.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: January 3, 2017
    Inventors: Dilipsinhji Jadeja, Anita Jadeja
  • Patent number: 9536073
    Abstract: Disclosed are techniques and apparatuses for implementing device-based application security. These techniques enable a computing device to assign a security level from a hierarchy of security levels to an application. Once the security level is assigned to the application, authentication techniques associated with the security level can be initiated in response to a request to launch the application. When an indication is received that the security level for the application has been satisfied, the application can then be launched, availing a user of the application's full functionality.
    Type: Grant
    Filed: July 24, 2014
    Date of Patent: January 3, 2017
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventor: Neil Richard Thomas
  • Patent number: 9535674
    Abstract: The method administers an enterprise computing system that includes a plurality of user mobile computing devices. The method includes selecting a pre-written application for inclusion in a menu of enterprise applications downloadable to a user computing device, allowing the user computing device to download the pre-written application, and interposing an application wrapper on the pre-written application before allowing the user computing device to download the pre-written application, the application wrapper being configured to control an operation of the pre-written application.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: January 3, 2017
    Assignee: BMC SOFTWARE, INC.
    Inventors: Adam Charles Cooper, George Thucydides, Geoffrey Ross Mair, Caleb Peter Buxton
  • Patent number: 9531751
    Abstract: The present invention discloses a system and method for identifying a phishing website. The system comprises: a domain name acquisition unit, a domain name statistic unit and a website identification unit; the domain name acquisition unit being configured to collect all links found in a website to be identified so as to acquire the domain names corresponding to the links; the domain name statistic unit being configured to carry out a statistic on the number of times that the domain names occur in the website to be identified, and finding the domain name which has the most number of occurrences and mark it as a target domain name; and the website identification unit being configured to judge whether the website to be identified is a phishing website on the basis of the target domain name and the domain name of the website to be identified.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: December 27, 2016
    Assignee: Beijing Qihoo Technology Company Limited
    Inventor: Yingying Chen
  • Patent number: 9524398
    Abstract: Systems and methods for computing a checksum are provided. In some aspects, an online application code module is written in a first programming language. The online application code module is configured to implement an online application. A checksum compute module is written in a second programming language different from the first programming language. The checksum compute module is separate from the online application code module. The checksum compute module is configured to receive one or more parameters from the online application code module. The checksum compute module is configured to determine a checksum for the online application code module based on the received one or more parameters. The checksum compute module is configured to provide the checksum to a memory.
    Type: Grant
    Filed: February 17, 2016
    Date of Patent: December 20, 2016
    Assignee: Google Inc.
    Inventor: Robert Hundt
  • Patent number: 9520993
    Abstract: The present invention provides a method performed on a computer of preventing re-use of compromised keys in a broadcast encryption system. In an exemplary embodiment, the method includes (1) incorporating a particular set of Sequence Keys assigned by a license agency into individual receivers, (2) assigning a Sequence Key Block (SKB) by the license agency to at least one distributed protected file, (3) performing incremental cryptographic testing by the individual receivers to determine if a selected Sequence Key from the set of Sequence Keys is compromised, (4) if the selected Sequence Key is not compromised, decrypting the file, and (5) if the selected Sequence Key is compromised and if a subsequent Sequence Key from the set of Sequence Keys is available, selecting the subsequent Sequence Key.
    Type: Grant
    Filed: September 19, 2005
    Date of Patent: December 13, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hongxia Jin, Jeffrey Bruce Lotspiech, Sigfredo Ismael Nin
  • Patent number: 9519794
    Abstract: Redacting material in a user interface is provided. A monitoring agent waits for a change in input or output of user content. A change comparator identifies the change for sensitive material. A type comparator identifies the type of sensitive material. A redaction engine redacts the change according to the identified type of sensitive material.
    Type: Grant
    Filed: October 22, 2014
    Date of Patent: December 13, 2016
    Assignee: International Business Machines Corporation
    Inventors: Joshua Fox, Itai Gordon, Peter Hagelund
  • Patent number: 9514291
    Abstract: An information processing system includes a receiving unit configured to receive from an external device a use initiation request designating user specific information and organization identification information, and an authentication unit configured to issue authentication information indicating that authentication has been completed in a case where the user specific information and the organization identification information designated in the use initiation request are stored in association with each other in a first storage unit that stores one or more sets of user specific information in association with the organization identification information. The authentication unit receives a new authentication information issuance request designating the authentication information and issues new authentication information that can be used even after a user termination request designating the authentication information is made.
    Type: Grant
    Filed: January 30, 2014
    Date of Patent: December 6, 2016
    Assignee: Ricoh Company, Ltd.
    Inventors: Yasuharu Fukuda, Taku Nagumo, Kohta Nagai
  • Patent number: 9514325
    Abstract: Systems and methods for establishing a secure file system are disclosed, in which system endpoints such as files and directories in a file system are protected using a security appliance. The security appliance protects each endpoint in the file system from unauthorized access by making those endpoints invisible to unauthorized users. The security appliance organizes users and endpoints into various communities of interest (COI). A user COI groups users such that all users associated with that particular COI have authorization to view the same one or more endpoints located in file storage.
    Type: Grant
    Filed: September 15, 2014
    Date of Patent: December 6, 2016
    Assignee: Unisys Corporation
    Inventors: Kelsey L Bruso, Uday Datta Shet
  • Patent number: 9515968
    Abstract: Particular embodiments of a method comprise providing one or more ideograms (e.g., written characters, symbols or images that represent an idea or thing) for insertion into a message. A request may be received from a user for a restricted one of the ideograms. A determination may be made as to whether the user is authorized to access the restricted ideogram. This determination may be based on whether the user is a member of a group of authorized users, whether an attribute of the user meets a restriction requirement, or whether the request comprises an authorization code or token. If the user is authorized to access the restricted ideogram, then the restricted ideogram may be displayed to the user in association with the message. Otherwise, a restricted-content response may be generated.
    Type: Grant
    Filed: February 5, 2014
    Date of Patent: December 6, 2016
    Assignee: Facebook, Inc.
    Inventors: David Ebersman, Samuel Lessin, Thomas Stocky, Michael Vernal
  • Patent number: 9515975
    Abstract: An approach for delaying social media messages is provided herein. A first computing device receives user preferences. The first computing device detects a social media message of a user. The first computing device determines that the user is not in the physical location. The first computing device determines whether to delay the posting of the social media message based on a comparison of the content of the social media message with the received user preferences.
    Type: Grant
    Filed: April 7, 2016
    Date of Patent: December 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: Kelly Abuelsaad, Lisa Seacat DeLuca, Soobaek Jang, Daniel C. Krook
  • Patent number: 9497217
    Abstract: According to one exemplary embodiment, a method for detecting malware in a network stream to at least one host computer is provided. The method may include initializing a browser profile corresponding with a first website having a first website source and a first plurality of content features. The method may include recording the first plurality of content features and a trusted source based on the first website source. The method may include scanning the network stream for a second content feature within a second plurality of content features associated with a second website. The method may include determining if the second content feature matches a first content feature. The method may include determining if the second plurality of content features is consistent with the first plurality of content features. The method may include determining if a second website source matches the trusted source. The method may include generating an alert.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: November 15, 2016
    Assignee: International Business Machines Corporation
    Inventors: William A. Bird, Rory F. Bray, Jody D. Brownell, Ben A. Wuest
  • Patent number: 9483062
    Abstract: The invention relates to an improved climate control system in which a climate controlling equipment (1) has a control line (2) arranged to be connected to climate influenced impedance means (3). According to the invention, relay means (4) are arranged to disconnect the climate influenced impedance means from the control line under influence from an output (5) of a control unit (6) and to instead connect substituting means (7) providing an impedance controlled by a second output (8) of the control unit. The latter is connected to a processor (9) arranged to receive information from a plurality of climate influenced information means (10, 11, 12) and to process the same in a mathematical model for controlling the impedance of the substituting means via the control unit.
    Type: Grant
    Filed: November 8, 2012
    Date of Patent: November 1, 2016
    Assignee: ATC Industrial Group AB
    Inventor: Anders Widgren
  • Patent number: 9483751
    Abstract: Methods, systems, and apparatus for managing labeling privileges. In one aspect, a method includes receiving label data defining a label to be associated with an image of a first user in a photograph, the first user identified by a first user identifier and the label data associated with a submitting user identifier; accessing data defining labeling privileges for the first user identifier, the labeling privileges being for second users identified by respective second user identifiers, and the labeling privileges defining, for each second user, a labeling privilege for the second user to label an image of the first user in a photograph; determining whether the submitting user identifier is included in the second user identifiers; in response to determining that the submitting user identifier is included in the second user identifiers: determining the labeling privileges for the user identified by the submitting user identifier, and processing the label accordingly.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: November 1, 2016
    Assignee: Google Inc.
    Inventors: Matthew S. Steiner, Henry T. Benjamin
  • Patent number: 9479519
    Abstract: Techniques and solutions are described for detecting potential problems with web pages. For example, a web page can be analyzed (e.g., during loading of the web page) to determine statistics, such as size and structure statistics. The web page can be compared, using the statistics, to a statistical model representing the web page to determine if the web page is consistent with the statistical model. The statistical model can be created from previous page loads of the web page. Problems such as web page spoofing can be detected if the same web page content (e.g., content with a high degree of statistical similarity) is obtained from two different web sites. For example, a web page that is retrieved from one web site that matches a statistical model representing the same web page from another web site can indicate a spoofed web page.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: October 25, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Peter Frank Hill, John W. Gray, III, Kurt Kufeld, Dennis Pilarinos, Arun Sundaram, Peter Sven Vosshall, David John Ward, Jr.
  • Patent number: 9473531
    Abstract: According to one exemplary embodiment, a method for detecting malware in a network stream to at least one host computer is provided. The method may include initializing a browser profile corresponding with a first website having a first website source and a first plurality of content features. The method may include recording the first plurality of content features and a trusted source based on the first website source. The method may include scanning the network stream for a second content feature within a second plurality of content features associated with a second website. The method may include determining if the second content feature matches a first content feature. The method may include determining if the second plurality of content features is consistent with the first plurality of content features. The method may include determining if a second website source matches the trusted source. The method may include generating an alert.
    Type: Grant
    Filed: November 17, 2014
    Date of Patent: October 18, 2016
    Assignee: International Business Machines Corporation
    Inventors: William A. Bird, Rory F. Bray, Jody D. Brownell, Ben A. Wuest
  • Patent number: 9450761
    Abstract: According to one embodiment, a memory system includes a host interface, a first storage unit which stores data in a nonvolatile manner, and a memory controller. The memory controller includes a management information generating unit which generates command information for every command received from a host through the host interface and a digital signature calculating unit which generates a digital signature from the command information using a secret key. The management information generating unit generates management information which contains the command information and the digital signature for the every command.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: September 20, 2016
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Takeyuki Minamimoto, Kentaro Umesawa, Masaki Saito, Masamitsu Ohhashi
  • Patent number: 9432373
    Abstract: This is directed to providing access to content stored on a local cloud. In particular, a device can direct a librarian service overseeing the operation of a local cloud to provide another device with access to content stored on the local cloud. The librarian service can generate credentials for the other device, and provide the credentials to the other device. Using the credentials, the other device can connect directly to the local cloud and access the content. In addition, the local cloud can validate the credentials of the other before providing access to the content. The credentials can include, for example, a key to install or load on the device. The librarian may not require, however, the user to create credentials or register with the librarian before being permitted to access the content on the local cloud.
    Type: Grant
    Filed: April 23, 2010
    Date of Patent: August 30, 2016
    Assignee: Apple Inc.
    Inventor: Scott Ryder
  • Patent number: 9426648
    Abstract: Systems and methods of performing link setup and authentication are disclosed. A method includes, at an access point, receiving an unprotected authentication request from a mobile device. The method also includes extracting an initiate message from the unprotected authentication request and sending the initiate message to an authentication server. The method further includes receiving an answer message from the authentication server, where the answer message includes a re-authentication master session key (rMSK). The method includes generating an access point nonce (ANonce) and sending an authentication response to the mobile device, where the authentication response includes the ANonce.
    Type: Grant
    Filed: February 14, 2014
    Date of Patent: August 23, 2016
    Assignee: Qualcomm Incorporated
    Inventors: George Cherian, Philip Michael Hawkes, Santosh Paul Abraham, Hemanth Sampath
  • Patent number: 9426120
    Abstract: Location and time based mobile app policies are disclosed. One or more location and time policies are received at a management agent on a device. The policies are calculated by processing user and group information. Policy information in a bus is updated with a current allowed state. Location information is received from the device. The location information includes a new location that is not an allowed location. A use of an application may be blocked by the management agent based at least in part on the received location information.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: August 23, 2016
    Assignee: MOBILE IRON, INC.
    Inventors: Mansu Kim, Joshua Sirota, Suresh Kumar Batchu
  • Patent number: 9411967
    Abstract: A computer-implemented method includes providing a user interface on an internet-protocol (IP) connected mobile device, the user interface configured to receive a user input corresponding to one or more data privacy parameters for geo-location data, and controlling a transferring of geo-location data to and from each of a plurality of mobile applications on the mobile device based on the user input. A change in one or more of the data privacy parameters can change how geo-location data is provided to each of the plurality of applications and can affect location data accuracy, location data reporting frequency, geo-functions, and more. The user interface can be configured to allow a user to view, manage, and delete a personal location history. Furthermore, one or more profiles can be associated with one or more of the plurality of mobile applications, where each of the one or more profiles is assigned individual data privacy parameters.
    Type: Grant
    Filed: August 26, 2013
    Date of Patent: August 9, 2016
    Assignee: Environmental Systems Research Institute (ESRI)
    Inventors: Aaron D. Parecki, Amber L. Case, Wayne Chambliss
  • Patent number: 9411643
    Abstract: A method of performing tasks on a production computer includes retrieving a one task description file stored on a task computer and containing a description of a task on a production computer, transferring the task description file from the task computer to a production computer, causing the production computer to check that the file is associated with at least one task stored on the production computer, performing the task associated with the file in the production computer using the file, if the association check was successful, wherein the task computer has open ports and the production computer keeps the ports closed so that access by a user of a first user group to the task computer is arranged, but access by a user of the group to the production computer is prevented while steps above are performed in a predetermined operating state of the production computer.
    Type: Grant
    Filed: February 25, 2014
    Date of Patent: August 9, 2016
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventor: Heinz-Josef Claes
  • Patent number: 9407440
    Abstract: Data is encrypted such that multiple keys are needed to decrypt the data. The keys are accessible to different entities so that no single entity has access to all the keys. At least one key is managed by a service provider. A customer computer system of the service provider may be configured with executable instructions directing the orchestration of communications between the various entities having access to the keys. As a result, security compromise in connection with a key does not, by itself, render the data decryptable.
    Type: Grant
    Filed: June 20, 2013
    Date of Patent: August 2, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren
  • Patent number: 9405556
    Abstract: Systems, computer program products and computer program products for facilitating the dynamic addition and removal of operating system components on computing devices based on application or user interaction over time are disclosed. Such systems, computer program products and computer program products provide one or more API intercept layers, a rules engine and a hydrate engine that facilitates the ability to dynamically rehydrate or hydrate operating system components. In an embodiment, a minimal (or core) operating system image on a computing device is deployed. Then, required components may be dynamically added (i.e., “streamed” or “rehydrated”) from storage, a server or cloud service as required by an executing application program on the computing device. In another embodiment, a totally complete operating system image is deployed on a computing device. Then, unused components may be dynamically removed (i.e., “dehydrated”) from the computing device over time based on application or user interaction.
    Type: Grant
    Filed: June 28, 2012
    Date of Patent: August 2, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Michael Hall, Andrew Lovitt
  • Patent number: 9397988
    Abstract: A security component may be associated with a network-enabled application. The security component may access a secure store, which may include customization information, which may include one or more graphical user interface customizations defined by a user, and one or more instances of card information. The card information may specify how to authenticate a user's credentials to access a relying party (e.g., web site). The security component may initiate the display of an embedded region of a window drawn by the network-enabled application. At least a part of the appearance of the embedded region of the window may be defined according to the customization information and not by the relying party. The embedded region may provide a user interface for determining user authentication credentials. The customization information and the one or more instances of card information may not be accessible to the relying party.
    Type: Grant
    Filed: January 7, 2013
    Date of Patent: July 19, 2016
    Assignee: Adobe Systems Incorporated
    Inventors: James D. Pravetz, Joseph Donovan Steele, Sunil Agrawal
  • Patent number: 9398142
    Abstract: A method and a system for displaying information and content in a lock screen system having a plurality of screens so as to provide a screen lock for preventing an unintended input of a user terminal device, and a computer-readable recording medium. The method includes setting information and content on a plurality of lock screens, displaying the plurality of lock screens, providing a screen movement between the plurality of lock screens, executing an existing external application so as to provide detailed information for the information and content displayed on the plurality of lock screens, unlocking the plurality of lock screens, and posting an advertisement on a part of the plurality of lock screens. Users can easily confirm simple information and content and use them as a new medium and means for expressing themselves by setting the lock screen windows according to the personalities of the users.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: July 19, 2016
    Inventor: Moon Sang Lee
  • Patent number: 9398042
    Abstract: The disclosed computer-implemented method for capturing input from users to prevent data loss may include (1) intercepting, as part of a data-loss-prevention application, user input intended for a data-processing application that would, if received by the data-processing application, cause the data-processing application to perform an operation on data that may violate a data-loss-prevention policy, (2) upon intercepting the user input, causing the data-processing application to perform an alternative operation on the data that makes the data accessible to the data-loss-prevention application, (3) scanning, while the data-processing application is prevented from performing the operation, the data for compliance with the data-loss-prevention policy, (4) determining, based on a result of the scanning, that the data complies with the data-loss-prevention policy, and (5) causing, in response to determining that the data complies with the data-loss-prevention policy, the data-processing application to perform the
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: July 19, 2016
    Assignee: Symantec Corporation
    Inventor: Dhananjay Dodke
  • Patent number: 9391970
    Abstract: Providing media management services includes creating an account record for a first user of the media management services, allocating a first storage space to the first user that is accessible to the first user via user credentials assigned to the first user, creating an account record for a second user of the media management services, and allocating a second storage space to the second user that is accessible to the second user via user credentials assigned to the second user. The media management services also include sharing the second storage space with the first user based on a device identifier of a media recording device that is common to both the first account record and the second account record.
    Type: Grant
    Filed: March 7, 2014
    Date of Patent: July 12, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Michael Branam, Akbar Pirani
  • Patent number: 9386079
    Abstract: Aspects of the present disclosure relate to a virtual desktop deployment system configured to deploy a virtual desktop infrastructure.
    Type: Grant
    Filed: June 10, 2014
    Date of Patent: July 5, 2016
    Assignee: AMERICAN MEGATRENDS, INC.
    Inventors: Muthukkumaran Ramalingam, Santhosh Samuel Mathews, Varadachari Sudan Ayanam, Joseprabu Inbaraj, Samvinesh Christopher
  • Patent number: 9372964
    Abstract: A system for software license control is described that is particularly useful for use in a virtualized system, such as a cloud computing system. A module can be made available for use within the virtualized network, wherein a license fee is payable for use of the module. The module includes a license file that can be located wherever it is required. In addition, a central license file is provided at an administration node. The central license file is configured such that it can only be operated from that administration node, thereby preventing the copying of that file. The license file operating in the virtual network communicates with the central license file. The central license file controls the use of the licensed module.
    Type: Grant
    Filed: March 21, 2011
    Date of Patent: June 21, 2016
    Assignee: NOKIA SOLUTIONS AND NETWORKS OY
    Inventors: Robert Engelbert Hubert Kamphuis, Saku Juhani Oja, Sami Petteri Levijoki, Jin Albert Zhang
  • Patent number: 9372862
    Abstract: A method for automatic folder ownership assignment, including ascertaining which first folders, among a first multiplicity of folders, have at least one of modify and write permissions to non-IT administration entities, adding the first folders to a list of candidates for ownership assignment, defining a second multiplicity of folders which is a subset of the first multiplicity of folders and not including the first folders and descendents and ancestors thereof, ascertaining which second folders among the second multiplicity of folders, have permissions to non-IT administration entities, adding the second folders to the candidates, defining a third multiplicity of folders, which is a subset of the second multiplicity of folders and not including the second folders and descendents and ancestors thereof, ascertaining which third folders among the third multiplicity of folders are topmost folders, adding the third folders to the candidates, and recommending possible assignment of ownership of the candidates.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: June 21, 2016
    Assignee: VARONIS SYSTEMS, INC.
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer-Katzir
  • Patent number: 9372740
    Abstract: Embodiments of the invention broadly contemplate a situational application development framework that provides consumable software components that are accessed as services and monitored in a standardized fashion through a mediator service and thus suitable for use in a controlled development environment. At least one embodiment of the invention thus facilitates on the fly application creation using mashup makers in an enterprise setup.
    Type: Grant
    Filed: December 16, 2009
    Date of Patent: June 21, 2016
    Assignee: International Business Machines Corporation
    Inventors: Kapil Gambhir, Anuj Gupta, Jaspreet Singh
  • Patent number: 9373003
    Abstract: Systems and methods are provided for automatically handling multiple levels of encryption and decryption. An electronic file is received to add to encrypted storage. The electronic file is encrypted to generate a new level of encryption for the electronic file using an encryption process that uses encryption data to generate the new level of encryption and to decrypt the new level of encryption. A set of existing encryption data associated with the electronic file is identified, wherein each existing encryption data from the set of existing encryption data is associated with an existing level of encryption already applied to the electronic file. The encryption data is added to the set of existing encryption data associated with the electronic file so that the existing levels of encryption and the new level of encryption can be decrypted.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: June 21, 2016
    Assignee: AppSense Limited
    Inventors: Paul Keith Branton, Paul Delivett
  • Patent number: 9367341
    Abstract: A mechanism for automatically encrypting and decrypting virtual disk content using a single user sign-on is disclosed. A method of embodiments of the invention includes receiving credentials of a user of a virtual machine (VM) provided as part of a single sign-on process to access the VM, referencing a configuration database with the received credentials of the user, determining encryption and decryption policy settings for the VM from the configuration database, and at least one of encrypting or decrypting, by the VM, files of the VM based on the determined encryption and decryption policy settings.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: June 14, 2016
    Assignee: Red Hat Israel, Ltd.
    Inventors: Dor Laor, Izik Eidus