Abstract: Embodiments are described herein for document authentication certification using information stored on a distributed ledger such as a blockchain. A distributed ledger may securely store document data describing the document. Use of a distributed ledger may provide an immutable, readily auditable record of the history of the document. Each user participating in the system may be assigned a unique identifier to be used for conducting transactions on the distributed ledger network. A user may also be provided with a digital security token such as a cryptographic key that is useable to authenticate the user and enable access to the document data stored on the distributed ledger(s).

Abstract: A terminal apparatus 20 includes a sensor data collection unit 21 that collects sensor data from an odor sensor 40 that outputs the sensor data in reaction to a plurality of types of odors, an analyzer acquisition unit 22 that, in the case where an analyzer capable of analyzing a designated odor analysis target is transmitted thereto from a server apparatus 10 that holds a plurality of analyzers for analyzing odor analysis targets by analyzing the sensor data, acquires the analyzer transmitted thereto, an analysis execution unit 23 that executes analysis processing of the designated odor analysis target, by applying the acquired analyzer to the collected sensor data, and an analysis result holding unit 24 that holds information indicating a result of the analysis processing.

Abstract: A system for selective processing of web content wherein a processing unit executes an online application accessible to different users, and includes a first reception module for receiving, for a first user, a web name representing first web content; a first processing module for coupling to the web name the first web content with a coupling logic, a third reception module for receiving a request for access to the online application by a second user, a fourth reception module for receiving a selected web name from a stored list; an access module for accessing the first web content coupled; a second processing module for selectively processing the first web content and processing content received by the first user as a function of the coupling logic, and as a function of the selected web name and interaction content received by the second user.

Abstract: Disclosed are various embodiments for delegating authentication to certificate authorities. A first request for a certificate is received from a client device. Then a certificate request can be created. The certificate request may include a credential identifier for a certificate authority. The credential identifier may uniquely identify an authentication credential to use to request the certificate from certificate authority. The certificate request can then be added to a message queue. Later, a second request from another computing device is received and the message stored in the message queue is provided in response. A certificate is then received from the other computing device and is provided to the client device in response to the first request.

Abstract: A biometrics-based control device includes a biometric sensor that acquires biometric data from a person. A user database contains biometric data items, whereby a biometric data item characterizes an authorized user. A processor causes the biometrics-based control device to execute a control action if biometric data acquired through the biometric sensor corresponds with a biometric data item in the user database. The biometrics-based control device establishes a communication link with an external device through a communication interface. The biometrics-based control device applies an administrator authentication condition for allowing the external device to access the user data base if the user database comprises at least one biometric data item that belongs to an administrator class. The administrator authentication condition consists of an acquisition of biometric data through the biometric sensor that corresponds with a biometric data item in the user database that belongs to the administrator class.

Abstract: Secure communication in mobile digital pages is provided. The system receives an electronic document and validates the electronic document for storage in a cache server. The system receives a request for the electronic document and provides it to a viewer component on a client computing device. The viewer component loads the electronic document in an iframe. The viewer component executes a runtime component to receive, via a secure communication channel, a tag from the electronic document. The system receives the tag and selects a data value for transmission to the viewer component. The viewer components provides the data value to cause the runtime component to execute an action with the data value.

Abstract: A method, system, and computer program product to provide a synthetic device ID for a device is provided herein. The method includes receiving a request from the device to obtain a service from a vendor, where the device is associated with an internal device ID. The method further includes generating the synthetic device ID for the device and associating the device, the internal device ID, the vendor, and the synthetic device ID. The method also includes transmitting the synthetic device ID to the vendor, and internally tracking the request based on the association.

Abstract: A content delivery provider may stream an application to each of a plurality of computing devices. The content delivery provider may transmit an offer to download the application to each of the plurality of computing devices, after a first initial display interval. The provider may receive a number of positive user interactions with the offer after the first initial display interval, and a total number of positive user interactions with the offer. The provider may automatically adjust the initial display interval by a factor proportional to a desired first-display quantile divided by the number of positive user interactions after the first initial display interval. The application may be streamed to a second computing device, and the offer to download the application transmitted to the second computing device, after the adjusted initial display interval.

Abstract: A data protection policy can specify which applications are allowed and/or dis-allowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner.) To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials only provides these credentials to applications that are allowed by the policy. In this manner, because they are not provided with the credentials required to access the network resource, the dis-allowed applications cannot access the ‘protected’ data thereby helping prevent these dis-allowed (or non-compliant) applications from leaking data.

Abstract: An application performance management system is disclosed. Operational elements are dynamically discovered and extended when changes occur. Programmatic knowledge is captured. Particular instances of operational elements are recognized after changes have been made using a fingerprint/signature process. Metrics and metadata associated with a monitored operational element are sent in a compressed form to a backend for analysis. Metrics and metadata from multiple similar systems may be used to adjust/create expert rules to be used in the analysis of the state of an operational element. A 3-D user interface with both physical and logical representations may be used to display the results of the performance management system.

Abstract: Embodiments are directed to managing documents over a network. A machine learning (ML) engine analyzes a plurality of documents associated with actions that were performed previously. The ML engine determines critical events associated with the performance of the actions based on the plurality documents. The ML engine generates ML models based on the critical events to compute risk values that may be associated with the critical events. In response to a request to compute risk values associated with pending actions, the ML engine determines documents that are associated with the pending actions based on the request. The ML engine determines the critical events associated with pending actions based on the documents. The ML engine employs the ML models to generate the risk values based on the documents and the critical events. The ML engine provides the risk values in response to the request.

Abstract: An authentication system may receive an authentication MAC, an integrity MAC, and data transmitted from a payment application and a payment terminal. A local integrity MAC may be generated using the data as an input to a first cryptographic operation. The system may compare the local integrity MAC to the received integrity MAC to authenticate the received integrity MAC. A local authentication MAC may be generated using a second cryptographic operation and compare the local authentication MAC to the received authentication MAC. The system may authenticate the payment application in response to a successful authentication of at least one of the received authentication MAC or the received integrity MAC.

Abstract: In particular embodiments, in response a data subject submitting a request to delete their personal data from an organization's systems, the system may: (1) automatically determine where the data subject's personal data is stored; (2) in response to determining the location of the data (which may be on multiple computing systems), automatically facilitate the deletion of the data subject's personal data from the various systems; and (3) determine a cause of the request to identify one or more processing activities or other sources that result in a high number of such requests.

Abstract: The invention relates to a building or enclosure termination opening and/or closing apparatus (10) having communication signed or encrypted by means of a key, and to a method for operating such. To allow simple, convenient and secure use by exclusively authorised users, the apparatus comprises: a first and a second user terminal (14, 30), with secure forwarding of a time-limited key from the first to the second user terminal being possible. According to an alternative, individual keys are generated by a user identification (42) and a secret device key (40).

Abstract: A method for multi-tenant authorization includes receiving, from a user account of a multi-tenant computer system, a request for a resource of the multi-tenant computer system. The method further includes determining whether the resource corresponds to a local resource that is local to the user account or to a nonlocal resource that is not local to the user account. The method further includes identifying, by a processing device, a local access control policy of the user account, corresponding to the local resource, or a visiting access control policy of the user account, corresponding to the nonlocal resource. The method further includes determining that the identified access control policy of the user account comprises an access permission corresponding to the resource. The method further includes controlling access to the resource of the multi-tenant computer system based on the access permission.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for a customizable cloud-based software platform. A customizable cloud-based software platform provides functionality that enables a user (e.g., individual user, organization, etc., that has created an account with the customizable cloud-based software platform) to modify a base version of a cloud-based software application to the specific user's needs. For example, the customizable cloud-based software platform provides a base version of a cloud-based software application that includes a base set of functionalities, settings, user interfaces, etc., which a user may modify to meet the user's specific needs. A user may therefore use a client device to interact with the customizable cloud-based software platform to access their customized instance of the cloud-based application.

Abstract: In a database system, an archive table data specifies a pre-defined archive time period based on which a periodic archive procedure is performed and a pre-defined purge time period based on which a periodic purge procedure is performed. Based on the periodic archive time period being reached, a new partition is created in a transaction database, which is used as a live partition into which the database stores transaction records which are new; and an expired transaction database partition is moved to the archive database using a database partition feature whereby data in the partition is moved as a whole. Based on the periodic purge time period being reached, an expired archive database partition is removed from the archive database using the database partition feature, wherein data is deleted as a whole from the archive database based on the archive database partition being removed.

Abstract: An apparatus including a processor and a memory configured to provide an SEE and an REE. The processor is configured to provide a client application configured to execute at a user privilege level and a hypervisor configured to execute at a hypervisor privilege level. The user privilege level is more restrictive than the hypervisor privilege level. The processor is further configured to provide a trusted application configured to execute within the SEE. The trusted application provides secure services to the client application. The processor is configured to send a request for secure services from the client application to the trusted application, send a measurement request to the hypervisor, generate within the hypervisor a measured value based on the client application, return the measured value to the trusted application, and determine whether the client application is authorized to access the secure services. The authorization determination is based on the measured value.

Abstract: A network device receives credentials of a user of a client device, and receives an enrollment request from the client device, wherein the enrollment request includes a network address of the client device. The network device generates a token comprising the network address and an identifier of the user, encrypts the token, and sends the encrypted token to the client device. The network device receives, when the client device attempts to access a protected resource or a network service, the encrypted token from the client device for authenticating the client device without further requiring the credentials of the user.

Abstract: An authorization server to issue an access token for accessing a resource provided by a resource server performs operations. A client receives an issuance request having a predetermined parameter identifying a type of access token to be issued. Based on the predetermined parameter, one of a first type or second type of access token to be verified by the resource server is issued. The first type of access token or the second type of access token is transmitted to the client from which the issuance request was received. The second type of access token is verified at the authorization server by receipt of a verification request received together with the second type of access token from the resource server. The received verification request is transmitted from the resource server based on the resource server determining that a request for service from the client includes the second type of access token.

Abstract: A method for preventing malicious software from attacking files of a computer system includes the following steps. Whether a file type of a specific file corresponding to an input/output (I/O) request is a to-be-backed-up file type is checked, wherein the to-be-backed-up file type belongs to one of multiple predetermined file types susceptible to malicious software attack. When the file type of the specific file is the to-be-backed-up file type, a backup already tag in a file context tag structure of the specific file is checked. When the backup already tag shows that the specific file has not been backed up, a backup process is performed for the specific file.

Abstract: A technology is provided for reducing latency in a messaging system. Unprocessed messages in a message queue are consumed via a messaging overflow service launched in response to an alarm triggered by a monitoring service that indicates the message queue has reached a predetermined threshold. The unprocessed messages are processed via the messaging overflow service to generate a processed data store values. The processed data store values are stored in a cache associated with the messaging overflow service.

Abstract: Secure Real Time Communications Service (SRTCS) for audio and video streaming communications and content sharing that securely connects multiple users using a “push-button” WebRTC chat app connection over a Peer-to-Peer (P2P) network. SRTCS uniquely combines advanced security technologies to provide user based permissions control when communicating and sharing rich media content with other users including End-to-End Encryption (E2EE), Hash Technology (DHT), and Digital Rights Protection (DRM). SRTCS has also designed a unique cloud based streamed video storage and sharing platform service for consumers and business video storage and sharing applications.

Abstract: The disclosure herein pertains to a system and method for management of personalization content. The system and method divide the personalization information into offline personalization information and situational personalization information. Offline personalization information is independent of context and predetermined before a content request. A personalization model can dynamically allocate the selection between offline personalization information and situational personalization information.

Abstract: A computer system is configured to receiving a data set from a data provider and automatically save the data set in a quarantine database where copying, moving, and sharing of the data set are restricted until the data set is released by a data provider. The data set is parsed to find and mark portions with potentially sensitive information. At least those parts are reviewed by a data governor, who can confirm, add, edit, or remove markers. Those parts can be visually indicated to the data governor, along with a preview of, metadata about, and analysis of the data set. After reviewing at least the automatically marked portions, the data governor can release the data set to a non-quarantine database where another user can use the data set. The user is restricted from accessing the quarantine database.

Abstract: Systems and methods for managing local data for input capture devices (ICDs) over communication network are disclosed. At least one ICD and at least one user device are connected to a cloud-based analytics platform communicatively over a network. The at least one ICD has at least one visual sensor and built-in storage that captures and stores visual data at the built-in storage. The cloud-based analytics platform accesses to the visual data stored at the built-in storage and performs analytics for the captured visual data and generates analytics data. An authorized user is able to view live visual data and manage stored visual data at the at least one ICD via the at least one user device.

Abstract: An identity verification system may include a contactless card comprising a processor and a memory, and one or more applications comprising instructions for execution on one or more devices. The contactless card may be associated with a first user. A first application may be configured to transmit, after entry of the contactless card into a communication field, identity data. A second application may be configured to receive a notification based on an identity verification process. The notification may comprise an option indicative of requested access to specified information about the first user, the option further including a choice to accept or decline access to the specified information about the first user. The first application may be configured to receive the requested access to specified information about the first user based on selection of the option.

Abstract: Provided is a method and system for transforming a GUID of a database entry into a reduced identifier. The transformation may be performed by a bijective function. In one example, the method may include one or more of receiving a database entry which includes a global unique identifier (GUID) which uniquely identifies the database entry, identifying a transformation function associated with the database entry, transforming the GUID into a reduced identifier based on the transformation function wherein the reduced identifier has a reduced size with respect to a size of the GUID, and storing the database entry based on the reduced identifier.

Abstract: A method and system monitors activity of a user of a data management system and detects a trigger event in the activity of the user. The method and system generates a support case responsive to the trigger event. The support case includes support rules defining what types of the user's personal data will be accessible to an assistance agent when the user requests assistance related to the trigger event. The method and system utilizes machine learning processes to determine what types of user related data should be accessible to assistance agents in support cases.

Abstract: Methods and systems for provisioning computing resource instances among implementation resources based on trust to reduce interference between computing resource instances implemented by the same implementation resources. In an embodiment, a trust rating is determined for a computing resource instance based at least in part on one or more trust factors. The suitability of an implementation resource to implement the given computing resource instance may be evaluated based at least in part on the trust rating of the computing resource instance and a trust rating of the implementation resource. In some embodiments, the trust rating of the implementation resource may be predefined or based on trust ratings of computing resource instances that are currently implemented by the implementation resource. An implementation resource may be selected to implement the computing resource instance based at least in part on its suitability thus determined.

Abstract: Systems and methods may be used to create and modify a co-marketed document. A system and method may include using a template with designated editable regions for each co-marketer, wherein each co-marketer may not edit regions designated for the other co-marketer. The system and method may include selecting regions of the co-marketed document for each co-marketer to determine the percentage of space each co-marketer utilizes on a co-marketed document. The system and method may include providing mechanisms for the determined percentage of space to be verified, approved, and transmitted to a printing service.

Abstract: A secret is securely maintained on a virtualized computer system by configuring a specialized virtual machine to manage and maintain the secret on behalf of an application. When the application requests access to the secret, a controlling domain, in combination with the specialized virtual machine, validates that the application is authorized to make the request and that the application has not been compromised prior to making the request. If the request is validated, the controlling domain and the specialized virtual machine fulfill the request by providing the application with access to the secret.

Abstract: A software-defined media platform having one or more media processing units that may be dynamically instantiated, interconnected and configured according to changes in demand, resource availability, and other parameters affecting system performance relative to demand. In one example media processing method, a source media stream may be received via multicast or unicast. The source media stream may be processed into one or more levels of work product segments having different media characteristics by a plurality of transcoding processing units, as needed. One or more levels of work product segments, or the source media stream, may be packaged (e.g., including resegmenting) into final work product segments having select media characteristics, which may be uploaded to a cloud storage unit for delivery to end users.

Abstract: Disclosed are systems and methods for routing during statistics collection. A method is described of exchanging data in a client/server architecture across a node with an anonymization module situated in a regional network different from the network in which the server is located and not being in the same intranet as the server or the client when making the request.

Abstract: Disclosed are an application security protection method, a terminal, and a storage medium. The method includes the steps of: monitoring whether an application software protection triggering condition is satisfied (S301); if yes, judging whether current application software is malicious software (S302); if yes, providing prompt information indicating that the current application software is malicious software (S303); and when an opening continuing instruction for continuing to open the current application software is received (S304), starting the current application software (S305). The application security protection method, the terminal and the storage medium greatly improve the security when an application program runs at the terminal.

Abstract: The ability to submit and execute secured commands on a device is controlled using an interface authenticator. The interface authenticator includes a processor and physical memory that stores key material. When the interface authenticator is connected to the device the device communicates with the interface authenticator to cryptographically verify that the interface authenticator is valid. If the interface authenticator is valid, the device allows controlled commands to be received. In some examples, the controlled commands are obtained via a sideband data channel pass-through access and executed on a management controller within the device. In some examples, as a result of determining that the interface authenticator is valid, a sideband data channel pass-through access is enabled over which both privileged and uncontrolled commands may be received.

Abstract: An image processing apparatus for displaying, on a display, a plurality of thumbnail images respectively corresponding to a plurality of display data includes an input operation receiver that receives an input operation of entering a setting value for at least one of a position and a magnification of a plurality of thumbnails images, and a display switcher that switches a display of a target thumbnail image out of the plurality of display data to a display of a thumbnail image set based on the entered setting value.

Abstract: It is presented a method performed in a deployment server being configured to deploy a software container. The method comprises the steps of: receiving a trigger to deploy a software container; obtaining an image intended for the software container comprising a set of at least one module; injecting a security module in the image; obtaining a container specification of the image; configuring the security module to forward incoming communication to the set of at least one module in accordance with the obtained container specification; modifying the container specification such that the at least one service is accessed externally only via the security module and that all outgoing communication, from the set of at least one module, is directed via the security module; publishing the modified container specification in a service discovery repository; and deploying the software container on at least one execution server.

Abstract: A method for providing a language agnostic contract execution on a blockchain is provided. The method includes providing a menu comprising multiple execution environments, and selecting, from a suite of virtual machine containers, a virtual machine container that runs an execution environment selected by the developer of the blockchain application. The method also includes enabling one or more functions in the virtual machine container to access a dedicated memory or a state variable in the block producer to run an action in the virtual machine container, the action provided by a server running the blockchain application, providing the action to the blockchain application in the virtual machine container, and writing an output from the action of the blockchain application to a secure ledger in a blockchain. A system and a non-transitory, computer-readable medium storing instructions to perform the above method are also provided.

Abstract: Systems, apparatuses and methods may provide for establishing a hardware-based chain of trust in a computing system and extending the hardware-based chain of trust to a container manager and a containerized application on the computing system. Additionally, the containerized application may be checked for its trust and security while it is launched, via the container manager, on the computing system. In one example, extending the hardware-based chain of trust includes conducting a pre-boot measurement of the container manager, a root of trust measurement agent, and one or more packages associated with the containerized application, and verifying the pre-boot measurement of the platform/host and the application itself prior to the containerized application being launched.

Abstract: Present technology is directed to a system and method for implementing an offline scheme to automatically and efficiently transform a set of conventional IP-based Access Control Entries in a supplied configuration into compressed form that can then be represented as Object-Group based Access Control Entries. The compression is performed on contiguous blocks of the supplied Access Control List having a common prescribed filtering access. The compression is performed by iteratively selecting a data field with mismatching data values across the ACEs and merging the data values into a corresponding data field of the output ACE. The common values of other data fields are then imported to the corresponding data fields of the output ACE. The process is repeated in an iterative manner by assigning a different data field as the selected data field for each iteration round.

Abstract: Methods, systems, and devices for data processing are described. Some systems may support data processing permits and cryptographic techniques tying user consent to data handling. By tying user consent to data handling, the systems may comply with data regulations on a technical level and efficiently update to handle changing data regulations and/or regulations across different jurisdictions. For example, the system may maintain a set of data processing permits indicating user consent for the system to use a user's data for particular data processes. The system may encrypt the user's data using a cryptographic key (e.g., a cryptographic nonce) and may encrypt the nonce using permit keys for any permits applicable to that data. In this way, to access a user's data for a data process, the system may first verify that a relevant permit indicates that the user complies with the requested process prior to decrypting the user's data.

Abstract: The present disclosure describes systems and methods for processing security sensor data that enhances the ability of a user to quickly and efficiently review portions of the sensor data streams.

Abstract: Systems, computer-readable media, and methods for improving data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data related to the data subject to be disclosed to an authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values. The techniques described herein maintain this level of privacy/anonymity, while still empowering Data Subjects, e.g., consumers or customers of such authorized parties, e.g., business entities, by enabling them to request or specify their desired level of engagement with such business entities. Data Subjects may then receive privacy-respectful, trusted communication, e.g.

Abstract: Embodiments for enhancing privacy and security of an image by a processor. Metadata associated with the image is configured with a usage designation, the usage designation having accompanying notification information for notifying an owner of the usage designation if a condition of the usage designation is met.

Abstract: A user device receives a first media item that is associated with a second media item. The device determines that a playback state for the device indicates that the device is paired with an alternative playback device. The device sends the playback state in a request for the second media item, receives the second media item in a first format for playback on the user device and in a second format for playback on the alternative playback device. The device determines whether the playback state of the device is the same. The device displays a first graphical representation of the second media item in the first format on the user device if the user device is no longer paired with the alternative playback device and displays a second graphical representation of the second media item in the second format on the user device if the user device is still paired with the alternative playback device.

Abstract: In an implementation of identifying related computing devices for automatic user account login, a login request to a user account that includes a unique identification (ID) of a user computing device and an internet protocol (IP) address of the user computing device are received. One or more user computing devices that have logged in to the user account using a same IP address as the user computing device are identified based on a user ID of the user account and the unique ID of the user computing device. Whether one or more unique IDs corresponding to the one or more user computing devices that have logged in to the user account are correlated with the unique ID of the user computing device is determined. If yes, data corresponding to login information used by the one or more user computing devices to log in to the user account to the user computing device for automatic account login are sent.

Abstract: A user device receives a first media item that is associated with a second media item. The device determines that a playback state for the device indicates that the device is paired with an alternative playback device. The device sends the playback state in a request for the second media item, receives the second media item in a first format for playback on the user device and in a second format for playback on the alternative playback device. The device determines whether the playback state of the device is the same. The device displays a first graphical representation of the second media item in the first format on the user device if the user device is no longer paired with the alternative playback device and displays a second graphical representation of the second media item in the second format on the user device if the user device is still paired with the alternative playback device.

Abstract: A GPT-based multi-location data security system includes a first server device coupled to a second server device through a network. The first server device includes a storage device that includes a GPT that identifies a data storage partition on the storage device that stores data, and that includes a security tag that identifies security requirements for the data stored on the data storage partition. A multi-location data security subsystem in the first server device is coupled to the storage device. The multi-location data security subsystem receives a request to transfer the data stored on the data storage partition to the second server device, and determines whether the second server device satisfies the security requirements for the data stored on the data storage partition. If the second server device satisfies the security requirements identified in the security tag, the first server device transfer the data to the second server device.

Abstract: A mobile device includes a file information acquiring unit, a file information display unit that displays the file information acquired on a display unit, a file presence identifying unit that determines whether or not a file specified by file information designated by a user from among the file information displayed on the display unit is stored in a storage unit, a first file transmitting unit that transmits the stored file to another mobile device when the file presence identifying unit determines that the file is stored in the internal storage unit, a file acquiring unit that downloads the file specified by the designated file information from the server when the file presence identifying unit determines that the file is not stored in the internal storage unit, and a second file transmitting unit that transmits the file acquired by the file acquiring unit to the other mobile device.