Abstract: An example method includes receiving a media identifier and a first impression identifier from a media device, the media identifier being indicative of media presented at the media device, receiving the first impression identifier in association with first user information from a first database proprietor as a result of the first database proprietor obtaining a first identifier encrypted with a first encryption key by the media device, and receiving a second impression identifier in association with second user information from a second database proprietor as a result of the second database proprietor obtaining a second identifier encrypted with a second encryption key. The example method further includes identifying the first user information as associated with a user based on the first impression identifier, identifying the second user information as not associated with the user based on the second impression identifier and discarding the second user information.

Abstract: A method for detecting a confirmation of a properly installed software product on a computing device, determining the software product installation properties of the properly installed software product, and storing information relating to at least one or more software product installation properties of the properly installed software product.

Abstract: In one aspect, the present disclosure relates to a method that includes presenting a first user interface (UI) and a second UI on a mobile device. The first UI may include a map display and a control to compose a note. The method may include, in response to a user of the mobile device activating the control to compose the note, presenting a second UI including: an input to receive text for the note, one or more controls to select a picture for the note, and a control to save the note. The method may include, in response to the user activating the control to save the note: determining a location for the note using a geo-location sensor within the mobile device, sending the received text, the selected picture, and the location for the note to a server device, and displaying an indication of the note on the map display based on the location determined for the note.

Abstract: A system and method for mobile peer authentication and asset control. The system and method may be configured to authenticate peer users across any digital network and platform and may allow users to independently control access to content they share with others across the same platforms from their computing devices. Senders may anonymously verify other mobile users according to device, location, behavior, and knowledge contexts, and may independently control or monetize shares with one or more of those peers in real-time across any social, messaging, or electronic communication network, either by value or by reference.

Abstract: A method is provided for secure firmware provisioning of a device. In the method, an integrated circuit (IC) is manufactured by a first entity for use in the device. The IC is provided to a second entity for manufacturing the device using the IC. The IC has a unique identifier (UID) and secret key derivation data (KDD). A secure memory is provided to a third entity. The secure memory has a first key pair, and the secure memory is used with a firmware provisioning toolchain of the second entity. During manufacturing of the device by the second entity, the secure memory is enabled to verify the IC by verifying the UID. The secure memory stores a firmware decryption key, and is enabled to encrypt the firmware decryption key. The encrypted firmware decryption key is then provided to the IC, and the IC decrypts the encrypted firmware decryption key for use by the IC in decrypting the firmware.

Abstract: The disclosed computer-implemented method for selecting questions for knowledge-based authentication based on social entropy may include (1) identifying a potential question to ask a user of a computing system during a KBA process in an attempt to verify the user's identity, (2) determining whether any information suggestive of a correct answer to the potential question is available to anyone other than the user of the computing system, (3) calculating a social entropy of the potential question based at least in part on the determination of whether any information suggestive of the correct answer is available to anyone other than the user, and then (4) selecting the potential question to be asked to the user during the KBA process based at least in part on the social entropy of the potential question. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present invention is directed to an interrogator, method of discerning metal and radio frequency identification (RFID) objects, and an interrogation system employing the same. In one embodiment, the interrogator includes a metal sensing subsystem configured to provide a first signal having a signature representing a presence of a metal object, and a RFID sensing subsystem configured to provide a second signal having a signature representing a presence of a RFID object. The interrogator also includes a control and processing subsystem configured to discern a presence of at least one of the metal and RFID objects from one of the first and second signals.

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

Abstract: A distributed computer system and method for synchronizing content libraries in replication groups uses a synchronization control signal that is transmitted to a subscribed content library management module of each subscribed content library in a replication group from a content library management module of the master content library in the replication group to initiate a synchronization procedure. Using metadata of at least one consumable software item from the master content library, contents of a subscribed content library in the replication group are modified to synchronize its contents to the contents of the master content library.

Abstract: A method for operating a distributed key-value store includes processing a data set comprised of data records each associated with a unique identifier and having one or more values associated with one or more attributes using a private key provided at a client device, thereby partitioning each of the data records based on the identifier and forming a plurality of encrypted identifier-value pairs for distributed storage across a plurality of server nodes operably connectable to the client device. The method also includes building, at the client device, encrypted indexes based on the type of query; and executing a query protocol in response to receiving a query from the client device so as to identify, using the built encrypted indexes, data distributively stored in the server nodes which matches the query. The invention also provides a related system for operating a distributed key-value store.

Abstract: A method for operating a system on chip (SoC) comprising a bootable processor, wherein the method includes executing a bootloader and measuring electrical power consumed by the processor during booting to derive a unique power characteristic data, verifying the unique power characteristic data, and reconstructing an device key from the unique power characteristic data and helper dater derived during an enrollment of the system on chip, where the measured power trace of the processor constitutes a unique signature of the SoC device executing specified software such that the solution secures the running software by itself.

Abstract: Systems and methods for profiling a user include providing a user account to a user and, in response, storing a user account identifier in association with the user account in a database. First user data is then received that is associated with the user account identifier and that includes activity associated with the user account, and the first user data is association with the user account in the database. Subsequent user data is then received that includes information about the user and that is associated with additional user identifiers and the user account identifier and, in response, the additional user identifiers are association with the user account identifier and each other in the database, and the additional user data is associated with the user account in the database. A user profile may then be creating using the first user data, the second user data, and the third user data.

Abstract: Various embodiments provide confidentiality-based file hosting by automatically directing assets in a shared workspace to appropriate storage locations. The storage location can be determined by comparing a security level that is associated with an asset to security levels of multiple possible storage locations. If a security level of the asset is changed in the shared workspace, the asset is automatically directed to an appropriate storage location based on the changed security level. This can include directing the asset to either a more secure or a less secure storage location.

Abstract: A single presentation logic that is independent of a user interface framework is provided. Also provided is a protocol to interface the single presentation logic to the user interface framework. A plurality of user interfaces is configured to be plugged to the single presentation logic.

Abstract: A social networking system associates identification information with combinations of values used to generate a dynamically-created advertisement. Interactions with the dynamically-created advertisement by social networking system users are also associated with the dynamically-created advertisement. The social networking system uses the identification information to present the same combination of values used to generate the dynamically-created advertisement to additional social networking system users. Additionally, information describing interactions with the dynamically-created advertisement is determined from the interactions associated with the identification information, allowing the dynamically-created advertisement to be included in a personalized feed of content items presented to an additional user along with information describing interactions by various users presented with the same combination of values of components in the dynamically-created advertisement.

Abstract: Mechanisms for determining a cluster set of mobile devices are disclosed. A controller node identifies a primary mobile device that has a scheduled transmission for the controller node at a first time. The controller node identifies, from a plurality of mobile devices, a set of eligible assistant (EA) mobile devices. Each EA mobile device in the set is directed to determine a corresponding mobile device-to-mobile device (MD-MD) channel indicator that identifies a quality of a channel between the each EA mobile device and the primary mobile device. The controller node receives from at least one EA mobile device in the set the corresponding MD-MD channel indicator. The controller node then determines a cluster set that includes the primary mobile device and the at least one EA mobile device.

Abstract: Techniques for implementing a node-based access control system are described herein. In an embodiment, a server computer stores a node based policy system wherein each node identifies a resource and a policy for the resource. The server computer identifies a policy for a first node and an identifier of a second node wherein the second node is a parent node to the first node. The server computer maps an effective policy identifier to the policy for the first node and the identifier of the second node. The server computer stores data associating the effective policy identifier with the first node. The server computer identifies a policy for a third node and an identifier of the second node, wherein the second node is a parent node to the third node and wherein the policy for the third node is equivalent to the policy for the first node. The server computer then stores data associating the effective policy identifier with the third node.

Abstract: An apparatus and method for storing security information are provided. The apparatus is generally an electronic device that includes a memory configured to include a secured region to store security information and a processor configured to electrically connect with the memory. The processor is further configured to execute an application program configured to store the security information in a first secured region, to receive a request to store the security information from the application program, and to store the security information in a second secured region different from the first secured region in response to the request.

Abstract: The method for obfuscating a string includes selecting, by a processor, a first string of a first portion of input plain text that does not match a predefined text signature from a set of two or more text signatures. In addition, the method may include identifying, by the processor, a historical string that is similar to the first string from a set of two or more historical strings stored. Further, the method may include generating a first text signature, by the processor, by updating a text signature in the set of two or more text signatures that matches the identified historical string. The first text signature defines a pattern that matches the first string and the identified historical string. The first text signature, by the processor, may be saved to the set of text signatures in the memory.

Abstract: According to some aspects disclosed herein, a system for remote assistance and control of user devices subject to one or more remote assistance policies may be provided. In some embodiments, an administrator may request remote control of a managed user device. A managed application launcher may be provided by the user device and may be modified by the user device to remove managed applications or otherwise prevent access to applications that have a policy indicating that remote assistance is not allowed. The administrator may open a managed application included in the launcher and remotely control that application. In other embodiments, a user of the managed user device may initiate a request for remote assistance from within a managed application and/or the managed application launcher. The administrator's control of the user device and access to other applications on the user device may be limited based on the remote assistance policies.

Abstract: A system and method is disclosed for using encryption algorithms in peer-to-peer encryption mode to restore the integrity of data. An example method is provided for generating a new derivative for a file that has a plurality of existing derivatives that have been stored on servers using an (n,k) algorithm, where the (n,k) algorithm provides that a minimum number k of the derivatives required to restore the file. The method includes accessing, on a server, a first derivative of the existing derivatives and forming a blob for the new derivative based on a modification operation that uses the first derivative. Moreover, the method includes determining a number of times the modification operation has been performed, and if the number of times the modification operation has been performed is equal to the minimum number k, uploading the blob to a server for storage thereon.

Abstract: A data protection policy can specify which applications are allowed and/or dis-allowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner.) To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials only provides these credentials to applications that are allowed by the policy. In this manner, because they are not provided with the credentials required to access the network resource, the dis-allowed applications cannot access the ‘protected’ data thereby helping prevent these dis-allowed (or noncompliant) applications from leaking data.

Abstract: A method for establishing a connection between a detection device and another device, wherein the detection device is coupled with a remote-sensing motion detection apparatus, the method including acquiring a first motion signature information of a motion object through the remote-sensing motion detection apparatus; and establishing a connection with the other device when the first motion signature information matches with a second motion signature information of the motion object acquired by the other device.

Abstract: A content request communication, e.g., generated using a first processor of a device, can be transmitted to a web server. A response communication including content identifying a first value can be received from the web server. The first processor can facilitate presentation of the content on a first display of the device. A communication can be received at a second processor of the device from a remote server. The communication can include data representing a second value and can be generated at the remote server using information received from the web server. Further, the second processor can produce a secure verification output that can be presented on a separate, second display, representing at least the second value. The presentation on first display can at least partially overlap in time with the presentation on the second display.

Abstract: Techniques are disclosed for accessing computing resources using secure single sign on authentication with a single use access token, including website-to-desktop application delivery and secure transfer of context information from the website to the desktop application once valid security credentials are provided from the same end-user computing device. A user signs onto a web application once using the security credentials. A web-based single use token generator generates a single use access token based on the user-supplied security credentials. A web-based context embedder service dynamically generates a context carrier and transfer application including the single use access token. The context carrier and transfer application is provided to an end-user computing device, which, when executed locally, installs a desktop application onto the end-user computing device. The desktop application utilizes the single use access token to access a secure, cloud-based computing resource.

Abstract: This disclosure relates generally to audio-video processing, and more particularly to system and method for dynamically generating and rendering highlights of a video content. In one embodiment, the method may include receiving a start trigger and a stop trigger to generate and render the highlights of a portion of the video content playing on a first device for a registered user, recording at least one sub-portion of the portion of the video content upon receiving the start trigger and until receiving the stop trigger, monitoring the at least one sub-portion of the video content to detect one or more critical events, dynamically generating the highlights of the at least one sub-portion of the video content for each of the one or more critical events, and dynamically rendering the highlights of the at-least one sub-portion of the video content on a second device in possession of the registered user.

Abstract: Systems and methods for managing media, such as digital content, using block chain technology are described. In some embodiments, the systems and methods perform multiple digital currency transfers between address nodes to register a collection of rights to a digital content item to a block chain, and perform a digital currency transfer transaction between address nodes to register the collection of rights to the block chain.

Abstract: An image processing apparatus includes circuitry to verify validity of an access token of a web application that is provided by a web server communicably connected to the image processing apparatus via a network. The circuitry determines whether one of a plurality of functions of the image processing apparatus is available to the web application based on the access token verified and determined as being valid in response to a request to use one of the plurality of functions from the web application. The plurality of functions of the image processing apparatus includes at least one of a print function and a scan function.

Abstract: Disclosed are authentication methods, systems and servers. Aspect processes include receiving an authentication request sent by a first terminal; determining at least a first sub authentication request and a second sub authentication request with both corresponding to the authentication request; sending the first sub authentication request to a second terminal and the second sub authentication request to a third terminal; when receiving the first verification information sent by the second terminal and the second verification information sent by the third terminal, authenticating the first verification information and the second verification information; and sending the authentication result to the first terminal; wherein the second terminal or the third terminal is the same terminal as the first terminal or is a different terminal from the first terminal.

Abstract: An apparatus, computer program, and method are provided for utilizing a data structure to access fully qualified domain name information. A data structure is stored including a plurality of pairs. Each pair has a first element including information associated with a fully qualified domain name, and a second element including a result of a hash function performed on the information associated with the fully qualified domain name. In use, the data structure is utilized to access the information associated with the fully qualified domain name of at least one of the pairs, based on the result of the hash function performed on the information associated with the fully qualified domain name.

Abstract: An online identity verification application may be provided. According to an exemplary embodiment, an online identity verification application may utilize photographic, biometric, and documentation identification protocols. The verification application may use a multi-tier verification process based on identification protocols to verify the owner of a verification account and subsequently verify any linked accounts.

Abstract: In particular embodiments, in response a data subject submitting a request to delete their personal data from an organization's systems, the system may: (1) automatically determine where the data subject's personal data is stored; and (2) in response to determining the location of the data (which may be on multiple computing systems), automatically facilitate the deletion of the data subject's personal data from the various systems (e.g., by automatically assigning a plurality of tasks to delete data across multiple business systems to effectively delete the data subject's personal data from the systems).

Abstract: A data registration system (1) includes a terminal (20), a storage (10), and a server (30) communicable one another via a network. The terminal (20) executes check program (11) stored in a first area (P) of the storage (10) to function as a data receiving unit (21), a format checking unit (22), a data storing unit (23), and an alerting unit (24). The format checking unit (22) checks whether or not the format of data received by the data receiving unit (21) is correct. When the format of the data is correct, the data storing unit (23) stores this data in a second area (D1 to Dn) of the storage (10). An executing unit (32) of the server (30) executes a process to the data which is stored in the second area (D1 to Dn) of the storage (10) and which has the correct format.

Abstract: A communication channel for an X-ray imaging system may operatively couple a first imaging component to a second imaging component. The communication channel may include a first connector configured to couple to the first imaging component, a second connector configured to couple to the second imaging component, and a first authentication module configured to authenticate with the second imaging component.

Abstract: One or more elements on a computing device can be selected and locked from use. For example, a first user (e.g., adult) of a computing device can allow a second user (e.g., child) to use the former's device; however, the first user might not want the second user to have access to all of the elements on the device, and so the first user can select which elements he/she wants to share with the second user and which elements he/she does not want to share. For example, the first user can select elements and choose to lock the selected elements, lock all other elements, lock the selected elements for a certain period of time, or lock the selected elements but allow for earned usage, etc. The lock can be removed in response to an unlock event, which can comprise a user-initiated unlock, a timed unlock, or a user-earned locked.

Abstract: A method for controlling access to a file system having data elements, including the steps of maintaining a record of respective actual accesses by users of the file system to the data elements, defining a proposed removal of a set of the users from a superset of the users, wherein members of the superset have common access privileges to a portion of the data elements, and wherein following an implementation of the proposed removal, members of the set retain respective proposed residual access permissions, ascertaining, prior to the implementation of the proposed removal, that at least one of the respective actual accesses are disallowed to the members of the set, or to non-members of the set having actual access profiles which are similar to the actual access profiles of the members of the set, by the respective proposed residual access permissions, and generating an error indication, responsively to the ascertaining.

Abstract: Examples relate to managing cross-domain information. The examples disclosed herein relate to generating a cross-domain sharing specification that comprises an identifier of a first domain and at least one type of user interaction information that a first user enables for cross-domain sharing. The at least one type of user interaction information may be selected from a plurality of types of user interaction information related to the first domain. The examples relate to obtaining, from the first domain, user interaction information corresponding to the at least one type of user interaction information and storing the user interaction information in the cross-domain sharing specification.

Abstract: Methods and systems are provided for proxying data between an application server and a client device. One exemplary application system includes an application server to generate a virtual application and a proxy server coupled to the application server over a network to provide the virtual application to a client device. The proxy server receives input data from the client device and provides the input data to the application server, wherein the application server encodes the input data for an action in response to authenticating the proxy server and provides the data encoded for the action to the proxy server. The proxy server performs the action on the data and provides the result to the client device.

Abstract: The present invention relates to a method for, when using security software which allows documents to be utilized in PCs and terminals in companies or institutions but not to be leaked therefrom, enabling members to view, generate, edit and delete work files that are generated in the course of business in only secure areas and to freely view, generate and edit non-business personal documents with the same PCs and the same editing software in non-secure areas. More specifically, the present invention relates to a method for, when a program enabling access to a certain secure storage space is set to be a security program, allowing the program to be driven only in the secure storage space by pre-copying a temporary work file (cache file), a folder path, a license file, etc.

Abstract: A computer system enforces access control rules based at least in part on a set of parameters for cryptographic protection of communications that has been negotiated with another computer system. A cryptographically protected communications session is established. A request is transmitted over the cryptographically protected communications session. Fulfillment of the request is dependent on a set of parameters for cryptographic protection of communications of the cryptographically protected communications session.

Abstract: A multi-tenant logging system that allows a user to have an individual profile that controls the user's access to tenant logs is provided. The system includes a plugin that adds features of an access control list (ACL) to indexes of a logging stack based on a user's access role. The stack is an aggregate of logs for nodes that are stored globally in the system. When a user requests a particular index to logs in the logging stack, an authorization token associated with the user is provided. Before the user request is allowed to proceed, the access guard plugin performs access control on the stack by referencing the ACL using the authorization token to determine which tenants a user can access in view of the user's current access role. The plugin uses the token and the user identifier to construct the ACL to enable each user's access to the stack.

Abstract: In response to an attempt to install an instance of a container in a production environment, a set of security criteria associated with the container and features of the production environment are compared. Based on the comparison, a determination is made as to whether the features of the production environment satisfy the set of security criteria.

Abstract: A retrieving system for retrieving information concealed within a sequence of symbols. The system includes a decoder configurable using rule information and operable when so configured to retrieve the information concealed within the sequence of symbols by applying to the sequence of symbols at least one decoder rule determined by the configuration of the encoder.

Abstract: Systems and methods for performing adaptive bitrate streaming using alternative streams of protected content in accordance with embodiments of the invention are described. One embodiment of the invention includes a processor, and memory containing a client application. In addition, the client application configures the processor to: request a top level index file identifying a plurality of alternative streams of protected content, where each of the alternative streams of protected content are encrypted using common cryptographic information; obtain the common cryptographic information; request portions of content from at least the plurality of alternative streams of protected content; access the protected content using the common cryptographic information; and playback the content.

Abstract: A security system determines authorizations for entities to access data objects. The security system may train an adaptive model to predict the intent of a user who provides authorization for various entities or other users. In an embodiment, the adaptive model may be configured to determine latent properties of training data by identifying common parameters between entities that are, or are not, permitted to access given data object(s). The training data may include previous authorizations provided to the entities. Based on the identified common parameters, the model may generate usage expressions for determining a likelihood that the user intends to provide authorization for a given entity to access the given data object. If the likelihood is greater than a threshold value, the security system may provide a recommendation to the user to provide the authorization for the given entity.

Abstract: Task scheduling in a hybrid cloud that includes a private cloud and an external cloud is performed. First a job to be performed is identified. Then, the job identified is decomposed into a set of tasks, whereby a task schedule is obtained for tasks of the set of tasks to be executed across the hybrid cloud. Next, a task to be executed in the external cloud that requires private data from the private cloud for its execution is detected from the task schedule. Finally, one or more non-anonymized portions of the private data are anonymized before execution of the detected task in the external cloud, by executing an anonymizing function from the private cloud. De-anonymization functionality may similarly be involved.

Abstract: A method, apparatus and computer readable storage to implement an automated system for video surveillance in a casino or other controlled environment. Players in the casino can be automatically scanned and analyzed for whether they are under the legal gambling age or not. When an underage gambler is detected, a casino security employee (or other casino personnel) is notified so they can take the appropriate action. Similarly, players who are excluded from the casino can also be automatically detected and would be ejected when detected.

Abstract: A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

Abstract: Aspects described herein relate to controlling incoming data processing requests or messages and whether the incoming data processing requests are allowed to reach destination applications unmodified. The destination application may be a secure application operating within a secure application wrapper, and the secure application wrapper may determine whether and how much of the request or message is allowed to pass into a managed partition or through the secure application wrapper to reach the secure application for processing.

Abstract: WPD devices can be managed at the device capability level. When a WPD device is connected to a computer, a filter driver can be employed to examine communications with the WPD device. During initialization, the WPD device will provide a list of its capabilities. The filter driver can intercept this list and compare it against any applicable policies to determine whether any capabilities should be blocked. When it is determined that a capability should be blocked, the filter driver can remove the capability from the list while retaining any non-blocked capabilities. The filter driver can also cause device initialization to fail in some scenarios. In this way, an administrator can block specific capabilities of a WPD device rather than blocking the entire device.