Abstract: A method for monitoring access to an electronically controllable device includes establishing communication between a mobile device and a control platform via a communication network. A booking, including first and second data, is created for a controllable device in the platform. The first data is access information and the second data is encrypted with an individual key which is assigned to an access control unit in the controllable device. The mobile device is wirelessly connected to the access unit and the second data, as well as a subset of the first data, is transmitted to the access unit which decrypts the second data and checks its signature. If the check is successful, a configuration of the access unit is adapted as a function of the decrypted data. Authorization for access to the controllable device by the mobile device is checked as a function of the decrypted data.

Abstract: An electronic device and an operation method thereof, according to various embodiments, may: receive first data and second data compressed in a designated compression scheme; decompress the received first data and the received second data on the basis of at least the designated compression scheme; decrypt the decompressed second data; detect success of the decryption; and reproduce the decompressed first data and the decrypted second data.

Abstract: Described herein is an application ownership enforcement system and method. Ownership identification information (e.g., name, email address, identifier) regarding portion(s) (e.g., a function, a subroutine, a module, an HTML page, a component, a form, and/or an element) of an application is received and stored in the application. In response to receipt of a request to compile the application, prior to compilation, the stored ownership identification information can be compared to stored information regarding current users (e.g., a list, a directory, a database). When it is determined that the stored ownership information is currently valid, the application can be permitted to be compiled. When it is determined that the stored ownership information is not currently valid, the application is not permitted to be compiled or a warning provided, and, information regarding the determination that the stored ownership information is not currently valid can be provided (e.g., via a graphical user interface).

Abstract: According to one embodiment, a data storage apparatus includes a controller with a data protection function. The controller manages first and second personal identification data. The first personal identification data only includes authority to request inactivation of the data protection function. The second personal identification data includes authority to request inactivation of the data protection function and activation of the data protection function. The controller permits setting of the first personal identification data, when the second personal identification data is used for successful authentication and the first personal identification data is an initial value, or when the data protection function is in an inactive state.

Abstract: Embodiments described include systems and methods for multiple users to provide input on an input element of a network application. A first client application may establish, for a first user, a first session of a network application via a first embedded browser within the first client application. A second client application may establish, for a second user, a second session of the network application via a second embedded browser within the second client application. The first client application may communicate an invite to the second user to collaborate on an input element of a user interface displayed in the first embedded browser. The second client application may provide, responsive to acceptance of the invite, a second user interface for the second user to enter input into the input element. One of the first or the second client applications may display input received in the input element.

Abstract: Embodiments described herein provide a privacy mechanism to protect user data when transmitting the data to a server that estimates a frequency of such data amongst a set of client devices. In one embodiment, a differential privacy mechanism is implemented using a count-mean-sketch technique that can reduce resource requirements required to enable privacy while providing provable guarantees regarding privacy and utility. For instance, the mechanism can provide the ability to tailor utility (e.g. accuracy of estimations) against the resource requirements (e.g. transmission bandwidth and computation complexity).

Abstract: A system for capturing impression data includes a server in communication with a user's computing device via a communications network. The server is configured to generate a pixel for embedding in a digital communication viewable in a web browser on the user's computing device. The pixel is served from a domain associated with the server. The server is configured to, in response to the digital communication being viewed in the web browser on the user's computing device, set a cookie on the user's computing device via the pixel. The cookie is configured to store data associated with one or more impressions of digital communications viewed on the user's computing device. The server is configured to, in response to the user's computing device accessing the domain via the web browser, receive the stored data associated with the one or more impressions from the cookie set on the user's computing device.

Abstract: An account lifecycle management system is provided. The system includes a discovery engine configured to discover and identify an account. The system further includes a policy engine configured to identify privileged access data granted to the account identified by the discovery engine. The system further includes a data modeling engine configured to associate the identified privileged access data with organizational information. The system further includes a remediation engine configured to remediate the account based on the associated privileged access data.

Abstract: A tag positioned on an object provides information for selecting augmented reality (AR) content that is based, at least in part, on a user profile or other user information. The tag may be utilized to transmit messages between users where AR content can be integrated into the message and presented upon scanning and processing of the tag. The AR content may also be related to user interests or real time user information, such as user location. The user may interact with the AR content to retrieve additional information, which provides an improved customer experience and improved integration into a provider ecosystem.

Abstract: The invention described herein is directed to a secure text messaging and object sharing mobile application connected to a DRM cloud service that provides encryption, digital rights management (DRM) of the text and of the attachments, blockchain transactions, the capability of attaching documents, photos and so forth, the capability of interfacing with a user's contacts application, and that operates in both Android and iOS environments.

Abstract: A system for provisioning computerized devices of a plurality of tenants is provided. The system includes a security credential management system (SCMS) host connected to the devices and that is operable to receive provisioning requests from respective ones of the devices needing certificates, each provisioning request indicating a tenant identifier uniquely identifying a tenant, at least one registration authority that is communicatively connected to the SCMS host and transmits the provisioning requests to SCMS backend components based on the tenant identifier of each provisioning request.

Abstract: Systems, methods, and devices are provided for eliminating binary-level exploitable vulnerabilities in computer systems, making the computer systems more secure. Embodiments of the present disclosure can improve security using a computer system that can force user applications to be interpreted high-level language code, permitting the implementation of several well-defined security mechanisms in the computer system.

Abstract: An information provision method includes accumulating, in a first database, a first identifier identifying each of one or more service providers, and first device information indicating an electrical device to be designated by each of the one or more service providers in association with each other; accumulating, in a second database, a second identifier identifying each of one or more users, and second device information indicating an electrical device to be used by the one or more users in association with each other; extracting a service provider associated with the first device information when the second device information is updated by addition of a new electrical device to be used by one of the one or more users, and when the new electrical device is included in the electrical devices indicated by the first device information.

Abstract: A digital asset is represented and verified as a set of related digital asset or other content objects. Related metadata is stored on an immutable distributed ledger separately from the content objects themselves. For example, a transaction object includes metadata such as identifiers for two or more content objects, fingerprints for the content objects. The content objects may be stored in a local or cloud object repository. Validation of a later identified content object may include determining a fingerprint for the later identified content object, mapping that fingerprint to an address within the immutable distributed ledger to retrieve metadata previously mapped, and comparing the two fingerprints. Visual validation may be provided when the first and second fingerprints match, such as by displaying a positive icon adjacent the later identified object.

Abstract: A keystroke dynamics anonymization technique that includes: receiving a plain-text password from a computer user; providing at least the plain-text password as a seed to a pseudorandom mapping function; applying the pseudorandom mapping function to keycodes that are produced by the computer responsive to keystrokes of the computer user, to map the keycodes to a set of mapped, anonymized keycodes; and providing the set of mapped, anonymized keycodes to a keystroke dynamics algorithm, to enable the keystroke dynamics algorithm to (a) learn a keystroke dynamics model of the computer user, and (b) authenticate an identity of the computer user.

Abstract: A memory storage system is provided according to an exemplary embodiment of the disclosure. The memory storage system includes a host system and a memory storage device. In a first handshake operation, the memory storage device transmits first encrypted information corresponding to first authentication information to the host system, and the host system transmits second encrypted information corresponding to the first authentication information to the memory storage device. In a second handshake operation, the memory storage device transmits third encrypted information corresponding to second authentication information to the host system, and the host system transmits fourth encrypted information corresponding to third authentication information to the memory storage device based on the third encrypted information. The third authentication information is configured to encrypt data transmitted between the host system and the memory storage device in a developer command transmission stage.

Abstract: Techniques are disclosed for serializing assertion-triggering transactions by locking special purpose resources (i.e. other than rows or tables), which enables a high level of concurrency for these transactions while at the same time ensuring correctness of the SQL assertion validation code. The techniques involve creating objects referred to therein as “Assertion-Locking Memory-Objects” or “ALMOs”. The database server causes each assertion-triggering transaction to obtain locks on one or more ALMOs prior to determining whether the changes made by assertion-triggering transaction violates the assertion. Because locks on the ALMOs are finer than the table locks, fewer transactions are blocked by ALMO locks.

Abstract: Embodiments are directed to securing data using attribute-based encryption. In an embodiment, a computer system encrypts a portion of data with an attribute-based encryption, including associating the encrypted portion of data with one or more encryption attributes. The computer system sends the encrypted portion of data and the one or more encryption attributes to a data store, which stores the first portion of data along with the one or more encryption attributes. The computer system also defines one or more access controls for the portion of data that include an identity of at least one user permitted to access the portion of data. The attribute-based encryption allows the encrypted portion of data to be provided by the data store upon request by the identified user when the request includes one or more search attributes that are relevant to the one or more encryption attributes.

Abstract: A method, and associated system, for security processing of a request for a resource in a network security system. The request for the resource and a duplicate of request for the resource are forwarded to a first proxy server and a second proxy server, respectively. A first output including the received request, and a second output including the duplicate of the received request, are received from first proxy server and the second proxy server, respectively. A determination is made that the first output and the second output differ and in response, a first alarm is generated and transmission to the web server of the received request and the duplicate of the received request is blocked.

Abstract: In one implementation, a method for providing security on an externally connected controller includes launching, by the controller, a security layer that includes a whitelist of permitted processes on the controller, the whitelist including (i) signatures for processes that are authorized to be executed and (ii) context information identifying permitted controller contexts within which the processes are authorized to be executed; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the determined signature with a verified signature for the particular process from the whitelist; identifying, by the security layer, a current context for the controller; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the current context with one or more permitted controller contexts for the particular process from the whitelist.

Abstract: A method, system and program is described for providing virtual storage domains for content addressable system. At least one tenant data storage policy is configured for at least one tenant in a storage system. A virtual storage domain is created based on the tenant data storage policy, each virtual storage domain having a unique identifier (ID). The corresponding virtual storage domain ID is tagged to a data request based on a data set policy when data belonging to a data set gets written to the storage system. A hash signature is calculated for the data taking the data content and the storage domain ID as inputs to calculate the hash signature.

Abstract: A system provides intelligent gallery management for biometrics. A first gallery is obtained that includes biometric and/or other information on a population of people. An application is identified. A subset of the population of people is identified based on the application. A second gallery is derived from the first gallery by pulling the information for the subset of the population of people without pulling the information for the population of people not in the subset. Biometric identification (such as facial recognition) for the application may then be performed using the second gallery rather than the first gallery. In this way, the system is improved as less time is required for biometric identification, fewer device resources are used, and so on.

Abstract: Particular embodiments described herein provide for a system that can be configured to receive a notification that a client device is requesting, to modify original data associated with an online application, wherein the original data is stored in encrypted format in a cloud; decrypt the original data using a first client encryption key; store the decrypted data in a location accessible by the online application; enable editing capability of the decrypted data; receive a notification that the client device is finished modifying the data in decrypted format; determine whether the original data in decrypted format was modified; encrypt, based on a determination that the original data was modified, the modified data using a second client encryption key; and upload the modified data in encrypted format to the cloud.

Abstract: A system and method for detecting and managing electronic transactions and providing a domain specific collection of remotely callable functions in a video game environment.

Abstract: Sharing data in a data exchange across multiple cloud computing platforms and/or cloud computing platform regions is described. An example computer-implemented method can include receiving listing information to create a listing in a data exchange, wherein the listing information includes a data set identifier for a data set hosted by a first cloud computing entity and a set of cloud computing entities for the listing. The method may also further include creating, by a processing device, the listing in the data exchange, wherein the data set can be shared from the first cloud computing entity with the set of second cloud computing entities using at least a provider corresponding account of that second cloud computing entity.

Abstract: Examples of the present disclosure describe systems and methods for restricting access to application programming interfaces (APIs). For example, when a process calls an API, the API call may be intercepted by a security system for evaluation of its trustfulness before the API is allowed to run. Upon intercepting an API call, the process calling the API may be evaluated to determine if the process is known to the security system, such that known processes that are untrusted may be blocked from calling the API. Further, when the security system cannot identify the process calling the API, the security service may evaluate a call stack associated with the call operation to determine if attributes of the call operation are known to the security system. If the call operation is known to the security system as untrusted, the call operation may be blocked from calling the API.

Abstract: A method for training an obfuscation network capable of performing distinct concealing processes for distinct regions of an original image is provided. The method includes steps of: a learning device (a) inputting a training image into the obfuscation network to generate an obfuscated training image by performing a 1-st to an n-th concealing process respectively on a 1-st to an n-th training region of the training image; (b) inputting the obfuscated training image into a 1-st to an n-th discriminator to respectively generate a 1-st to an n-th obfuscated image score on determining whether the obfuscated training image is real or fake, and inputting the obfuscated training image into an image recognition network to apply learning operation on the obfuscated training image to generate feature information for training; and (c) training the obfuscation network such that an accumulated loss is maximized, and an accuracy loss is minimized.

Abstract: A method of certifying a state of a platform includes receiving one or more software elements of a software stack of the platform by an authentication module and performing a hash algorithm on the software stack to generate one or more hash values. The software stack uniquely determines a software state of the platform. The method includes generating creation data, a creation hash, and a creation ticket, corresponding to the hash values and sending the creation ticket to the platform. The method also includes receiving the creation ticket by the authentication module and certifying the creation data and the creation hash based on the creation ticket. The method further includes generating a certified structure based on the creation data and performing the hash algorithm on the certified structure to generate a hash of the certified structure. The certified structure uniquely determines the software state of the platform.

Abstract: The loading of a privileged application can be selectively blocked. An application restrictor can be configured to register for notifications whenever an application image is loaded. Then, whenever the application restrictor receives a notification, the application restrictor can evaluate whether the application image that is being loaded is a privileged application. If so, the application restrictor can evaluate the current process's parent tree to determine if an untrusted application is present at any level of the parent tree. The application restrictor will then allow the privileged application to load only when all applications in the parent tree are trusted applications. In this way, untrusted applications can be blocked from accessing a privileged application without blocking trusted applications from accessing the privileged application.

Abstract: A plurality of attributes associated with a user of an account making a request is determined based on the received request. One or more operations to grant the user access to the one or more resources of the second account are determined based on the attributes. Access is provided to one or more resources of the second account according to the one or more operations to fulfill the request.

Abstract: This application relates to embodiments for providing a content stream to a device from a content server based on a protocol that is established between the device and an account server. The account server can initiate a session with the device and provide the device with a list of channels available for a user account associated with the device. When a channel is selected at the device, conditional access information can be provided from the account server to the device, which can thereafter relay the conditional access information to the content server. The content server can use the conditional access information to verify that the device has the appropriate permission to receive streaming content. In this way, because the conditional access information originates at the account server, permission to access streaming content can be managed by correspondence between the account server and the device, rather than the content server.

Abstract: The disclosed computer-implemented method for preventing sharing of sensitive content in image data on a closed computing platform may include (i) detecting initiation of a network connection for sending network traffic data to a data storage service on the closed computing platform, (ii) monitoring the sending of the network traffic data to identify a target traffic indicator associated with image data, (iii) interrupting the sending of the network traffic data upon identifying the target traffic indicator, (iv) analyzing the image data to identify sensitive content, and (v) performing a security action that protects against the sensitive content being shared to the data storage service on the closed computing platform. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In an embodiment, another general aspect includes a method including, by a compliance bot deployed on a computer system including a system of bots, monitoring the system of bots for deployment activity. The method also includes, responsive to the monitoring, identifying activity indicative of deployment of a particular bot. The method also includes determining an automation type of the particular bot. The method also includes retrieving compliance rules corresponding to the automation type of the particular bot. The method also includes retrieving data from the particular bot. The method also includes automatically checking compliance of the particular bot with the compliance rules based on the retrieved data. The method also includes, responsive to a determination that the particular bot is noncompliant, automatically invalidating the particular bot.

Abstract: Systems and methods of memory operation that provide a hardware-based reset of an unresponsive memory device are disclosed. In one embodiment, an exemplary system may comprise a semiconductor memory device having a memory array, a controller that may include a firmware component for controlling memory operations, and a reset circuit including power-up circuitry and timeout circuitry. The reset circuit may be configured to detect when the memory device is in a non-responsive state and reset the memory device without using any internal controller components potentially impacted/affected by the non-responsive state.

Abstract: A method includes identifying an impersonating message, transmitted over a Controller Area Network (CAN) bus by an attacking node connected to the bus, that appears to originate from a source other than the attacking node. The method further includes, in response to identifying the impersonating message, driving the attacking node into an error-passive state in which an ability of the attacking node to communicate over the bus is limited, relative to before entering the error-passive state. The method further includes, subsequently to driving the attacking node into the error-passive state, driving the attacking node into a bus-off state in which the attacking node cannot communicate over the bus, by transmitting, over the bus, a plurality of passive-error-flag-trumping messages that collide with, and trump, respective instances of a passive-error flag that the attacking node transmits over the bus. Other embodiments are also described.

Abstract: An operation control method for a vehicle infotainment system for enabling phone projection to be automatically executed during a connection between a head unit of a vehicle and a smart device, and the method comprises: a phone projection setting step of allowing any one of a plurality of phone projections mounted on a head unit of a vehicle to be set; a step of connecting a first smart device to the head unit of a vehicle; a step of determining whether the first smart device connected to the head unit of a vehicle supports the phone projection set in the phone projection setting step; and a step of executing the set phone projection if the first smart device supports the set phone projection, according to the determination result.

Abstract: A system notification service control method, apparatus, a terminal device, and a storage medium are described. The system notification service control method may include detecting whether an application initiates a registration for a system notification reading permission; in response to detecting that the application initiates the registration for the system notification reading permission, determining whether the application meets a registration condition; and prohibiting the application from registering for the system notification reading permission when the application does not meet the registration condition.

Abstract: Examples associated with application approval are described. One example includes receiving an application package. The application package contains an application from a service provider and a privacy description for the application from a review provider. The application operates on private data controlled by a user. The application package is validated to ensure components of the application package is properly credentialed. An application summary for the user is generated from the privacy description. The application summary describes what portions of private data will be accessed by the application and how portions of the private data will be transmitted. An authorization is received from the user, and execution of the application is controlled based on the authorization of the user.

Abstract: A semiconductor device includes: a memory device; and a storage controller. The storage controller includes a flash controller performing data operations on the memory device, and a processor executing a real-time operating system (RTOS) for controlling the flash controller, wherein the RTOS receives expiration time information of data from a host and performs at least one of the data operations using a scheduler based on the expiration time information.

Abstract: A first set of data associated with one or more data stores is received. A distance from a representation of a subset of the first set of data to at least a second representation of another set of data in vector space is identified. In response to the identifying of the distance, the first set of data is anonymized. The anonymizing includes adding noise to at least some of the first set of data.

Abstract: Embodiments provides a method for facilitating a client-server communication using cyclic tokens. The method includes receiving a request for token generation from a client device, generating a token in response to the request for token generation, and sending the token and a number of sub-tokens to be formed from the token to client device. The method includes establishing a cyclic token by token server for client device, where establishing includes generating a plurality of sub-tokens from the token based on the number of sub-tokens. Method further includes sending the plurality of sub-tokens of token to client device in an order defined by a sequence, and recording the plurality of sub-tokens in an order defined by the sequence as cyclic token. The method further includes facilitating validation of cyclic token upon receipt of sub-tokens in order of sequence as part of token validation request from an application server for client device.

Abstract: In accordance with an embodiment, described herein is a system and method for providing security services using a security configuration template in a multi-tenant environment. The system can load a security configuration template in memory when the multi-tenant environment starts, and can use the security configuration template to create a multi-headed tree to represent tenant-specific security configurations. Each head of the multi-headed tree can represent a root node of either the security configuration template or a tenant-specific security configuration. Each tenant-specific security configuration can reuse one or more nodes in the security configuration template by referencing those nodes, and can include one or more new nodes created from the security configuration template by replacing each placeholder therein with tenant-specific values.

Abstract: A system for communication between two or more computer programs is disclosed. The system includes a memory, an interface, and a processor. The memory stores a first file, expected metadata for the first file, and expected metadata for one or more fields in the first file. The interface receives a file from a computer program. The file comprises fields that each comprise information provided by one or more sources. The processor executes a second computer program which extracts a first set of file metadata from the received file, compares the extracted first set of file metadata to the expected metadata, and determines if the extracted first set of file metadata corresponds to the expected metadata. If the extracted first set of file metadata corresponds to the expected metadata for the first file, then the processor performs analogous comparisons at a field level and stores the first file in the memory.

Abstract: A method for managing personal data of a user of a user device is provided. The user device is adapted to have installed thereon an application (APP). The APP is configured to require access to the personal data when running on the user device. The method comprises creating a certification for the APP, the certification being based on a corresponding statement providing information regarding the relationship between the APP and personal data; associating the certification to the APP for certifying the APP; allowing the user to provide user-defined policies about exploiting the user personal data; checking whether the user-defined policies provided by the user are compatible with requirements of the APP defined in the corresponding statement. If the user-defined policies are compatible with the requirements of the APP defined in the statement, the method executes operations when the APP running on the user device requires to access personal data.

Abstract: A method for creating a secure document, registering the secure document and verifying the authenticity of the secure document includes receiving a print object that has content. A security feature, including an identifier, is created and is associated with the content. The identifier may be a barcode. The barcode may represent a character string. The security feature may include the identifier barcode and a decoy barcode that is not associated with the content. The identifier barcode (or the character string represented by the barcode) and the content are transmitted to a database for storage. Once stored, the identifier and the content are considered to be registered. A print object that includes the security feature and the content is then transmitted to a printer for printing.

Abstract: Disclosed herein are a method of transferring data in a parallel system including a main device and at least one accelerator, and a parallel system for performing the method. The method of transferring data in a heterogeneous system including a main device and at least one accelerator includes: turning off a write permission for a first main memory area corresponding to a first accelerator memory area where input data for a computation task is stored; performing the computation task by using the at least one accelerator; and turning off a read permission for a second main memory area corresponding to a second accelerator memory area where output data for the computation task is stored, in the state in which data of the second accelerator memory area has not been transferred to the second main memory area.

Abstract: Customized data management may include an example method which provides identifying data being accessed by at least one user device, retrieving a user profile associated with the user device, identifying access rights associated with the user profile, modifying the data by obscuring at least a portion of the data based on the access rights of the user profile.

Abstract: According to some embodiment, a microservice architecture is instantiated in accordance with a predefined framework to perform monitoring services of a first system and a second system. The microservice architecture includes one or more microservices. The microservice architecture is segmented into groups of microservices. Each group of microservices is represented by a subset of the predefined framework. A first group of microservices is deployed to the first system. A second group of microservices is deployed to the second system.

Abstract: In one embodiment, a method includes identifying a plurality of segments of media content, each of the plurality of segments including a plurality of media frames, generating segment metadata for each of the plurality of segments, the segment metadata including a segment identifier, transmitting a broadcast stream including the plurality of segments and the segment metadata for each of the plurality of segments, and making the plurality of segments available for retrieval via a unicast stream using the segment identifiers.

Abstract: Managing data in a file system with a verification engine that may obtain a user identifier associated with a user, an object identifier, and a target object. The verification engine may determine target identities associated with two or more file system protocols based on the user identifier. The verification engine may determine permission entries associated with the two or more file system protocols associated and the target object. The verification engine may employ the target identities and the permission entries to directly verify access rights to the target object for the user. Accordingly, the verification engine may provide a report that includes the target identities, the permission entries, or the access rights.