Patents Examined by Hilary Branske
  • Patent number: 8631477
    Abstract: Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor with the shared privileged account by deleting the shared ID authorization account.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Leanne L. Chen, Alexander P. Ames, Prema Vivekanandan
  • Patent number: 8631464
    Abstract: Method of detecting anomalous behavior in a computer network comprising the steps of: monitoring network traffic flowing in a computer network system; authenticating users to which network packets of the network traffic are associated; extracting parameters associated to the network packets for each user, said parameters including at least the type (T) of network services; forming symbols based on a combination of one or more of said parameters; and modeling and analyzing individual user behavior based on sequences of occurrence of said symbols (S).
    Type: Grant
    Filed: April 19, 2005
    Date of Patent: January 14, 2014
    Assignee: Ecole Polytechnique Fédérale de Lausanne (EPFL)
    Inventors: Omar Belakhdar, Pedro Bados, Boi Faltings
  • Patent number: 8631478
    Abstract: Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor with the shared privileged account by deleting the shared ID authorization account.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Leeanne L. Chen, Alexander P. Ames, Prema Vivekanandan
  • Patent number: 8627417
    Abstract: When a login request in which a network terminal serves as a login destination is received from an administrator terminal, a login request receiving unit of a login administration server causes the administrator terminal to transmit a shared account and fingerprint information. A search engine unit performs a search in an authentication table by using the account and the user fingerprint information as a key, and, when the authentication succeeds, acquires association data including a right upon successful authentication and a login permitted terminal from an association data table. A login request transmitting unit transmits a login request to the network terminal of the login destination so as to achieve login and imparts the right upon successful authentication. Furthermore, the login request transmitting unit transmits a login request to the unprocessed network terminal so as to achieve login and imparts the right upon successful authentication.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: January 7, 2014
    Assignee: Fujitsu Limited
    Inventor: Ken Aoyama
  • Patent number: 8588424
    Abstract: A communication apparatus includes an encryption key generation unit that generates encryption key information at constant encryption key generation intervals, a common key generation unit that generates common key information uniquely with respect to a generation time at common key generation intervals set longer than the encryption key generation intervals, a common key application unit that performs encryption or decryption of the encryption key information by using the common key information, and an encryption key distribution unit that makes a request to a data transmitting/receiving unit to distribute the encryption key information to a plurality of communication apparatuses to be communicated simultaneously at encryption key distribution intervals set shorter than the encryption key generation intervals to perform communication with higher security.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: November 19, 2013
    Assignee: Fujitsu Limited
    Inventors: Kenji Yamada, Tadashige Iwao, Hidefumi Takaoka, Syunsuke Koga
  • Patent number: 8566589
    Abstract: Method and apparatus for identifying a web server is described. In some examples, an initial request by a client to an intended web server is identified. A fingerprint for the intended web server is determined responsive to the initial request. A subsequent request by the client to the intended web server is detected. A response to the subsequent request is received from a responding web server. Verification of the responding web server as the intended web server is performed using the fingerprint.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: October 22, 2013
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 8561127
    Abstract: Classification of security sensitive information and application of customizable security policies are described, including classifying information as security sensitive information at an application level, the security sensitive information being associated with a security sensitive category, determining a security policy for the security sensitive information, the security policy being configured to secure the security sensitive information, and applying the security policy to the security sensitive information at the application level, the policy being based on the security sensitive category.
    Type: Grant
    Filed: March 1, 2006
    Date of Patent: October 15, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Sunil Agrawal, Vivek Hebbar
  • Patent number: 8559502
    Abstract: A device minimizes a quantization error in the inverse quantization of a quantized coefficient during a compression method, the quantization error describing a difference between the quantized coefficient after inverse quantization and an associated coefficient prior to quantization. According to the method, at least one parameter that is characteristic of the compression of the quantized coefficient is selected, (at least two characteristic parameters being selected if one of the two characteristic parameters corresponds to a temporal prediction mode), a correction value is chosen based on the selected characteristic parameter(s) and inverse quantization takes place after the correction value has been added to the quantized coefficient.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: October 15, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Peter Amon, Michael Kapralov
  • Patent number: 8555336
    Abstract: A system, method, and computer program product are provided for a pre-deactivation grace period. In operation, a deactivation request is detected for a deactivation event. Further, the commencement of the deactivation event is delayed for a predetermined time period, in response to the deactivation request. Additionally, the deactivation event is commenced, after the predetermined time period.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: October 8, 2013
    Assignee: McAfee, Inc.
    Inventors: Rajkaran Singh Dhesi, Simon Hunt, Paul Martin Parke
  • Patent number: 8555358
    Abstract: A secure electronic payment system and method for conducting a secure transaction using voice authentication is provided. A merchant's computer transmits an authorization request to an access control server. The access control server places a telephone call to the purchaser and performs voice authentication to confirm the identity of the purchaser. The access control server then transmits a response to the merchant's computer. If the purchaser is authorized to access the account, payment is processed by the merchant and the transaction is completed.
    Type: Grant
    Filed: March 7, 2008
    Date of Patent: October 8, 2013
    Assignee: MasterCard International Incorporated
    Inventor: John Wankmueller
  • Patent number: 8548160
    Abstract: One or more techniques and/or systems are disclosed that provide for determining mathematical pairings for a curve for use in cryptography. A plurality of inversions used for determining the mathematical pairings for the curve are aggregated (e.g., into a single inversion in respective levels of a binary tree representation of elements of the computation). The mathematical pairings for the curve are determined in affine coordinates from a binary representation of a scalar read from right to left using the aggregated plurality of inversions.
    Type: Grant
    Filed: January 13, 2010
    Date of Patent: October 1, 2013
    Assignee: Microsoft Corporation
    Inventors: Kristin Lauter, Peter Montgomery, Michael Naehrig
  • Patent number: 8549589
    Abstract: In one embodiment, a method includes receiving from a credential a credential-owner authentication information associated with an identity of an individual. An issuer validation information associated with an issuer of the credential is also received. The method also includes providing a plurality of options, including a first option associated with a first domain and a second option associated with a second domain mutually exclusive from the first domain. The method also includes sending to a portion of the first domain the credential-owner authentication information and the issuer validation information in response to the first option being selected.
    Type: Grant
    Filed: November 10, 2008
    Date of Patent: October 1, 2013
    Inventor: Jeff Stollman
  • Patent number: 8539578
    Abstract: A computer-implemented method for defending an attack from the execution of shellcode is described. Elements within a dynamically linked library (dll) may be duplicated. The dll resides in a first memory space. The duplicated elements may be redirected into a second memory space. A protection attribute may be established for the elements within the second memory space. A location of execution code attempting to access the elements within the second memory space may be determined. The execution code may be prevented from being executed based on the determined location.
    Type: Grant
    Filed: January 14, 2010
    Date of Patent: September 17, 2013
    Assignee: Symantec Corporation
    Inventors: Rong Zhou, Jerry Jing
  • Patent number: 8539565
    Abstract: Systems and methods to implement load balancing of connections to a server computer in a server collection are described. The server collection receives connection requests from remote clients over a network. A session broker evaluates one or more load parameters of the server computers in the server collection and, based on those load parameters, determines load associated with each server computer. The session broker redirects the connection requests to the server computer which has a lesser load.
    Type: Grant
    Filed: March 21, 2008
    Date of Patent: September 17, 2013
    Assignee: Microsoft Corporation
    Inventors: Rouslan Beletski, David T. Dopson, Sriram Sampath, Huei Chung Wang
  • Patent number: 8537904
    Abstract: The invention relates to a method of processing an image of a video image sequence, wherein it comprises the following successive steps: a step for computing a complexity value representative of the complexity of said image; a first step of morphological processing applied on said image, said first step generating a first processed image; a second step for mixing said image and said first processed image depending on said complexity value, said second step generating a mixed image; a third step of morphological processing applied on said mixed image, said third step generating a second processed image; and a fourth step for mixing said mixed image and said second processed image depending on said complexity value.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: September 17, 2013
    Assignee: Thomson Licensing
    Inventors: Jean-Yves Babonneau, Jacky Dieumegard, Olivier Le Meur
  • Patent number: 8533846
    Abstract: A method for dynamically associating, by a server, access rights with a resource includes the step of receiving, by the server, a request for a resource from a client. The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The server associates the resource with the plurality of access rights via a rights markup language. The server transmits the resource to the client with the identification of the associated plurality of access rights. An application program on the client makes an access control decision responsive to the associated plurality of access rights. The application program provides restricted access to the resource responsive to the access control decision.
    Type: Grant
    Filed: November 8, 2006
    Date of Patent: September 10, 2013
    Assignee: Citrix Systems, Inc.
    Inventor: Juan Rivera
  • Patent number: 8516261
    Abstract: A method for sending a message includes randomizing a signature generation key with a random number to calculate a randomized signature generation key, encrypting the random number with a public encryption key to calculate an encrypted random number, signing a message with the randomized signature generation key to calculate a signed message, and sending the signed message and the encrypted random number to a recipient.
    Type: Grant
    Filed: October 24, 2010
    Date of Patent: August 20, 2013
    Assignee: International Business Machines Corporation
    Inventor: Satoshi Hada
  • Patent number: 8510540
    Abstract: A method of accessing an image forming apparatus (IFA) or a multifunction printer (MFP) using a management device (MD) via a network, transmitting security information from the MD to the IFA, updating an original security configuration of the IFA with a new security configuration using the security information, using the new security configuration by the IFA, and confirming the new security configuration with the MD. After confirming, it is preferable the security information is deleted. Also, an IFA including a confirmation unit and a write protection unit for use with the method.
    Type: Grant
    Filed: January 21, 2009
    Date of Patent: August 13, 2013
    Assignee: Ricoh Company, Ltd.
    Inventors: Kazutaka Oba, Tomoki Hattori
  • Patent number: 8498417
    Abstract: A key management server in a storage area network (SAN) provides encryption keys for source and destination storage objects and also associates destination storage objects with source storage objects. When a source object is to be replicated, a replication facility in a storage system of a new destination object requests the key management server to associate the destination object with the source object and assign the data encryption key of the source object or a new data encryption key to the destination object. For recovery of the source object, a replication facility in the storage system of the source object obtains information from the key management server about the replica associated with the source object for replicating data from the destination object back to the source object.
    Type: Grant
    Filed: March 6, 2008
    Date of Patent: July 30, 2013
    Assignee: EMC Corporation
    Inventors: John S. Harwood, Joshua A. Rosenthol, Robert W. Griffin, John T. Fitzgerald, Thomas E. Linnell
  • Patent number: 8495383
    Abstract: The invention relates to a method in which program information is obtained to an execution environment in an electronic device. The program information comprises at least a program code. A key is computed of the program information and a device specific secret value. The key is used to decrypt program specific state data in the execution environment and to encrypt modified state data after the execution.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: July 23, 2013
    Assignee: Nokia Corporation
    Inventors: Jan-Erik Ekberg, Lauri Paatero