Patents Examined by Jason Lee
  • Patent number: 9686267
    Abstract: A client system associated with a user includes at least one hardware processor configured to initiate the following operations. A modified login page is received from a proxy hardware system. An asynchronous engine is loaded by a browser system executing on the client system and caused by a routine from the modified login page. A login process with an authentication profiling service is executed, using the asynchronous engine, to retrieve login information for a back-end server. The authentication process with the back-end server is completed using the asynchronous engine. The modified login page is generated by the proxy hardware system by adding the routine to a login page being sent from the back-end server to the browser.
    Type: Grant
    Filed: July 25, 2016
    Date of Patent: June 20, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gianluca Gargaro, Gaetano Ruggiero, Patrizio Trinchini
  • Patent number: 9679289
    Abstract: A hybrid device includes a personal digital key (PDK) and a receiver-decoder circuit (RDC). The PDK and RDC of the hybrid device are coupled for communication with each other. In one embodiment, the hybrid device also provides a physical interconnect for connecting to other devices to send and receive control signals and data, and receive power. The hybrid device operates in one of several modes including PDK only, RDC only, or PDK and RDC. This allows a variety of system configurations for mixed operation including: PDK/RDC, RDC/RDC or PDK/PDK. The present invention also includes a number of system configurations for use of the hybrid device including: use of the hybrid device in a cell phone; simultaneous use of the PDK and the RDC functionality of the hybrid device; use of multiple links of the hybrid device to generate an authorization signal; use of multiple PDK links to the hybrid device to generate an authorization signal; and use of the hybrid device for authorization inheritance.
    Type: Grant
    Filed: December 7, 2015
    Date of Patent: June 13, 2017
    Inventor: David L. Brown
  • Patent number: 9680699
    Abstract: A device, method, computer program product, and network subsystem are described for associating a first mobile agent with a first security policy and a second mobile agent with a second security policy or for providing a first agent with code for responding to situational information about the first agent and about a second agent and for evaluating a received message at least in response to an indication of the first security policy and to an indication of the second security policy or for deploying the first agent.
    Type: Grant
    Filed: November 3, 2015
    Date of Patent: June 13, 2017
    Assignee: Invention Science Fund I, LLC
    Inventors: Alexander J. Cohen, Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, William Henry Mangione-Smith
  • Patent number: 9667423
    Abstract: Techniques for accelerated authentication include receiving first data that indicates a first portion of user credentials for a first user but not a second portion. It is verified whether the first portion of user credentials is valid. If the first portion of user credentials is valid, then second data that indicates a valid value for the second portion of user credentials for the first user is sent. Other techniques include receiving first data that indicates a first portion of user credentials for a first user but not a second portion of user credentials for the first user. A first message that indicates the first portion of user credentials is sent to a remote process that initiates authentication of the first user based on the first portion of user credentials before receiving second data that indicates the second portion of user credentials for the first user.
    Type: Grant
    Filed: September 27, 2010
    Date of Patent: May 30, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Yan Fu, Nadarajah Asokan, Ville Aarni
  • Patent number: 9661025
    Abstract: Methods and apparatuses for identifying and detecting threats to an enterprise or e-commerce system are disclosed, including grouping log lines belonging to one or more log line parameters from one or more enterprise or e-commerce system data sources and/or from incoming data traffic to the enterprise or e-commerce system; extracting one or more features from the grouped log lines into one or more features tables; using one or more statistical models on the one or more features tables to identify statistical outliers; labeling the statistical outliers to create one or more labeled features tables; using the one or more labeled features tables to create one or more rules for identifying threats to the enterprise or e-commerce system; and using the one or more rules on incoming enterprise or e-commerce system data traffic to detect threats to the enterprise or e-commerce system. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 7, 2016
    Date of Patent: May 23, 2017
    Assignee: PATTERNEX, INC.
    Inventors: Constantinos Bassias, Vamsi Korrapati, Uday Veeramachaneni
  • Patent number: 9659184
    Abstract: In the approaches described herein, a data file storage service may control access to file system objects using corresponding “personal” or organization-related “work” identity information which may include encryption keys or passwords. To assist the user with identifying respective file system objects, the user is presented with a corresponding graphical user interface (GUI) which displays a corresponding personal or work identity icon next to a visual rendering of the file system objects. Keys that control access to work identity files and folders are purged from a local key store as soon as user authorization changes are detected. In this way, even a user who originated a data file will not be able to decrypt files stored in a folder shared using a work identity once that identity is canceled by the organization, while at the same time, the user's access to their personal files may continue.
    Type: Grant
    Filed: April 17, 2015
    Date of Patent: May 23, 2017
    Assignee: nCrypted Cloud LLC
    Inventors: Igor Odnovorov, Nicholas Stamos
  • Patent number: 9661008
    Abstract: A network monitoring apparatus includes a log collecting unit and a log analyzing unit. The log collecting unit collects log information related to passing packets from at least one of a FW and a proxy server, which are included in a network, for packets transferred in the network. The log analyzing unit extracts log information satisfying a predetermined condition in a predetermined time period by analyzing, over time, the log information collected by the log collecting unit.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: May 23, 2017
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Kensuke Nakata
  • Patent number: 9652465
    Abstract: One embodiment provides a method, comprising: receiving, from a client device, a request by a user to access an aggregate service device; authenticating, at an aggregate service device, the user to provide access to a plurality of cloud storage accounts of the user hosted by a single cloud storage service; providing, by the aggregate service device, data analogous to data of the plurality of cloud storage accounts; receiving, by the aggregate service device, a selection of data accessible by the user from the plurality of cloud storage accounts of the user; and facilitating data transfer associated with the selection.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: May 16, 2017
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Philip L. Childs, Eric Todd Marshall, Jose Roberto Rodriguez, Matthew Jacyno, Greyson Craig Davis, Tony Eugene Thompson, Carmelo Antonio Gazzia, Timothy Mark Robbins, Mei-Wen Sun
  • Patent number: 9654488
    Abstract: In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: May 16, 2017
    Assignee: Sophos Limited
    Inventors: Fraser Howard, Paul Baccas, Vanja Svajcer, Benjamin John Godwood, William James McCourt
  • Patent number: 9645762
    Abstract: An exemplary system preserves the autonomy of two or more distinct storage management systems all the while enabling backed up data to be restored from a first storage management system (the “local system”) to a specially-configured client in a second storage management system (the “remote system”). For example, backed up data in the local system (e.g., a secondary copy of production data) may be transferred, in a restore operation, from secondary storage in the local storage management system, which originated the data, to a client of the remote storage management system (the “remote client”). As a specially-configured “restore-only client,” the remote client is limited to receiving backed up data from the local storage management system, via restore operation(s) managed by the local storage manager. The remote client remains a full-fledged client in its home system, the remote storage management system.
    Type: Grant
    Filed: August 9, 2016
    Date of Patent: May 9, 2017
    Assignee: Commvault Systems, Inc.
    Inventors: Prasad Nara, Michael F. Klose
  • Patent number: 9646169
    Abstract: In accordance with disclosed embodiments, there are provided methods, systems, and apparatuses for implementing cross organizational data sharing including, for example, means for storing customer organization data in a database of the host organization; allocating at least a sub-set of the customer organization data to be shared as shared data; configuring a hub to expose the shared data to a proxy user and configuring the proxy user at the hub with access rights to the shared data; configuring one or more spokes with access rights to the shared data of the hub via the proxy user; receiving a request from one of the hubs for access to the shared data of the customer organization via the proxy user at the hub; and returning a response to the hub having made the request. Other related embodiments are disclosed.
    Type: Grant
    Filed: November 10, 2015
    Date of Patent: May 9, 2017
    Assignee: salesforce.com, inc.
    Inventors: Simon Y. Wong, Igor Tsyganskiy, Patrick John Calahan, Alexandre Hersans
  • Patent number: 9648003
    Abstract: Delegating authorizations sufficient to access services is contemplated. The authorization may be delegated in the form of a token or other transmissible construct relied upon to authenticate access to services, such as but not necessarily limited to conferring a user identity established via an authenticated device for the purposes of enabling an unauthenticated or unsecured device to access a service associated with the user identity.
    Type: Grant
    Filed: January 23, 2015
    Date of Patent: May 9, 2017
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Robert M. Lund, Steven E. Johnson
  • Patent number: 9641327
    Abstract: Methods and systems are provided for supporting efficient and secure “Machine-to-Machine” (M2M) communications using a module, a server, and an application. A module can communicate with the server by accessing the Internet, and the module can include a sensor and/or an actuator. The module, server, and application can utilize public key infrastructure (PKI) such as public keys and private keys. The module can internally derive pairs of private/public keys using cryptographic algorithms and a first set of parameters. A server can authenticate the submission of derived public keys and an associated module identity. The server can use a first server private key and a second set of parameters to (i) send module data to the application and (ii) receive module instructions from the application. The server can use a second server private key and the first set of parameters to communicate with the module.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: May 2, 2017
    Assignee: M2M and IoT Technologies, LLC
    Inventor: John A. Nix
  • Patent number: 9641531
    Abstract: The embodiments herein relate to a method in an AAA server (103) for enabling authorization of a wireless device (101) to access a first network (100a) while simultaneously accessing a second network (100b). The AAA server (103) retrieves information identifying a current SGSN (108) currently serving the wireless device (101) in the second network (100b). When the AAA server (103) retrieves authorization information for the wireless device's (101) access to the first network (100a) from a HLR (105), the AAA server (103) indicates the current SGSN (108) as a new SGSN to the HLR (105). The indication is to be interpreted by the HLR (105) as an update of location information or a refresh procedure from the current SGSN (108).
    Type: Grant
    Filed: February 17, 2015
    Date of Patent: May 2, 2017
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Christofer Lindheimer, Jari Vikberg, Ruben Cantano Requena, Ping Chen
  • Patent number: 9634991
    Abstract: A method, an apparatus, a host, and a network system for processing a packet. The method includes receiving, by a physical host through a virtual bridge in the physical host, a network packet sent by a source virtual machine in the physical host, where the network packet carries a source media access control (MAC) address and a target MAC address; obtaining, by the physical host according to the source MAC address and the target MAC address by querying correspondence between each virtual machine MAC address and a security domain, a security domain to which the source virtual machine corresponds and a security domain to which a target virtual machine corresponds; and controlling, by the physical host, the virtual bridge to discard the network packet, when the security domain to which the source virtual machine corresponds is different from a security domain corresponding to the virtual bridge.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: April 25, 2017
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yuchen Wang, Xueping Wu
  • Patent number: 9633655
    Abstract: Methods for voice sensing and keyword analysis are provided. An example method allows for causing a mobile device to transition to a second power mode, from a first power mode, in response to a first acoustic signal. The method includes authenticating a user based at least in part on a second acoustic signal. While authenticating the user, the second acoustic signal is compared to a spoken keyword. The spoken keyword is analyzed for authentication strength based on the length of the spoken keyword, quality of a series of phonemes used to represent the spoken keyword, and likelihood of the series of phonemes to be detected by a voice sensing. While receiving the first and second acoustic signals, a signal to noise ratio (SNR) is determined. The SNR is used to adjust sensitivity of a detection threshold of a voice sensing.
    Type: Grant
    Filed: May 22, 2014
    Date of Patent: April 25, 2017
    Assignee: Knowles Electronics, LLC
    Inventors: Peter Santos, David Klein, Hong You, Jean Laroche, Michael M. Goodwin, Sridhar Krishna Nemala, Umit Yapanel, Ye Jiang
  • Patent number: 9619615
    Abstract: A system for confidentially retrieving data from a person, such as by authorized personnel. One embodiment provides a data carrier item such as jewelry, having encrypted data imparted upon the item in a manner that is only intelligible after being unencrypted. Such data can be encrypted and/or invisibly disposed such that the data is not identifiable by the public, but can be quickly and accurately retrieved by authorized personnel.
    Type: Grant
    Filed: December 23, 2015
    Date of Patent: April 11, 2017
    Assignee: LifeQode, LLC
    Inventor: Michael P. Lacey
  • Patent number: 9608825
    Abstract: This application is directed to trusted platform module certification and attestation utilizing an anonymous key system. In general, TPM certification and TPM attestation may be supported in a device utilizing integrated TPM through the use of anonymous key system (AKS) certification. An example device may comprise at least combined AKS and TPM resources that load AKS and TPM firmware (FW) into a runtime environment that may further include at least an operating system (OS) encryption module, an AKS service module and a TPM Certification and Attestation (CA) module. For TPM certification, the CA module may interact with the other modules in the runtime environment to generate a TPM certificate, signed by an AKS certificate, that may be transmitted to a certification platform for validation. For TPM attestation, the CA module may cause TPM credentials to be provided to the attestation platform for validation along with the TPM and/or AKS certificates.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: March 28, 2017
    Assignee: Intel Corporation
    Inventors: Nitin V. Sarangdhar, Daniel Nemiroff, Ned M. Smith, Ernie Brickell, Jiangtao Li
  • Patent number: 9609008
    Abstract: In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: March 28, 2017
    Assignee: Sophos Limited
    Inventors: Fraser Howard, Paul Baccas, Vanja Svajcer, Benjamin John Godwood, William James McCourt
  • Patent number: 9607154
    Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.
    Type: Grant
    Filed: September 22, 2013
    Date of Patent: March 28, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paolina Centonze, Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Omer Tripp