Abstract: Providing an end-to-end citizen engagement, in one aspect, may comprise obtaining data of multiple disintegrated sources from one or more of communication and social computing channels via one or more adapters. Data refactoring and management, integration and process orchestration of the data according to a data model as data attributes of the data model may be provided. One or more analytics may be performed based on the data attributes stored according to the data model and input specified to the one or more analytics. One or more results computed by performing the one or more analytics may be provided. One or more application logics supporting one or more front-end applications may be produced. One or more front-end applications for automated sensing of user activities and sensor-based individual assistant capability may be provided.

Abstract: Techniques for reviewing transaction information are provided. A reviewer computer can review transactions that are marked for review by a resource provider. The reviewer computer can review the transaction based on user information obtained from third party servers. The reviewer computer can also review the transaction based on historical transaction information obtained from a history database. The reviewer computer can aggregated the user information and the historical transaction information in order to generated a consolidated view.

Abstract: While managing private data in cognitive surveys, a method, system, and computer program product may deploy a set of gather agents. Access credentials for a plurality of participants may be obtained from an encrypted data store and verified. The set of gather agents may gather a set of target data associated with the plurality of participants, and the set of target data may be collected according to a set of policy criteria. It may be determined whether one or more participants of the plurality of participants has requested to review a subset of the target data, and those participants may be prompted to review the subset of target data. It may be determined whether the one or more participants rejected the subset of target data. The subset of target data may be filtered, and the filtered subset of target data may be posted to a results database.

Abstract: A device that includes a network interface configured to communicate with a remote database and a memory operable to store a set of applications. The device further includes an authentication engine implemented by a processor. The authentication engine is configured to receive log-in credentials for a user on a first application, to send a user information request to the remote database, and to receive user information in response to sending the request. The authentication engine is further configured to send a user profile information request to a second application and to receive user profile information in response to sending the request. The authentication engine is further configured to identify corresponding information between the user information and the user profile information, to determine that at least a portion of the corresponding information between the user information and the user profile information matches, and to authenticate the user in response to determination.

Abstract: In response to detected attempts to gain unauthorized access to user accounts of an online system, a security module of an online system applies an attack response policy to take actions in response to the attempts. Possible responses of the policy include reordering credential types requested by the online system during multi-factor authentication-enabled login, switching to a mode in which login requests are accepted but login is not permitted for the requesting user, and logging information about the login requests. Logged information may be applied to enhance the ability to prevent future unauthorized accesses, such as adding credential values to a list of common credential values and prohibiting users from associating those values with their accounts, or training a model based on the logged information to predict a probability that a given login request is unauthorized.

Abstract: There are provided systems and methods for vehicle identification and device communication through directional wireless signaling. A user's device may include a directional wireless transceiver that may be used to provide wireless signaling in a specific target direction. The user may direct the device at a particular vehicle, where the vehicle may has a transceiver located within or attached to the vehicle that responds to the particular wireless signaling. The vehicle's transceiver may respond to the device of the user with a unique identifier that allows for communication with the vehicle's operator. The unique identifier may therefore allow for message content to be sent directly to a device for the vehicle's operator, or may allow for a service provider to process the message. Additionally, the vehicle's operator may establish privacy settings for communications, which may be utilized to determine whether the message content will be provided to the device.

Abstract: Multiple profiles are received in association with a first user account in an asynchronous messaging system. One or more of the profiles are associated with other user accounts. The associated profiles are transmitted to user clients associated with the other user accounts for storage as a local copy. The association may include inclusion in a contact list of the first user, or a contact list of the other users. The associated profiles are transmitted when messages are sent from the first account to the other user clients, or the profiles are created or updated. A public profile may include a version identifier which is updated when the public profile is updated. Updates to local copies of the public profile at other user clients may occur only when a local copy of the associated version identifier indicates that the local profile is outdated, thereby reducing network traffic.

Abstract: A device and method to accurately detect list-based attacks without reducing the convenience for authorized users. An acquirer acquires information on accounts used for log-in trials to a plurality of websites. An analyzer calculates the degree of use of each account used in common for log-in trials to different websites in a predetermined period of time out of the accounts acquired by the acquirer and determine the log-in trials using the account to be attacks when the degree of use exceeds a predetermined threshold. A detector detects, as an attack, a log-in trial to the website using the same account as the account used for the log-in trials determined to be attacks by the analyzer.

Abstract: A method for operating an SDN-based mobile communication system, which includes a mobile network having a control plane and a data plane, with a network controller being implemented therebetween, includes: providing a control plane function that possesses information from an access network about location and/or proximity of devices and information about rules and/or policies for setting up sessions for the devices; and the network controller, by collaborative operations with the control plane function, selecting one or multiple data plane nodes that are, based on a particular device's request for session establishment, suitable to act as policy enforcement points for enforcing rules in the data plane that are for enabling connectivity for the particular device.

Abstract: A system and method comprising a server that automatically configures and sets up a restaurant's or business' information technology (IT) infrastructure, more specifically relating to point-of-sale devices (POS) and other networked devices such as scanners, tracking displays, and any other device that any business may use. Communication between the networked devices and the server is facilitated by a preconfigured router, wherein after initial communication with the server, the server may update firmware, operating parameters, and software packages of the preconfigured router and other networked devices.

Abstract: Account recovery control systems and methods are provided to support a self-service account recovery process for registered users of an information system. Account recovery protocols implement a secret sharing scheme between trusted referees and registered users of the information system to enable a registered user to regain access to the user's registered account when one or more authentication factors of the registered user are lost (e.g., forgotten, misplaced, damaged, stolen, etc.).

Abstract: A system for “horizontal” salting of database tables, text files, and data feeds utilizes a key field and character position within that field (the “Key Character”) and a Salting Field, which contains content that can legitimately be in one of at least two states without impacting the usefulness of the data. A unique identifier, which is assigned to the recipient of the data, is hidden within the data by using the variations of the states in the Salting Field to represent a binary 0 or 1, with the value of the Key Character identifying the bit position of the binary 0 or 1 within the unique identifier. This type of salting is invisible to the recipient of the data file, does not alter the accuracy of the data, and can be made unique for a particular party receiving data files or unique for each data file.

Abstract: Methods and systems for implementing single sign on (SSO) and/or conditional access for client applications are described herein. The system may comprise an identity provider gateway, and the system may authenticate a user of the client application using the identity provider gateway. In some aspects, a secure communication tunnel may be established between the client application and the identity provider gateway, and the secure communication tunnel may use, for example, a client certificate. The identity provider gateway may grant or deny the client application access to one or more resources based on information associated with the client certificate.

Abstract: A method of verifying the integrity of a virtual machine in a cloud computing deployment comprises: creating a virtual machine image derived from a trusted virtual machine, wherein the trusted virtual machine has a Keyless Signature Infrastructure signature stored in a signature store; and verifying that a computation resource can be trusted. If it is verified that a computation resource can be trusted, the method further comprises: submitting the virtual machine image to the trusted computation resource; checking a signature of the virtual machine image against the stored signature of the trusted virtual machine; launching the virtual machine image on the trusted computation resource, and creating a Keyless Signature Infrastructure signature of the virtual machine image; and storing the signature of the virtual machine image in a signature store.

Abstract: The current document is directed to reverse federated identity-management systems and to reverse-federated-identity-management methods employed by the reverse federated identity-management systems. The currently disclosed reverse-federated-identity-management systems automatically provision local proxy identities in distributed computers systems from which distributed resource-distribution systems allocate resources on behalf of users and clients of the distributed resource-distribution systems. In addition, the currently disclosed reverse-federated-identity-management systems automatically record associations of local proxy identities with users and clients of the distributed resource-distribution systems so that the users can be subsequently identified to auditing and monitoring organizations should the need for detailed auditing and monitoring subsequently arise.

Abstract: A system includes a plurality of servers, a control plane to determine a first partition of a plurality of devices and to determine a subset of the plurality of servers to assign as candidate servers for the first partition, and a common data store comprising a first stream and a second stream. The control plane is to store, in the first stream, a first message indicating the first partition, the candidate servers, the second stream, and a first message tag, the candidate servers elect a primary server of the first partition from the candidate servers using the first stream, and the elected primary server inserts read and write updates associated with the plurality of devices of the first partition into the second stream.

Abstract: Technology is described for registering Internet of Things (IoT) devices. A hub device may receive a request for hub registration from an IoT device. The request for hub registration may include IoT device information. The hub device may validate the request for hub registration at the hub device based on the IoT device information. The hub device may retrieve registration information from an IoT service. The registration information may include a dedicated security certificate for the IoT device. The hub device may forward the registration information to the IoT device to enable the IoT device to communicate IoT device data to the IoT service.

Abstract: A system for determining a calculation utilizing differential privacy including an interface and a processor. The interface is configured to receive a request to determine a result of a calculation using multitenanted data. The processor is configured to determine result data by performing the calculation on the multitenanted data; determine a deterministic modification in the event that the deterministic modification is needed to ensure privacy; modify the result data using the deterministic modification to determine modified result data; and provide the modified result data.

Abstract: The systems, methods and apparatuses described herein provide a computing device that is configured to attest itself to a communication partner. In one aspect, the computing device may comprise a communication port configured to receive an attestation request from the communication partner, and an application-specific integrated circuit (ASIC). The ASIC may be configured to receive the attestation request from the communication port. The attestation request may include a nonce generated at the communication partner. The ASIC may be further generate a verification value and send the verification value to the communication port to be transmitted back to the communication partner. The verification value may be a computation result of a predefined function taking the nonce as an initial value. In another aspect, the communication partner is configured to attest the computing device using speed of computation attestation.

Abstract: A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method begins by determining a DSN node configuration automatically during deployment. The method continues by modifying the DSN node configuration to enable/disable specific hardware features. The method continues by modifying the DSN node configuration to test hardware failure scenarios. The method continues by modifying the DSN node configuration for component replacement procedures. The method continues by reporting the modified DSN node configuration to a DSN management unit and providing a status on component and health of the DSN node to an operator of the DSN.

Abstract: Embodiments of the present disclosure are directed to, among other things, improving data security with respect to data collection, verification, and authentication techniques associated with obtaining and transmitting identity information. For example, an identity credential may be secured using biometric information associated with a user, the biometric information being obtained using a first biometric input method of a plurality of biometric input methods. When the user is later authenticated, the authentication may be based at least in part on determining that the user has selected a biometric input method that matches the biometric input method used to secure the credential as well as providing biometric information that matches the biometric information used to secure the identity credential.

Abstract: Authentication with security in wireless networks may be provided. A first confirm message comprising a first send-confirm element and a first confirm element may be received. Next, an Authenticator Number Used Once (ANonce) may be generated and a second confirm message may be sent comprising the ANonce, a second send-confirm element, and a second confirm element. Then an association request may be received comprising a Supplicant Number Used Once (SNonce) and a Message Integrity Code (MIC). An association response may be sent comprising an encrypted Group Temporal Key (GTK), an encrypted Integrity Group Temporal Key (IGTK), the ANonce, and the MIC. An acknowledgment may be received comprising the MIC in an Extensible Authentication Protocol (EAP) over LAN (EAPoL) key frame and a controller port may be unblocked in response to receiving the acknowledgment.

Abstract: Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device over secure authentication means with a certificate that confirms a device identity. After authenticating the device, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to devices that have not already authenticated using a certificate. After providing approved credentials to the captive portal, the user can access the network. This embodiment and additional embodiments are readily integrated into private wireless networks and others.

Abstract: A device comprises: a receiver configured to receive a client certificate; a processor coupled to the receiver and configured to: authenticate the client certificate, extract, in response to the authentication, attributes from the client certificate, and create, in response to the extraction, a message comprising reformatted attributes based on the attributes, wherein the reformatted attributes can be trusted; and a transmitter coupled to the processor and configured to transmit the message. A device comprises: a processor configured to: process a client certificate comprising a certificate identifier (ID) attribute, a tenant ID attribute, and a role ID attribute, and package the client certificate in a request for a shared service; and a transmitter coupled to the processor and configured to transmit the request.

Abstract: Embodiments of the present invention provide an automated network security system for dynamically managing network security rules. The system uses a cognitive engine to capture network traffic and analyze behavioral data about said network traffic. Based on analysis of the behavioral data, the system may identify one or more vulnerabilities in the network security system and determine one or more changes to the network security rules to remedy the one or more vulnerabilities. The system further uses a robotic process automation system to test and simulate the one or more changes.

Abstract: Among other things, this document describes systems, methods, and apparatus for monitoring and protecting a user credential issued by an organization when that credential is used outside that organization's network security perimeter. For example, a reverse proxy server (RPS) receives a client request directed to a content provider's site. The RPS initiates a process that involves parsing the request message and extracting a user credential. The RPS locates a credential policy from the credential owner based on the user credential. The RPS can issue an API request to a credential service that is authoritative for the credential. That credential service may return a directive to the RPS specifying how to handle the client request message. Preferably, the operation is transparent to the content provider whose site was the target of the client's request message. Activity records can be presented in visualizations that enhance security analysts' tactical comprehension at a glance.

Abstract: A technique and system provide protection to a protected document while being viewed on a Web browser or mobile application on a mobile device, such as a smartphone or tablet. Methods, techniques, and systems control access to protected documents and use of content in protected documents to support information management policies.

Abstract: A vehicle includes a controller, programmed to responsive to wirelessly connecting to a mobile device using a mobile credential issued from a server within a time frame specified in the mobile credential, issue an access token to the mobile device, and responsive to receiving a command authorized by the access token from the mobile device, route the command to a vehicle subsystem for execution.

Abstract: Methods, apparatus, and systems are provided to secure access to an account of a user. The account may have a system administrator. The user may have a credential for accessing the secure data on the account. The methods, apparatus, and systems involve setting a universal reset credential associated with the account, denying the system administrator of the account permission to change the first credential of the access feature, and permitting the system administrator to reset the access feature from the first credential to the universal reset credential.

Abstract: Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.

Abstract: The present disclosure relates to techniques for helping targeted users determine whether it is safe to supply personal information requested by a web site. In one embodiment, a method generally includes extracting textual content from a web page that requests information from a user and determining, based on the textual content, the type of information requested. A service type the web page provides is also determined based on the textual content. The service type and the information type are then compared to a set of predefined rules to determine a risk level associated with the web page. A visual indicator of the risk level is then displayed with the web page.

Abstract: Technology for interoperability is disclosed by enabling the sharing of application state data for an application experience across computing devices, operating systems, applications, or locations. In one aspect, a secondary application shares encrypted state data along with a non-encrypted hint that describes the application experience reflected in the state data with a primary application. The primary application is then able to use the hint to determine that a user is interested in returning to the experience in the secondary application. The primary application then transfers the encrypted state data to the secondary application which uses the state data to return the application to the application experience. A platform and application programming interface (API) are provided for computer applications and services to store and retrieve application state data associated with an event.

Abstract: There is disclosed a method of establishing trust between an agent device and a verification apparatus, the method comprising: obtaining, at the agent device, a trust credential, wherein the trust credential relates to an aspect of the agent device and comprises authentication information for identifying at least one party trusted by the verification apparatus and/or device data relating to the agent device; transmitting, from the agent device to the verification apparatus, the trust credential; obtaining, at the verification apparatus, the trust credential; analysing, at the verification apparatus, the trust credential; determining, at the verification apparatus, whether the agent device is trusted based on the analysis; and responsive to determining the agent device is trusted, establishing trust between the agent device and the verification apparatus.

Abstract: Embodiments of the present invention enable setup synchronization of an end user medical device such as a blood glucose meter. Some embodiments may include a controller including a memory; a transceiver operatively coupled to the controller; and a host computer interface operative to couple the controller to a host computer, wherein the memory is operative to store instructions executable on the controller. The instructions are adapted to cause the controller to scan for an advertising medical device using the transceiver, establish a communications connection with a medical device advertising for synchronization, and transmit synchronization data to a medical device once a communication connection has been estabilshed. Numerous other aspects are disclosed.

Abstract: A shared communication system associates a plurality of owner profiles with the device and processes user interaction requests based on information included in the owner profiles. The communication system classifies incoming requests based on whether the results of a request should be personal to one user, shared among several users, or generic to all users, and processes requests according to the classification. In one embodiment, the user request is targeted at establishing a video call session between a user of the communication system and one or more other target recipient users of a communications system. The communication system determines which user to associate with the outgoing video call based on which user has the target recipient in an associated contacts list.

Abstract: A system and method for a secure remote payments process and for generation of one-time only remote payment cards is presented. Use of the one-time payment (OTP) cards can use multi-factor authentication where one factor is a biometric technique. A process can include generating an OTP card number based on a first encryption algorithm, an expiry date, and a security code based on a second encryption algorithm. A purchase amount, and the OTP card information are decrypted by an issuer to approve payment for a remote payment, after which the OTP card is no longer valid.

Abstract: An information processing system includes a first sound reception apparatus, a first server, and a second server. The first sound reception apparatus includes an input unit and a communication unit. The input unit receives an input password. The communication unit transmits the input password and identification information regarding the first sound reception apparatus. The second server includes a generation unit, a determination unit, and an information generation unit. The determination unit determines whether the input password and the generated password match. The information generation unit generates first association information on the basis of a result of the determination made by the determination unit.

Abstract: A computer security protection may be provided by dynamic computer system certification. User usage of a computer system may be monitored. Based on the monitoring a role of the user in the usage of the computer system is determined. A certification required for the role and whether the user has the certification sufficient for the role are determined. Responsive to determining that the user does not have the certification sufficient for the role, a certification process is initiated.

Abstract: A processing device in an illustrative embodiment includes a processor coupled to a memory and is configured to receive user credentials from a user device in conjunction with an access request, to apply one or more automated tests in order to determine one or more device identifiers of the user device, to generate a risk score for the access request based at least in part on the received user credentials and the one or more determined device identifiers, and to grant or deny the access request based at least in part on the risk score.

Abstract: A computer implemented method for controlling a device on a software defined network (SDN) in response to environmental data. The method comprises receiving environmental data. A master SDN controller is provided for controlling the SDN network. Control data is generated by the master SDN controller in response to the environmental data. A co-controller is generated by the master SDN controller containing the control data. The co-controller is dispatched to the device for residing thereon. The device is controlled in response to the control data.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, to provide digital identification. One of these methods includes comparing the location of a requester of a digital identification to the location of an owner of the digital identification. The method also includes providing information about the digital identification to the requester based at least in part on determining that the requester and the owner are within a predetermined distance.

Abstract: A verification information update method includes: receiving a first request message for binding to a smart device from a terminal device, the first request message carrying a universally unique identifier (UUID) of the smart device; determining a binding relationship between the UUID and a user identifier of the terminal device, and generating a session random number corresponding to the binding relationship; and generating a new verification number and a new verification password of the smart device based on the session random number. The technical solution of the present disclosure implement dynamic update of verification information during a session, thus increasing the difficulty in monitoring the verification information during update.

Abstract: A computer implemented method for controlling a software defined network (SDN). Comprising providing one or more voice-user interfaces which are configured for facilitating users controlling networked devices. Generating control data based on speech input received from users via the voice-user interfaces. Provising a master SDN controller for managing data flow control on the SDN network. The master SDN controller being operable to generate control data for the networked devices. Generating by the master SDN controller a plurality of discrete co-controllers each associated with a particular end user. Each SDN co-controller including at least one of control data and routing data for an associated networked device. Dispatching the SDN co-controller by the master SDN controller to the networked devices associated with the respective end users for controlling thereof. Installing the SDN co-controller on the networked devices.

Abstract: An emergency communication server is provided for collaboration of an emergency response. The server comprises a processing system including a processor. The processing system is configured to receive an input from an electronic device, the electronic device being operated by a member from an originating communication group, upon receipt of the input from the electronic device, generate a notification based on the received input and send the generated notification to at least one member in the originating communication group, determine one or more receiving communication groups for the received input, send the notification to at least one member in each of the determined one or more receiving communication groups, and enable the at least one member in each of the determined one or more receiving communication groups to communicate with one or more members of the originating communication group.

Abstract: Methods, apparatuses, and computer programs for increasing the efficiency of throughput in a communications network are disclosed. To maintain link throughput even when packet loss is detected, deep packet inspection data is used for determining whether to temporary elevate scheduling priority of a stream, and if the decision is to elevate, the scheduling priority of the stream is elevated temporarily. Thus, an example method includes detecting at an intermediate network node an incoming packet; determining deep packet inspection data from the packet; using the deep packet inspection data to determine whether to temporary elevate scheduling priority of the stream the packet belongs to; and causing, in response to determining to elevate scheduling priority of the stream, a temporary elevation of the scheduling priority of the stream.

Abstract: Disclosed are various approaches for relaying and caching authentication credentials. A single sign-on (SSO) token is received, the SSO token representing a user account authenticated with an identity manager. An authentication request is then sent to a service that is federated with the identity manager in response to receipt of the SSO token, the authentication request including the SSO token. An access token is received in response to the authentication request, the access token providing access to the service for the user account authenticated with the identity manager for a predefined period of time. The access token and a link between the access token and the SSO token are then cached.

Abstract: A method for enhancing customer authentication and consent for finalizing an offer to a customer of a product and/or a service is provided. The method may include using a first receiver to receive an authentication request from an initiator. The authentication request may include a customer name and a customer phone number. The method may also include using a first processor to generate a pin number and transmit the pin number to the customer phone number. The pin number may include an identifier associated with the product and/or service. The method may further include using a second receiver, included in a mobile phone, to receive the pin number, and using a second processor, included on the mobile phone, to authenticate the pin number. The authentication may include verifying a match between the customer phone number and a mobile phone number associated with the mobile phone.

Abstract: Disclosed herein is a technique for managing permissions associated with the control of a host device that are provided to a group of wireless devices. The host device is configured to pair with a first wireless device. In response to pairing with the first wireless device, the host device grants a first level of permissions for controlling the host device to the first wireless device. Subsequently, the host device can receive a second request from a second wireless device to pair with the host device. In response to pairing with the second wireless device, the host device can grant a second level of permissions for controlling the host device to second wireless device, where the second level of permissions is distinct from the first level of permissions.

Abstract: Temporary biometric templates for maintaining a user authenticated state are described herein. In some implementation, an electronic device receives an input to unlock using a first secure authentication technique to initiate a current unlock session. A temporary biometric template of a biometric feature of a user unlocking the electronic device is created effective to initiate a user authenticated state. The biometric feature of the user associated with the temporary biometric template is tracked during the current unlock session. The user authenticated state is maintained based on a comparison of the tracked biometric feature of the user with the biometric feature of the temporary biometric template. When the biometric feature of the user can no longer be tracked, the user authenticated state is terminated and the temporary biometric template is invalidated.

Abstract: Systems and methods for embodiments of a graph based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities or entitlements of a distributed networked enterprise computing environment. Specifically, in certain embodiments, an artificial intelligence based identity management systems may utilize the peer grouping of an identity graph (or peer grouping of portions or subgraphs thereof) to identify roles from peer groups or the like.