Patents Examined by Jason Gee
  • Patent number: 8561157
    Abstract: A method, system, and computer-readable storage medium are provided. Embodiments of the invention include receiving notification of a log-in event associated with a first login session wherein a user is authorized to access a resource of a computing system based on a credential. During the first login session and in response to determining the credential is valid, a second login session is established by granting the user access to a resource of an application associated with the computing system. During the first login session and in response to receiving information indicating an event has occurred, the second login session is terminated such that the user does not have access to the resource of the application. And during the first login session and in response to determining again that the credential is valid, a third login session is established by granting the user access to a resource of the application.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: October 15, 2013
    Assignee: Canon U.S.A., Inc.
    Inventor: Jiuyuan Ge
  • Patent number: 8555054
    Abstract: Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization's network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network.
    Type: Grant
    Filed: October 12, 2009
    Date of Patent: October 8, 2013
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Ted T. Kuo, Li-Jen Wang, Bo-chieh Yang, Simon E. M. Barber, Diana K. Smetters, Jeffrey D. Abramowitz, Andrea Peiro
  • Patent number: 8555386
    Abstract: Instructions of an application program are emulated such that they are carried out sequentially in a first virtual execution environment that represents the user-mode data processing of the operating system. A system API call requesting execution of a user-mode system function is detected. In response, the instructions of the user-mode system function called by the API are emulated according to a second emulation mode in which the instructions of the user-mode system function are carried out sequentially in a second virtual execution environment that represents the user-mode data processing of the operating system, including tracking certain processor and memory states affected by the instructions of the user-mode system function. Results of the emulating of the application program instructions according to the first emulation mode are analyzed for any presence of malicious code.
    Type: Grant
    Filed: November 26, 2012
    Date of Patent: October 8, 2013
    Assignee: Kaspersky Lab ZAO
    Inventor: Sergey Y. Belov
  • Patent number: 8544094
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to distributed computing for large data sets on clusters of computers and provide a novel and non-obvious method, system and computer program product for detecting and correcting malicious nodes in a cloud computing environment (e.g., MapReduce computing). In one embodiment of the invention, a computer-implemented method for detecting and correcting malicious nodes in a cloud computing environment can include selecting a task to dispatch to a first worker node, setting a suspicion index threshold for the selected task, determining a suspicion index for the selected task, comparing the suspicion index to the suspicion index threshold and receiving a result from a first worker node. The method further can include applying a recovery action when the suspicion index exceeds the selected suspicion index threshold.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: September 24, 2013
    Assignee: International Business Machines Corporation
    Inventors: Bryan E. Aupperle, David L. Kaminsky
  • Patent number: 8544059
    Abstract: A system and method for determining effective policy profiles is presented herein. The system includes one or more client devices configured to initiate a request for at least one effective policy profile, a server mechanism communicatively coupled to the one or more client devices and configured to receive the request for the at least one effective policy profile and determine the at least one effective policy profile for each of the requesting one or more client devices, and a policy data storage component communicatively coupled to the server mechanism and configured to store a plurality of policy profiles. The plurality of policy profiles includes an association between each of the one or more client devices and one or more of the plurality of policy profiles.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: September 24, 2013
    Assignee: Novell, Inc.
    Inventors: David A. Romanek, Ty Ellis, Matthew E. Lewis, Daniel E. Montroy, David Michael Lakis, Farzad Esfarjani, Ken W. Muir
  • Patent number: 8538021
    Abstract: A sending apparatus includes an encryption unit and a sending unit. The encryption unit encrypts each of data packets on the basis of a frame number of a frame and a determined cryptographic key. The sending unit transmits a frame including the data packets encrypted. A receiving apparatus includes a receiving unit and a decoding unit. The receiving unit receives the frame. The decoding unit decodes each of the data packets on the basis of the frame number of the frame and a determined decoding key.
    Type: Grant
    Filed: February 11, 2011
    Date of Patent: September 17, 2013
    Assignee: Fujitsu Limited
    Inventor: Masato Okuda
  • Patent number: 8528073
    Abstract: An information processing apparatus displays, on a display device, personal information including person-identifying information based on which a person can be identified and non-person-identifying information based on which a person cannot be identified. First, the information processing apparatus determines whether or not authentication of a user has succeeded based on an input by the user and authentication information stored in storage means of the information processing apparatus. Then, the information processing apparatus prohibits display of the person-identifying information of the personal information stored in the storage means when it is determined that authentication has failed.
    Type: Grant
    Filed: December 31, 2009
    Date of Patent: September 3, 2013
    Assignee: Nintendo Co., Ltd.
    Inventor: Masaki Tawara
  • Patent number: 8521839
    Abstract: A method includes registering with a proxy for an auxiliary event-package, wherein the auxiliary event-package is provided by a plurality of auxiliary event-package servers. The method may further include subscribing to the auxiliary event-package through the proxy. The proxy forwards the subscription to the plurality of auxiliary event-package servers. The method may include receiving an initial notify from one of the auxiliary event-package servers and identifying the one of the auxiliary event-package servers as a primary handle for the auxiliary event-package. In addition, the method may include identifying others of the plurality of auxiliary event-package servers as secondary handles for the auxiliary event-package.
    Type: Grant
    Filed: August 2, 2011
    Date of Patent: August 27, 2013
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Ira C. Stevens, III
  • Patent number: 8522340
    Abstract: A device may be authorized via a method, which includes: displaying several numbered folder objects while the device is in an unauthorized state, each of which is displayed with a corresponding serial number and represents a folder containing several files stored in the device; executing a predefined operation toward one of the folder objects; detecting the serial numbers corresponding to the operated folder object; comparing the detected serial numbers and a predetermined password; and maintaining the device in the unauthorized state, if the detected serial numbers do not correspond to the password.
    Type: Grant
    Filed: September 25, 2011
    Date of Patent: August 27, 2013
    Assignees: Fu Tai Hua Industry (Shenzhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventor: Qiang You
  • Patent number: 8516558
    Abstract: An exemplary authentication method includes sending a polling inquiry to an authentication module, identifying a passive notification sent from the authentication module in response to the inquiry, accepting authentication credentials in response to the passive notification, and transmitting authentication information based on the authentication credentials to the authentication module. An exemplary authentication system includes a remote server in communication with a client computer and hosting an access control module. An authentication server is in communication with the remote server and hosts an authentication module.
    Type: Grant
    Filed: February 23, 2009
    Date of Patent: August 20, 2013
    Inventor: Jeffrey L. Crandell
  • Patent number: 8516242
    Abstract: A system and method for implementing an enhanced transport layer security (ETLS) protocol is provided. The system includes a primary server, an ETLS servlet and an ETLS software module. The primary server operates on a computer network and is configured to communicate over the computer network using a non-proprietary security protocol. The ETLS servlet also operates on the computer network and is securely coupled to the primary server. The ETLS servlet is configured to communicate over the computer network using an ETLS security protocol. The ETLS software module operates on a mobile device, and is configured to communicate over the computer network using either the non-proprietary security protocol or the ETLS security protocol. Operationally, the ETLS software module initially contacts the server over the computer network using the non-proprietary security protocol, and subsequently contacts the server through the ETLS servlet using the ETLS security protocol.
    Type: Grant
    Filed: February 22, 2012
    Date of Patent: August 20, 2013
    Assignee: Research In Motion Limited
    Inventors: Michael Stephen Brown, Herbert Anthony Little, David Paul Yach
  • Patent number: 8495361
    Abstract: A method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured TPMs. The endorsement keys are generated for the TPM. The TPM vendor selects an N-byte secret and stores the N-byte secret in the TPM along with the endorsement keys. The secret number cannot be read outside of the TPM. The secret number is also provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key with a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the TPM only when a match is confirmed.
    Type: Grant
    Filed: September 21, 2007
    Date of Patent: July 23, 2013
    Assignee: International Business Machines Corporation
    Inventors: Ryan Charles Catherman, David Carroll Challener, James Patrick Hoff
  • Patent number: 8495715
    Abstract: Techniques for credential auditing are provided. Histories for credentials are evaluated against a principal credential policy for a user and an enterprise credential policy for an enterprise as a whole. An audit trail is produced within a report for the histories. The report indicates whether compliance with the principal and enterprise credential policies occurred and if not at least one reason is provided as to why compliance was not met within the histories.
    Type: Grant
    Filed: February 23, 2009
    Date of Patent: July 23, 2013
    Assignee: Oracle International Corporation
    Inventors: Larry Hal Henderson, Brett A. Berger
  • Patent number: 8495362
    Abstract: A signature system includes a public key certificate obtainment device 100, a public key certificate issuance device 200, and a signature device 300. The public key certificate obtainment device 100 inputs item data and an infrastructure public key that includes an item key that is an element corresponding to each item of the item data and outputs both a public key certificate that includes item data and a secret key using the data that have been input and data supplied from the public key certificate issuance device. The public key certificate issuance device 200 inputs an infrastructure public key that includes the item key that is the element corresponding to each item of the item data and outputs a proof used to identify a signer using the data that have been input and the data supplied from the public key certificate obtainment device.
    Type: Grant
    Filed: July 28, 2009
    Date of Patent: July 23, 2013
    Assignee: NEC Corporation
    Inventor: Jun Furukawa
  • Patent number: 8478999
    Abstract: A network device implements congestion management of sessions of a network protocol. In one implementation, an incoming request component receives session requests for a negotiation session between the network device and a second network device. A capacity pool stores a value relating to capacity of the network device to continue to efficiently process the session requests. New sessions are initiated when the value stored in the capacity pool is less than an estimate of the capacity of the network device at which the network device maximizes processor usage while minimizing session timeouts.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: July 2, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Yonghui Cheng, Choung-Yaw Shieh
  • Patent number: 8479307
    Abstract: A method, an apparatus and a system perform software deactivation based on a deactivation time period. In some embodiments, a method includes receiving a communication from a first client machine to deactivate a license of a software product that was previously activated on the first client machine. The method also includes determining a specified time period of deactivation. The method includes deactivating the license of the software product from the first client machine responsive to a determination that the license was previously activated on the first client machine during the specified time period of deactivation.
    Type: Grant
    Filed: January 21, 2011
    Date of Patent: July 2, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Xuejun Xu, Katherine Koch Nadell, Li-qian Liu, Nobuo Griffin, Vivek Misra, Shyam Sunder Vijay
  • Patent number: 8467534
    Abstract: Secure access and processing of an encryption/decryption key may include generating one or more keys within a key controller block of a chip. The generated keys may be transferred from the key controller block of the chip to an on-chip bus interface block via a secure serial link. The transferred keys may be stored in registers which may be accessible by only the key controller block of the chip. In this regard, the generated keys may be written to one or more of the key registers only by the key controller block. Furthermore, a written key may be read from a key register only by the key controller block. During the transfer of a generated key, a data valid signal may be used to indicate valid keys in a data signal used to transfer the keys via the secure serial link.
    Type: Grant
    Filed: April 16, 2003
    Date of Patent: June 18, 2013
    Assignee: Broadcom Corporation
    Inventors: Kevin Patariu, Iue-Shuenn Chen, Jay Kwok Wa Li, Cynthia Dang, Mark Taylor Core
  • Patent number: 8468269
    Abstract: Disclosed are methods and systems for compressing location data of a radio for over-the-air transmission. A method includes obtaining raw latitude and raw longitude coordinates reflecting a current location of the client device, the raw latitude coordinate represented by x number of bits and the raw longitude coordinate represented by y number of bits. The raw latitude coordinate is truncated by removing n number of most significant bits from the raw latitude coordinate to create a compressed latitude coordinate. The raw longitude coordinate is truncated by removing m number of most significant bits from the raw longitude coordinate to create a compressed longitude coordinate, where m varies as a function of the value of the raw latitude coordinate. The compressed longitude and compressed latitude coordinates are then transmitted to another network device for decompression and use as an indication of the client device's absolute location.
    Type: Grant
    Filed: August 1, 2011
    Date of Patent: June 18, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Dipendra M. Chowdhary, Thomas B. Bohn, Tianfang Liu, David G. Wiatrowski
  • Patent number: 8458779
    Abstract: A system, method, and client registration and verification device for handling personal identification information. The client device collects from an individual, a sufficient amount of biometric information to uniquely identify the individual, as well as historical mobility information providing a history of locations where the individual has lived. A caching manager stores the collected biometric information at a selected cache node in a hierarchical database having a plurality of cache nodes at multiple levels of the database. The caching manager selects the cache node based on the historical mobility information collected from the individual. The client device sends subsequent requests to verify the identity of the individual to a local cache node where newly input biometric information is compared with the cached information.
    Type: Grant
    Filed: June 21, 2010
    Date of Patent: June 4, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Eric Lee Valentine, Inayat Syed
  • Patent number: 8447963
    Abstract: A method and system for managing a large number of servers and their server components distributed throughout a heterogeneous computing environment is provided. In one embodiment, an authenticated user, such as an IT system administrator, can securely and simultaneously control and configure multiple servers, supporting different operating systems, through a “virtual server.” A virtual server is an abstract model representing a collection of actual target servers. To represent multiple physical servers as one virtual server, abstract system calls that extend execution of operating-system-specific system calls to multiple servers, regardless of their supported operating systems, are used. A virtual server is implemented by a virtual server client and a collection of virtual server agents associated with a collection of actual servers.
    Type: Grant
    Filed: April 16, 2003
    Date of Patent: May 21, 2013
    Assignee: BladeLogic Inc.
    Inventors: Thomas Martin Kraus, Vijay G. Manwani, Sekhar Muddana