Abstract: The invention is an authentication framework that enables a user to log in to a website using an Internet-connected device, such as smartphone, smart watch, smart glasses, or tablet, while browsing on a computer. The framework makes it easier for people with certain disabilities to log in to a website, such as by removing the mandatory step of entering usernames and passwords while giving users multiple options through which they are establish their identity using Internet-connected devices. For example, gyroscope, camera, microphone, or the accelerometer can be used to provide credentials. This approach of the framework greatly reduces the number of barriers that a user with disability encounters when trying to use password-based authentication on the Internet.

Abstract: A visitor authorization management method is provided. In the method, an authorization object identifier and an authorization operation information corresponding to the authorization object identifier are obtained. The authorization operation information according to the authorization object identifier is cached. A current latest authorization operation information corresponding to the authorization object identifier is retrieved from the cache. A reference time is determined based on an authorization time in the current latest authorization operation information. When a preset time period having the reference time as an end is reached, an authorization operation is performed according to the current latest authorization operation information and the authorization object identifier.

Abstract: It is proposed that known digital rights management (EDRM: Enterprise Digital Rights Management) be extended such that control over the access to data stored in a cloud remains with the user or originator of the data. This requires the access information to be coordinated between a rights application in the cloud and a rights server in the region of the user (that is to say outside the cloud). A rights policy can be used for fine-grained regulation of the access for users (user groups), computers (client, server) and validity periods. In this context, the access comprises a wide variety of actions which can be performed with the data. In particular, it is advantageous that a server application is provided with (temporally limited) access to a portion of the data in order to index said data, for example, without the server being able to access the complete contents of the data in the process.

Abstract: According to one embodiment, an electronic apparatus includes a memory and a hardware processor. The hardware processor is configured to store a log of a received packet in the memory, set a transmission delay time for the log stored in the memory, and transmit the log in accordance with the transmission delay time of the log.

Abstract: Methods, apparatus, systems, and non-transitory computer-readable media for managing a plurality of disparate computer application and data control policies on a computing device, especially a computing device connected to a computer network, are described. In one example, at least one policy distribution point is provided that includes least one policy distribution point including at least one information management policy. A plurality of policy enforcement points, including a first policy enforcement point operating at a first policy enforcement level, and a second enforcement point operating at second policy enforcement level, are also provided. A first policy element to the first policy enforcement point, and a second policy element to the second policy enforcement point, are allocated.

Abstract: Method and system for securely communicating with a machine to machine, M2M, device comprising sharing a secret or data derived from the secret between the M2M device and a server. Establishing a connection between the M2M device and the server. Using the shared secret or data derived from the shared secret to establish cryptographic material on both the M2M device and the server. Securing communication between the M2M device and the server with a cryptographic protocol using the established cryptographic material. The cryptographic material is unrecoverable from the shared secret or data derived from the shared secret alone.

Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.

Abstract: An identity authentication method and device and a storage medium are disclosed, and the method includes: receiving a CAPTCHA code acquiring request from a user equipment; randomly selecting a CAPTCHA code and a password corresponding thereto as per the request, the CAPTCHA code comprising a first CAPTCHA image formed by a plurality of spliced sub-images, and the password comprising a preset processing rule for the sub-images; sending the CAPTCHA code and password to the user equipment, so that the user equipment rearranges positions of the sub-images to form a second CAPTCHA image and presents the second CAPTCHA image to a user; and receiving, from the user equipment, authentication response information inputted by a user according to the second CAPTCHA image, authenticating an identity of the user according to the authentication response information, and returning an authentication result to the user equipment.

Abstract: An application is comprised of a plurality of processes. A process is able to accesses a remote service using a service access credential which is adapted to the particular requirements of the process. By providing a process with customized credential, the process is constrained from performing unnecessary operations, and the overall security of the application is improved. When processes are deployed to a host computer, an agent on a host computer collects credential information and other metadata associated with the processes running on the host computer. The agent makes the metadata available to a credential provider running on the host, and the credential provider exposes an interface that is accessible to the processes. The processes include a credential proxy which communicates with the credential provider. The credential proxies relay credential requests to the credential provider, and return the provided credentials from the credential provider to the processes.

Abstract: A secure communication system comprises a software program client operating on a host computing device, a service manager configured to manage client access to the protected services, an authorizer in communication between the client and the service manager, and a receiver in communication with the service manager and serves as an interface to the protected services. At least one of a browser and an application of the client is configured to access one or more protected services running on a computing device that is remote to the host computing device over a communication channel. The service manager maintains a list of predetermined services authorized for the client and limits client access to the predetermined services.

Abstract: A login method is disclosed, including: receiving, by a first server, a login request of a first terminal; generating, by the first server, a unique identifier according to the login request, storing the unique identifier, generating a corresponding two-dimensional code according to the unique identifier, and returning the corresponding two-dimensional code to the first terminal, the two-dimensional code including the unique identifier; receiving, by a second server, the unique identifier that is obtained by a second terminal by scanning the corresponding two-dimensional code and a user name that has been used by the second terminal for logging in to an application, and sending the unique identifier and the user name to the first server; performing, by the first server, identity verification of the second server, and binding, by the first server, the stored unique identifier to the user name when the identity verification of the second server succeeds, to implement login to the first terminal by using the use

Abstract: A system for changing policy information of a process is provided. When a process is to execute, the system stores policy information for the process in association with the process code. The system also creates a token for the process. The token provides evidence of the policy for the process and includes at least a reference to the stored policy information. The system provides the token to the process for use by the process as evidence of the policy for the process. When the process provides the token to a service provider, the service provider uses the reference to access the policy information for the process. While the process is executing, the system modifies the stored policy information. When the process subsequently provides the token to a service provider, the service provider uses the reference to access the modified policy information for the process.

Abstract: A malicious website access method and apparatus are provided. The method includes: determining whether a website is a malicious website; and acquiring a non-executable preview interface of a web page of the malicious website for a terminal to display, if the website is a malicious website. A user may view, through a non-executable preview interface, information about a website to be accessed by the user. Moreover, because a terminal does not access a malicious website directly, the terminal is not exposed to malicious websites, thereby enhancing security of the terminal.

Abstract: A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration.

Abstract: The transmission of flight instructions from a ground unit to an aircraft comprising an onboard system. The ground unit is configured to generate, on the basis of flight data intended for the aircraft, at least one optical symbol containing a flight instruction. The onboard system comprises an optical reader and a flight management system. The optical reader is configured to read the optical symbol and to transfer the flight instruction contained in the symbol to the flight management system to prepare the flight of the aircraft.

Abstract: A computing platform for on-demand I/O channels, which enable secure application to dynamically connect to diverse peripheral devices of untrusted commodity OSes.

Abstract: Functionality is described herein for performing at least one network connectivity task on a client device with the aid of one or more assistant devices. In some implementations, a client device (such as a smartphone, desktop personal computing device, etc.) relies on an assistant device to assist it in updating its programs, including its driver programs. In other implementations, a client device relies on an assistant device in establishing a network connection with a network-accessible entity. Functionality is also described herein for performing at least one program execution task on a client device with the aid of one or more assistant devices. For instance, the client device may rely on the assistant device to assist it in executing a driver program. The driver program, in turn, enables the client device to interact with a peripheral device or some other component.

Abstract: Embodiments of the present invention provide a method used for an HTTP network, including: receiving, by a BNG, a first HTTP request sent by user equipment; adding, by the BNG, an identifier of the BNG to the first HTTP request, to obtain a second HTTP request; sending, by the BNG, the second HTTP request to an application server; receiving, by the BNG, a third HTTP request sent by the application server, where the third HTTP request includes location information of an image for creating a virtual machine; and obtaining, by the BNG, the image according to the location information, and creating, by the BNG, the virtual machine in the BNG according to the image.

Abstract: A method and system determines a probability that a mobile device is in use by a first user. Sensors of a mobile device are used to detect and quantify human activity and habitual or behavior traits. A collection of such habitual human trait values identifying a first user of the device are memorized during a training and learning period. During subsequent periodic predictive periods, a new collection of like habitual trait values of the current user of the device, when captured and compared with memorized values of the first user of the device relative to time, uniquely identify the person in possession of the mobile device as being or not being the first user of the device. By associating this knowledge with a unique device known to be assigned to the first user of the device, it becomes possible to confirm identity without risk of impersonation.

Abstract: Technical solutions are described for extending shrouding capability of a virtual server hosting system. An example method includes receiving a request to deploy a shrouded virtual server using a predetermined set of hardware components, and using a shrouded mode. The method also includes adding a guest server to the hosting system, the guest server including the predetermined set of hardware components. The method also includes deploying a preconfigured hypervisor on the guest server, where the preconfigured hypervisor is deployed in an immutable mode that disables changes to security settings of the preconfigured hypervisor. The method also includes deploying, by the preconfigured hypervisor, a preconfigured boot image as an instance of the virtual server on the preconfigured hypervisor. The method also includes sending an identifier of the virtual server for receipt by the client device.