Abstract: A cloud access manager obtains input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment; the virtual machine instances are divided into at least first and second access zones. A cloud access manager registrar located in the cloud computing environment registers internet protocol addresses of external clients as seen from the cloud computing environment; at least some of the addresses are assigned to the clients via network address translation (NAT). Session traversal utility for NAT (STUN) is carried out to determine public internet protocol addresses assigned to the clients via NAT. The cloud access manager controls (i) access of the external clients to the plurality of virtual machine instances; and (ii) access of the plurality of virtual machine instances to each other, based on the registered internet protocol addresses, in accordance with the access zones.

Abstract: Techniques for balancing network load at network devices in a virtualized computing environment are disclosed. In one embodiment, a first network device having network load above a threshold value is determined. Further, a first host coupled to the first network device is identified. The first host executes a workload that transmits and receives network traffic via the first network device. If the first host is not coupled to any other network device, the network load at the first network device is reduced by initiating migration of at least a part of the workload to a second host coupled to any other network device. If the first host is coupled to a second network device, the network load at the first network device is reduced by instructing a virtual switch of the first host to route at least a part of the network traffic between the workload and second network device.

Abstract: Embodiments disclosed herein enable scaling up and making advanced natural language (NLU) applications more robust. According to one embodiment, state(s) associated with a dialog session may be recorded to a non-transitory medium. The dialog session may be suspended after a given period of inactivity and later automatically awakened based on unique client, session, or device identifier, or any combination thereof. Memory and resources associated with the suspended session may be reclaimed, the memory and resources being otherwise held by the session during the period of inactivity, enabling higher density (e.g., a larger number of sessions supported). Embodiments disclosed herein obviate a need for sticky dialog sessions, enabling higher density, and may further failover protection and fault tolerance for the dialog sessions.

Abstract: A prognostics module includes a systems analysis module and a determination module. The systems analysis module is configured to obtain operational information corresponding to a system-wide operation of a multi-element system. The multi-element system includes multiple elements communicatively coupled by at least one common communication link. The determination module is configured to determine a future health of at least one of the multiple elements of the multi-element system using the operational information corresponding to the system-wide operation of the multi-element system.

Abstract: A method for securing a first program with a second program, a third program and a fourth program, each program comprising constitutive elements having a finite number of program points and evolution rules associated with the program points and defining the passage from one program point to another program point, and each program comprising a definition of a set of properties each property being associated with one or more of the constitutive elements of the program. The fourth program constructed by defining at least one relation between at least one constitutive element of the second program and at least one constitutive element of the third program, said relation being named a correspondence relation, and at least one property of the third program being proven, propagate the proof of said property to at least one property of the first program by exploitation of the correspondence relation.

Abstract: The invention discloses system and method for data authentication among processors. The method comprises: generating a first key, by a first processor, according to a first identification data and a first algorithm; generating a first digest, by the first processor, according to data to be transmitted, the first identification data and a second algorithm; generating a digital signature, by the first processor, according to the first key, the first digest and a third algorithm; and transmitting the data and the digital signature from the first processor to a second processor.

Abstract: In some embodiments, in a registration process where a user device is registering for access to a network, a public/private key pair may be generated based on a media access control (MAC) address of a user device. The generated public/private key pair may be transmitted to the user device for future access to the network. In some embodiments, where a user device is requesting access to a network, a MAC address embedded in a public key may be utilized to determine whether access to the network should be granted.

Abstract: In one or more embodiments, attributes other than a supplicant's MAC address can be used for the user name in the authentication process in a network computing environment. In at least some embodiments, doing so utilizes an association structure, such as a table, that is already resident at the authentication server. By using attributes other than a supplicant's MAC address, various matching scenarios can be provided by the authentication server in which authentication or authorization takes place responsive to satisfying conditions defined in the authentication server's association or database. Furthermore, a variety of non-authentication scenarios can be supported using the authentication server's association.

Abstract: Even for encrypted programs, when all modules are decrypted all at once at the time of execution, it is possible to analyze codes stored within a storage area. Therefore, a program execution and decryption method that prevents easy analysis via reverse-engineering is required. In order to solve the aforementioned problem, this invention provides a program complex that allows execution of modules while modules are being decrypted upon execution, even if a program has been started. Thereby, modules cannot be easily analyzed and program tamper resistance can be improved.

Abstract: Techniques are described for updating resources provided to a user device, using subscription based polling. A user device may send initial requests for resource to a server, each initial request including a resource identifier and a subscriber identifier. In some cases, the subscriber identifier may uniquely identify the communication session. The server maintains subscription information correlated with the subscriber identifier, the subscription information listing which resources the user device has requested and which versions of the resources are currently available on the user device. Updates to the subscribed resources may then be provided to the user device in response to a request for updates that specifies the session identifier but that may not specify the particular subscribed resources.

Abstract: A method of associating a function to a room within a home, includes forming a mesh network in the structure with a plurality of nodes, each node having a communication module, segmenting the nodes into rooms based upon the time of flight, obtaining an identity for at least one node in a room; and using the identity to assign a purpose to the room.

Abstract: Disclosed herein are a method and a corresponding apparatus that provides a tethering alert if the apparatus is tethering data. In one example, a method for providing a tethering alert by an apparatus having a first network communication interface and a second network communication interface is disclosed. The method includes i) receiving incoming data via one of the first network communication interface and the second network communication interface, ii) sending outgoing data via the other of the first network communication interface and the second network communication interface, iii) making a determination that there is a threshold similarity between the incoming data and the outgoing data, and iv) responsive to making the determination, the apparatus providing a tethering alert indicating that the apparatus is tethering data.

Abstract: A data processing method, comprising: using computing apparatus, causing instantiating a plurality of baseline application instances that are running a first version of software, and one or more canary application instances that are running a second version of the software; using computing apparatus including a load balancer, causing selectively routing a first proportion of incoming requests to the baseline instances, and routing a second proportion of the incoming requests to the canary instances; monitoring the plurality of canary instances to collect performance data for performance metrics; determining that the performance data indicates a negative performance issue, and in response thereto: using computing apparatus, automatically updating the first proportion to be larger and updating the second proportion to be smaller, and then reconfiguring the load balancer based upon the first proportion and the second proportion; terminating one or more of the canary application instances.

Abstract: An application manager module provides anonymized user profile information to third party adaptive software applications. As a result, a software developer may produce a single software application that is adapted to run in a first mode providing full-functionality for use by adults and a second mode providing appropriate privacy and content restrictions for use by children. The mode is selected at run-time based on the anonymized user profile information received from the application manager module.

Abstract: Methods and systems for management of cloud computing resources are described herein. A management server for a cloud of physical computing resources may assign states to individual physical computing resources or groups of physical computing resources. The states may include a disabled state, in which only administrator access to the resources is permitted; an enabled state, in which user access to the resources is permitted; a restricted state, in which some, but not all user requests to the resources are permitted; and an unmanaged state, in which no communications between the resources and the management server are permitted.

Abstract: Systems and methods are provided for encrypting electronic files during a transfer to a low-security storage location is provided. In one embodiment, a method comprises receiving a file copy request for a file stored on a source storage system to be copied to a destination storage system; determining a desired file security level of the file based on a desired security level for the file when the file is accessed; determining a destination security level of the destination storage system; comparing the file security level and the destination security level; encrypting the file to create an encrypted file when the destination security level is less than the file security level prior to copying the file; and copying at least one of the file and the encrypted file to the destination storage system as a function of the comparison of the file security level and the destination security level.

Abstract: In one embodiment, a method includes configuring a first router of a second entity to link the first router to a communication network of the second entity. The configuration of the first router establishes router-configuration data for the communication network on a computer system of a first entity. The method also includes configuring a second router of the second entity to link the second router to the communication network using at least some of the router-configuration data for the communication network established on the computer system of the first entity.

Abstract: A method, device, and non-transitory computer readable medium for determining and representing one or more authentication requirements for at least one valid service flow of one or more information centric network (ICN) based services. This technique involves capturing service specification and storing it in a repository. Then, one or more possible service flows are generated and represented based on the nature of contents, delivery options and preferred architecture. This representation is again modified based on the trust level among functional entities and authentication scope which are inferred from the service specification. The final representation of the service flow shows only the valid inter-connections and operations among functional entities and the service flow is constrained by authentication requirement.

Abstract: An authentication engine may be configured to receive an authentication request and credentials from a client. The authentication engine may then generate a proxy agent configured to interact with an identity provider to authenticate the client on behalf of the client, using the credentials. In this way, the authentication engine may receive an assertion of authentication of the client from the identity provider, by way of the proxy agent.

Abstract: A method of authenticating and encrypting a client-server communication is provided. Two one-time passwords (OTP1 and OTP2) are generated from a cryptographic token. An encryption key (K_ENC) and a MAC key (K_MAC) are generated based on OTP2. The client data are prepared and protected using K_ENC and K_MAC. A request message is sent from the client to the server, and contains the protected client data, a cryptographic token identifier and OTP1. OTP1 is validated at the server, and OTP2 is generated at the server upon successful validation. K_ENC and K_MAC are derived from OTP2 at the server. The request message is processed and result data is generated. The result data is encrypted using K_ENC and a digest is created using K_MAC. The encrypted result data is sent to the client, and is decrypted using K_ENC and the authenticity of the result data is verified using K_MAC.