Patents Examined by Phy Anh Vu
  • Patent number: 9461978
    Abstract: A method and system for role based access control for a plurality of users in a heterogeneous enterprise environment, comprising: establishing a functional relationship between a plurality of provisioning units using a provision unit module. The users are mapped with the provisioning unit based on attributes of the users. Events are captured via the provision unit module. The users that need to be re-mapped are determined upon the event completion. An application role defined in context of an application embedded in an application registry module is mapped with the provisioning unit. A call back service is executed for the re-mapped users having entitlement associated with each of the applications stored in a roles registry module. An application role is determined and defined for a new user for the plurality of the applications, enabling managing of the role based access control.
    Type: Grant
    Filed: September 20, 2013
    Date of Patent: October 4, 2016
    Assignee: Tata Consultancy Services Limited
    Inventors: Satya Narayan Mishra, Ashesh Misra
  • Patent number: 9424419
    Abstract: A system and method for a credentials agent that automatically rotates and stores security credentials usable at least in part to authenticate calling applications with a computing resource service provider. Upon determining that a first set of credentials are due to be rotated, the credentials agent may obtain a second set of credentials and store the second set of credentials in a data store. The credentials agent may give notice to a calling application that the first set of credentials is due to be rotated, whereupon the calling application may obtain the second set of credentials and be authenticated to access a resource of the computing resource service provider at least in part by providing the second set of credentials. The authorization system provides visualizations and alerts to administrators of unexpected states that may be caused by misconfigured applications or malicious users.
    Type: Grant
    Filed: October 27, 2014
    Date of Patent: August 23, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: William Frederick Kruse
  • Patent number: 9424432
    Abstract: An information processing system provisions a client account for a user to enable a client computer associated with the user to store information in an elastic storage system and to prohibit the client computer, the information processing system, and the elastic storage system from altering and from deleting the stored information during an authorized retention period. Data messages are received from one or more client computers and include information that is required to be stored for the authorized retention period. That information is transmitted via one or more data communications networks to the elastic storage system for storage so that the stored information is non-rewriteable and non-erasable during the authorized retention period. The secure data center receives the retrieved copy and provides it to the user device.
    Type: Grant
    Filed: September 20, 2013
    Date of Patent: August 23, 2016
    Assignees: Nasdaq, Inc., Amazon Technologies, Inc.
    Inventors: Ryan Christopher Holland, Thomas C. Stickle, Malcolm Gary Lafever, Edward Scott Mullins
  • Patent number: 9396347
    Abstract: Concepts and technologies are described herein for providing status of site access requests. In accordance with the concepts and technologies disclosed herein, a user attempts to access functionality of a server application that is limited to authorized users. In response to the access attempt, the server application determines if the user is authorized to access the functionality and if the user has previously requested access to the functionality. If the user has not previously requested access to the application, the server application can present a user interface to the user for requesting access to the server application. If the user has previously requested access to the application, the server application can present an indication that an access request already exists, history and status information associated with the access request, and/or an interface for submitting messages to the site owner or other entity.
    Type: Grant
    Filed: September 1, 2011
    Date of Patent: July 19, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Bojana Marjanovic Duke, Ajey Pankaj Shah, Reed George Pankhurst
  • Patent number: 9378155
    Abstract: A method for processing and verifying remote dynamic data is provided. The method includes providing a radix tree structure having N levels, obtaining and recording N initial values for representing the empty radix tree structure, wherein all nodes at the same level are assigned an identical initial value. When performing a data processing operation to the radix tree structure, determining a first leaf node and calculating and recording the value of each node in a shortest path from the first leaf node to the root node. When performing a verification of a specific data, obtaining a second leaf node corresponding to the specific data, a sibling node of each node in a shortest path from the second leaf node to the root node, and generating a verification result according to a digital signature for verifying the root node, the value of each obtained sibling node, and the specific data.
    Type: Grant
    Filed: January 15, 2013
    Date of Patent: June 28, 2016
    Assignee: Acer Incorporated
    Inventors: Yu-Shian Chen, Chin-Laung Lei
  • Patent number: 9367687
    Abstract: A method of detecting malware is provided. The method includes (a) from a database of historic network traffic, identifying a suspect file that traveled through a network as being suspected malware, (b) deriving a distinctive signature based on contents of the suspect file, and (c) scanning a computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device. Embodiments directed to analogous computer program products and apparatuses are also provided.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: June 14, 2016
    Assignee: EMC Corporation
    Inventor: Or Tzvi Warshenbrot
  • Patent number: 9336324
    Abstract: A security trimming system disclosed herein uses intelligent caching of the security trimming information received from a security datastore. The security trimming system uses an access cache to store the security trimming information received from the access datastore together with other parameters associated with such security trimming information. Subsequently, in responding to a request for the security trimming information, the security trimming system uses the cached value of the security trimming information together with the other associated parameters to determine a response to the request from the content providers. In one implementation, if the other parameters associated with a particular security trimming information imply that the security trimming information in the cache is still valid, the cached security trimming information is used in the request response. Otherwise, a new request is sent to the security datastore for an updated value of the security trimming information.
    Type: Grant
    Filed: November 1, 2011
    Date of Patent: May 10, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Robert Lomme, Benjamin Wilde, Michael Tavis, Alexei Evdokimov, Siddharth R. Shah, Puneet Narula
  • Patent number: 9330259
    Abstract: A process for identifying potentially harmful malware, comprises the steps of: a) identifying an executable that is about to run; b) providing a monitoring agent that monitors all threads that are descendent of a thread initiated by the process of said executable; and c) configuring said monitoring agent to conclude that a high probability of malware presence exists, if one of said descendent threads reaches a target process in which suspicious patches are created.
    Type: Grant
    Filed: March 19, 2013
    Date of Patent: May 3, 2016
    Assignee: TRUSTEER, LTD.
    Inventors: Amit Klein, Yaron Dycian, Gal Frishman, Avner Gideoni
  • Patent number: 9313173
    Abstract: A method of unified content scanning in which content is deconstructed into base formats so as to be presented to content filters in a common format. The base formats include text, image and audio. The invention also includes a system of unified content scanning and a gateway appliance embodying the method of unified content scanning.
    Type: Grant
    Filed: December 6, 2010
    Date of Patent: April 12, 2016
    Assignee: Bloomberg L.P.
    Inventors: Trent H C Davis, Stephen James Thorne, James Peter Brotchie
  • Patent number: 9298905
    Abstract: Systems and methods verifying a user during authentication of an integrated device. In one embodiment, the system includes an integrated device and an authentication unit. The integrated device stores biometric data of a user and a plurality of codes and other data values comprising a device ID code uniquely identifying the integrated device and a secret decryption value in a tamper proof format, and when scan data is verified by comparing the scan data to the biometric data, wirelessly sends one or more codes and other data values including the device ID code. The authentication unit receives and sends the one or more codes and the other data values to an agent for authentication, and receives an access message from the agent indicating that the agent successfully authenticated the one or more codes and other data values and allows the user to access an application.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: March 29, 2016
    Assignee: Proxense, LLC
    Inventor: John J. Giobbi
  • Patent number: 9270681
    Abstract: A method and apparatus for managing network profiles and/or access to a network. Network profiles stored in a computer may be deleted and/or a connection to a wireless network may be disabled when a corresponding access period for the network has been exhausted. The access period may define an amount of time, a number of connections, a number of bits or packets of information, or other measure of connectivity to a network and/or maintenance of profile information related to the network that may be limited in some fashion.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: February 23, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andrew Baron, Taroon Mandhana, Amir Zohrenejad
  • Patent number: 9251385
    Abstract: A computer system for accessing confidential data via at least one remote unit (4), the data being stored in a secured centralized computer system (3) including elements for processing data intended for producing results, a computer connection (2) being established between the unit and the computer element, the unit being a microcomputer operating under the dependency of a local operating system. The computer connection is an encrypted tunnel connection over a public network, the unit only supporting remote administration, the unit not being operable if the computer connection is not established and, during the access thereof to the data, the unit only receiving display information associated with the process performed on the data and produced by the centralized computer system, the microcomputer of the remote unit also including an electronic encryption circuit, the operating system and the information required for the operation of the unit being stored in encrypted form.
    Type: Grant
    Filed: October 11, 2010
    Date of Patent: February 2, 2016
    Assignee: GROUPE DES ECOLES NATIONALES D'ECONOMIE ET STATISTIQUE, ETABLISSEMENT PUBLIC A CARACTERE SCIENTIFIQUE, CULTUREL ET PROFESSIONNEL
    Inventors: Kamel Gadouche, Eric Debonnel
  • Patent number: 9246915
    Abstract: A system and method for allowing hand-held/wireless devices to (1) provide audio/video conferencing; (2) access AV content through streaming and cloud transfer; and (3) offer hand-held and computer access to cameras and sensors for surveillance using ordinary personal computers as proxy servers is described. In a first aspect, a remote view streaming system which comprises a webcam server which enables streaming video over a network is disclosed. The system includes a portable device. The portable device includes a client application. The portable device is configured to receive the streaming video from the network and display it on a screen. The system includes a proxy server for authenticating a connection between the webcam server and the portable device. In a second aspect, a portable device is disclosed.
    Type: Grant
    Filed: March 21, 2011
    Date of Patent: January 26, 2016
    Assignee: AppBANC, LLC
    Inventor: Gilbert Springer
  • Patent number: 9223948
    Abstract: A method and system are disclosed whereby an activity launch modifier is combined with a passcode. The activity launch modifier is used to determine a portion of an application to activate upon valid authentication.
    Type: Grant
    Filed: November 1, 2011
    Date of Patent: December 29, 2015
    Assignee: BlackBerry Limited
    Inventors: Jason Tyler Griffin, Alistair Robert Hamilton
  • Patent number: 9225538
    Abstract: Stateless application notifications are described that enable third parties to provide messages to client applications. A communication channel can be established between a notification service and an application. Upon request, the notification service can generate obfuscated routing data for the channel, which can be in the form of a channel handle or token. The routing data can be encrypted and digitally signed to obscure the content and format of the routing data from third parties. An application service possessing the obfuscated routing data can package a notification with the data and send the package to the notification service for delivery. The application service does so without knowing the channel particulars encoded by the obfuscated routing data. The notification service that produces the obfuscated routing data can decrypt and interpret the data, and deliver the notification on the channel to an appropriate endpoint application on behalf of the application service.
    Type: Grant
    Filed: September 1, 2011
    Date of Patent: December 29, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Joy, Cheuk Wan William Lau, Darren Louie, Yosef Firstenberg, Ravikant Cherukuri, Kevin Michael Woley, Matthew R. Ayers, Gaurav S. Anand
  • Patent number: 9210144
    Abstract: In a particular embodiment, a method includes receiving, at a set-top box from a server, a temporary authentication token that enables access to an account accessible by one or more devices. The temporary authentication token is generated after validation by the server of a particular authentication token received at the server from a first device. The first device is distinct from the set-top box. The method further includes initiating, at the set-top box, presentation of the temporary authentication token.
    Type: Grant
    Filed: July 23, 2012
    Date of Patent: December 8, 2015
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Larry B. Pearson, Jitender S. Sarpal, Mari Sue Quick
  • Patent number: 9210126
    Abstract: A method for secure single-packet authorization and secure transparent access to software services residing on cloud-based servers other than the host system where the SPA server itself is running. A single packet authorization (SPA) server running on a host system passively monitors a network for a valid SPA packet while maintaining a default deny stance on a gateway packet filter. The SPA server stores the MD5 sum of every valid SPA packet that it monitors and flags any duplicate access attempts. This way, if any SPA packet has the same MD5 hash as a previously monitored packet the SPA server treats the packet as malicious. After a valid SPA packet is sent, the SPA host server provides a Network Address Translation (NAT) which essentially creates an “SPA gateway” within a Cloud network independent of any other border gateway devices that already exist within the Cloud.
    Type: Grant
    Filed: April 2, 2013
    Date of Patent: December 8, 2015
    Inventors: Michael B. Rash, Damien S. Stuart
  • Patent number: 9159179
    Abstract: Techniques and systems for maintaining a secure document replication environment based on information contained in CACs are disclosed. In one embodiment of the invention, a device such as an MFP, a printer, a scanner, a copier, or a fax machine comprises or is connected to a card reader. The device prevents users from using the device until the users have been authenticated. In order to authenticate himself to the device, a user inserts his CAC into the card reader. The device reads the user's digital certificate off of the user's CAC. The device determines whether the digital certificate is valid. If the digital certificate is not valid, then, in one embodiment of the invention, the device prevents the user from using any of the device's functions (e.g., printing, scanning, copying, faxing, etc.).
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: October 13, 2015
    Assignee: Ricoh Company, Ltd.
    Inventor: Jiang Hong
  • Patent number: 9137742
    Abstract: What is disclosed is a method of operating a communication system, where a user device receives wireless access for a communication session over a first wireless communication network. The method includes receiving a registration request transferred by the user device for wireless access from a second wireless communication network, and in response to the registration request, processing an authentication status for the communication session of the first wireless communication network to authenticate the communication session in the second wireless communication network.
    Type: Grant
    Filed: February 23, 2011
    Date of Patent: September 15, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: Lei Zhu, Daniel J. Pope
  • Patent number: 9134900
    Abstract: Illustrated is a system and method for receiving input at a soft bar, the input received at a middle position on the soft bar equal distance from a first position and a second position on the soft bar. The system and method also including a traversing of the soft bar from the middle position to one of the first or second position, using the input, a plurality of times to generate a candidate password, each traversal to generate a position value that is part of the candidate password. Further, the system and method to include unlocking a Graphical User Interface (GUI) for use, the unlocking to occur where the candidate password is equivalent to a stored password.
    Type: Grant
    Filed: January 18, 2012
    Date of Patent: September 15, 2015
    Assignee: QUALCOMM Incorporated
    Inventor: Jean-Charles Picard