Patents Issued on September 30, 2014
  • Patent number: 8850521
    Abstract: In one embodiment, a first network device receives a priority message from a second network device, wherein the priority message conforms to a connection establishment protocol and indicates a priority associated with the second network device. The first network device obtains the priority from the priority message and stores the priority. The first network device allocates resources for at least one of control or data plane processing to the second network device in accordance with the priority.
    Type: Grant
    Filed: August 4, 2009
    Date of Patent: September 30, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Mohamed Khalid, Sunil Cherukuri, Haseeb Sarwar Niazi, Muhammad Afaq Khan
  • Patent number: 8850522
    Abstract: Concepts and technologies are described herein for a mechanism by which participants who have been invited to attend a conference event and who are physically present within a conference event environment, such as a meeting room, can provide authentication credentials to join the conference event via a conference event environment system. When an individual attempts to join a conference event via a conference event environment system, the individual is prompted to provide his or her authentication credentials to join the conference event via the conference event environment system to participate in the conference event. The conference event environment system may inherit the individual's permissions, such as in regards to whether or not the individual has been permitted to present content during the conference event. A conference event roster may be used to indicate that the individual has joined the conference via the conference event environment system.
    Type: Grant
    Filed: March 27, 2012
    Date of Patent: September 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Mohammad Nasir Vakil, Anton Krantz, Dhigha Sekaran, Vijay Kishen Hampapur Parthasarathy
  • Patent number: 8850523
    Abstract: A watermarking process is contemplated to facilitate branding and other message communication operations, such as to facilitate notifying a user associated with a home service provider of a watermark or communicating advertisements and/or personal messages to the user while accessing services through a visited service provider. The contemplated watermarking process may be particularly beneficial with devices having capabilities to roam between multiple service providers.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: September 30, 2014
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Vikas Sarawat, Bernard McKibben
  • Patent number: 8850524
    Abstract: Resetting a password for a network service account may include redirecting the user to a password reset tool, wherein the user is blocked from network access other than the password reset tool while being redirected. After redirecting the user to the password reset tool, user entry of verification information may be accepted, and the verification information from the user may be compared with known verification information for the user. User entry of a new password may be accepted if the verification information accepted from the user matches the known verification information for the user; and the new password may be stored as the known password for the user. Related systems and computer-program products are also discussed.
    Type: Grant
    Filed: January 24, 2008
    Date of Patent: September 30, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Scott Morris, William Conner
  • Patent number: 8850525
    Abstract: Methods and systems provide indirect and temporary access to a company's IT infrastructure and business applications. The methods/systems involve establishing an access control center (ACC) to control the access that technical support personnel may have to the company's IT infrastructure and business applications. Thin client terminals with limited functionality may then be set up in the ACC for use by the technical support personnel. The thin client terminals connect the technical support personnel to workstations outside the ACC that operate as virtual desktops. The virtual desktops in turn connect the technical support personnel to the IT infrastructure and business applications. An ACC application may be used to automatically establish the connection between the thin client terminals to the virtual desktops, and the virtual desktops to the IT infrastructure and business applications.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: September 30, 2014
    Assignee: United Services Automobile Association (USAA)
    Inventors: Christopher Thomas Wilkinson, Edward Allen Francovich, Jose Luis Rodriguez
  • Patent number: 8850526
    Abstract: A computer implemented method and system for protecting information and resources in an online environment is provided. A process initialization monitor application monitors process initialization of a client application provided on a user's communication device. The client application identifies and authenticates one or more components operating on the communication device and one or more third party applications attempting to access the client application. The client application performs the authentication by performing a code integrity check integrated in the client application independent of the communication device, and grants access to the authenticated components and the authenticated third party applications. The client application protects information being processed, exchanged, stored, and displayed within the client application.
    Type: Grant
    Filed: June 23, 2011
    Date of Patent: September 30, 2014
    Assignee: K7 Computing Private Limited
    Inventors: Kesavardhanan Jayaraman, Ahmad Abdul Lateef, Gregory Ravi Panakkal, Babu Katchapalayam
  • Patent number: 8850527
    Abstract: The invention relates to a method of executing a secure application in an NFC device, the method comprising steps during which: a contactless link is established between first and second NFC devices, the first NFC device transmits by the contactless link an identifier of a secure processor of the first NFC device, the second NFC device transmits by the contactless link an application identifier, the secure processor transmits by the contactless link first authentication data allowing the authentication of the secure processor of the first NFC device, the second NFC device transmits to an application server the first authentication data, the application server transmits to an authentication server the first authentication data and second authentication data to authenticate the application and authorizes the two NFC devices to execute the application only if the secure processor and the application are authenticated.
    Type: Grant
    Filed: July 7, 2011
    Date of Patent: September 30, 2014
    Assignee: Inside Secure
    Inventors: Gary Chew, Charles Walton
  • Patent number: 8850528
    Abstract: Organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment is described. A plurality of permissions associated with a cloud customer is created. A first set of permissions from the plurality of permissions is associated with one or more objects. Each of the first set of permissions describes an action performed on an object. A second set of permissions from the plurality of permissions is associated with one or more users. Each of the second set of permissions describes an action to be performed by one or more users.
    Type: Grant
    Filed: November 17, 2011
    Date of Patent: September 30, 2014
    Assignee: Oracle International Corporation
    Inventors: Willem Robert Van Biljon, Christopher Conway Pinkham, Russell Andrew Cloran, Michael Carl Gorven, Alexandre Hardy, Brynmor K. B. Divey, Quinton Robin Hoole, Girish Kalele
  • Patent number: 8850529
    Abstract: A service cooperation system is provided with a multi-function apparatus and a relay apparatus. The service cooperation system changes a disclosure condition of an album in which an electronic file is categorized and stored, for an electronic file storing service offered by the service provider. Without the need for a terminal apparatus such as a personal computer having a fulfilling web browser function, an image reading apparatus itself can perform uploading process, setting of an album of an upload destination and security setting/changing for an album, while notifying the user, who is authorized to a limited disclosure and to view the album, that the album has been updated.
    Type: Grant
    Filed: January 30, 2012
    Date of Patent: September 30, 2014
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yutaka Urakawa
  • Patent number: 8850530
    Abstract: A system and method for securing data in mobile devices (104) includes a computing node (102) and a plurality of mobile devices (104). A node security program (202) executed in the computing node (102) interfaces with a device security program (204) executed at a mobile device (104). The computing node (102) is responsible for managing the security based on a node security profile (208) interpreted by a node security program (202) executed in the computing node (102). A device discovery method and arrangement (106) also detects and locates various information (120) about the mobile devices (104) based on a scan profile (206).
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: September 30, 2014
    Assignee: McAfee, Inc.
    Inventor: Majid Shahbazi
  • Patent number: 8850531
    Abstract: The disclosure relates to systems and methods for targeted messaging, workflow management, and digital rights management for geofeeds, including content that is related to geographically definable locations and aggregated from a plurality of social media or other content providers. The system may facilitate targeted messaging to users who create content. The targeted messaging may be based on the content (or location related to the content) such as a request for additional information or a promotional message. The system may generate workflows that allow management of the content with respect to operational processes of an entity that wishes to use the content and facilitates the management of usage rights related to the content as well as payments related to such usage rights. For example, the system may store whether content requires permission to use the content and/or whether such permission was obtained and facilitates payment.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: September 30, 2014
    Assignee: Geofeedia, Inc.
    Inventors: Philip B. Harris, Scott K. Mitchell, Michael J. Mulroy
  • Patent number: 8850532
    Abstract: Systems and methods to control access to multimedia are disclosed. A method includes receiving a request for multimedia content at a computing device, retrieving a destination address of a mobile communication device related to an authorized user of the computing device and determining whether the mobile communication device is located within a predetermined distance from the computing device. When the mobile communication device is located within the communicative distance from the computing device, the multimedia content is received at the computing device. When the mobile communication device is not located within the communicative distance from the computing device, an authorization-request message is transmitted via a network to the destination address of the mobile communication device, wherein the authorization-request message includes a request for authorization to receive the multimedia content at the computing device.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: September 30, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Steven Belz, Marc Sullivan, James Pratt
  • Patent number: 8850533
    Abstract: Techniques for multi-level authentication for medical data access are supported. A system may include a central medical information management system that provides restricted access to medical data. An accessing device supports multiple different authentication levels. For example, the accessing device may use a combination of device identifiers, passwords, and quick access codes to ensure access only by authorized users.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: September 30, 2014
    Assignee: Medaxion, LLC
    Inventors: Jeffrey Lee McLaren, William Dyer Rodes, II, John Malcolm Toups
  • Patent number: 8850534
    Abstract: A method for enhancing the accuracy performance of authentication systems includes determining an authentication data requirement for a desired transaction and at least one new verification phrase. The method also includes capturing authentication data from a user with a communications device in accordance with the authentication data requirement, and capturing biometric data of the at least one new verification phrase from the user with the communications device. Moreover, the method includes adding the determined at least one new verification phrase to an enrollment phrase registry and storing the biometric data captured for the at least one new verification phrase in an enrollment data record of the user after successfully authenticating the user.
    Type: Grant
    Filed: July 6, 2012
    Date of Patent: September 30, 2014
    Assignee: Daon Holdings Limited
    Inventor: Conor Robert White
  • Patent number: 8850535
    Abstract: The disclosed embodiment relates to identity verification and identity management, and in particular, to methods and systems for identifying individuals, identifying users accessing one or more services over a network, determining member identity ratings, and based on member identity ratings that restrict access to network-based content and certain user-to-user interactions. Further, the user experience in performing identity management is simplified and enhanced as disclosed herein.
    Type: Grant
    Filed: August 5, 2011
    Date of Patent: September 30, 2014
    Assignee: Safefaces LLC
    Inventors: Jason J. Liberman, David Scott Trandal
  • Patent number: 8850536
    Abstract: The disclosed embodiment relates to identity verification and identity management, and in particular, to methods and systems for identifying individuals, identifying users accessing one or more services over a network, determining member identity ratings, and based on member identity ratings that restrict access to network-based content and certain user-to-user interactions. Further, the user experience in performing identity management is simplified and enhanced as disclosed herein.
    Type: Grant
    Filed: August 2, 2012
    Date of Patent: September 30, 2014
    Assignee: Safefaces LLC
    Inventors: Jason J. Liberman, David Scott Trandal
  • Patent number: 8850537
    Abstract: An improved technique involves automatically producing a set of KBA questions using values of attributes associated with correctly answered questions. A KBA question server obtains such attribute values from a prior set of pilot questions taken from users who were successfully authenticated. Examples of attributes include a source of facts in a question, placement of facts in a question, and question structure. The KBA question server then generates optimal formatting rules based on the attribute values; such formatting rules define a relationship between facts used to derive KBA questions and the words used to express the KBA questions to users. The KBA question generator then produces KBA questions according to the formatting rules.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: September 30, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Yael Villa, Boris Kronrod
  • Patent number: 8850538
    Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating an OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: September 30, 2014
    Assignee: EMC Corporation
    Inventors: Daniel Bailey Vernon, John G Brainard, William M Duane, Michael J O'Malley, Robert S Philpott
  • Patent number: 8850539
    Abstract: A system for challenge-response authentication is provided by receiving, from an external terminal over a communication network, a request for access to a service. A plurality of objects is presented to a user via a display. A plurality of codes is received over the communication network, each of the plurality of codes corresponding to one of the plurality of objects. The plurality of codes are matched to a plurality of alphanumeric characters according to a predetermined table. An alphanumeric string is generated from the plurality of alphanumeric characters and the alphanumeric string is compared to a user identifier stored in a database. Based on the comparing, a determination is made as to whether to grant the user access to the service.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: September 30, 2014
    Assignee: American Express Travel Related Services Company, Inc.
    Inventor: Samuel A. Bailey, Jr.
  • Patent number: 8850540
    Abstract: The examples of the present invention provide a method and device for verifying a dynamic password. In the method and device, some algorithm parameters can be exchanged in public by using a DH algorithm, and thus a same key is shared safely between two entities, so as to implement the verification of the dynamic password and further improve the security of identity verification. Moreover, the method and device can be easy to use. Further, by the above technical solution, no message exchange is needed between a mobile device and a verification server, and a user does not need to pay for additional flux, so as to decrease the burden of the user and verification costs.
    Type: Grant
    Filed: February 17, 2012
    Date of Patent: September 30, 2014
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Huibao Lin, Zhijan Qian, Xusheng Hu, Ruiqiang Liu
  • Patent number: 8850541
    Abstract: A system and method is provided for visual authentication and authorization of a user for mobile touch devices, the system having: a login display on a mobile touch device displaying a visual pattern; a data collection engine whereby touch attributes are obtained from a plurality of user touch events to the mobile touch device with reference to the visual pattern, the touch attributes comprise measured touch attributes and derived touch attributes calculated from the measured touch attributes; an authentication engine whereby the touch attributes are compared to projected user touch attributes derived from user touch attribute values obtained during prior successful logins.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: September 30, 2014
    Assignee: Delfigo Corporation
    Inventors: Raphael A. Rodriguez, Julian Spring, Daniel Volovik
  • Patent number: 8850542
    Abstract: A system and method for authenticating mobile communications devices. The method comprises: generating a code corresponding to a user configured to be rendered on a rendering device to produce a rendered code, the rendered code being readable by a mobile communications device having a code reading device, the rendered code comprising a secret token; storing the secret token along with information identifying the user on a first storage device; providing the code to the user; receiving, at the authentication server, a setup message from the mobile device, the message includes a device identifier and the secret token; comparing the received secret token and the secret token stored on the first storage device; if the received secret token matches the secret token stored on the first storage device, storing, on a second storage device, information identifying the user and a trusted device value corresponding to the device identifier.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: September 30, 2014
    Assignee: Desire2learn Incorporated
    Inventor: Jeremy Auger
  • Patent number: 8850543
    Abstract: An opportunity for a computing device to participate in a secure session with a particular domain is identified. A domain identifier of the particular domain is received and a secured microcontroller of the computing device is used to identify a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device. A secure identifier is derived for a pairing of the computing device and the particular domain based on the hardware identifier and domain identifier of the particular domain and the secure identifier is transmitted over a secured channel to the particular domain. The particular domain can verify identity of the computing device from the secure identifier and apply security policies to transactions involving the computing device and the particular domain based at least in part on the secure identifier.
    Type: Grant
    Filed: December 23, 2012
    Date of Patent: September 30, 2014
    Assignee: McAfee, Inc.
    Inventors: Vincent Edward Von Bokern, Purushottam Goel, Sven Schrecker, Ned McArthur Smith
  • Patent number: 8850544
    Abstract: The present invention provides a new method for user centered privacy which works across all 3rd party sites where users post content, or even for encryption of emails. Users have an identity with a Hyde-It Identity provider (HIP) which authenticates the user to a Hyde-It Service (HITS) which performs key distribution. The functionality can be invoked through a user toolbar, built into the browser or be downloaded on demand via a bookmarklet.
    Type: Grant
    Filed: April 23, 2009
    Date of Patent: September 30, 2014
    Inventor: Ravi Ganesan
  • Patent number: 8850545
    Abstract: Secure communications may be established amongst network entities for performing authentication and/or verification of the network entities. For example, a user equipment (UE) may establish a secure channel with an identity provider, capable of issuing user identities for authentication of the user/UE. The UE may also establish a secure channel with a service provider, capable of providing services to the UE via a network. The identity provider may even establish a secure channel with the service provider for performing secure communications. The establishment of each of these secure channels may enable each network entity to authenticate to the other network entities. The secure channels may also enable the UE to verify that the service provider with which it has established the secure channel is an intended service provider for accessing services.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: September 30, 2014
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Inhyok Cha, Louis J. Guccione, Andreas Schmidt, Andreas Leicher, Yogendra C. Shah
  • Patent number: 8850546
    Abstract: An information processing system comprises one or more processing devices of at least one processing platform. In one embodiment, the system comprises cloud infrastructure that is configured to validate an externally-generated security token issued to a user, to extract one or more claims from the validated externally-generated security token, and to create a session object to hold the extracted claim or claims. The cloud infrastructure issues an internally-generated security token based on the session object that allows the user to be identified to a protected resource. The internally-generated security token is validated in conjunction with a request from the user for access to the protected resource, and information associated with at least one extracted claim is selectively released responsive to validation of the internally-generated security token. Access of the user to the protected resource is granted or denied based on the selectively-released information.
    Type: Grant
    Filed: September 30, 2012
    Date of Patent: September 30, 2014
    Assignee: EMC Corporation
    Inventors: John P. Field, Vijayanand Bharadwaj, David A. Ohsie
  • Patent number: 8850547
    Abstract: A method, system, and computer program product for providing protected remote access from a remote access client to a remote access server over a computer network through a plurality of inspections. A remote access configuration file is created for the remote access client. A digital hash of the configuration file is then generated. The digital hash is compared with a configuration file stored at a predefined web location. If the comparison results in a match between the digital hash and the stored configuration file, a digital hash comparison is performed between an encrypted remote access configuration file and an encrypted configuration file stored at the predefined web location. If the plurality of inspections are passed, the remote access client is released from a quarantine state and a virtual private network (VPN) connection to the remote access server is established.
    Type: Grant
    Filed: March 14, 2007
    Date of Patent: September 30, 2014
    Assignee: Volcano Corporation
    Inventors: Colin Lee Feeser, Anthony W. Ondrus, Steven J. Sanders
  • Patent number: 8850548
    Abstract: A user-portable computing device configured as a smart card enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The device includes memory for storing user identities as information cards that are exported to a host computer, presented to a user in visual form, and then selected for use in the authentication process. A security token service installed on the device issues a security token in response to a token request sent from the host computer that references the selected user identity. The security token service uses user attribute information stored on the user device to compose the claim assertions needed to issue the security token. The token is returned to the host computer and used to facilitate the authentication process.
    Type: Grant
    Filed: May 27, 2009
    Date of Patent: September 30, 2014
    Assignee: Open Invention Network, LLC
    Inventor: Gail-Joon Ahn
  • Patent number: 8850549
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: May 3, 2010
    Date of Patent: September 30, 2014
    Assignee: BeyondTrust Software, Inc.
    Inventors: Peter David Beauregard, Andrey Kolishchak, Shannon E. Jennings, Robert F. Hogan
  • Patent number: 8850550
    Abstract: A security token service generates a security token for a user that is associated with a client and stores the full security token within a memory. The security token includes an identity claim that represents the identity of the generated security token. Instead of passing the entire security token back to the client, the identity claim is returned to the client. For each request the client makes to the service, the client passes the identity claim in the request instead of the full security token having all of the claims. The identity claim is much smaller than the full security token. When a computing device receives the identity claim within the request from the user, the identity claim is used to access the full security token that is stored in memory.
    Type: Grant
    Filed: November 23, 2010
    Date of Patent: September 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Javier Dalzell, Alexander Hopmann, Huy Nguyen
  • Patent number: 8850551
    Abstract: Provided is a method for controlling an information processing system including a relay service device, an intermediate service device, and an authentication service device. The control method includes transmitting an authentication request from the intermediate service device to the intermediate service device; acquiring a first access token from the authentication service device that has made a success of authentication; storing the first access token; comparing the stored first access token with a second access token included in an execution request of a relation processing upon reception of the processing execution request from the relay service; and executing processing received from the intermediate service device when it is determined in the comparing that the first access token matches the second access token or not executing the processing when it is determined in the comparing that the first access token does not match the second access token.
    Type: Grant
    Filed: October 26, 2012
    Date of Patent: September 30, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Koichi Abe
  • Patent number: 8850552
    Abstract: A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: September 30, 2014
    Assignee: Honeywell International Inc.
    Inventors: Donald C. Kauffman, Thomas D. Judd, Michael L. Olive
  • Patent number: 8850553
    Abstract: Embodiments for performing service binding between a client and a target server are disclosed. In accordance with one embodiment, a clear text client service binding value is received from a client at the target server, the client service binding value is compared to a server service binding value, and a communication channel is formed between the client and the target server when the client service binding value matches the server service binding value.
    Type: Grant
    Filed: September 12, 2008
    Date of Patent: September 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Mark F. Novak, Daniel Kaminsky
  • Patent number: 8850554
    Abstract: An approach is provided for providing separation of authentication protocols and/or authentication contexts for client-server and server-server communication in network communication. A proxy server receives a request to initiate a service session. The request includes a first authentication context. The proxy server requests verification of the first authentication context from an authentication server and validates the first authentication context based, at least in part, on the verification. The proxy server implements a second authentication context based, at least in part, on the verification of the first authentication context to initiate the service session.
    Type: Grant
    Filed: February 17, 2010
    Date of Patent: September 30, 2014
    Assignee: Nokia Corporation
    Inventors: Jari Otranen, Lauri Tarkkala, Deepali Khushraj
  • Patent number: 8850555
    Abstract: A system for, and method of, generating a plurality of proxy identities to a given originator identity as a means of providing controlled access to the originator identity in electronic communications media such as e-mail and instant messaging.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: September 30, 2014
    Assignee: Reflexion Networks, Inc.
    Inventors: Joseph E. McIsaac, Marcus Dahllof, Bruce L. Tatarsky, Richard K. Vallett
  • Patent number: 8850556
    Abstract: Provided is a Captcha Access Control System (CACS) for generating an improved captcha that is based, in one described embodiment, upon a command in one format and a response in a different format, one or both of which are rendered in a format that is difficult for an automated system to interpret. A computer system or program to which a user is requesting access generates a textual or audible command. A video device captures the user's response and transmits the response to a response evaluation device. Based upon an analysis of the transmitted video and a comparison between the analyzed video and the command, the computer or program either enables access or denies access.
    Type: Grant
    Filed: July 21, 2009
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Thomas J. Freund, Travis M. Grisby, Albert A. Lamb, Lee M. Surprenant
  • Patent number: 8850557
    Abstract: Disclosed are a processor and processing method that provide non-hierarchical computer security enhancements for context states. The processor can comprise a context control unit that uses context identifier tags associated with corresponding contexts to control access by the contexts to context information (i.e., context states) contained in the processor's non-stackable and/or stackable registers. For example, in response to an access request, the context control unit can grant a specific context access to a register only when that register is tagged with a specific context identifier tag. If the register is tagged with another context identifier tag, the contents of the specific register are saved in a context save area of memory and the previous context states of the specific context are restored to the specific register before access can be granted.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, William E. Hall, Guerney D. H. Hunt, Suzanne K. McIntosh, Mark F. Mergen, Marcel C. Rosu, David R. Safford, David C. Toll, Carl Lynn C. Karger
  • Patent number: 8850558
    Abstract: A method and apparatus for automatic user authentication are described. The method includes receiving information at a device, the device including a credential container; storing the information at the credential container and performing cryptographic calculations on the received information and providing the encrypted information upon request.
    Type: Grant
    Filed: February 2, 2009
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventor: Peng T. Ong
  • Patent number: 8850559
    Abstract: An application program of the portable device receives a command of an owner when the portable device is powered on. The application program notifies a basic input/output system to set a protection variable, and notifies the owner to set a password in a setup menu of the basic input/output system after the application program receives the command of the owner. A keyboard controller turns off the portable device to enable the protection variable after the basic input/output system sets the protection variable and the setup menu of the basic input/output system stores the password. After the protection variable is enabled, whenever the portable device is powered on, the basic input/output system checks a password inputted to the portable device at least once and the basic input/output system executes a corresponding operation according to a check result.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: September 30, 2014
    Assignee: Wistron Corporation
    Inventor: Fang-Yuan Sung
  • Patent number: 8850560
    Abstract: This specification relates to a mobile terminal capable of executing a lock state of restricting a touch input and a control method thereof. The control method for the mobile terminal, which displays a lock screen in the lock state of restricting an input of a control command for an application, includes displaying an execution screen of an application on the lock screen, and controlling the lock screen based upon a touch input detected in the lock state.
    Type: Grant
    Filed: October 21, 2011
    Date of Patent: September 30, 2014
    Assignee: LG Electronics Inc.
    Inventors: Yoonhee Kim, Silhee Sung, Juha Hyun
  • Patent number: 8850561
    Abstract: Disclosed is a computer implemented method and apparatus to provide authorizations to an administrative user. An integrated solutions console (ISC) receives an administrative user login corresponding to a console administrative user. The ISC presents a list of at least one management task. The ISC presents at least one input interface to a display for an administrative user name and at least one console role. The ISC receives an administrative user name and a console role. The ISC obtains an authorization descriptor that can be used to couple the administrative user name and the console role.
    Type: Grant
    Filed: August 25, 2008
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Gregory C. Birgen, Michael A. Bockus, Frank P. Feuerbacher, Michael W. Panico
  • Patent number: 8850562
    Abstract: Architecture that utilizes logical combinations (e.g., of Boolean logic) of authorizations as a logical authorization expression that is computed through a proofing process to a single proof value which equates to authorizing access to an intended entity. The authorizations are accumulated and processed incrementally according to an evaluation order defined in the authorization expression. The logical combinations can include Boolean operations that evaluate to a proof value associated with a sum of products expression (e.g., combinations of AND, OR, etc.). The incremental evaluations output corresponding hash values as statistically unique identifiers used in a secure hash algorithm that when evaluated in order allow execution of a specific command to access the entity. The architecture, employed in a trust module, uses minimal internal trust module state, and can be employed as part of a device system that handles trust processing to obtain authorization to access the intended entity.
    Type: Grant
    Filed: June 23, 2010
    Date of Patent: September 30, 2014
    Assignee: Microsoft Corporation
    Inventor: David R. Wooten
  • Patent number: 8850563
    Abstract: User accounts, authentication information and user home directories are stored on an external storage media that can be transferred from one device to another. Measures are included for detecting tampering of stored information and for preventing possibly conflicting or damaging account and file information from entering a host device.
    Type: Grant
    Filed: September 15, 2012
    Date of Patent: September 30, 2014
    Inventor: Bruce Gaya
  • Patent number: 8850564
    Abstract: A printing system includes an image forming apparatus and a host terminal apparatus. The image forming apparatus is operated by a first user who picks up a printed output of the image forming apparatus. A second user sends print data from the host terminal apparatus. The image forming apparatus includes an input section, a receiving buffer, and a watermark embedding section. The first user inputs a first item of information indicative of the first user through the input section. The receiving buffer stores the print data therein. The watermark embedding section produces a watermark pattern in which information representative of the first item of information is embedded, and combines the print data with the watermark pattern. The image forming apparatus prints out the received print data with the watermark pattern embedded therein. The watermark pattern includes the first item of information therein.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: September 30, 2014
    Assignee: Oki Data Corporation
    Inventor: Hiroyuki Tsuzuki
  • Patent number: 8850565
    Abstract: The present invention provides a system and method to process information regarding a network attack through an automated workflow that actively reconfigures a plurality of heterogeneous network-attached devices and applications to dynamically counter the attack using the network's own self-defense mechanisms. The present invention leverages the security capabilities present within existing and new network-attached devices and applications to effect a distributed defense that immediately quarantines and/or mitigates attacks from hostile sources at multiple points simultaneously throughout the network. In a preferred embodiment, deployed countermeasures are automatically lifted following remediation activities.
    Type: Grant
    Filed: January 10, 2005
    Date of Patent: September 30, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Robert Patrick, Christopher Key, Paul Holzberger
  • Patent number: 8850566
    Abstract: Detecting infectious messages comprises performing an individual characteristic analysis of a message to determine whether the message is suspicious, determining whether a similar message has been noted previously in the event that the message is determined to be suspicious, classifying the message according to its individual characteristics and its similarity to the noted message in the event that a similar message has been noted previously.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: September 30, 2014
    Assignee: SonicWALL, Inc.
    Inventors: Jennifer Rihn, Jonathan J. Oliver
  • Patent number: 8850567
    Abstract: Unauthorized URL requests are detected based on individual user's access map(s). An access map describes legitimate paths that a user may be led from one URL to another URL. Additional information on individual URLs forming the paths, such as whether a particular URL is a start URL or a critical URL, is also included in the access map. The access map may be updated based on the most currently available information. When a URL request is made from a client device associated with a user, and if it is determined that the requested URL may potentially suffer from CSRF attacks, then the requested URL and its referral URL are compared against the URL paths in the user's access map to determine whether the URL request is unauthorized. If so, then an alert may be raised.
    Type: Grant
    Filed: February 4, 2008
    Date of Patent: September 30, 2014
    Assignee: Trend Micro, Inc.
    Inventors: Sheng-Chi Hsieh, Jui-Pang Wang, Chao-Yu Chen
  • Patent number: 8850568
    Abstract: A method and apparatus for detecting attacks against a computing device are described. Such attacks may be detected by the device and reported to a requesting entity in a manner that makes it difficult for an attacker to know that the attack has been detected. Several exemplary embodiments comprising different client/server and client/network type systems are presented.
    Type: Grant
    Filed: March 7, 2008
    Date of Patent: September 30, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Martyn Ryan Shirlen, Richard Gerard Hofmann
  • Patent number: 8850569
    Abstract: A computing device capable of instant messaging (IM) contains IM anti-malware software for preventing the transmission of malware-created IMs and opening potentially harmful IMs that it receives. When transmitting an IM, the software checks to ensure that the message being sent was created by the user (a human being) and not by IM malware, such as an IM BOT. This is done by copying details of a message as it is being typed by a user into a database and searching for that data before an IM is transmitted from the device. The software also ensures that when it receives an IM from an outside source, the message contains a special encrypted signal that was inserted into the message by the source when the source has determined that the message was created by a human being. If the special signal is not found, it is presumed that the message was created by malware and may be discarded.
    Type: Grant
    Filed: April 15, 2008
    Date of Patent: September 30, 2014
    Assignee: Trend Micro, Inc.
    Inventors: Chih-Jung Huang, Shun-Fa Yang, Cheng-Jyun Lai, Wei-Chin Chen, Kevin Chien-Yu Chen
  • Patent number: 8850570
    Abstract: A candidate suspicious website is identified. A plurality of lightweight features associated with the candidate suspicious website is identified. A filter score is determined based on the plurality of lightweight features, wherein the filter score indicates a likelihood that the candidate suspicious website is a malicious website. Whether the filter score exceeds a threshold is determined. Responsive at least in part to the filter score exceeding the threshold it is determined that the candidate suspicious website is a suspicious website. Whether the suspicious website is a malicious website is determined by identifying software downloaded to the computing system responsive to accessing the suspicious website and determining whether the software downloaded to the computing system is malware based on characteristics associated with the downloaded software.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: September 30, 2014
    Assignee: Symantec Corporation
    Inventor: Zulfikar Ramzan