Abstract: A method for managing unlinkable database user identifiers includes distributing to a first database a first encrypted user identifier, a first database identifier, and a first database user identifier; distributing to a second database a second encrypted user identifier, a second database identifier, and a second database user identifier; receiving from the first database a third encryption and a fourth encryption, the third encryption being formed from the first encrypted user identifier, the second database identifier, and a message comprised in the fourth encryption; decrypting the third encryption thereby obtaining a decrypted value; deriving a blinded user identifier from the decrypted value; and sending the encrypted blinded user identifier and the fourth encrypted value to the second server thereby enabling the second server to compute the second database user identifier from the encrypted blinded database user identifier and the decrypted fourth encrypted value.

Abstract: A computer-implemented method for smart cipher selection may include (1) receiving, at a server and from a client, a request to communicate according to a cipher for encryption, the request containing a client list of ciphers available at the client, (2) identifying a server list of ciphers available at the server, (3) measuring, in response to receiving the request, a resource load at the server and a risk factor indicating a degree of risk posed by the client, and (4) selecting a common cipher, from the client list and the server list, for encrypted communication based on the measured resource load at the server and the measured risk factor indicating the degree of risk posed by the client. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system, method, and computer-readable storage medium for protecting a set of storage devices using a secret sharing scheme. The data of each storage device is encrypted with a key, and the key is encrypted based on a shared secret and a device-specific value. Each storage device stores a share and its encrypted key, and if a number of storage devices above a threshold are available, then the shared secret can be reconstructed from the shares and used to decrypt the encrypted keys. Otherwise, the secret cannot be reconstructed if less than the threshold number of storage devices are accessible, and then data on the storage devices will be unreadable.

Abstract: Methods, devices, and systems are provided for optimizing the dissemination of information in various types of systems such as an access control system. More specifically, there are provided herein various mechanisms to provide a modified agent path such that an agent following the modified agent path, may update at least one non-networked reader. The update of the at least one non-networked reader not occurring if the agent follows an unmodified agent path.

Abstract: A network system includes: a network device; and a portable connection device capable of connecting thereto a terminal device which accesses the network device, where the portable connection device holds authentication information related to the connection between the network device and the terminal device, the authentication information being previously set. Here, the network device includes a processor, and the processor acquires the authentication information held in the portable connection device according to the connection of the portable connection device to the network device, acquires identification information on the terminal device from the terminal device according to the connection of the terminal device to the portable connection device, and compares the acquired authentication information with the identification information on the terminal device and device information on the network device to determine whether or not the access from the terminal device is allowed.

Abstract: A client terminal transmits a signal related to an authentication request to a service delivery server through a browser every time an application is started by an instruction from a user. Upon receiving the authentication request from the client terminal, an authentication server executes authentication processing in cooperation with the service delivery server based on authentication information of an application of the client terminal, a session of which has been established, and stored in the service delivery server, and user information related to the user stored in the authentication server.

Abstract: After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider.

Abstract: A system, method, and apparatus are provided for performing reliable network, capability, and service discovery. A method may include providing for transmission of a request for signed access point information. The request may be provided for transmission prior to authenticating with an access point when authentication is performed or prior to associating with an access point when authentication is not performed. The method may further include receiving a response including signed access point information. The method may additionally include verifying the signed access point information using a digital certificate. The method may also include selecting the access point for communication based in least in part on the verified signed access point information. A corresponding system and apparatus is also provided.

Abstract: Methods and systems for authenticating a security device for providing a secure access and transaction authorization to a remote network location are provided. The security device is authenticated by installing private security software on the security device. A Two-Channel authorization method includes a transaction notification/authorization channel and a transaction channel. A Three-Channel authorization method includes a transaction notification channel, a transaction authorization channel, and the transaction channel. Embodiments of the present invention provide increased security and privacy. A corresponding system for authenticating a security device and preforming secure private transactions is also provided.

Abstract: Methods and systems for enrolling a user in an authentication program. In some embodiments, voice interaction that includes a request or command is received from a user. The user may be requested to provide authentication information to fulfill the request or command made during the voice interaction. The user may be authenticated using a first authentication method. The user may be passively enrolled into an authentication program that uses a second authentication method. Enrolling may include deriving characteristics of the user's voice from the voice interaction. After the user is enrolled in the authentication program, the second authentication method may be used to authenticate the user prior to fulfilling requests or commands made during voice navigation.

Abstract: A method and device for performing a service. The method includes detecting whether a user terminal device approaches an approach recognition area, receiving identifier information from the user terminal device, when it is detected that the user terminal device approaches the approach recognition area, obtaining user information based on the identifier information, and displaying a personalized area based on the user information.

Abstract: A method and system for providing security to Universal Plug and Play (UPnP) operations in a home network environment based on ownership rights where a request is received from a Control Point (CP) to perform an UPnP action associated with an UPnP resource. It is determined whether the CP holds an ownership right to perform the UPnP action based on ownership data associated with the UPnP resource. Accordingly, the CP is authorized to execute the UPnP action on the UPnP resource or an error message is returned to the CP based on the ownership of the UPnP resource.

Abstract: An authentication-related request sent from a mobile device to an authentication server is received at a proxy server. A posture of the mobile device is dynamically determined based at least in part on information included in the request. The request is validated based at least in part on the dynamically-determined posture. The proxy server communicates with an authentication server on behalf of the mobile device to obtain authentication information usable by the mobile device to access a service.

Abstract: Systems and methods here may be used for authorizing network access including using a flow controller server in communication with a first gateway associated with a first network, a second gateway associated with a second gateway, and a repository, the flow controller server configured to, receive a first client device request to access the first network via the first gateway, receive a second client device request to access the second network via the second gateways, retrieve a validation response from the repository, wherein the validation response includes correlated client device identifier with client device credentials for the first network and second network.

Abstract: A method and system for authorizing a user at a field device by a portable communications device. A first information is acquired by the portable communications device for identifying the field device. The portable communications device sends to a system the first information and a second information for identifying at least one of (i) the portable communications device, and (ii) the user thereof. The system determines a first piece of access information on the basis of the first information and the second information, and sends the first piece of access information to the portable communications device. The portable communications device transmits the second information and the first piece of access information to the field device. The field device determines a second piece of access information on the basis of the second information, and compares the first piece of access information with the second piece of access information.

Abstract: User requests for a web application can be received at a reverse proxy. Web application code for a first application can be obtained. Data can be checked at the reverse proxy to determine whether to insert an element into the first application. If there is a match, a combined web application can be produced, including the first web application and the element.

Abstract: A system and method for tracking sensitive data uses dynamic taint analysis to track sensitive data as the data flows through a target application running on a computer system. In general, the system and method for tracking sensitive data marks data as tainted when the data input to the target application is indicated as sensitive. The system and method may then track the propagation of the tainted data as the data is read from and written to memory by the target application to detect if the tainted data is output from the application (e.g., leaked). Dynamic binary translation may be used to provide binary instrumentation of the target application for dynamic taint analysis to track propagation of the tainted data at the instruction level and/or the function level. Of course, many alternatives, variations, and modifications are possible without departing from this embodiment.

Abstract: An information processing system implements an intelligent remediation system for security-related events. The intelligent remediation system comprises a classifier configured to process information characterizing the events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback from one or more users regarding the risk scores. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events. A user interface is provided to allow one or more users to supply the feedback regarding the risk scores.

Abstract: The disclosed computer-implemented method for attributing potentially malicious email campaigns to known threat groups may include (1) identifying a potentially malicious email campaign targeting at least one organization, (2) detecting, within the potentially malicious email campaign, an incriminating feature that has been linked to a known threat group, (3) determining, based at least in part on detecting the incriminating feature linked to the known threat group, that the known threat group is likely responsible for the potentially malicious email campaign, and then in response to determining that the known threat group is likely responsible for the potentially malicious email campaign, (4) attributing the potentially malicious email campaign to the known threat group. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: When obtained communication data corresponds to an external communication from the outside of the network to the inside, external communication data is stored. When the obtained communication data corresponds to a service start, external communication data associated with the service start is extracted, and service start data is stored in correlation with the extracted external communication data. When the obtained communication data corresponds to an operation end, operation end data is stored. When the obtained communication data corresponds to a communication from the inside to the outside of the network, operation end data associated with the obtained communication data is extracted. Then, it is determined that a condition is satisfied that external communication data associated with the obtained communication data is stored in correlation with the service start data associated with the extracted operation end data. When the condition is satisfied, an attack for the system is detected.

Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment, monitoring a heap of a memory while executing the program in the virtual environment, and detecting a potential heap spray attack based on detecting a burst allocation of a first plurality of blocks in the heap of the memory, in which each of the first plurality of blocks is stored in the predefined address range of the memory.

Abstract: Denial-of-service attacks are prevented or mitigated in a cloud compute environment, such as a multi-tenant, collaborative SaaS system. This is achieved by providing a mechanism by which characterization of “legitimate” behavior is defined for accessor classes, preferably along with actions to be taken in the event an accessor exceeds those limits. A set of accessor “usage profiles” are generated. Typically, a profile comprises information, such as one or more “constraints,” and one or more “actions.” At least one constraint is generated by applying one or more parameters of a transaction weighting function such that the resulting constraint represents an actual or estimated cost of executing the transaction. An action defines how the system will respond if a particular constraint is triggered. By applying the constraints to accessor requests, the approach prevents over-utilization of compute resources.

Abstract: Systems and methods for detecting a visual characteristic of interest within an image are disclosed. An example method involves obtaining an image that includes at least one pixel representing a visual characteristic of interest, creating a first sequence and a second sequence of bitwise data from values associated with the pixel, and converting these bitwise sequences into a first sequence of integers and a second sequence of integers. Using a distance function, a similarity metric is determined between the first sequence of integers and the second sequence of integers. Based on the similarity metric, a third sequence of integers is created and stored. The third sequence of integers can be used to facilitate the identification of the visual characteristic of interest in other images.

Abstract: A security device may be configured to receive information regarding traffic that has been outputted by a particular user device; and compare the information regarding the traffic to security information. The security information may include device behavior information, traffic policy information, or device policy information. The security device may determine, based on the comparing, that a security threat exists with regard to the traffic; and take, based on determining that the security threat exists, remedial action with respect to the traffic. Taking the remedial action may include preventing the traffic from being forwarded to an intended destination associated with the traffic, providing an alert, regarding the security threat, to the particular user device, or providing an alert, regarding to the security threat, to another device.

Abstract: A plurality of security events is detected in a computing system, each security event based on at least one policy in a plurality of security policies. Respective interactive graphical representations are presented in a graphical user interface (GUI) of either or both of the security events or security policies. The representations include interactive graphical elements representing the respective security events or security policies. User selection of a particular event element via the interactive GUI causes a subset of the security policies to be identified, each security policy in the subset serving as a basis for at least one particular security event represented by the particular event element. User selection of a particular policy element via the interactive GUI causes a subset of the security policies to be identified, each security event in the subset based at least in part on a particular security policy represented by the particular policy element.

Abstract: A permitting system for controlling devices in a system includes a permit issuing agent that receives a command to be sent to a device. Based upon at least one attribute of the command, the permit issuing agent identifies one or more business logic modules that is pertinent to the command. Each business logic module has a respectively different set of business rules associated with it. Each identified business logic module determines whether the command complies with the business rules associated with that module. If the command is determined to comply with the business rules of all of the identified business logic modules, the agent issues a permit for the command, and the permit is sent to the device for execution of the command.

Abstract: A computer-implemented method, including receiving, by one or more computer systems, customer characteristic information for a user; applying, by the one or more computer systems, one or more recommendation rules to the customer characteristic information to determine a security tier; comparing, by the one or more computer systems, the customer characteristic information to one or more other users with a threshold level of similarity to the user for which the customer characteristic information is received; identifying, by the one or more computer systems, a security tier assigned to one of the one or more other users; and generating information indicative of a recommended security tier, based on the identified security tier and the determined security tier.

Abstract: A computer system receives a service request over a service channel from a user device, initiates a challenge to the user device to provide authentication information based on a set of authenticators, and determines an initial level of authentication. When the initial level of authentication is not sufficient for the service channel or protected resource, the apparatus generates a challenge to the user device with at least one additional authenticator and determines an achieved level of authentication based on the further authentication information. When the achieved level of authentication reaches a target authentication level for the service channel, the apparatus continues processing the service request by the service channel. The computer may transfer the service request to another service channel with the authentication token obtained on the original service channel and further challenges the user device with additional authenticators when a higher level of authentication is necessary.

Abstract: Data is asynchronously provided to a participant of a conversation. A temporal model is maintained for each of a plurality of client devices associated with the conversation. A temporal model describes a state of an associated client device. Data for sending to a client device is identified based on conversation context information describing a context of a conversation participant associated with the client device. A determination of whether to send the identified data to the client device is made based on the temporal model associated with the client device. The temporal model associated with the client device is updated based on the determination.

Abstract: The obfuscation of information included in Session Initiation Protocol (SIP) invites for the purposes of facilitating Lawfully Authorized Electronic Surveillance (LAES) is contemplated. The obfuscation may include the use of LAES headers with invites of sessions that require surveillance as well as those not requiring surveillance and/or selecting values or otherwise influencing parameter selection of data included in LAES headers according to a validity function, a shared secret, a key or other construct.

Abstract: A method for preparing media content to be streamed to a client divides a stream of the media content at the server into multiple media segments. Each of the multiple media segments is to be stored as an individual file in a memory in a transfer protocol compliant format. A top-level manifest file is generated, which has a plurality of Universal Resource Locators (URLs). The plurality of URLs indicates an ordering of the multiple media segments to recreate the stream of media content. Responsive to a client request received over a network to present the media content in a trick play mode of operation, a modified manifest file is obtained based on the top-level manifest file. The modified manifest file includes a subset of the plurality of URLs indicating an ordering of media segments that create a representation of the stream of media content presentable in the trick play mode of operation.

Abstract: An electronic device and method for sourcing and/or constructing a playlist are provided. An assignment of a playlist identifying a plurality of songs is received. A plurality of devices from which the plurality of songs may be retrieved is determined. The availability of the plurality of devices is determined. At least one of the plurality of devices is connected to in order to to access at least one of the plurality of songs. Memory of the electronic device can be scanned for stored songs to incorporate into the playlist.

Abstract: A method and a device are provided for making available at least one communication datum retrieved during consultation of a multimedia stream on a first terminal. The method includes a step of reception of a request for obtaining the at least one communication datum, a step of extraction of the at least one communication datum from the multimedia stream, a step of transmission to at least one second terminal of the at least one communication datum extracted. The communication datum transmitted thus makes it possible to implement on the second terminal an application making it possible to establish a multimedia communication between the second terminal and a remote device.

Abstract: An Internet protocol Multimedia Subsystem (IMS) gateway application server includes an originating application server module adapted to invoke call control services in response to requests initiated by a voice over Internet Protocol (IP) (VoIP) client associated with a communication device such as an IP telephone. Disclosed gateway application servers include a proxy server module adapted to notify the communication client of session control messages intended for the communication device.

Abstract: The disclosed embodiments include a system, computer program product, and method for routing a call over a packet network. A call request may be received from a calling party to call a called party at a network address. At least one potential call path over a packet network may be determined to connect the calling party to the called party at the network address. Network performance information associated with each potential call path may be accessed and a determination may be made that each of the call paths are impaired or congested. In response to determining that each of the call paths are impaired or congested, the call may be routed over a call path other than one of the at least one potential call paths to enable the calling party to communicate with the called party.

Abstract: The invention includes a method of providing media data of a SIP-based Auxiliary Service from an Auxiliary Application Server, AS, to a recipient peer of an established communication exchange between peers. The method includes issuing an invocation to the Auxiliary AS, the invocation including an indication of the recipient peer of the Auxiliary Service. The Auxiliary Service media data is prepared and sent to the recipient together with a correlation ID identifying the established communication exchange, and an Application Classmark identifying the auxiliary service.

Abstract: According to one embodiment, a technique is presented to dynamically adjust a sample period used at a presenter device for a screen content capture sharing function during a communication session. In another embodiment, a technique is provided to control how frames of screen capture content, e.g., in a desktop sharing function, are sent to attendee devices during an online conference session. According to a still another embodiment, a technique is provided to enable on-demand designation of frames as key-frames during a desktop sharing function of an online conference session.

Abstract: Embodiments of the invention address deficiencies of the art in respect to application sharing and provide a method, system and computer program product for user interface widget unit based application sharing. In a first embodiment, a data processing system for user interface widget unit based application sharing, can include a dynamic widget server communicatively linked to a dynamic widget browser. The dynamic widget browser can include program code enabled to render a user interface including one or more remote dynamic widgets peered to corresponding dynamic widgets for a dynamic view for an application launched by the dynamic widget server.

Abstract: Techniques for adaptive content transmission are described herein. During transmission of a content item, a network connection may be monitored to collect data corresponding to one or more network conditions associated with the transmission of the content item. Such network conditions may include, for example, network throughput, available network bandwidth, network latency and others. The collected data may be used to dynamically adjust one or more transmission attributes in connection with the transmitted content item. The one or more transmission attributes may be determined for adjustment at any desired transmission interval.

Abstract: Systems and methods for electrophoretically displaying a brand identifier of a telecommunications service provider or equipment manufacturer on the portable electronic device. The branding may be set at the manufacturer or when the user first powers the phone on. In addition, the branding may be wiped and reset if there is a change in ownership and/or telecommunications service provider of the portable electronic device. Periodically upon startup after the branding has been set and locked, making a user unable to manually change the branding at will, the portable electronic device may check to ensure the displayed branding is the same as or equivalent to the current brand.

Abstract: In a networked system connecting a subscriber to a content source via one or more networks, a computer-implemented method includes instantiating a session model for a media session between the subscriber and the content source, the session model to generate session metadata from application-layer interactions between the subscriber and the content source. The method further includes instantiating an interaction model in response to detecting an application-layer interaction in a transport flow of the subscriber, the application-layer interaction comprising media data for the media session. The method also includes generating, at the interaction model, interaction metadata representative of the application-layer interaction, and processing at least one of the interaction metadata and the media data at the session model to generate session metadata responsive to matching the interaction model to the session model.

Abstract: An audiovisual signal is converted from a native format to a digital, packetized interchange format and transported between a capture node and a display node through a switch. The display node converts the audiovisual signal from the interchange format to a displayable format and causes display of the audiovisual signal. The use of a switch for video routing and distribution allows one-to-one, one-to-many, many-to-one, and many-to-many distribution. The use of a device-independent interchange format allows concurrent distribution of multiple heterogeneous audiovisual signals.

Abstract: Systems and methods are presented to facilitate caching of programming from broadcast and/or content streaming services to a user device for local playback. In addition, metadata can be provided to guide the user in selecting, caching, or playing the cachable content. In some exemplary embodiments, a receiver or other user device can automatically select the programming to be cached based on a user's historical topic interest and listening history. In some exemplary embodiments, the metadata can also include DRM information that can limit the ability of a user to playback the content, so as to comply, if necessary, with operative legal requirements related to usage of the content.

Abstract: A method for determining a preferred image format in a User Equipment (UE) supporting a mobile video call between UEs, each having a camera and a display includes receiving, from an opposing UE, video transmission control information including therein a preferred image format, and if the preferred image format requested by the opposing UE is acceptable, then the opposing UE sends video transmission control information including therein at least one of an acceptable response message and an acceptable new preferred image format according to acceptability of the preferred image format requested by the opposing UE.

Abstract: A method for sorting and merging data from at least two sources may include providing a multi-state merge of queues from a first input queue and a second input queue to a merged output, responsive to states of the first and second input queues, setting the state of the first input queue; preventing merging of the first input queue with the non-empty second input queue while the state of the first input queue is empty waiting; and merging the first input queue with the non-empty second input queue responsive to the state of the first input queue being active or ignore, or the wait duration time being exceeded, or in response to a startup command.

Abstract: A transmitter and receiver for communication of multimedia streams across a multi-lane communications link. The transmitter packetizes multimedia streams according to a link layer protocol and distributes the packets across multiple lanes of a communications link. The entire packet, including the header and payload, can be distributed across the lanes in an ordered sequence to increase utilization of the communication lanes. The transmitter may also packetize multiple multimedia streams and intermix the packets across the lanes of the communication lane. The receiver extracts the packets that are distributed across the multiple lanes and decodes the packets into the multimedia streams.

Abstract: An apparatus can include a congestion controller at a source endpoint node of a network that is configured to send substantially real-time media data at a variable sending rate to another endpoint node via the network. The congestion controller can be configured to compute the sending rate as a function of a predetermined target delay and feedback from the other endpoint node that includes a receive delay time for packets of the substantially real-time media data to be received at the other endpoint node from the source endpoint node.

Abstract: Systems and methods for predicting content performance with interest data include receiving a content selection request that includes a client identifier. One or more topical interest categories associated with the client identifier may be used as inputs to a prediction model to predict the likelihood of an online action occurring as a result of third-party content being selected. The predicted likelihood may be used to select third-party content.

Abstract: There is provided a system and method for exchanging messages between a native application and a web browser using a server. The server configured to receive a message from a communication application of a first client device for delivery to the second client device, determine if the second client device includes the communication application, create a link to a webpage for rendering the message on the webpage when the second client device does not have the communication application, transmit the link to the second client device, render the message on the webpage to the second client device in response to receiving a request, receive a reply message from the second client device, and transmit the reply message to the first client device for rendering by the communication application. The message from the first client device may include a multimedia message, such as an animated avatar with a lip-sync audio.

Abstract: A logical client includes a primary client device and one or more secondary client devices. Each of the secondary client devices may be coupled to one or more peripherals. The primary client in the logical client may use a virtual machine (VM) and/or an application that uses one or more peripheral devices. The primary client device may not be coupled to the one or more peripheral devices used by the application and/or the VM. The primary client device may access the peripheral devices coupled to secondary client devices in order to use the application and/or the VM.