Patents Issued on February 7, 2017
-
Patent number: 9565156
Abstract: A method and arrangement is provided which allows a PC or other client device to be used to communicate with third parties through a mobile communication device when a user and the mobile communication device are not in the vicinity of one another. The arrangement allows the user to control operation of the mobile communication device over a WLAN so that the user can send or receive messages such as voice and text messages to a remote party from the client device through the mobile communication device over the WLAN and the mobile communication network employed by the mobile device.
Type: Grant
Filed: September 19, 2011
Date of Patent: February 7, 2017
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: John Yovin
-
Patent number: 9565157
Abstract: Comprises identifying an end point or content server that can best serve an end user that sent a DNS request to an ISP DNS resolver, given a geographically distributed network of end points. In particular, the method further comprises using the end points themselves and a tracker to identify and notify to the end user the IP addresses of the least-loaded and closest end points that can best serve the content request.
Type: Grant
Filed: May 7, 2012
Date of Patent: February 7, 2017
Assignee: Telefonica, S.A.
Inventors: Parminder Chhabra, Armando Antonio Garcia Mendoza, Carmelo Acosta Ojeda, Pablo Rodríguez Rodriguez, Alvaro Saurín Parra
-
Patent number: 9565158
Abstract: A computer-implemented method for automatically configuring virtual private networks may include 1) broadcasting by a client on a network to discover a virtual private network server configured to manage virtual private networks, 2) discovering, by the client in response to the broadcast, the virtual private network server, 3) establishing a secure connection between the client and the virtual private network server in response to the discovery, and 4) receiving, by the client from the virtual private network server through the secure connection, configuration settings that enable the client to automatically connect to a virtual private network. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 14, 2012
Date of Patent: February 7, 2017
Assignee: Symantec Corporation
Inventor: Shaun Cooley
-
Patent number: 9565159
Abstract: In some embodiments, an apparatus includes a management module configured to assign a unique set of identifiers to each network control entity from a set of network control entities. As a result, a network control entity from the set of network control entities can assign an identifier from its unique set of identifiers to a port in response to that network control entity receiving a login request from the port. The set of network control entities is associated with a distributed multi-stage switch. The management module is also configured to store a zone set database associated with the distributed multi-stage switch. The management module is configured to send an instance of an active zone set stored within the zone set database to each network control entity from the set of network control entities such that each network control entity can enforce the active zone set.
Type: Grant
Filed: December 21, 2011
Date of Patent: February 7, 2017
Assignee: Juniper Networks, Inc.
Inventors: Amit Shukla, Joseph White, Ravi Shekhar, Jeevan Kamisetty
-
Patent number: 9565160
Abstract: Various techniques can be used to advertise adjacency segment identifiers (IDs) within a segment routing (SR) network. For example, a method, performed by a first node, can involve identifying an adjacency segment between a first node and a second node; assigning an identifier to the adjacency segment; and sending an Intermediate-System-to-Intermediate-System (IS-IS) hello (IIH) message to another node. The adjacency advertisement includes the identifier. If the adjacency segment is part of a LAN, the IIH message can be sent to a designated node that aggregates adjacency segment ID advertisements for the other nodes on the LAN.
Type: Grant
Filed: March 11, 2014
Date of Patent: February 7, 2017
Assignee: Cisco Technology, Inc.
Inventors: Stefano B. Previdi, Clarence Filsfils, Ahmed R. Bashandy, David D. Ward
-
Patent number: 9565161
Abstract: A method, system and computer program product for electronically communicating a correct Uniform Resource Locator (URL). The browser detects a copying of a URL to be placed in an electronic communication. In response to determining that the URL specifies an address of a loopback interface of the computing device via a localhost, the browser obtains the Fully Qualified Domain Name (FQDN) or Internet Protocol (IP) address of the computing device hosting the resource (e.g., application) referenced by the URL. The browser replaces the localhost in the URL with either the FQDN or IP address of the computing device. The modified URL is then made available to be shared with other users via electronic communication. In this manner, the localhost is automatically replaced with the correct domain name or IP address thereby ensuring that third party users will be able to retrieve the resource hosted on the computing device.
Type: Grant
Filed: May 24, 2012
Date of Patent: February 7, 2017
Assignee: International Business Machines Corporation
Inventors: Todd E. Kaplinger, James L. Lentz, Christopher C. Mitchell, Aaron K. Shook
-
Patent number: 9565162
Abstract: A one-way data transmission and reception system and method, which mitigate the problem of a buffer overflow that may occur on a reception system while also mitigating the problem of data loss caused by a link error that may occur in the unidirectional line of a physical one-way data transmission system. The one-way data transmission system includes a first interface unit connected to a first network. A second interface unit is unidirectionally connected to a reception system connected to a second network. An interface integration module unit transmits a delayed Transmission Control Protocol (TCP) Acknowledgement (ACK) frame to a TCP session established with a device of the first network unit through the first interface unit, and transmits one or more identical data frames to the reception system through the second interface unit.
Type: Grant
Filed: May 30, 2015
Date of Patent: February 7, 2017
Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
Inventors: Dongwook Kim, Byunggil Min, Yeop Jang, Woonyon Kim, Jungtaek Seo
-
Patent number: 9565163
Abstract: Verification of continuity for a network service path that includes at least one network function that blocks test packets may be achieved by providing a bypass mechanism to bypass test packets around the at least one network function that blocks test packets. Verification of continuity may be done when the network service is available for active use or when it is not ready for active use. Detection of a continuity problem leads to more detailed diagnostic work.
Type: Grant
Filed: June 2, 2015
Date of Patent: February 7, 2017
Assignee: ADVA OPTICAL NETWORKING SE
Inventors: Krishnamoorthy Arvind, Ramesh Nagarajan, Richard Tang-Kong
-
Patent number: 9565164
Abstract: Techniques to rate-adjust data usage on mobile devices using a virtual private network are described. In one embodiment, an apparatus may include a processor circuit, and an application component operative on the processor circuit to present a link to third party data, receive a control directive to follow the link, and to request to access the third party data. The apparatus may also include a client virtual private network (VPN) component operative on the processor circuit to communicate with a server having a server VPN component, receive the request to access the third party data from the application component, determine whether the accessing is rate-adjusted, and connect to a source of the third party data via the server VPN component. Other embodiments are described and claimed.
Type: Grant
Filed: November 12, 2013
Date of Patent: February 7, 2017
Assignee: FACEBOOK, INC.
Inventors: Ran Makavy, Breno Roberto
-
Patent number: 9565165
Abstract: Provided are a system and method for controlling virtual private network (VPN) access. The system includes a first VPN gateway, a second VPN gateway, a wireless local area network (WLAN) access control server configured to detect a corporate intranet connection of a wireless communication terminal connecting to a corporate intranet via the first VPN gateway, and a VPN setting change server configured to receive a request to change a VPN setting of the wireless communication terminal from the WLAN access control server and control the wireless communication terminal to change the VPN gateway currently in connection with the wireless communication terminal to the second VPN gateway in accordance with the VPN setting change request.
Type: Grant
Filed: December 22, 2014
Date of Patent: February 7, 2017
Assignee: SAMSUNG SDS CO., LTD.
Inventors: Young Soo Yuk, Yang-Hwan Joe
-
Patent number: 9565166
Abstract: A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server retrieves the requested network resource. The proxy server determines that the requested resource is an HTML page, automatically modifies the HTML page, and transmits the modified HTML page to the client device.
Type: Grant
Filed: September 30, 2011
Date of Patent: February 7, 2017
Assignee: CLOUDFLARE, INC.
Inventors: Lee Hahn Holloway, Matthew Browning Prince, Matthieu Philippe François Tourne
-
Patent number: 9565167
Abstract: A load balancer is provided that can direct Internet Protocol Security (IPsec) traffic received from a single IPsec tunnel initiator to one of a plurality of endpoints provided Virtual Private Network (VPN) gateways in a network. The load balancer uses IP (Internet Protocol) addresses and SPIs (Security Parameter Identifier) to identify an endpoint responsible for processing particular packets for the VPN. Messages received at the load balancer from the endpoints are utilized to map endpoints responsible for processing packets having a particular IP address and SPI for forwarding IPsec traffic to the correct endpoint.
Type: Grant
Filed: January 21, 2015
Date of Patent: February 7, 2017
Assignee: Huawei Technologies Co., Ltd.
Inventor: Evelyne Roch
-
Patent number: 9565168
Abstract: A security monitor processing server is disclosed. The server comprises a plurality of processors, a memory, and a security monitor application that, when executed by a first processor checks for a message that requests establishment of a secure communication link between a different server and the server directed to it by the different server. The application sends a request to an operating system (OS) to suspend functionality of the other processors except for the first processor. The application sends a request to the OS to suspend a process executing on the first processor. The application conducts a communication session with the different server. The application, responsive to completion of the communication session sends a request to the OS to allow the other processors to resume functionality. The application sends a request to the OS to resume execution of the suspended process on the first processor.
Type: Grant
Filed: May 5, 2015
Date of Patent: February 7, 2017
Assignee: Sprint Communications Company L.P.
Inventors: Ronald R. Marquardt, Lyle W. Paczkowski, Arun Rajagopal
-
Patent number: 9565169
Abstract: When theft protection of a computing device is initiated, credentials of the user are provided to one or more services that verify the credentials and generate a recovery key. A data value is generated based on the recovery key and an identifier of the computing device (e.g., by applying a cryptographic hash function to the recovery key and the computing device identifier), and the data value is provided to the computing device, which stores the data value at the computing device. When a user is prompted to prove his or her ownership of the device, the owner can prove his or her ownership of the device in different manners by accessing the one or more services via a network (e.g., the Internet), or by providing the recovery key (e.g., obtained using another computing device) to the computing device.
Type: Grant
Filed: June 8, 2015
Date of Patent: February 7, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Mihai Irinel Susan, Bogdan Andreiu, Scott R. Shell, Scott Michael Bragg, Ling Tony Chen
-
Patent number: 9565171
Abstract: A Digital Rights Management (DRM) system provides a lightweight layering of encryption and decryption of keys that allows efficient use of different cryptographic techniques to effect the secure delivery of multimedia content. Asymmetric cryptography, where a public key is used to encrypt information that can only be decrypted by a matched private key, is used by the DRM system to deliver symmetric keys securely.
Type: Grant
Filed: May 7, 2012
Date of Patent: February 7, 2017
Assignee: QUALCOMM Incorporated
Inventors: Christopher R. Wingert, Pooja Aggarwal
-
Patent number: 9565172
Abstract: This disclosure provides a method, performed in a wireless device 60, for enabling a secure provisioning of a credential from a server 70. The wireless device 60 stores a device public key and a device private key. The server 70 stores the device public key. The method comprises receiving S1 an authentication request from the server 70; generating S2 a device authentication and integrity, DAI, indicator; and transmitting S3 an authentication response to the server 70. The authentication response comprises the DAI indicator. The method comprises receiving S4 a credential message from the server 70, the credential message comprising a server authentication and integrity, SAI, indicator. The SAI indicator provides a proof of the server's possession of the device public key. The method comprises verifying S5 the received credential message using the device public key.
Type: Grant
Filed: June 17, 2015
Date of Patent: February 7, 2017
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventor: Per Ståhl
-
Patent number: 9565173
Abstract: The present invention generally relates to systems and methods for establishing trusted, secure communications from a mobile device, such as a smart phone, to an immobile device, such as a multi-function device. The disclosed techniques can include the immobile device displaying a pattern that encodes a cryptographic key. The mobile device can obtain an image of the pattern and decode it to obtain the cryptographic key. Because the mobile device obtained the image within its line-of-sight, for example, it can be assured that it communicated with the immobile device, and only the immobile device. The mobile device and the immobile device can use the cryptographic key to secure further communications.
Type: Grant
Filed: March 26, 2013
Date of Patent: February 7, 2017
Assignee: XEROX CORPORATION
Inventors: Roger T. Kramer, Gavan L. Tredoux
-
Patent number: 9565174
Abstract: An information processing server system in which agreement to terms of service by a user is confirmed using a second authentication session different from a first authentication session used when a client uses the web service is provided.
Type: Grant
Filed: May 23, 2014
Date of Patent: February 7, 2017
Assignee: Canon Kabushiki Kaisha
Inventor: Makoto Mihara
-
Patent number: 9565175
Abstract: The disclosure of the present document can be embodied in a non-transitory computer-readable medium storing instructions that cause one or more processors to perform various operations, including, receiving, from a first client device associated with a user account of a first user, a request for sharing a document. The document is associated with a credential of the first user, and the credential is associated with the user account of the first user. The operations include transmitting, in response to the request, a code associated with the document, and receiving, from a second client device, a request to access the document. The request to access the document includes the code associated with the document. The operations include determining, based on the request to access the document, that the second client device is authorized to access the document, and communicating, to the second client device, a message including information about the document.
Type: Grant
Filed: January 16, 2015
Date of Patent: February 7, 2017
Assignee: MicroStrategy Incorporated
Inventors: Michael J. Saylor, Hector Vazquez
-
Patent number: 9565176
Abstract: Methods and systems for securely accessing content irrespective of the security of the environment in which the content is being accessed are described herein. In some embodiments, a mobile computing device may determine whether secure enterprise content is being accessed on a mobile computing device. In response to determining that a private user device (e.g., virtual reality or augmented reality headwear/eyewear), is communicatively coupled to the mobile computing device, the mobile computing device may prevent the secure content from display on the mobile computing device and instead generate the secure enterprise content for presentation in an unencrypted form on the private user device.
Type: Grant
Filed: March 10, 2015
Date of Patent: February 7, 2017
Assignee: Citrix Systems, Inc.
Inventor: Ashish Goyal
-
Patent number: 9565177
Abstract: A network security system receives a request from a user over a network to access a network application. The system verifies user credentials for the user. The user credentials include a user identifier and specify a social network. The user is redirected to the social network for authentication. The system queries a rule-set database using the user identifier and an integer representation of the social network. The rule-set database includes recommendations as to access determined by a security application based at least in part on a known memory state for the user associated with the user identifier. Then the system blocks access by the user to the network application based on a recommendation in the rule-set database.
Type: Grant
Filed: July 24, 2015
Date of Patent: February 7, 2017
Assignee: Zynga Inc.
Inventor: Andreas Seip Haugsnes
-
Patent number: 9565178
Abstract: Techniques are disclosed for sending, from an application executing on a device associated with a user, through a Representational State Transfer (REST)-based interface, to an authorization computer system, a request for permission to access a scope of information associated with the user. The techniques can further include, based on authentication of the user, receiving, at the device associated with the user, through the REST-based interface, a request for consent by the user to allow the application to access information that is within the scope of information associated with the user. Furthermore, the techniques can include, responsive to the device receiving consent from the user, sending, from the device associated with the user, through the REST-based interface, to the authorization computer system, the consent to allow the application to access the information for the authorization computer system to store a mapping between the application and the scope.
Type: Grant
Filed: April 14, 2016
Date of Patent: February 7, 2017
Assignee: Oracle International Corporation
Inventors: Ajay Sondhi, Ching-Wen Chu, Beomsuk Kim, Ravi Hingarajiya
-
Patent number: 9565179
Abstract: A method and system for facilitating collaboration across a plurality of platforms are disclosed. A server with one or more processors and memory performs an identity authentication process to validate a user to access a super account, where the super account is bound to a plurality of sub-accounts, and where each of the plurality of sub-accounts corresponds to a distinct platform. In accordance with a determination that the authentication process is successful, the server queries sub-servers corresponding to the plurality of sub-accounts for respective usage rights of each of the plurality of sub-accounts. The server transmits, to the user, one or more tokens identifying the respective usage rights of each of the plurality of sub-accounts and generates a user interface including affordances based at least in part on the usage rights of each of the plurality of sub-accounts.
Type: Grant
Filed: June 17, 2016
Date of Patent: February 7, 2017
Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
Inventor: Jianbo Zou
-
Patent number: 9565180
Abstract: Various techniques are described to authenticate the identity of a proxy in a client-proxy-server configuration. The configuration may have a client-side and a server-side SSL session. In the server-side session, if the proxy has access to the private keys of the client, the proxy may select a client certificate from a collection of client certificates and send the selected certificate to the server to satisfy a client authentication request of the server. If the proxy does not have access to the private keys, the proxy may instead send an emulated client certificate to the server. Further, the client certificate received from the client may be embedded within the emulated client certificate so as to allow the server to directly authenticate the client, in addition to the proxy. An emulated client certificate chain may be formed instead of an emulated client certificate. Similar techniques may be applied to the client-side session.
Type: Grant
Filed: September 28, 2012
Date of Patent: February 7, 2017
Assignee: Symantec Corporation
Inventors: Srinivas Yerra, Krists Krilovs, Dharmendra Mohan, Ron Frederick, Tammy Green
-
Patent number: 9565181
Abstract: A method and apparatus are provided for protecting security credentials (e.g., username/password combinations) and/or other sensitive data in a “password vault.” A password vault device may be or may be incorporated into a portable (or even wearable) electronic device, such as a smart phone, smart watch, smart glasses, etc. When a security credential is requested during a user's operation of the password vault device or some other computing/communication device, such as when the user is accessing an online site or service via a browser program, the request is passed to the password vault, and the appropriate security credential is retrieved, delivered, and entered into the requesting interface.
Type: Grant
Filed: March 26, 2014
Date of Patent: February 7, 2017
Inventor: Wendell D. Brown
-
Patent number: 9565182
Abstract: Provided are mechanisms and methods for managing a risk of access to an on-demand service as a condition of permitting access to the on-demand service. These mechanisms and methods for providing such management can enable embodiments to help prohibit an unauthorized user from accessing an account of an authorized user when the authorized user inadvertently loses login information. The ability of embodiments to provide such management may lead to an improved security feature for accessing on-demand services.
Type: Grant
Filed: July 19, 2014
Date of Patent: February 7, 2017
Assignee: salesforce.com, inc.
Inventors: Forrest A. Junod, Robert C. Fly, Peter Dapkus, Scott W. Yancey, Steven S. Lawrance, Simon Z. Fell
-
Patent number: 9565183
Abstract: Techniques are described for controlling access to an online service by one or more authentication mechanisms based on device, browser, or location, or a combination of the three. A method comprises receiving a request to access a service, receiving, in association with the request, a first access mechanism, receiving a first and second level of authentication associated with the user requesting the service, updating authenticated-mechanism data to indicate that the first access mechanism is an authenticated access mechanism for the particular user, receiving a second request to access the service, in response to receiving a second request, determining whether the second access mechanism is an authenticated access mechanism for the particular user, upon determining that the second access mechanism is not an authenticated mechanism, requesting a second level of authentication for the particular user, otherwise granting access.
Type: Grant
Filed: March 13, 2015
Date of Patent: February 7, 2017
Assignee: Apollo Education Group, Inc.
Inventors: Rajaa Mohamad Abdul Razack, Pavan Aripirala Venkata, Sharad Gupta, Raghunadha Konda, Balaji Nidadavolu
-
Patent number: 9565184
Abstract: A digital certification analyzer (or “analyzer”) provides protection for digital content stored on servers, file sharing systems, hard drives and USB enabled external drives or other digital repositories. A temporary external secured storage (or “TESS”) system provides an external storage location for digital content hosted and transferred or shared in a digital realm, while the original device hosting the content is turned off or otherwise offline during the file share or file transfer process.
Type: Grant
Filed: July 12, 2016
Date of Patent: February 7, 2017
Inventor: Anthony Tan
-
Patent number: 9565185
Abstract: Configuration and credential data associated with a wireless network can be stored by the wireless network or by a gateway device associated with the wireless network. The configuration and credential data can be accessed via a user profile and pushed to unauthenticated wireless devices to authenticate the unauthenticated wireless devices for the wireless network. The configuration and credential data can be backed up via a manual, automatic, or semi-automatic back-up process.
Type: Grant
Filed: November 24, 2014
Date of Patent: February 7, 2017
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: Eric B. Wolbach, Robert W. Bickerstaff, Michael Frias
-
Patent number: 9565186
Abstract: The present disclosure provides a number of systems and associated processes for using machine-readable codes to perform a transaction. Embodiments of the present disclosure provide a system and associated processes for consolidating and replacing various forms of payment (e.g. credit cards, debit cards, and cash) with a single payment system. Further, embodiments of the present disclosure provide a system and associated processes for reordering a product provided by a product provider. Moreover, embodiments of the present disclosure provide a system and associated processes for accepting a gift, or gift transaction, associated with a gift card. In addition, embodiments of the present disclosure provide a system and associated processes for performing an Automatic Teller Machine (ATM) transaction using a machine-readable code.
Type: Grant
Filed: June 5, 2015
Date of Patent: February 7, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Kevin C. Miller, Andrew J. Doane
-
Patent number: 9565187
Abstract: Embodiments are provided for mutually authenticating a pair of electronic devices. According to certain aspects, the electronic devices may connect to each other via an out-of-band communication channel. The electronic devices may each output audio signals and detect audio signals output by the other electronic devices. Based on timestamps associated with audio output and detection events, each of the electronic devices may calculate relevant time and distance parameters, and transmit the calculated parameters to the other electronic device via the out-of-band communication channel. The electronic devices may compare the calculated parameters to determine mutual authentication.
Type: Grant
Filed: February 5, 2015
Date of Patent: February 7, 2017
Assignee: GOOGLE INC.
Inventors: Michael Daley, Peiter Zatko, Deepak Chandra
-
Patent number: 9565188
Abstract: A system and method for embedding a written signature into a secure electronic document is disclosed. In certain embodiments, a user views the electronic document on a first computing device and creates an electronic digital signature on a mobile computing device. The user is securely certified by a system created alphanumeric code and the identification of the mobile device. The signature is then embedded into the electronic document and stored securely on a central server.
Type: Grant
Filed: October 17, 2014
Date of Patent: February 7, 2017
Assignee: SCRYPT, INC
Inventor: Nicholas J. Basil
-
Patent number: 9565189
Abstract: Described is an architecture for providing access to administrative functionality in a virtualization system using implied authentication. This approach avoids the problems associated with the requirements to use a user ID and password to access an admin console. The user ID and password can be rendered completely unnecessary, or where the user ID and password combination is only used as a supplement to the implied authentication.
Type: Grant
Filed: December 1, 2014
Date of Patent: February 7, 2017
Assignee: NUTANIX, INC.
Inventors: Binny Sher Gill, Karthik Chandrasekaran, Parthasarathy Ramachandran
-
Patent number: 9565190
Abstract: A virtual computing environment service may receive a request from a customer to provision a virtual computing environment and join the virtual computing environment to a managed directory. The virtual computing environment service may provision the virtual computing environment and uses a set of administrator credentials from the customer and a set of credentials corresponding to the environment to access the managed directory and request joining of the environment to the managed directory. In response, the managed directory may create a computer account corresponding to the environment and which enables the environment to be used to access the managed directory. The virtual computing environment service may then enable the customer to specify one or more users that may utilize the virtual computing environment to access the managed directory.
Type: Grant
Filed: November 7, 2014
Date of Patent: February 7, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Erik Jonathan Telvik, Gaurang Pankaj Mehta, Ajit Nagendra Padukone, Chirag Pravin Pandya, Colin Harrison Brace, Deepak Suryanarayanan, Guruprakash Bangalore Rao, Krithi Rai, Malcolm Russell Ah Kun, Sameer Palande, Shon Kiran Shah, Vivek Lakshmanan
-
Patent number: 9565191
Abstract: A method of implementing requirements applicable to systems of an enterprise includes modeling the requirements as contents of policies applicable to target domains of the enterprise. The policy contents are integrated into a policy model. The policy model is adapted to obtain representations of domain-specific requirements corresponding to target systems in the target domains. The representations are integrated with the corresponding target systems to implement the domain-specific requirements.
Type: Grant
Filed: October 30, 2008
Date of Patent: February 7, 2017
Assignee: THE BOEING COMPANY
Inventors: Paul L. Allen, Michael W. Anderson, David J. Finton, Ming-Yuh Huang, Charles T. Kitzmiller, Phyllis Melvin, Stephen A. Ridlon
-
Patent number: 9565192
Abstract: IoT devices are secured on multiple local area networks. Each local network contains a router which monitors activities of IoT devices, and transmits corresponding information to a backend server. The backend amalgamates this information, calculates dynamic reputation scores, and determines expected authorized activities for specific IoT devices. Based thereon, the backend creates a constraint profile for each IoT device, and transmits the constraint profiles to the routers for enforcement. Enforcing a constraint profile can include creating multiple VLANs with varying levels of restricted privileges on a given local area network, and isolating various IoT devices in specific VLANs based on their reputation scores. Constraint profiles can specify to enforce specific firewall rules, and/or to limit an IoT device's communication to specific domains and ports, and/or to specific content.
Type: Grant
Filed: June 23, 2015
Date of Patent: February 7, 2017
Assignee: Symantec Corporation
Inventors: Srinivas Chillappa, Bruce McCorkendale
-
Patent number: 9565193
Abstract: A computer system includes program instructions to generate a first virtual keypad for entry of a first portion of a password, wherein the first portion includes a first value and a second value. The program instructions receive the first portion, wherein the first portion includes a first number of keys selected equal to the first value and the second value present in the first number of keys selected. The program instructions generate a second virtual keypad for entry of a second portion, wherein the second portion includes a third and a fourth value. The program instructions receive the second portion, wherein the second portion includes a second number of keys selected equal to the third value and the fourth value present in the second number of keys selected. The program instructions determine to grant a user access to an account associated with the account password.
Type: Grant
Filed: September 2, 2016
Date of Patent: February 7, 2017
Assignee: International Business Machines Corporation
Inventors: Tao Jiang, Ping Li, Xian D. Meng, George J. Romano, Jianhua Rui, Zhao L. Wang
-
Patent number: 9565194
Abstract: Technologies for providing access control for a network are disclosed. The method may include receiving a request from a user to access a network, receiving a plurality of data associated with the user, the plurality of data comprising a plurality of social data associated with the user's relationship to a social circle, identifying an electronic security policy based at least on the plurality of social data, and authenticating the user to the network if the electronic security policy permits authentication based at least on the plurality of social data.
Type: Grant
Filed: April 19, 2013
Date of Patent: February 7, 2017
Assignee: McAfee, Inc.
Inventors: Jayakrishnan K. Nair, Simon Hunt, Prasanna Venkateswaran
-
Patent number: 9565195
Abstract: Embodiments of the invention are directed to systems, methods and computer program products for receiving a request from a user for access to at least one function associated with a first application; determining that access to at least one function requires user authentication; initiating sensing of an authentication validating carrier comprising a first credential; determining the first credential based at least in part on the sensed authentication validating carrier; validating the first credential, thereby resulting in a first successful user authentication; and granting access to at least one function associated with the first application based on the validation of the first successful user authentication.
Type: Grant
Filed: February 9, 2016
Date of Patent: February 7, 2017
Assignee: Bank of America Corporation
Inventors: David M. Grigg, Charles Jason Burrell, Peter John Bertanzetti
-
Patent number: 9565196
Abstract: A computer establishes normal activity levels of a factor associated with an application, system, network, or computing environment. The computer receives rules prescribing the trust levels assigned to users or devices during normal and abnormal activity levels exhibited by the factor. The computer monitors the activity level exhibited by the factor and determines whether the activity is normal or abnormal. If the computer determines that the factor is exhibiting abnormal activity, the computer modifies the trust level of associated users and devices according to the rules. The computer continues to monitor the activity of the factor until the computer determines that normal activity levels of the factor have returned, at which point the computer modifies the trust level of associated users or devices according to the rules.
Type: Grant
Filed: July 15, 2016
Date of Patent: February 7, 2017
Assignee: International Business Machines Corporation
Inventors: Derek Botti, Ramamohan Chennamsetty, Anji Greene, Charles S. Lingafelt, William H. Tworek
-
Patent number: 9565197
Abstract: The disclosed embodiments provide a system that facilitates use of a website. During operation, the system enrolls a claim containing an assertion of a characteristic of the website with a central authority. To enroll the claim, the system obtains the claim from an issuer of the claim and includes a first secure attribute with the claim, wherein the first secure attribute is signed with a first private key of the central authority. Next, the system enables verification of the claim using the first secure attribute and a first public key of the central authority.
Type: Grant
Filed: July 28, 2015
Date of Patent: February 7, 2017
Assignee: INTUIT INC.
Inventors: Alexander S. Ran, Christopher Z. Lesner
-
Patent number: 9565198
Abstract: Methods and systems are provided for validating a signature in a multi-tenant environment. A server or other computing device that is part of a distributed network may request a certificate collection from an identified tenant store. The requested certificate collection may be loaded in a virtual store that is accessible by the server or other computing device. The server or other computing device may then access one or more certificates from the virtual store to validate a signature.
Type: Grant
Filed: September 19, 2014
Date of Patent: February 7, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tariq Sharif, Yamin Wang, Jinghua Chen
-
Patent number: 9565199
Abstract: A system and method for authentication of a communication device is disclosed. A system that incorporates teachings of the present disclosure may include, for example, an authentication system can have a controller element that receives from a communication device by way of a packet-switched network an authentication request comprising a first identification (ID) of a gateway and a second ID of the communication device. The gateway and at least one network element of the packet-switched network can be provisioned to have a physical association with each other such that other network elements of the packet-switched network deny services to the gateway when the gateway attempts to operate outside of said physical association. From said physical association and the aforementioned IDs the controller element can authenticate the communication device. Additional embodiments are disclosed.
Type: Grant
Filed: April 27, 2016
Date of Patent: February 7, 2017
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Edward Walter, Larry B. Pearson
-
Patent number: 9565200
Abstract: The present invention relates to a method and system for tracking the movement of data elements as they are shared and moved between authorized and unauthorized devices and among authorized and unauthorized users.
Type: Grant
Filed: September 14, 2015
Date of Patent: February 7, 2017
Assignee: Quick Vault, Inc.
Inventors: Steven V. Bacastow, Michael Royd Heuss
-
Patent number: 9565201
Abstract: Embodiments provide apparatuses and methods supporting software development teams in identifying potential security threats, and then testing those threats against under-development scenarios. At design-time, embodiments identify potential threats by providing sequence diagrams enriched with security annotations. Security information captured by the annotations can relate to topics such as security goals, properties of communications channels, environmental parameters, and/or WHAT-IF conditions. The annotated sequence diagram can reference an extensible catalog of functions useful for defining message content. Once generated, the annotated sequence diagram can in turn serve as a basis for translation into a formal model of system security. At run-time, embodiments support development teams in testing, by exploiting identified threats to automatically generate and execute test-cases against the up and running scenario. The security annotations may facilitate detection of subtle flaws in security logic, e.g.
Type: Grant
Filed: March 24, 2015
Date of Patent: February 7, 2017
Assignee: SAP SE
Inventors: Luca Compagna, Serena Ponta
-
Patent number: 9565202
Abstract: Techniques for detecting exfiltration content are described herein. According to one embodiment, a malicious content suspect is executed within a virtual machine that simulates a target operating environment associated with the malicious content suspect. A packet inspection is performed on outbound network traffic initiated by the malicious content suspect to determine whether the outbound network traffic matches a predetermined network traffic pattern. An alert is generated indicating that the malicious content suspect should be declared as malicious, in response to determining that the outbound network traffic matches the predetermined network traffic pattern.
Type: Grant
Filed: March 13, 2013
Date of Patent: February 7, 2017
Assignee: FireEye, Inc.
Inventors: Darien Kindlund, Julia Wolf, James Bennett
-
Patent number: 9565203
Abstract: There is provided a computer implemented method for detecting anomalous behavior in a network, comprising: receiving data representing at least one network activity, each network activity representing a certain data access event involving certain network entities; extracting from the data the certain network entities involved in the respective network activity; retrieving at least one relevant diversity value from a network behavior model based on the extracted certain network entities, wherein the network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type; calculating an abnormality score for the received network activity based on the retrieved relevant diversity values; and classifying the network activity as anomalous or normal based on the calculated abnormality score.
Type: Grant
Filed: November 13, 2014
Date of Patent: February 7, 2017
Assignee: Cyber-Ark Software Ltd.
Inventors: Ruth Bernstein, Andrey Dulkin
-
Patent number: 9565204
Abstract: A system and method for adaptively securing a protected entity against cyber-threats are presented. The method includes selecting at least one security application configured to handle a cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one security application; determining at least one workflow rule respective of the at least one security application; receiving a plurality of signals from the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat; generating at least one security event respective of the plurality of received signals; determining if the at least one security event satisfies the at least one workflow rule; and upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat.
Type: Grant
Filed: February 5, 2015
Date of Patent: February 7, 2017
Assignee: Empow Cyber Security Ltd.
Inventor: Avi Chesla
-
Patent number: 9565205
Abstract: A technique for detecting fraudulent activity in a compromised device involves downloading a software application from a processor that controls access to a resource to an electronic device requesting access to the resource. The software application includes instructions that gather selected information from the electronic device such as mouse coordinates and active windows at a selected time and transmitting the information to the processor for analysis. The analysis includes determining whether more than a single input operation is occurring simultaneously. Simultaneous input operations are an improbable combination of processes for a single electronic device, and suggest a potential fraudulent activity. The technique may include sending a message to a security location for further analysis of the potential fraudulent activity, or the user may be contacted while the transaction attempt is delayed, or the attempted transaction operation may be terminated until enhanced security procedures are implemented.
Type: Grant
Filed: March 24, 2015
Date of Patent: February 7, 2017
Assignee: EMC IP Holding Company LLC
Inventors: Uri Fleyder, Rotem Kerner, Zeev Rabinovich, Rotem Salinas, Lior Ben-Porat, Daniel Frank
-
Patent number: 9565206
Abstract: An approach for addressing (e.g., preventing) detected network intrusions in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, users may group components/systems of an environment/domain according to a range of security sensitivity levels/classifications. The users may further configure rules for responding to security threats for each security sensitivity level/classification. For example, if a “highly dangerous” security threat is detected in or near a network segment that contains highly sensitive systems, the user may configure rules that will automatically isolate those systems that fall under the high security classification. Such an approach allows for more granular optimization and/or management of system security/intrusion prevention that may be managed at a system level rather than at a domain level.
Type: Grant
Filed: April 29, 2016
Date of Patent: February 7, 2017
Assignee: International Business Machines Corporation
Inventors: Kelly Abuelsaad, Lisa Seacat DeLuca, Soobaek Jang, Daniel C. Krook