Patents Issued on November 12, 2020
-
Publication number: 20200358727
Abstract: A system for delivering notification messages across different notification media comprises a processor. A processor is configured to provide an indication of a new platform notification channel to one or more platform notification services. The indication is provided to one of the one or more platform notification services through a communication module specific to the one of the one or more platform notification services. The processor is configured to create a mapping from a new universal notification channel to a set of one or more platform notification channel identifiers. Each platform notification channel identifier of the set of platform notification channel identifiers is received from a platform notification service. The processor is configured to provide the set of one or more platform notification channel identifiers to a content provider of the new universal notification channel. The processor is coupled to the memory and is configured to store instructions.
Type: Application
Filed: July 23, 2020
Publication date: November 12, 2020
Inventor: Erik Thomas Wilde
-
Publication number: 20200358728
Abstract: Among other things, embodiments of the present disclosure improve the functionality of electronic messaging software and systems by allowing senders to transmit messages and content using a messaging system, and recipients to access such messages and content, even if the recipients do not have access to the messaging system.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventors: Jacob Andreou, Yang Dai, Sebastian Gil, Tengfei Li, Yansong Liu, Andy Ly, Chamal Samaranayake, Jianwei Tu
-
Publication number: 20200358729
Abstract: A system, device and method for secure message thread communication is provided. The device comprises a communication interface; a display device; and, a controller configured to: generate, at the display device, a plurality of message threads, the plurality of message threads associated with different incident reports; receive multimedia data for transmission in a first message thread of the plurality of message threads; compare the multimedia data with data from the different incident reports; and when an association is determined between the multimedia data and respective data from an incident report associated with a second message thread, of the plurality of message threads: transmit, using the communication interface, the multimedia data in the second message thread, and not the first message thread.
Type: Application
Filed: September 21, 2017
Publication date: November 12, 2020
Inventors: Maciej STAWISZYNSKI, Pawel JURZAK
-
Publication number: 20200358730
Abstract: Methods, systems, and media for identifying video objects linked to a source video are provided. In some embodiments, the method comprises: identifying demographic attributes corresponding to a first user participating in an online conversation; determining at least one keyword associated with the online conversation, wherein the keyword indicates a topic of the online conversation; identifying a video object based at least on the demographic attributes and the at least one keyword, wherein the video object comprises a portion of a video; causing the identified video object to be presented in a group of video objects on a first user device associated with the first user; receiving an indication that the identified video object has been selected on the first user device for inclusion in a message in the online conversation; and causing the identified video object to be presented on a second user device associated with the second user.
Type: Application
Filed: May 22, 2020
Publication date: November 12, 2020
Applicant: GOOGLE LLC
Inventors: Justin Lewis, Ruxandra Georgiana Davies
-
Publication number: 20200358731
Abstract: Among other things, embodiments of the present disclosure improve the functionality of electronic messaging software and systems by automatically analyzing media content associated with a user and generating collections of such content (e.g., “stories”) based on varying criteria.
Type: Application
Filed: May 22, 2020
Publication date: November 12, 2020
Inventors: Nathan Kenneth Boyd, Jonathan Brody, Ken W. Chung, Justin Huang, Teresa Lieh
-
Publication number: 20200358732
Abstract: Disclosed are systems and methods for improving interactions with and between computers in electronic messaging and/or providing systems supported by or configured with personal computing devices, servers and/or platforms. The disclosed systems and methods provide systems and methods for generating electronic message filters and for using electronic message filters comprising item category filtering criteria and having an automatically-determined expiration. The disclosed systems and methods filter electronic messages using the item category filtering criteria while an electronic message filter remains active as determined using the automatically-determined expiration information.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventors: Ariel RAVIV, Dan PELLEG, Ran WOLFF, Gal LALOUCHE, Noa AVIGDOR-ELGRABLI
-
Publication number: 20200358733
Abstract: Methods and systems for authenticating and confidence marking e-mail messages are described. One embodiment describes a method of authenticating an e-mail message. This method involves extracting a plurality of e-mail headers associated with the e-mail message, and identifying a sending edge mail transfer agent (MTA). The method then calls for determining if the sending edge MTA is authorized to send the e-mail message.
Type: Application
Filed: December 11, 2019
Publication date: November 12, 2020
Inventor: Scott A. Sachtjen
-
Publication number: 20200358734
Abstract: A non-transitory computer-readable recording medium has computer-readable instructions stored thereon, which when executed, cause an information processing apparatus that includes a memory and a processor, to execute a process. The process includes receiving a first content in a first group including a first user and a second user, displaying one or more contents including the first content transmitted and received in the first group on a screen, and hiding the first content from among the one or more contents transmitted and received in the first group in response to receiving a request to cancel transmission of the first content from the first user.
Type: Application
Filed: July 28, 2020
Publication date: November 12, 2020
Applicant: LINE Corporation
Inventors: Kazutaka IRIE, Lisandi KURNIAWAN, Luke CARWARDINE, KyoungJin KIM, Vincent PERICART, Dayoung KIM
-
Publication number: 20200358735
Abstract: Disclosed is a system and method for email management that leverages information derived from automatically generated messages in order to identify types of messages and message content. The disclosed systems and methods apply the information learned from decoding previously received messages to other messages in a user's inbox to fully, or at least partially decode the information included within such messages. The disclosed systems and methods analyze messages received in a user's inbox to detect message specific information corresponding to types of content in the message and the location of such content in the messages. The message specific information is then applied to other newly received or identified messages to learn message specific information about those messages. Based on such learning, information can be extracted from such messages in order to increase a user's experience and increase monetization.
Type: Application
Filed: July 30, 2020
Publication date: November 12, 2020
Inventors: Doug SHARP, Varun BHAGWAN, Yoelle MAAREK
-
Publication number: 20200358736
Abstract: Message content is scaled to support rich messaging. Devices and associated messaging systems can support various levels of content richness or fidelity. Message content scaling is employed to ensure sharing of content in as rich a manner as possible given limitations associated with various messaging systems, among other things. Messages can be scaled down or degraded, for instance where communicating devices do not support high fidelity content being transmitted. Alternatively, messages can be scaled up or enriched in cases, where low fidelity content is transmitted to a device supporting richer content, for example.
Type: Application
Filed: April 24, 2020
Publication date: November 12, 2020
Inventors: Kristin Marie Pascal, Andrew Evan Klonsky, Matthew James Bailey
-
Publication number: 20200358737
Abstract: A processor may analyze one or more social media messages from one or more social media platforms. Each of the one or more social media messages may include a generalized metadata tag and the one or more social media messages may be categorized as a generalized group. The processor may determine, from the generalized group, that the one or more social media messages exceeds a generalized threshold. The processor may generate a first specialized metadata tag for a first set of social media messages included in the one or more social media messages. The processor may partition, based on the first specialized metadata tag, the first set of the one or more social media messages into a specialized group within the generalized group. The processor may direct one or more users associated with the first set of social media messages to the specialized group.
Type: Application
Filed: May 10, 2019
Publication date: November 12, 2020
Inventors: Paul R. Bastide, Robert E. Loredo, Fang Lu, Matthew E. Broomhall
-
Publication number: 20200358738
Abstract: Described systems and methods allow a selective collection of computer security data from client devices such as personal computers, smartphones, and Internet of Things (IoT) devices. A security application executing on each client device comprises a domain name service (DNS) proxy that tags outgoing DNS messages with a client ID. The DNS server selects a client for data collection by returning a DNS reply comprising a service activation flag. Some embodiments thus enable a per-DNS-message selectivity of data collection. In some embodiments, subsequent network access requests by the selected clients are re-routed to a security server for analysis.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventor: Daniel A. MIRCESCU
-
Publication number: 20200358739
Abstract: The subject matter of this specification can be embodied in, among other things, a computer-implemented method that includes obtaining, at a computer system, a plurality of contact identifiers for a computer account holder, wherein the identifiers represent a plurality of different communication modes; identifying a handle for the account holder, wherein the handle is associated with a uniform resource locator; and correlating the handle with the plurality of contact identifiers, and storing the handle and plurality of contact identifiers together so as to permit retrieval of the contact identifiers in response to identification of the handle.
Type: Application
Filed: July 28, 2020
Publication date: November 12, 2020
Applicant: Google LLC
Inventors: Vincent F. Paquet, Tiruvilwamalai Venkatram Raman
-
Publication number: 20200358740
Abstract: A system identifies a significant communication from a revived contact. A user and the contact interact, and the interaction is monitored to determine a weighted significance value to attribute to the contact. The interaction may include communication, a designation of significance by the user, and organizational associations. The weighted significance value is attributed to the contact. A subsequent communication is detected and a weighted time difference value for the subsequent communication is determined. If the subsequent communication satisfies a significant communication condition, then the subsequent communication is designated as a significant communication.
Type: Application
Filed: July 24, 2020
Publication date: November 12, 2020
Inventor: Venkat Sreekanth KANNEPALLI
-
Publication number: 20200358741
Abstract: A device implementing a dynamic local media access control (MAC) address assignment system may include at least one processor that is configured to initiate a link establishment with a network device. The at least one processor may be further configured to determine whether a previously assigned media access control (MAC) address is stored locally. The at least one processor may be further configured to transmit a message to the network device requesting validation of the previously assigned MAC address when stored locally. The at least one processor may be further configured to communicate using the previously assigned MAC address when the validation is received from the network device, otherwise communicating using a dynamically assigned MAC address received from the network device during the link establishment.
Type: Application
Filed: July 24, 2020
Publication date: November 12, 2020
Inventors: Patricia Ann THALER, Michael David JOHAS TEENER
-
Publication number: 20200358742
Abstract: A method of discovering addressing information of one or more upstream devices to respond to specific messages by a second device on behalf of the one or more upstream devices in a network includes acquiring the addressing information in an upstream direction from one or more downstream devices to the one or more upstream devices. The method further includes acquiring the addressing information in a downstream direction from the one or more upstream devices to the one or more downstream devices. The method further includes responding to specific messages using the acquired addressing information about the one or more upstream devices.
Type: Application
Filed: July 28, 2020
Publication date: November 12, 2020
Inventors: Claude Robitaille, Guillaume Lemieux
-
Publication number: 20200358743
Abstract: Systems and methods for detecting Internet services by a network policy controller are provided. According to one embodiment, a network controller maintains an Internet service database (ISDB) in which multiple Internet services and corresponding protocols, port numbers, Internet Protocol (IP) address ranges and singularity levels of the IP ranges are stored. The network policy controller intercepts network traffic and detects the Internet service of the network traffic. If an IP address of the network traffic falls in an IP range with highest singularity level and the protocol type, port number of the network traffic are matched in the ISDB, the corresponding Internet service is identified as the Internet service of the network traffic. The network policy controller further controls transmission of the network traffic based on the Internet service.
Type: Application
Filed: May 9, 2019
Publication date: November 12, 2020
Applicant: Fortinet, Inc.
Inventors: Shangwei Duan, Peixue Li
-
Publication number: 20200358744
Abstract: A firewall service for a cloud computing environment is described that uses an application identifier-based ruleset to process data packets. An application identifier-based rule may provide an action to be taken on a received packet based on the source application identifier, the destination application identifier, and/or an identification token associated with the source application. A firewall controller may verify applications of the computing environment, provide unique application identifiers, and manage the application identifier rules for one or more firewalls of the computing environments.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventor: Yiu Leung Lee
-
Publication number: 20200358745
Abstract: Embodiments of this application provide a firewall configuration method, applied to a cloud computing management platform. The method includes: determining, by a compute node, a subnet associated with received firewall policy information; determining that a virtual machine that belongs to the subnet is deployed on the compute node; and delivering the firewall policy information to a network access control list corresponding to the subnet. The network access control list and a local list of a virtual machine bridge of the virtual machine are in a jump relationship. With the provided method when a virtual machine sends a received packet by using the virtual machine bridge, an access packet and a response packet that belong to a same flow need to pass through a firewall deployed in the virtual machine bridge, to ensure that the firewall can implement packet access control.
Type: Application
Filed: July 30, 2020
Publication date: November 12, 2020
Inventor: Botao Yan
-
Publication number: 20200358746
Abstract: A system and method for homomorphic encryption in a healthcare network environment is provided and includes receiving digital data over the healthcare network at a data custodian server in a plurality of formats from various data sources, encrypting the data according to a homomorphic encryption scheme, receiving a query at the data custodian server from a data consumer device concerning a portion of the encrypted data, initiating a secure homomorphic work session between the data custodian server and the data consumer device, generating a homomorphic work space associated with the homomorphic work session, compiling, by the data custodian server, a results set satisfying the query, loading the results set into the homomorphic work space, and building an application programming interface (API) compatible with the results set, the API facilitating encrypted analysis on the results set in the homomorphic work space.
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Applicant: NANTHEALTH, INC.
Inventors: Patrick Soon-Shiong, Harsh Kupwade-Patil, Ravi Seshadri, Nicholas J. Witchey
-
Publication number: 20200358747
Abstract: The present invention discloses a method of processing data, comprising: sending, a first data to a first image capturing device, by the first computer, through an image output interface of the first computer; sending, the first data to the second computer, by the first image capturing device. The first data comprises a first information and a second information, the second data comprises a third information and a fourth information. The second computer processes the third data or the fourth data by a first method if the third information is consistent with the first information and the fourth information is consistent with the second information; and the second computer processes the third data or the fourth data by a second method if the third information is inconsistent with the first information and the fourth information is inconsistent with the second information.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventor: Xingchang ZHOU
-
Publication number: 20200358748
Abstract: A method for operating an electronic control unit (ECU) includes a normal mode and a protected mode. In the protected mode a new security artifact is stored in a microcontroller. The security artifact is transferred from the microcontroller to a microprocessor, and, after having received the security artifact, the microprocessor uses the security artifact for authenticating a program.
Type: Application
Filed: April 16, 2020
Publication date: November 12, 2020
Inventors: Aurelien HARS, Hussein BAYDOUN
-
Publication number: 20200358749
Abstract: Disclosed herein are systems, methods, and computer-readable storage devices for a new browser including multiple application programming interfaces. A method includes receiving, from a site, at a browser and via a first application programming interface that defines a first protocol for communicating data between the browser and the site, a first payment request associated with a potential purchase by a user, in response to the first payment request and based on an identification of a payment service, communicating, from the browser and via a second application programming interface that defines a second protocol for communicating data between the browser and the payment service, a second payment request to the payment service, receiving, at the browser, from the payment service, via the second application programming interface, authorized payment information and communicating, from the browser, to the site and via the first application programming interface, the authorized payment information.
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Inventors: Thomas M. Isaacson, Ryan Connell Durham
-
Publication number: 20200358750
Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Inventors: Govind Prasad Sharma, Javed Asghar, Prabhu Balakannan, Sridhar Vallepalli
-
Publication number: 20200358751
Abstract: A key management protocol (such as KMIP) is extended to provide an extended credential type that enables an initiating (first) client device to create a credential dynamically and that can then be selectively shared with and used by other (second) client devices. Using a dynamically-created credential of this type, the other (second) devices are able to fetch the same key configured by the initiating (first) device. In this manner, multiple devices are able to create and share one or more keys among themselves dynamically, and on as-needed basis without requiring a human administrator to create a credential for a device group in advance of its usage.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Applicant: International Business Machines Corporation
Inventors: Rinkesh I. Bansal, Mohit Niranjan Agrawal, Prashant V. Mestri
-
Publication number: 20200358752
Abstract: Systems, methods and computer program products for controlling access to data owned by an application subscriber using two-factor access control and user partitioning are disclosed. In one embodiment, applications are executed on a multi-tenant application platform in which user partitions designate associated users and authentication services for those users. Tenants may subscribe to the applications and may allow access to the subscriptions through designated entry points. Users that are authenticated according to the corresponding user partition and access the application through the designated entry point are allowed to access the application through the tenant's subscription.
Type: Application
Filed: May 8, 2020
Publication date: November 12, 2020
Inventors: Jody Hupton Palmer, Nicholas Edward Scott
-
Publication number: 20200358753
Abstract: An example implementation may involve a computing system receiving, from a media playback system, a request to initiate playback of a cloud queue. The cloud queue may currently have a first access status that authorizes a first set of queue operations, which may include playback of the cloud queue. After receiving the request to initiate playback, the computing system may cause audio tracks of the cloud queue to be queued in a local queue of the media playback system such that the media playback system may playback audio tracks of the cloud queue via the local queue. The computing system may modify the access status of the cloud queue to a second access status. This second access status may authorize a second set of queue operations on the cloud queue. The computing system may cause access to the local queue to be restricted to the second set of queue operations.
Type: Application
Filed: May 25, 2020
Publication date: November 12, 2020
Inventors: Steven Beckhardt, Andrew J. Schulert, Gregory Ramsperger
-
Publication number: 20200358754
Abstract: A method for managing access to a shared endpoint of a network is disclosed. The method includes: receiving a user request to access a service associated with the shared endpoint; verifying that a user associated with the user request is authorized to access the service; in response to verifying that the user is authorized to access the service, obtaining a unique session identifier (USID) associated with the user request; receiving, via input from a device associated with the user, an access code; in response to determining that the inputted access code matches the USID, granting access to the service for the user.
Type: Application
Filed: May 6, 2019
Publication date: November 12, 2020
Applicant: BlackBerry Limited
Inventors: Rajeev Ragunathan NAIR, Seung Sub JUNG, Johnathan George WHITE
-
Publication number: 20200358755
Abstract: Embodiments provide session synchronization across multiple devices. Embodiments receive, at a single sign-in (“SSO”) service, user credentials from a user in response to the user signing into the first device. In response to receiving the user credentials, embodiments create a primary SSO session by the SSO service. In response to an attempt by the second device to create another SSO session, subsequent to the creating of the primary SSO session, embodiments create an alias SSO session linked to the primary SSO and set an encrypted session cookie containing the alias SSO session and returning an authorization code including the alias SSO session to the second device. Embodiments verify the second token using a second public key of the second device and send user information of the user to the second device, where the second device uses the user information to automatically sign the user into the second device.
Type: Application
Filed: July 22, 2020
Publication date: November 12, 2020
Inventors: Mohamad Raja Gani Mohamad Abdul, Kavita TIPPANNA
-
Publication number: 20200358756
Abstract: Systems and methods for embodiments of artificial intelligence systems for identity management are disclosed. Specifically, embodiments of an identity management system may provide identity management in association with cloud services used by an enterprise and, in particular, may provide identity management in association with cloud based services that may be accessed through federated access providers.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventors: Brian Eric Rose, Nicholas Ryan Wellinghoff
-
Publication number: 20200358757
Abstract: According to some embodiments, methods and systems may include a provisioning application platform processor to receive a user request for an integration service. The provisioning application platform processor may then transmit information to a platform resource manager processor to facilitate creation of a plurality of microservices resulting in implementation of the integration service for a tenant associated with the user. A multi-tenant keystore management service, automatically deployed upon implementation of the integration service, may automatically call a trusted authority platform. The multi-tenant keystore management service may then receive a signed security certificate from the trusted authority platform and add the signed security certificate to a keystore deployed to the tenant.
Type: Application
Filed: June 26, 2019
Publication date: November 12, 2020
Inventor: Gopalkrishna Kulkarni
-
Publication number: 20200358758
Abstract: The present disclosure discloses a system and method for providing multi-factor authorization for IEEE 802.1x-enabled networks. Specifically, a network device authenticates a client device to obtain access to network resources in a network via a network authentication protocol. The network device then detects a device quarantine trigger indicating an increased level of suspicion that a current user of the client device is a non-authenticated user. In response to the device quarantine trigger, the network device temporarily places the client device from an authenticated state to a quarantined state pending completion of a particular workflow by the current user. The client device has limited access to the network resources while in the quarantined state regardless of a previous successful user and/or device authentication.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventor: Cameron Esdaile
-
Publication number: 20200358759
Abstract: Digital rights management is extended such that control over the access to data stored in a cloud remains with the originator of the data. The access information is coordinated between a rights application in the cloud and a rights server outside the cloud. A rights policy is used for fine-grained regulation of the access for users (user groups), computers (client, server) and validity periods. The access limits actions that can be performed with the data, such as a server application being provided with access to index said data without being able to access the complete contents of the data in the process. The access extension may be used for any type of distributed data processing in which the data are intended to be protected against unauthorized access operations.
Type: Application
Filed: May 26, 2020
Publication date: November 12, 2020
Inventors: Monika Maidl, Stefan Seltzsam
-
Publication number: 20200358760
Abstract: Systems and methods involving a user authentication system for granting access to digital systems and content, computing systems and devices and physical locations. The authentication system granting access to digital systems and content involves a mobile device, a computing device and a server. The authentication system granting access to computing systems and devices and physical locations involves a mobile device, an interface device, a secure system and a server. The authentication systems described permit a user to access digital systems and content, computing systems and devices and physical locations using only the user's mobile device. The mobile device runs a mobile application that performs the authentication functionality using biometric data obtained on the mobile device. The authentication data is stored on the mobile device in an encrypted format and is not shared with the other devices in the authentication system.
Type: Application
Filed: January 15, 2019
Publication date: November 12, 2020
Inventor: Baldev KRISHAN
-
Publication number: 20200358761
Abstract: A multifactor authentication system onboard a vehicle including at least one processor, a first database, a second database, and one or more protected computer systems is provided. The at least one processor is programmed to receive, from a user, a request for access to the one or more protected computer systems, wherein the request contains authentication information including a first authentication factor and a second authentication factor, retrieve first factor authentication data associated with the user from the first database, compare the first factor authentication data with the received first authentication factor to determine if there is a match, retrieve the second factor authentication data associated with the user from the second database, compare the second factor authentication data with the received second authentication factor to determine if there is a match, and grant access to the one or more protected computer systems if all of the comparisons match.
Type: Application
Filed: May 8, 2019
Publication date: November 12, 2020
Inventors: Sopheap Ya, Nha Thanh Nguyen
-
Publication number: 20200358762
Abstract: Biometric health monitoring of a specific user or population is performed during biometric authentication for granting access to physical or digital assets. If biometric authentication, biometric verification and biometric health monitoring are acceptable, access to the physical or digital assets is allowed. Likewise, if a health anomaly is detected in a specific user or if an outbreak is detected in a specific community, an electronic notification can be sent to the individual, a health administrator, or to a government official, and access may be denied to the specific user.
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Inventors: Robert M. Adams, JR., Mark Schnitzer, Amanda Adams
-
Publication number: 20200358763
Abstract: An information processing system includes an information processing apparatus having a first function, and a server apparatus being configured to communicate with the information processing apparatus via a communication network. The information processing apparatus includes an operation control apparatus being configured to control the first function. The server apparatus transmits operation permission information indicating operation permission for the first function to the information processing apparatus, in response to satisfaction of a predetermined condition related to the information processing apparatus. The operation control apparatus activates the first function, in response to the operation permission information received by the information processing apparatus.
Type: Application
Filed: July 23, 2020
Publication date: November 12, 2020
Applicant: MegaChips Corporation
Inventors: Yasuyuki KII, Takashi OSHIKIRI
-
Publication number: 20200358764
Abstract: A first device may transmit, to a peer device, a first digital certificate containing a first unique identifier associated with the first device and receive, from the peer device, a second digital certificate containing a second unique identifier associated with the peer device. The first device and the peer device may independently generate a symmetric key using a cryptographic hash function based on respectively determining that a certificate authority signed the first digital certificate and the second digital certificate. For example, the first device and the peer device may independently generate the symmetric key using the cryptographic hash function based on the first unique identifier, the second unique identifier, and one or more random numbers. Accordingly, the first device and the peer device may use the symmetric key to establish a secure communication session over an Ethernet link.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventors: Warren HOJILLA UY, Manuel Enrique CACERES, Taussif KHAN, Young Rak CHOI
-
Publication number: 20200358765
Abstract: In some implementations, a controller device can implement communication restriction configurations on a managed device operated by a first user with a first account identifier, the configurations designed to limit a feature or functionality of the managed device. For example, the controller device can remotely cause the managed device to limit the communication capabilities of the first device. For example, the first device receives a message including the configuration. The managed device determines that the communication restriction configuration is created by a second user of the controller device. The first device identifies a second account identifier for the controller device. The first device determines that the second account identifier represents a member of a family group that includes the first account identifier.
Type: Application
Filed: April 30, 2020
Publication date: November 12, 2020
Applicant: Apple Inc.
Inventors: Reed E. Olsen, Todd R. Fernandez, Jeffrey D. Harris, Albert R. Howard, Paul W. Salzman, Bryce D. Wolfson, Christopher G. Skogen, David A. Steinberg, Nolan A. Astrein
-
Publication number: 20200358766
Abstract: The present disclosure provides an authentication method of an IoT device, an IoT device, a cloud server, an IoT authentication system and a computer readable medium. The authentication method includes: calculating account information corresponding to the IoT device according to an identifier and preset attribute information of the IoT device; and sending the account information to a cloud server, to cause the cloud server to perform identity authentication on the IoT device according to the account information.
Type: Application
Filed: May 4, 2020
Publication date: November 12, 2020
Inventor: Xuya WANG
-
Publication number: 20200358767
Abstract: In some embodiments, a secure local connection between a network node of a network and an edge device attached to the network node is provided by extending the security of the network to this local connection. The edge device attached to the network node communicates with a network manager of the network to obtain security keys and security credentials for the edge device. Using the security keys and the security credentials, the edge device can establish a secure channel between the network node and the edge device over the local connection. The edge device further communicates with the network manager to exchange routing information and to obtain a network address for the edge device. The edge device can then communicate, through the network node, with other network nodes in the network using the security keys, the security credentials, and the network address.
Type: Application
Filed: May 5, 2020
Publication date: November 12, 2020
Inventor: Stephen John Chasko
-
Publication number: 20200358768
Abstract: Apparatus, systems, architectures and methods for communication over an enterprise internet-of-things (EIoT) network are disclosed. Network(s) may be micro-segmented. Network segment(s) may be associated with distinct function(s). EIoT device(s) may be identified by type(s), class(es), functionality(ies), function(s) and/or security level(s). EIoT device protocol(s) may be translated/emulated. EIoT device(s) may be temporarily/permanently quarantined. Network gateway(s) may factor EIoT device/network data based on function(s) and/or specification(s). Data may be routed to network segment(s) based on associated function(s).
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Inventor: John Ryan Bowling
-
Publication number: 20200358769
Abstract: Embodiments described herein provide for a satellite device that can be associated with a user account of a minor aged (e.g., child or adolescent) user that does not have a smartphone that can be used as a companion device to the satellite device. The satellite device can be configured to be used as a primary device, without reliance upon a paired smartphone. Certain information can be synchronized with the satellite device via the association with the family account. During initial configuration, a set of cryptographic keys can be generated to associate the account of the satellite device with the set of accounts in the family. The satellite device can then access calendars, media, or other data that is shared with user accounts within a family of user accounts.
Type: Application
Filed: May 1, 2020
Publication date: November 12, 2020
Inventors: Dmitry V. Belov, Justin K. Bennett, David S. Clark, Kalyan C. Gopavarapu, David G. Knipp, Robert F. Lee, Sudhakar N. Mambakkam
-
Publication number: 20200358770
Abstract: Methods to securely remediate a captive portal are provided. In these methods, a processor of a user device detects a connection, via a network, to a captive portal. Based on the detected connection to the captive portal, the processor launches a dedicated secure web browser, and selectively restricts access of the user device to the network in order to only allow, via the dedicated secure web browser, communications related to remediation with the captive portal.
Type: Application
Filed: May 9, 2019
Publication date: November 12, 2020
Inventors: Vincent E. Parla, Valentiu Vlad Santau, Peter Scott Davis
-
Publication number: 20200358771
Abstract: Systems and methods for verifying an identity of a user during interaction with a resource provider are disclosed. Embodiments enable using an authorization request message to inquire about an identity attribute (e.g. age) of a user during an interaction between the user and a resource provider. An authorizing entity (e.g. issuer) or a processing entity provides an answer to the inquiry within an authorization response message. The answer to the inquiry may establish whether the consumer meets a threshold (e.g. minimum age requirement).
Type: Application
Filed: May 10, 2019
Publication date: November 12, 2020
Inventors: Prasanna Vanguri, Luba Goldberg, Jeffrey Moore, Alex Godshall, Neil Mumm
-
Publication number: 20200358772
Abstract: A method of rolling security for a system that includes multiple server groups, such as a first server group of one or more servers and a second server group of one or more servers. The method includes repeatedly initiating rebuilding of the first server group of one or more servers. The method also includes repeatedly initiating rebuilding of the second server group of one or more servers. The rebuilding of the first server group of one or more servers is staggered in time from the rebuilding of the second server group of one or more servers. The servers may be physical servers or virtual machines. Rolling security may also be applied to software containers, computing devices within a data center, and computing devices outside of a datacenter.
Type: Application
Filed: March 16, 2020
Publication date: November 12, 2020
Inventor: Robert Pike
-
Publication number: 20200358773
Abstract: A computer-implemented method includes receiving a request for one of a network session and a virtual network function, wherein the request includes a single packet authorization request. The method further includes classifying the single packet authorization request at a first service classifier. The method further includes routing the request, via a service function forwarder, to a single packet authorization service function for validation. The method further includes instantiating a security virtual function in response to the request, wherein instantiating the security virtual function occurs after validation of the single packet authorization request. The method further includes configuring the security virtual function to apply at least one connection policy to allow or deny traffic in a data session. The method further includes, in response to allowing the data session, terminating the security virtual function after the data session has concluded.
Type: Application
Filed: July 23, 2020
Publication date: November 12, 2020
Inventors: Michael Stair, Edward Hope
-
Publication number: 20200358774
Abstract: Methods and systems are disclosed for controlling user creation of data resources on a software platform for storing and executing data resources for multiple users. The methods and systems may be performed using one or more processors or special-purpose computing hardware and may comprise receiving from a user a user request to create a data resource on the software platform, the user request comprising, or identifying, a specification indicative of the data resource and a user identifier associated with said user. A further operation may comprise performing verification of said user using the user identifier to determine if said user is permitted to create or modify the data resource indicated in the specification in accordance with a predetermined set of permissions.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventors: Greg Dearment, Adam Anderson, Andrew Bradshaw, Bradley Moylan, Jason Zhao
-
Publication number: 20200358775
Abstract: Aspects of the subject disclosure may include, for example, a process that includes receiving first input defining a relationship between first and second entities, generating a first rule based on the first input, wherein the first rule determines accessibility of a networked service, and associating the first rule with the relationship. The first rule modifies settings of a service management infrastructure to effectuate the first rule in accordance with the relationship, wherein the service management infrastructure provides access to the networked service based on the accessibility. Other embodiments are disclosed.
Type: Application
Filed: July 30, 2020
Publication date: November 12, 2020
Applicant: AT&T Intellectual Property I, L.P.
Inventors: Robert M. Higgins, Julio Cartaya, Steven A. Siegel
-
Publication number: 20200358776
Abstract: Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.
Type: Application
Filed: July 30, 2020
Publication date: November 12, 2020
Inventor: Ernest Brickell