Abstract: A system for reporting and investigating threats includes one or more computer processors configured to: present a chatbot via a user interface device; request response data associated with a threat inquiry via the chatbot by requesting freeform response data associated with the threat inquiry via the chatbot and transitioning to intelligent question-path selection to collect additional response data associated with the threat inquiry, wherein the intelligent question-path selection is prompted by the freeform response data; record user input response data; and identify suspicious activity based on the user input response data by performing natural language analysis and searching the user input response data for threat related words or phrases.

Abstract: An electronic device and a method for controlling thereof are provided.

Abstract: A method for communicating in a digital conversation is implemented on a computing device and includes: receiving an interactive contextual emoji from a first digital conversation participant to post in the digital conversation with at least a second digital conversation participant, where the interactive contextual emoji is pre-defined to indicate at least a current availability status associated with the first digital conversation participant, requesting the current availability status from a status application based on at least an indication of the interactive contextual emoji, where the status application maintains the current availability status, receiving the current availability status from the status application, and displaying the interactive contextual emoji in the digital conversation with at least an indication of the current availability status.

Abstract: An extendable augmented reality (AR) system for recognizing user-selected objects in different contexts. A user may select certain entities (text, objects, etc.) that are viewed on an electronic device and create notes or additional content associated with the selected entities. The AR system may remember those entities and indicate to the user when those entities are encountered by the user in a different context, such as in a different application, on a different device, etc. The AR system offers the user the ability to access the user created note or content when the entities are encountered in the new context.

Abstract: Embodiments include methods for generating automated responses to event feed items in a multiplatform collaboration system. The methods can include receiving event notifications for events generated at a respective application service of a set of applications services, rendering a set of event cards corresponding to the events, and identifying a subset of event cards that include an update to a comment field. Methods include generating, for each event card in the subset of event cards, a comment field and causing the client device to display event cards of the set of event cards in an event feed. Methods include a, in response to a user selecting a reply option in an event card, causing the client device to launch an application platform associated with the application service and generate a response interface including a pre-populated response comment.

Abstract: Systems and methods for initiating an instant messaging chat session from an email thread are described. In examples, an email thread including at least one email is received and user identifiers form the at least one email are extracted. Presence information associated with each user identifier of the plurality of user identifiers is obtained and then ordered. The ordered plurality of user identifiers together with their presence information are displayed in a user interface window. A determination to display a user control associated with an instant messaging capability is based on the presence information associated with at least one user identifier of the plurality of user identifiers. Upon receiving an indication that the user control associated with the instant messaging chat capability is selected, an instant messaging chat session is initiated.

Abstract: A communication management system manages the exchange of messages between devices using different communication networks and/or protocols. A sender device may transmit a message (e.g., a short message service “SMS” message) to a destination associated with a traditional “landline” phone number. The message may be delivered over a traditional landline phone network. The communication management system can receive the message via the phone network, process the message, and provide the message to one or more electronic devices over a packet switched network, such as a local area network or the Internet. The electronic devices may use chat-based application software to process and display the message, provide robust message handline functionality, and facilitate responses to the message.

Abstract: Among other things, embodiments of the present disclosure improve the functionality of electronic messaging software and systems by allowing senders to transmit messages and content using a messaging system, and recipients to access such messages and content, even if the recipients do not have access to the messaging system.

Abstract: According to an aspect of the present disclosure, a method of controlling an information processing apparatus comprises receiving identification information of a first message from a server providing a chat function, obtaining the first message identified by using the identification information, and generating a file in a predetermined format based on information of the first message.

Abstract: Embodiments are provided for detecting overlapping topics in a messaging system. In an example system, a plurality of trigger phrases is received, where each trigger phrase is configured to trigger a bot that receives the trigger phrase to select a corresponding topic for conversation. For each trigger phrase, a vector representation is generated. Measures of similarity are generated based at least on the vector representations, where each measure of similarity represents a degree of similarity between a respective pair of vector representations. A topic overlap is detected based on a pair of vector representations having a measure of similarity above a similarity threshold, where the topic overlap indicates two trigger phrases that are overlapping. The topic overlap is provided to an authoring tool that comprises one or more interactive elements to enable a user to change at least one of the two trigger phrases that are overlapping.

Abstract: There is provided an apparatus for managing a group mention based on a user behavior condition by mention type. The apparatus includes: a user-designated mention reception portion that receives a user-designated mention including a user-designated identifier and user-designated information about one or more users forming a user group; an unread count calculation portion that identifies the user-designated identifier, distinguishes the mention type of the user-designated mention, and calculates an unread count of the user-designated mention that has not yet been read by a corresponding user based on the user-designated information; and an unread count processing portion that determines the user behavior condition for subtracting the unread count according to the mention type and determines whether to subtract the unread count by detecting a user behavior associated with the user-designated mention.

Abstract: An electronic messaging system that provides for assessing the risk score associated with a message and its recipients in the moment after the send process has been initiated and before the transmission begins, to provide for alerts to be generated when the system detects that a recipient message address is of high risk.

Abstract: Techniques for internet protocol (IP) messages via short message service (SMS) are described and may be implemented via a wireless device to enable messages originated via an IP technique (e.g., an IP application) to be converted to SMS messages when a condition occurs that prevents sending and/or receiving an IP message.

Abstract: A DNS server comprises: a receiver configured to receive a registration request comprising a domain name, a local address, and a scope, the registration request requests registration of the domain name; a processor coupled to the receiver and configured to execute computer instructions that cause the processor to: assign an address to the domain name based on the local address and the scope, and generate a registration response comprising the address; and a transmitter coupled to the processor and configured to transmit the registration response towards an endpoint. The processor may be further configured to cache a correspondence among the domain name, the address, and the scope.

Abstract: Systems and methods are provided for monitoring a connection state between a primary DHCP server and a secondary DHCP server, determining that a connection between the primary DHCP server and the secondary DHCP server has not been established within a first timeframe, establishing a partner-down operation state at one or more of the primary DHCP server and secondary DHCP server, and, during an established partner-down operation state, issuing/allocating short-term network address leases from one of the primary DHCP servers or secondary DHCP servers. Short-term network leases of the present disclosure may have a duration of between 1 second and 5 minutes.

Abstract: Techniques for providing a networking and security split architecture are disclosed. In some embodiments, a system, process, and/or computer program product for providing a networking and security split architecture includes receiving a flow at a security service; processing the flow at a network layer of the security service to perform one or more networking functions; and offloading the flow to a security layer of the security service to perform security enforcement based on a policy.

Abstract: This disclosure provides systems, methods and apparatus, including computer programs encoded on computer storage media, to mitigate a denial of service attack to a power line communication (PLC) network. A first node of the PLC network may activate a countermeasure that enables the PLC network (including the first node and a second node) to continue to communicate when one or more transmissions associated with a denial of service attack are injected onto the communication medium. This disclosure includes several techniques to detect a denial of service attack and several countermeasures that may be implemented. For example, a countermeasure may include the use of a custom preamble or a custom priority resolution symbol that is specific to the PLC network. The first node and the second node may disregard transmissions that do not conform to the custom preamble or custom priority resolution symbol.

Abstract: Systems and methods for enforcement of secure data communications between nodes of a Controller Area Network (CAN) bus implemented in a vehicle are provided. According to one embodiment, a node coupled with the CAN bus receives a data frame broadcast from a source node and extracts information from the data frame. The node analyzes coherence between the extracted information and historical information observed by the node. When a result of the analyzing coherence indicates that the data frame is valid (i.e., the extracted information is coherent with the historical information), the node updates the historical information based on the data frame; otherwise the node drops the data frame to discontinue processing of the data frame.

Abstract: Techniques for fast policy matching with runtime signature update are disclosed. In some embodiments, a system/process/computer program product for fast policy matching with runtime signature update includes receiving a plurality of rules for malware signatures; compiling the plurality of rules for a fast policy matching engine that detects malware using the malware signatures; and executing the compiled plurality of rules using the fast policy matching engine to detect malware using at least one of the malware signatures.

Abstract: A method for providing and managing non-direct URL fetching service for retrieving a content from a web server to a client device is disclosed, such as for overcoming geo-blocking or a Man-In-The-Middle (MITM) attack. The non-direct fetching method may use intermediate devices, such as proxy server, Data-Center proxy server, tunnel devices, or any combination thereof. A URL request may be sent in parallel using both direct and non-direct fetching schemes, in order to verify the need for using the non-direct fetching service. Direct or non-direct fetching scheme may be selected by using a file that associates a fetching scheme to the requested URL. The selection of the fetching mechanism may use dynamically in real-time updating of a Proxy Auto-Configuration (PAC) file. As part of an accounting scheme, quotas may be applied to a cumulative received data or a time duration of using a non-direct fetching service.

Abstract: A method including predicting or determining, by a VPN server, potential overloading of the VPN server based on predicting or determining a breach of a critical threshold associated with the VPN server; verifying, by the VPN server based on predicting or determining the potential overloading, an identity of a secondary server with which the VPN server is authorized to establish a secure connection; establishing, by the VPN server based on verifying the identity of the secondary server, a secure connection with the secondary server to enable communication of encrypted information between the VPN server and the secondary server; and transmitting, by the VPN server to the secondary server, an encrypted message identifying a host device and data of interest to be retrieved from the host device to enable the secondary server to request the data of interest from the host device is disclosed. Various other aspects are contemplated.

Abstract: The disclosure is generally directed towards a client device agent (e.g., a network agent) learning that a service domain is authenticated via a corresponding suffix proxy domain. The network agent may then direct a service domain request to the suffix proxy domain. The learning process generally involves evaluating headers in URL redirection communications between the client device and an authentication service, such as an identity provider (IDP). Based on a session control policy, the IDP may “bounce” the user to a proxy service (e.g., a suffix proxy). Accordingly, the IDP may include a “bouncer”. The network agent generally learns from the headers that a request to a service domain gets redirected (e.g., bounced) to a suffix proxy domain. The agent intercepts subsequent requests to the service domain, updates the request URL, and sends the updated request to the suffix proxy domain.

Abstract: A secure executable container executed by an endpoint device receives a request by an originating entity for initiating a secure peer-to-peer transfer of a data object to at least a second network entity via a second network device in a secure data network. The secure executable container establishes a two-way trusted relationship between the originating entity and the endpoint device, and between the endpoint device and the second network device. The secure executable container generates a root data object containing metadata identifying the data object and comprising a list identifying message objects containing respective data chunks of the data object, and causes the second network device to execute a secure autonomic synchronization of the root data object via the secure data network, enabling the second network entity to execute the secure peer-to-peer transfer of at least a selected portion of the data object as a hyperlinked hypercontent object.

Abstract: A method for processing telegrams in an automation network provides a master subscriber to at least partially encrypt and output telegrams, respectively, to another subscriber. The other subscriber comprises an input port, a receiving logic connected to the input port, a decryption unit connected to the receiving logic, and a processing unit connected to the decryption unit and the receiving logic. The receiving logic is configured, when a telegram at least partially encrypted by the master subscriber is present at the input port, to forward an encrypted portion of the telegram to the decryption unit. The decryption unit is configured to decrypt the encrypted portion of the telegram with a key, and to forward the encrypted portion to the processing unit for processing. If an unencrypted telegram is present at the input port, the receiving logic is configured to forward the unencrypted telegram to the processing unit for processing.

Abstract: A system can include, for example, a secure data module(s) configured to store sensitive data regarding the user(s), a synthetic dataset generating module(s) configured to generate the synthetic dataset based on the sensitive data, and a control module configured to receive a request from an application for a dataset related to the user(s), provide the request to the synthetic dataset generating module(s), receive the synthetic dataset from the synthetic dataset generating module(s), and provide the synthetic dataset to the application. The synthetic dataset generating module(s) can be configured to generate the synthetic dataset based on the dataset.

Abstract: According to one aspect of the technique of the present disclosure, there is provided a device in a network including: a storage in a secure zone to store encryption algorithms, information generators, and keys; and an operation processor in the secure zone. When the device operates as a master device, the operation processor selects at least one of an encryption algorithm, an information generator or a key used for encrypted communication within the network, generates profile information including at least one of identification information of the encryption algorithm, the information generator or the key, and transmits the profile information to another device in the network. When the device does not operate as the master device, the operation processor receives the profile information from the master device, and designates based thereon at least one of the encryption algorithm, the information generator or the key used for the encrypted communication.

Abstract: Aspects of the subject technology provide for shared experience sessions within a group communications session such as a video call. The shared experience session may be, as one example, a co-watching session in which the participants in the call watch a video together while in the call. Encrypted shared state data may be exchanged between the participant devices, with which the participant devices can provide synchronized and coordinated output of shared experience data for the shared experience session of the group communications session.

Abstract: Methods and systems for a browser extension system are disclosed. In some embodiments, a browser extension server includes a communication device configured to communicate with a first computing device executing a browser extension application and a web browser application and a second computing device executing an authentication application. The browser extension server further includes a memory storing instructions, and a processor configured to execute the instructions to perform operations. The operations may include receiving from the first computing device an indication of a financial service account associated with the first computing device, detecting a payment field in a web page provided by the computing device through the web browser application and, in response, generating a secure token mapped to the financial service account.

Abstract: Encryption and decryption techniques based on one or more transposition vectors. A secret key is used to generate vectors that describe permutation (or repositioning) of characters within a segment length equal to a length of the transposition vector. The transposition vector is then inherited by the encryption process, which shifts characters and encrypts those characters using a variety of encryption processes, all completely reversible. In one embodiment, one or more auxiliary keys, transmitted as clear text header values, are used as initial values to vary the transposition vectors generated from the secret key, e.g., from encryption-to-encryption. Any number of rounds of encryption can be applied, each having associated headers used to “detokenize” encryption data and perform rounds to decryption to recover the original data (or parent token information). Format preserving encryption (FPE) techniques are also provided with application to, e.g., payment processing.

Abstract: Methods, apparatus, and processor-readable storage media for dynamically unifying disparate UI applications in a cloud native environment are provided herein.

Abstract: Various systems and methods of establishing and providing credential dependency information in RESTful transactions are described. In an example, accessing credential resource dependencies may be performed by a credential management service (CMS) or other server, with operations including: receiving a request for a credential resource in a Representation State Transfer (RESTful) communication; identifying the credential resource which has a credential path that indicates a dependency associated with a credential; identifying dependency characteristics of the credential resource, based on the dependency; populating the credential resource to include a dependent credential, based on the dependency characteristics; and transmitting the populated credential resource in response to the request.

Abstract: Methods and systems for offload of data from a wireless sensing device to a gateway device. A certificate that is generated by the management server in response to a determination that the gateway device is associated with a wireless sensing device is received during an initial connection with the management server. In response to confirming, based on the certificate, that the gateway device is authorized to connect to the wireless sensing device, the certificate is transmitted to the wireless sensing device; and data is received from the wireless sensing device in response to confirming that the wireless sensing device is authorized to connect with the gateway device based on the certificate.

Abstract: The techniques disclosed herein enable improved security as well as more scalable and reliable job execution by utilizing granular security boundaries and certificate-based authentication for all communication within cloud-based platforms. To manage a cloud-based platform, a system receives a plurality of jobs and associated certificates at a first security boundary that are to be executed at various resource units within a second security boundary. The system then authenticates each certificate before transmitting each job to its respective resource unit for execution. In addition, the system is further configured to monitor active certificates for compromise and accordingly isolate various security boundaries in the event of a security breach. By isolating portions of the cloud-based platform within security boundaries, the system can mitigate the impact of security breaches. Furthermore, certificate-based authentication addresses performance constraints to enable more efficient and scalable job execution.

Abstract: A virtual session manager of an electronic device maintains a web session for a user across multiple electronic devices. The virtual session manager receives an authentication request from a first electronic device that is in a communication range of the device. The virtual session manager transmits the authentication request to an endpoint device with a grant token without providing the first electronic device with any access to the grant token. The virtual session manager will receive, from the endpoint device, a first access token in response to the first authentication request. The virtual session manager will transmit the first access token to the first electronic device so that the first electronic device can establish a virtual session with the first web resource.

Abstract: A method includes detecting proximity between a mobile device and a remote device associated with a transaction reserved by a user of the mobile device and a mode of the electronic device. A verification password is sent to the remote device responsive to detecting the proximity and the mode. A device includes a module to detect proximity between the device and a remote device associated with a transaction reserved by a user of the device occurring within a predefined distance threshold and a processor coupled to the module. A device includes another module to detect a stationary mode of the electronic device occurring for at least a predefined duration threshold. The processor is sends a verification password to the remote device responsive to detecting the proximity and the mode.

Abstract: Embodiments described herein relate to methods and apparatuses for enabling remote management of a profile in an identity module in an NB-IoT device. A proxy server is configured with access to a database of one or more external identifiers associated with one or more respective NB-IoT devices, wherein the one or more external identifiers are used to address the respective one or more NB-IoT devices via an exposure function in a core network. A method in the proxy server comprises receiving a request to deliver a triggering message to the NB-IoT device, wherein the request comprises a device identifier; determining an external identifier based on the received device identifier; and delivering the triggering message to the NB-IoT device using the external identifier.

Abstract: Examples describe data security for communication systems. One example includes validating a user device using secure user data and generating a long term token for the user device, where the long term token is generated with a randomized unique token system. The method further includes receiving a transaction communication associated with a secure transaction, the transaction communication including the long term token, generating a transaction token that is different than the long term token for the transaction communication using the long term token from the transaction communication, and facilitating the secure transaction using the transaction token and the long term token.

Abstract: Training an adversarial perturbation detector comprises accessing a training set comprising an enrolled biometric sample xi and a public biometric sample x of an enrolled user, and submitted biometric samples x? of a second user, the submitted biometric samples x? comprising perturbed adversarial samples x?+?x?. A transformation function k(?) is provided having learnable a parameter ? and a classifier having a learnable parameter ?. The training set is used to learn the parameters ? and ? by inputting the training set to the transformation function k(?). The transformation function k(?) generates transformed enrolled samples k(xi), a transformed public biometric sample k(x), and a transformed adversarial sample k(x?+?x?). The classifier classifies the transformed adversarial sample k(x?+?x?) as a success or as a fail based on the transformed enrolled samples k(xi). Based on a result of the classification, the learnable parameters ? and ? are updated.

Abstract: Various exemplary embodiments relate to an anonymous database system. The system includes a plurality of biometric nodes in communication with one another. Each of the plurality of biometric nodes includes a biometric input that receives biometric data from a user. The system also includes at least one central database in communication with the plurality of biometric nodes; and a plurality of institution databases in communication with the plurality of biometric nodes. A first node of the plurality of biometric nodes is configured to receive a message from a second node of the plurality of biometric nodes, the message requesting authorization of data access by the second node. Various embodiments relate to a method for performing an action requiring multiple levels of authentication using an anonymous database system.

Abstract: An electronic device includes a port binding module that binds ports to processes. A process running on the electronic device sends a port request to the port binding module. The port binding module determines whether the requested port is a restricted port. If not, the port binding module binds the requested port to the process. If the requested port is restricted, then the port binding module determines whether the requesting process has an entitlement corresponding to the port. If the requesting process has the corresponding entitlement, then the port binding module binds the requested restricted port to the process. If not, then the port binding module denies binding the requested restricted port to the process.

Abstract: A secure authentication between a network server and a network client. The secure authentication being achieved using server and client table objects only known to the server and client. The server and client table objects maintain equivalency. The server and client table objects have a table label for identifying working server and client table. The server and client table objects contain a label group, a data group, and a time group. The server and client contain a duplicate set of arithmetic formulas. The formulas use data from the table objects to send a solution to a receiving node. The receiving node arithmetically reverses the solution to verify sending node. The receiving node then responds using a different formula and different data from the table objects to verify itself to the original sending node. Once a server and client trust are established additional formula are then used to encrypt data.

Abstract: Techniques for authenticating and enforcing differentiated policies for a virtual machine (VM) executing in bridge mode on a wireless host device in a media access control (MAC)-based authentication network are described. In an example method a wireless host device is authorized to join a fabric enabled wireless network. A VM executes in bridge mode on the wireless host device. At the fabric edge, a source MAC address of the VM is determined. A session is created between the VM and an authentication server. The VM is authenticated. A policy for the VM is determined. A source internet protocol (IP) address is assigned to the VM to create a MAC-IP binding. A data-plane device in the fabric enabled wireless network is programmed to apply the policy to traffic communicated with the VM. Finally, the data-plane device applies the policy for the VM based at least in part on the MAC-IP binding.

Abstract: Techniques are described herein that are capable of dynamically routing an authentication request to a backup authentication system by a client device. For instance, the client device stores a list, which identifies authentication systems that are authorized to respond to authentication requests from the client device. The client device sends the authentication request toward a primary authentication system based at least in part on the authentication request identifying the primary authentication system as a recipient of the authentication request. The authentication request requests authentication of a principal by the primary authentication system.

Abstract: Secure methods, systems, and media for generating and verifying user credentials are provided. In some embodiments, the method comprises: receiving, from a user device, a request for access to a service that requires valid user credentials; determining an aspect of the user credentials that is to be satisfied to grant access to the requested service; transmitting, to the user device, a request for information related to the aspect of the user credential; receiving, from the user device, information related to the aspect of the user credential, wherein the information has been signed using a key associated with the user device; verifying the key used to sign the information by the user device; in response to verifying the key used to sign the information, determining whether the aspect of the user credential has been satisfied based on the received information; and, in response to determining that the aspect of the user credential has been satisfied, granting access to the service.

Abstract: The present disclosure is related to virtual spaces, such as channels, of a communication platform. In some cases, a channel may be designated as a private channel, which may permit access to the private channel by only users joined to the channel and may restrict/prevent access by all other users. The present disclosure is related to solutions for changing the private channel to a public channel, which may allow additional user accounts that were not associated with the private channel to discover and/or access the converted channel.

Abstract: An apparatus comprising a processor comprising a trusted execution environment (TEE) to be attested by a plurality of service provider servers on behalf of a plurality of endpoint devices in a network environment and provision kernels for the plurality of service provider servers requesting to access one or more of the plurality of endpoint devices.

Abstract: There are provided systems and methods for an authorization and access control system for access rights using relationship graphs. A service provider may provide an authorization and access control system that allows users within the service provider and/or customer entities to assign and change access rights or permissions to computing resources. When providing control of these access rights, the service provider may utilize relationship graphs, queried and generated using a graph database, to visualize and determine access rights that are inherited through different relationships and policies defining these access rights. The relationship graph may show edges for nodes that correspond to related objects, such as actors, groups, and resources. Paths over the relationship graph may be used to determine access rights that may be inherited by users. Once determined, these access rights may be established and/or updated with computing systems.

Abstract: Aspects of the disclosure relate to controlling access to secure information resources using rotational datasets and dynamically configurable data containers. A computing platform may receive, from a requesting system, a data access request. After authenticating the requesting system, the computing platform may load, using a first data container, first source data from a data track. The computing platform may send the first source data to a second data container. Then, the computing platform may load, using the second data container, second source data from the data track and may produce a first combined dataset. The computing platform may send the first combined dataset to a third data container. Subsequently, the computing platform may load, using the third data container, third source data from the data track and may produce a second combined dataset. Thereafter, the computing platform may send, to the requesting system, the second combined dataset.

Abstract: A system and method for protecting information managed by a content management system are disclosed herein. A first server of the content management system receives a request from a user or service to access a data item managed by the content management system. The first server determines a data type associated with the requested data item. The first server accesses a access control list to determine whether the user or service has permission to access data associated with the data type. The first server processes the request, based on a determination that the user or service has permissions to access data associated with the data type.

Abstract: The mobile device stores a plurality of communication profiles comprising one or more local communication profiles and a global communication profile. The mobile device determines local access requirements for connecting to a local cellular network operator and determines whether the plurality of communication profiles comprises a local communication profile that satisfies the local access requirements. When the plurality of communication profiles does not comprise a local communication profile that satisfies the local access requirements: the mobile device connects to a global cellular network operator using the global communication profile; receives, from the global cellular network operator, a new local communication profile that satisfies the local access requirements and connects to the local cellular network operator using the new local communication profile.