Abstract: Digital rights management is extended such that control over the access to data stored in a cloud remains with the originator of the data. The access information is coordinated between a rights application in the cloud and a rights server outside the cloud. A rights policy is used for fine-grained regulation of the access for users (user groups), computers (client, server) and validity periods. The access limits actions that can be performed with the data, such as a server application being provided with access to index said data without being able to access the complete contents of the data in the process. The access extension may be used for any type of distributed data processing in which the data are intended to be protected against unauthorized access operations.

Abstract: A communicating apparatus includes a first communication unit configured to communicate with an external apparatus using a first wireless communication method, and a second communication unit configured to communicate with an external apparatus using a second wireless communication method different from the first wireless communication method. The second communication unit searches for an external apparatus which communicates by the second wireless communication method using a wireless channel used in communication by the first communication unit, and connects to the external apparatus.

Abstract: A proxy API system intercepts and enriches API messages such as an API request or API response. The proxy API system enriches an API message by incorporating additional semantic meaning into the API message. More specifically, the proxy API system extracts features from a message and applies the features to a trained model. The trained model identifies annotations that are relevant for labeling the API message. Additionally, the proxy API system identifies reference data corresponding to the API message data and annotations to provide additional data related to content of the API message, such as additional detail about a data item in the message such as additional fields related to that item. The proxy API system enriches the API request or API response with the annotations and reference data.

Abstract: Systems and methods for manage throttling limits in a distributed system are disclosed herein, according to some embodiments. A system includes a plurality of server nodes to perform a service. The system includes one or more processors a memory. The memory stores instructions that, when executed by the one or more processors, cause the one or more processors to perform operations. The operations include receiving a request for the service. The operations also include calculating whether accepting the request would exceed a service throttling limit for the plurality of server nodes for the service and whether accepting the request would exceed a node throttling limit for a server node of the plurality of server nodes. The operations also include accepting the request for processing at the server node responsive to calculating that the service throttling limit and the node throttling limit would not be exceeded.

Abstract: A messaging system comprises a plurality of connected components and including a schema defining fields for messages, at least one field defined as non-essential. A mechanism for operating the messaging system comprises the steps of collecting one or more performance metrics for one or more components of the messaging system, determining that at least one performance metric has crossed a predetermined threshold, informing one or more components of the messaging system that a surge in workload has occurred, and the informed components removing non-essential fields from transmitted messages and/or not processing non-essential fields from received messages.

Abstract: Embodiments of the present disclosure relate to IO initiator aware data migration. A set of statistical metrics for a replica of a data block on a first node of a plurality of nodes is obtained. The first set of statistical metrics is associated with read operations on the replica. The read operations are operations initiated by a second node of the plurality of nodes. If it is determined that a first statistical metric in the set of statistical metrics exceeds a predefined threshold, the replica is migrated from the first node to the second node.

Abstract: A method, server, device and computer readable medium for facilitating communication between users permitted to access a messaging server is provided. The messaging server comprises a user database, a processor and memory. The user database is configured to store user information for the users and at least one name directory. The name directory includes a list of users permitted to communicate with each other. The memory has stored thereon instructions which, when executed by the processor, cause the messaging server to transmit the name directory to the users listed therein at predefined times.

Abstract: Embodiments described herein are implemented in authentication brokering systems where an authentication broker issues security tokens that represent its authentications of users. Client devices operated by the users store the security tokens and send them to resource providers. The resource providers authenticate and grant access to the users based on validation of the security tokens. Authentication related messages exchanged between the resource providers and the authentication broker are used to exchange authentication risk data that is obtained or derived by the resource providers and the authentication broker. The resource providers obtain authentication risk data directly from the authentication broker and indirectly, via the authentication broker, from each other. As security tokens are used or managed, authentication risk data is shared among the participants in the authentication brokering system.

Abstract: The disclosure relates to wireless networks, and more specifically to multiple access networks. This present disclosure provides for a method in a wireless device, for predicting Quality of Service of a possible future connection between the wireless device and one or more wireless networks. The predicted Quality of Service may be used e.g. for making a handover decision. The disclosed method comprises detecting an access point of a first wireless network within range of the wireless device. The method further comprises determining the number of devices already being connected to the access point and calculating the predicted Quality of Service based on the determined number of devices already being connected to the access point. The disclosure further relates to a wireless device and to a computer program.

Abstract: A user having remote device wants to access an application that requires that the user possess a user application cryptographic credential. If the application needs to verify the identity of the user, the user's remote device performs a cryptographic operation using the user application cryptographic credentials, and sends the result to the application. A configuration for securely distributing the user application cryptographic credentials includes at least one gateway located at an enterprise that is under the control of an enterprise administrator, and a controller that is not located at the enterprise but can be configured by the enterprise administrator to cooperate with the at least one gateway.

Abstract: A system for managing network connected devices, comprising at least one hardware processor adapted to produce a plurality of unique device descriptors, each describing one of a plurality of network connected devices, by: for each of a plurality of device descriptors, each having a plurality of supported actions, and one or more domain device identifiers, each identifier associating the device descriptor with one of a plurality of management domains: for each of the plurality of management domains not associated with the device descriptor: instructing execution on a network connected device described by the device descriptor a domain identification query according to the descriptor's plurality of supported actions, to determine a new domain device identifier; identifying in the plurality of device descriptors a second device descriptor having a domain device identifier equal to the new domain device identifier; and merging the device descriptor with the second device descriptor.

Abstract: A computer program product for cross-site request forgery (CSRF) prevention is provided and includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and executable by a processing circuit to cause the processing circuit to issue a server request for a certificate, which is associated with a user, responsive to a client request to visit a uniform resource indicator (URI) being received, validate the certificate upon receipt in fulfillment of the server request, compare a referrer listed in a header of the client request with a list of certificate elements in the certificate, authenticate the user in accordance with correlation between the referrer and at least one of the certificate elements and authorize the client request to visit the URI upon the user being authenticated.

Abstract: Gateway devices at different sites of a primary Anycast network provide access to the sites by advertising a first set of Anycast addresses. A secondary shadow Anycast network advertises different second sets of Anycast addresses from the different sites in order to predetermine traffic shifts that occur as a result of changing one or more of the second set of Anycast addresses that are advertised from one or more of the sites. A traffic shifting device may implement a predetermined traffic shift in the primary Anycast network by selecting a particular second set of network addresses that produces a traffic shift at least equal to the predetermined traffic shift, mapping the particular second set of network addresses to a modified first set of addresses, and modifying routing in the primary Anycast network by advertising the modified first set of addresses instead of the first set of addresses.

Abstract: An access controlling method that causes a computer to execute processes, the processes including obtaining situation information that indicates at least one of situation of a terminal and an attribute of an owner of the terminal, determining a service corresponding to the obtained situation information among from a plurality of services having access destinations different from each other based on the obtained situation information, and when a service request has been transmitted from the terminal that has been executing an application software, transferring the service request to an access destination corresponding to the determined service, the application software having a function for transmitting a service request to a predetermined access destination.

Abstract: The example embodiments are directed to an application hub system and method configured to add a tenant-specific script to running instances of a plurality of independently developed software applications thereby customizing the behavior of the plurality of independently developed software applications through a single action. In one example, the method includes receiving a request to load an application hub interface associated with running instances of a plurality of software applications, determining at least one script to be used to customize a behavior of the running instances of the plurality of software applications, adding the at least one script to each of the running instances of the plurality of software applications via the application hub interface, and displaying a user interface associated with the application hub interface which provides access to the customized running instances of the plurality of software applications.

Abstract: Examples of techniques for determining security access based on user behavioral measurements are disclosed. In accordance with aspects of the present disclosure, a computer-implemented method is provided. The method may comprise performing a trust evaluation to calculate a trust penalty value for a user based on a plurality of measured user attributes. The method may further comprise determining, by a processing device, a security access level based on a predefined trust threshold and the trust penalty value for the user. The method may also comprise applying the security access level to the user.

Abstract: A method includes retrieving, by a processor, a first entry from a global wait list as a current waiting lock. The method further includes decreasing, by the processor, a deadlock timer of the current waiting lock. The method further includes determining, by the processor, whether the deadlock timer equals zero. The method further includes appending, by the processor, the current waiting lock to an end of a deadlock victim selection list, if the deadlock timer equals zero. The method further includes selecting, by the processor, a victim from the deadlock victim selection list.

Abstract: Fault isolation in over-the-top content (OTT) broadband networks is disclosed. Network topology information associated with a network service provider is received. Session information associated with one or more streaming sessions is received. A predictive model is generated for predicting session quality at least in part by using at least some of the network topology and session summary information as features. The predictive model is used to determine a first prediction of session quality using a first set of feature values. A second set of feature values is generated at least in part by replacing a first feature value in the first set of feature values with a replacement value. The predictive model is used to determine a replacement prediction of session quality using the second set of feature values including the replacement value with which the first feature value was replaced.

Abstract: A transcoding service is described that is capable of utilizing the excess capacity of the computing resources of a service provider. The customer of the transcoding service can submit a bid price for completing the transcodes. As long as the specified price exceeds the fluctuating price of the unused resource instances, the transcoding service will execute the job on the unused instance(s). If the price of the unused resource instances exceeds the customer's bid, the transcoding process stops. The transcoding service may pause the transcoding when the dynamically fluctuating price of the unused resource exceeds the customer's bid and then resume when the price falls back down. Users can specify constraints for transcoding, such as timeframes during which the transcode must be completed, a total price for completing transcoding or priorities of the media files. The system can automatically optimize the utilization of the resource instances according to the constraints.

Abstract: A pedestrian with a cellphone is in a public area. He sees a drone airborne nearby. He rents the drone to control its actions. His phone shows a signal encoding his electronic address, like a phone number. The drone decodes and sends a message with an URL, deep link or linket. The latter is a brand of the drone owner that maps to a deep link. The deep link designates an app in an app store. He installs the app and interacts with the owner, taking control of the drone for a specified time. The app shows images from the drone camera. The drone can crowdsource public safety. And check the presence of players at locations in Augmented Reality games. It can distribute electronic prizes to players. It can distribute keys for cryptosystems. The drone can pick up data from users at different places. Drone-drone interactions can optimise drone routes. Drones can be used with a blimp and electronic billboards to increase crowd use of an app.

Abstract: A method for operating a user equipment (UE) adapted to transmit beacons includes adjusting an initial beacon interval between successively transmitted beacons in accordance with a value of at least one parameter and a beacon configuration received from a network entity, thereby producing an adjusted beacon interval, and transmitting a beacon selected in accordance with the adjusted beacon interval in a beacon transmission opportunity determined in accordance with the initial beacon interval.

Abstract: A system that includes a network device, an access controller, and a data vault. The network device is configured to receive a first tokenized sub-string, combine a second tokenized sub-string with the first tokenized sub-string to generate an initiation token, and send the initiation token to the access controller. The access controller is configured to validate the initiation token and to send connection information comprising a connection identifier to the network device and send a post-action verification token to a data vault in response to validating the initiation token. The network device is further configured to send a network connection request comprising the connection identifier to the data vault. The data vault is configured to receive the network connection request, determine that the post-action verification token linked the connection identifier has been received, establish a network connection with the network device, and exchange data with the network device.

Abstract: Apparatus and methods are disclosed for implementing bandwidth throttling to regulate network traffic as can be used in, for example, vulnerability scanning and detection applications in a computer network environment. According to one embodiment, a method of routing network packets in a networked device having plural network interfaces combines applying traffic class and network interface throttling for marking network packets with a differentiated service code based on input received from a profiler application, throttling the bandwidth of network packets based on a threshold for a designated network interface for the packet, throttling the bandwidth of the bandwidth-throttled packets based on a threshold for its respective differentiated service code, and emitting network packets on each respective designated network interface.

Abstract: A method for initialization of a group of customer premises equipment devices (CPEs) during a training that registers capabilities of the CPEs is disclosed, wherein at least one CPE registers late to the training and cannot be registered. The method includes determining capabilities of the CPEs during a joining phase of the training, wherein it is determined whether a CPE device is capable of employing vectoring, and placing in a hold status the at least one CPE that registers late by keeping a line active that is coupled to the at least one CPE. The method further includes providing another joining phase after the joining phase to register the at least one CPE that registers late.

Abstract: A network controller for a network implementing a virtual network overlay determines a network gateway via which a service appliance accesses the network. The network controller determines a network gateway via which an application server accesses the network. First policy data is distributed to the network gateway via which the service appliance accesses the network. This first policy data indicates that the network gateway via which the service appliance accesses the network forwards return packets addressed to a client device sent from an application server to the service appliance. Second policy data is distributed to the network gateway via which the application server accesses the network. This second policy data indicates the network gateway via which the application server accesses the network is configured to forward return packets addressed to the client device to the network gateway via which the service appliance accesses the network.

Abstract: Techniques are disclosed for a queuing system for network devices. In one example, a network device includes a plurality of memories and processing circuitry connected to the plurality of memories. The plurality of memories includes a local memory of processing circuitry and an external memory to the processing circuitry. The processing circuitry is configured to receive an incoming network packet to be processed, wherein the network packet is held in a queue prior to processing and determine a predicted lifetime of the network packet based on a dequeue rate for the queue. The processing circuitry is further configured to select a first memory from the plurality of memories based on the predicted lifetime and store the network packet at the first memory in response to selecting the first memory from the plurality of memories.

Abstract: There is provided a system capable of performing cooperation through single sign-on, between a community created for each tenant in one service provision apparatus and a tenant of the other service provision apparatus.

Abstract: Arrangements described herein relate to accessing a cloud based service. Responsive to a user of a first communication device initiating access to the cloud based service via the first communication device, a prompt for a valid password to be entered to access the cloud based service can be received by the first communication device. Responsive to the valid password required to access the cloud based service not being stored on the first communication device, the first communication device can automatically retrieve the valid password from a second communication device via a peer-to-peer ad hoc communication link between the first communication device and the second communication device. The valid password can be automatically provided, by the first communication device, to a login service for the cloud based service to obtain access by the first communication device to the cloud based service.

Abstract: Provided is a communication device that prevents a shortage of wireless LAN resources. A communication-control unit controls wireless communication via an access point and P2P type communication (P2P communication), a connection-information-management unit manages a MAC address list in which MAC addresses of portable terminals from which there is a connection request by wireless communication are registered, and when the communication-control unit receives a connection request from a portable terminal by wireless communication, a system-control unit compares the MAC address that is included in the connection request with the MAC address list, and responds to the connection request when the MAC address is not registered in the MAC address list. As a result, unintended connection requests are prevented from being received from the portable terminal side.

Abstract: In a wireless communication network, a Transmission Control Protocol (TCP) optimization engine receives user data. The TCP optimization engine transfers a TCP packet having the user data to wireless User Equipment (UE). The UE wirelessly receives the TCP packet using a wireless communication protocol and loads the TCP packet into a TCP buffer. The UE generates a TCP Acknowledgment (ACK) for the TCP packet that also indicates the wireless communication protocol. The UE wirelessly transfers the TCP ACK to the TCP optimization engine. The TCP optimization engine selects a new size for the TCP buffer based on the wireless communication protocol in the TCP ACK from the UE. The TCP optimization engine generates and transfers a TCP buffer instruction to the UE indicating the buffer size. The UE wirelessly receives the TCP buffer instruction and sizes the TCP buffer to the TCP buffer size.

Abstract: When incentivizing vendors to give greater discounts on items or services offered or advertised to specific customers on a third-party website in exchange for reduced advertisement pricing, a vendor enters offer parameters (e.g., item or service for sale, price or discount amount, terms of the offer, a permitted number of acceptances of the offer, etc.) into a user interface along with target customer criteria (e.g., age, gender, minimum income, etc.). The target criteria is matched to customer profile data, and an advertisement generated using the offer parameter information is presented to customers whose profiles match the target criteria. In return for offering larger discounts, a cost per event (CPE) associated with the advertisement is reduced for the vendor. An invoice is generated and transmitted to the vendor, and upon receipt of payment, the advertisement provider remits a portion of the received payment to the website owner.

Abstract: An automated classification system may be configured to substantially automatically classify one or more pieces of personal information in one or more documents (e.g., one or more text-based documents, one or more spreadsheets, one or more PDFs, one or more webpages, etc.). The system may be implemented in the context of any suitable privacy compliance system, which may, for example, be configured to calculate and assign a sensitivity score to a particular document based at least in part on one or more determined categories of personal information identified in the one or more documents. The storage of particular types of personal information may be governed by one or more government or industry regulations, which may require particular security measures, storage techniques, handling, etc. for documents based on one or more categories of information contained therein.

Abstract: A method of ensuring compliance of a plurality of certificate stores on a mobile device with a first security policy is disclosed. The method includes: detecting a certificate store migration triggering event; in response to detecting the certificate store migration triggering event, initiating a bulk migration process to migrate each of the plurality of certificate stores to a respective version that is compliant with the first security policy, the bulk migration process proceeding according to a predetermined order of certificate stores; receiving, from a client application resident on the mobile device, a request to access a first certificate store that has yet to be migrated; and executing an out-of-order migration of the first certificate store.

Abstract: The present disclosure provides a message transmission method and apparatus. The method includes: a virtual machine control center (VMC) establishing a link of a message transmission between the VMC and a client side, herein, the client side is used to link and operate a virtual machine; the VMC performing the message transmission with the client side according to the established link.

Abstract: A charging method applied to a network architecture in which network control and data flow forwarding are separated. The method includes receiving, by a control plane (CP) entity, a charging rule delivered by a policy and charging rules function PCRF entity, generating, by the CP, a user plane UP entity reporting policy based on the charging rule, requesting, by the CP from an online charging system OCS, a quota required by a rating group in the charging rule; receiving, by the CP, a quota delivered by the OCS, and generating UP quota information based on the quota; and delivering, by the CP, the generated UP reporting policy and the generated UP quota information to the UP.

Abstract: Described herein are methods and systems for updating digital certificates on a computer and testing to confirm that the update was performed correctly. The testing may involve confirming that a server's common name (CN) and/or a server's subject alternative name (SAN) matches the domain name server (DNS) name utilized to access the server, confirming that, for all the certificates sent in chain, each certificate's expiration date is less than or equal to the expiration date of that certificate's parent certificate, confirming that the certificates' authority key identifier (AKI), subject key identifier (SKI), and/or authority information access (AIA) are in compliance, and comparing available cipher suites to a list of pre-approved cipher suites.

Abstract: Disclosed are various embodiments for a computing device with an integrated authentication token. The computing device includes first circuitry having a processor and a memory and providing general-purpose computing capability. The computing device also includes second circuitry configured to generate data. The first circuitry is incapable of determining the data due to a separation from the second circuitry, and the first and second circuitry may be in a single enclosure.

Abstract: In a distributed computing network, requests for allocation of resources to tenant workloads and messages identifying resource availability are received and aggregated. Resources are allocated to the workloads in accordance with a distribution policy defining values for resource entitlements of the tenants. The values include pre-emption quantities. In response to determining that a quantity of resources allocated for workloads of a first tenant is less than the tenant's pre-emption quantity, processing of another workload from a second tenant is interrupted to re-allocate resources from the second tenant's workload to the first tenant's workload.

Abstract: A mechanism is described for facilitating dynamic and trusted cloud-based extension upgrades for computing systems according to one embodiment of the invention. A method of embodiments of the invention includes detecting a computing device needing an upgrade. The upgrade may relate to a hardware component at the computing device needing an upgrade element for the upgrade. The method may further include calling a first cloud server to provide the upgrade over a network. The first cloud server may have first resources including the upgrade element. The method may further include facilitating the hardware component to access the upgrade element at the first cloud server without having to upgrade or replace the hardware component.

Abstract: Apparatus and methods for policy decisions regarding a service data flow enabled for service chaining. One embodiment comprises a policy control element configured to make policy decisions for a session. The policy control element communicates with an offline charging system. The policy control element detects a new service added to the service chain implemented for the service data flow, and transmits a charging rules request to the offline charging system responsive to detecting the new service being added to the service chain. The policy control element receives a response from the offline charging system that includes offline charging rules that are mapped to the new service of the service chain, makes a policy decision for the service data flow based on the offline charging rules, and transmits the policy decision to a policy enforcement element.

Abstract: A host computer supports a virtual guest system running thereon. The host system has a firewall that prevents it from communicating directly with the Internet, except with predetermined trusted sites. The virtual guest runs on a hypervisor, and the virtual guest comprises primarily a browser program that is allowed to contact the Internet freely via an Internet access connection that is completely separate from the host computer connection, such as a dedicated network termination point with its specific Internet IP address, or by tunneling through the host machine architecture to reach the Internet without exposing the host system. The virtual guest system is separated and completely isolated by an internal firewall from the host, and the guest cannot access any of the resources of the host computer, except that the guest can initiate cut, copy and paste operations that reach the host, and the guest can also request print of documents.

Abstract: Some embodiments provide a method for configuring a set of logical routers in a logical network. The method receives a configuration of an advertised route for a first logical router and a set of allowable routes for a second logical router to which the first logical router connects. The method determines whether the set of allowable routes for the second logical router includes the advertised route as an allowed route from the first logical router. Only when the advertised route is an allowed route from the first logical router, the method adds the advertised route to a routing table for at least one component of the second logical router.

Abstract: Aspects of the disclosure relates to managed access to content and/or services. In certain aspects, tokens or other artifacts can be utilized for authentication and authorization.

Abstract: The application relates to Network Function Virtualisation as standardised by ETSI GS NFV002 VI.2.1. The standard provides for dynamic instantiation and management of VNF instances. When using base stations as platforms on which VNFs can be instantiated, it has to be decided how this is done in an efficient way. The application proposes that in case a UE moves from an area covered by a source base station (210) to an area covered by a target base station (220), at least one VNF (250) is deployed on the target base station. This VNF may be a clone of a VNF (240) hosted by the source bases station.

Abstract: A system and method for mitigating security vulnerabilities of a computer network by detecting a management status of an endpoint computing device attempting to authenticate to one or more computing resources accessible via the computer network includes: detecting an authentication attempt by the endpoint computing device to the computer network; during the authentication attempt, collecting management status indicia from the endpoint computing device, wherein the management status indicia comprise data used to determine a management status of the endpoint computing device; using the management status indicia to identify the management status of the endpoint computing device and identifying the management status of the endpoint computing device; and controlling access to the computer network based on (a) whether the authentication attempt by the endpoint computing device is successful and (b) the identified management status of the endpoint computing device.

Abstract: A method and system for allowing an independent software vendor (ISV) access to proprietary software code for software of an organization has been developed. An ISV generates a login request that masquerades as a user of the software. A license management system that controls access to the software, is accessed and determines if two session IDs are present. The presence of two separate session IDs identifies the ISV and if detected, the ISV is allowed access to the proprietary software code. Finally, the organization is notified about the ISV's access to the proprietary software code.

Abstract: A system for remotely controlling multiple application programs executing on multiple respective physical computing devices, the system comprising a first computing device, comprising a first processor, and configured to execute a first application program; a second computing device, comprising a second processor, and configured to execute a second application program; and a controller configured to perform: generating, based on first information obtained from the first computing device and second information obtained from the second computing device, a global object hierarchy comprising a plurality of objects corresponding to active graphical user interface (GUI) elements of the first application program and the second application program; controlling the first application program to perform the first sub-task at least in part by using the global object hierarchy; and controlling the second application program to perform the second sub-task at least in part by using the global object hierarchy.

Abstract: Mobile device for receiving, demodulating and processing, from a cellular base station, a modulated spread spectrum signal into a demodulated spread spectrum signal. Modulating the received, demodulated and processed spread spectrum signal into a modulated Orthogonal Frequency Division Multiplexed (OFDM) signal and transmitting the OFDM modulated signal in a digital communications wireless Network. Processing, in a mobile device, a fingerprint signal for authenticating use of the mobile device, and processing a touch screen generated signal for controlling the mobile device. Processing in a mobile device a motion detector generated signal into a motion detector generated control signal for control of mobile device. Receiving, demodulating and processing in a mobile device a modulated location finder signal into a processed location finder signal. Generating and processing in a mobile device a photo and/or video signal into processed digital photo and/or video signal.

Abstract: Techniques are disclosed for facilitating impersonation for accessing resources through an access management system. When a user (“impersonator”) requests access to impersonate another user (“impersonatee”), the access management system may generate security data having two parts. One part may include a first security key that is sent to the impersonator and a second part may include a second security key that is sent to the impersonatee. Receipt of the second security key notifies the impersonatee about a request for impersonation to access a resource according to access permitted to the impersonatee. The impersonatee, if consenting to impersonation, may provide the security key received to the impersonator, thereby implicitly providing the impersonator with trust at run-time to access the resource. Upon verification of both security keys, by the access management system, access to a resource is provided to the impersonator based on access to the resource permitted to the impersonatee.

Abstract: An application programming interface (API) security gateway communicates with a client computer application to establish a URL key rotation operation. An API request is received from the client computer application that is directed to a computer server. The API request contains a URL address. The URL address is parsed to identify a URL key. A local validation key is generated based on the URL key rotation operation. The URL key is validated based on the local validation key to determine whether the URL key is valid. Based on determining that the URL key is valid, a modified API request is generated which contains the URL address with at least part of the URL key removed. The modified API request is provided to the computer server.