Abstract: The present disclosure provides data-driven methods and apparatuses for predicting user inquiries. One exemplary method includes: collecting user behavior data and pre-processing the user behavior data when a user inquiry is received; extracting candidate user behavior data that is contributive to the user inquiry from the pre-processed user behavior data; screening the candidate user behavior data based on a set target behavior data set, and selecting candidate user behavior data that is contained in the target behavior data set; inputting the screened candidate user behavior data into a trained classifier model; and predicting an inquiry category to which the user inquiry belongs. One exemplary apparatus includes a pre-processing module, an extraction module, and a prediction module. The method and the apparatus embodiments of the present disclosure can improve the efficiency and accuracy of the prediction.

Abstract: Techniques for maintaining and curating memories stored as data objects are described. A computing device receives a data object. The computing device analyzes, using a model, the data object to determine one or more classifications for the data object. The computing device stores the data object and the one or more classifications for the data object in a storage component of the computing device.

Abstract: A method of assigning IP addresses to devices of a building control network includes receiving a selection of selected devices of a plurality of devices from a user interface. The selected devices are displayed in a predetermined order on a display. A proposed static IP address for a first device in the predetermined order of the selected devices is received from the user interface. A static IP address is sequentially assigned to each of the selected devices following the first device in accordance with the predetermined order, assuming the subnet mask has been confirmed as valid. The selected devices in the predetermined order along with the assigned static IP addresses for each of the selected devices are displayed on the display. The assigned static IP address for each of the selected devices are downloaded to the corresponding one of the selected devices.

Abstract: An authorization entity in a communication system comprising a service-based architecture receives a request from a service consumer in the communication system for access to a given service type. The authorization entity obtains an access token that identifies a plurality of service producers for the given service type and sends the access token to the service consumer.

Abstract: An environment includes at least two network devices and a plurality of downstream devices or networks. The downstream devices or networks are communicatively coupled to network interfaces of the network devices using a plurality of data cables. The data cables each comprise a switch device configured to switch communication paths to the coupled network devices. Each of the data cables communicatively couple each of the network devices to one of the plurality of downstream devices or networks so that each of the downstream devices or networks has a communications path to each of the network devices and a switchable communications path from each of the network devices. The network devices do not arbitrate active/passive status via direct communication. Based on data contained in a reply packet indicating that a request packet sent by the first network device was acknowledged, the first network device determines that the first network device is an active network device.

Abstract: Aspects of the subject disclosure may include, for example, analyzing data to identify that the data is associated with an online game, translating, based on the analyzing, a first address associated with the data to a second address that is different from the first address, and transmitting the data to a communication device using the second address. Other embodiments are disclosed.

Abstract: An example embodiment may involve communicating with a server to separately access first and second records of sessions between the server and computing devices of a network, the first record including a first set of fields not present in the second record and the second record includes a second set of fields not present in the first record; identifying a common field present the first and second records; correlating information across the first and second records using the common field; using a set of license misuse criteria to identify, from the correlated information, (i) a set of the sessions that meets the set of criteria and (ii) a network address of a target device involved in the set of sessions; identifying the target device using the network address; and storing an indication identifying the target device as a potential source of misuse of licensed software executable on the server.

Abstract: An information processing apparatus includes: a processor configured to: when detecting an unauthorized access to a file or a directory, set a range including at least the specific file or directory subjected to the unauthorized access as a recording range in which access logs are recorded; and after setting the recording range, update or maintain the recording range according to at least a load on a resource used to record the access logs.

Abstract: A method for mitigating outbound electronic message spam includes determining whether an outbound electronic message to a recipient sent from an electronic messaging account of a sender has at least a predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a first pool of service delivery IP addresses based on a determination that the message has less than the predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a second pool of service delivery IP addresses based on a determination that the message has at least the predetermined number of indicators of compromise. The method may further include providing a notification of a possible compromise of the electronic messaging account and the notification may include a request to modify a security feature of the electronic messaging account.

Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid.

Abstract: A mobile application development system includes a developer portal that receives an application from a developer and provides a routing library to the developer to augment the application. An offline analysis system analyzes the application to (i) determine a set of activities that a handler within the application is programmed to resume in response to respective resumption requests from a host operating system and (ii) determine parameters for each of the activities. The offline analysis system generates a set of links that each corresponds to a respective one of the activities. The routing library, installed as part of the augmented application onto a user device, receives a link, from the user device's operating system, that identifies a first activity. The routing library includes instructions for generating a first resumption request based on parameters corresponding to the first activity and transmitting the first resumption request to the augmented application's handler.

Abstract: The subject technology receives image data including a representation of a physical item. The subject technology analyzes the image data to determine an object corresponding to the physical item. The subject technology extracts product metadata based on the determined object. The subject technology sends, to a server, the product metadata to determine second product metadata associated with the product metadata. The subject technology receives, from the server, the second product metadata, the second product metadata including additional information related to the physical item. The subject technology causes display, at a client device, the additional information related to the physical item based at least in part on the second product metadata.

Abstract: In accordance with one disclosed method, a computing system may cause a first computing device to display a first notification of a first event detected at a monitored location, and may cause a second computing device to display a second notification of a second event detected at the monitored location. The computing system may additionally cause the second computing device to cease display of the second notification in response to a change of status of the first event.

Abstract: A virtual network function (VNF) controller (or module) instantiates two or more VNFs in a communication network to support a network service where the two or more VNFs include at least a first VNF and a second VNF. The VNF controller assigns a priority value to each VNF base on an overall network impact, a physical location of at least one network resource allocated to the respective VNF, a type of service to be implemented by the respective VNF and a customer impact based on how many customers would be using the respective VNF. The VNF controller monitors network resources allocated to each VNF. The VNF controller further determines the first VNF requires additional network resources and releases the network resources allocated to the second VNF based on respective priority values. The VNF controller further allocates the network resources released by the second VNF to the first VNF.

Abstract: Embodiments of this application disclose a method for sharing data in a local area network and an electronic device. The method is as follows: A first electronic device establishes a wireless connection to a wireless access point, and receives, from a first port, access request information of a second electronic device forwarded by using the wireless access point, where the first port is a serving port for a local area network shared access protocol, and the second electronic device also establishes a wireless connection the wireless access point; the first electronic device verifies validity of the second electronic device; and if succeeds, the first electronic device sends access response information to the second electronic device, so that shared data in the first electronic device is accessed from the second electronic device, where the access response information includes an internal storage directory and a common file directory.

Abstract: The disclosure provides an approach for cross-network communication by self-replicating applications. Embodiments include identifying, by a first instance of a self-replicating application on a first computing device having a first network connection to a parent component, a second computing device that is connected to the first computing device via a second network connection. Embodiments include self-replicating, by the first instance of the self-replicating application, across the second network connection to produce a second instance of the self-replicating application on the second computing device. Embodiments include initiating, by the first instance of the self-replicating application, a proxy tunnel on the first computing device. Embodiments include receiving, by the proxy tunnel, a first communication from the second instance of the self-replicating application via the second network connection.

Abstract: Methods and systems for managing a premises are disclosed. An interface device and a premises system may be located at the premises. The interface device may receive a signal from a premises device of the premises system. An indication of the premises device may be output via a user interface. Configuration information may be associated with the premises device. The interface may monitor and control the premises device.

Abstract: The present disclosure is related to Just-In-Time (JIT) services, that discloses a method and system for providing JIT services to automotive users. A Point of Interest (PoI) service aggregator system may receive a service request from an automotive user, including one of: information related to a preferred PoI service provider, request to recommend PoI service providers, or request to list PoI service providers based on user query. Based on service request, the PoI service aggregator system may perform one of: dynamically on-boarding the preferred PoI service provider, recommending PoI service providers, or providing PoI service providers based on user query. Thereafter, a real-time synchronization may be established between a candidate PoI service provider and the automotive user to enable the candidate PoI service provider to determine arrival events including an estimated time of arrival and non-arrival events of the automotive user, to provide JIT service to the automotive user.

Abstract: An aspect of the present disclosure relates to a computer-implemented method for routing a bursty data flow comprising a series of one or more data packets over a converged network comprising a plurality of communication networks, the method comprising, for each of the series of data packets in turn: selecting which one of the plurality of communication networks to transmit that data packet over by: (i) obtaining flow statistics indicating a current flow state of the bursty data flow; and (ii) selecting the one of the plurality of communication networks in dependence on said flow statistics; then initiating transmission of the data packet over that one of the plurality of communication networks. Further aspects relate to a data processing system, a computer program, a computer-readable data carrier and a data carrier signal.

Abstract: Ransomware attack (RWA) detection is performed during an incremental or differential backup of a system of folders or directories of a computer or network of computers via an electronic network. The RWA detection includes processing incremental or differential backup metadata acquired during the incremental or differential backup to determine whether a RWA alert is issued. RWA remediation is performed at least in part on the RWA alert being issued. The RWA alert may be issued based on processing of the incremental or differential backup metadata to identify candidate new files and candidate deleted files in which the candidate new files are candidates for being encrypted copies of the candidate deleted files. RWA alert criterion may be based on counts of new versus deleted files in a folder or directory, and comparison of file sizes of the new versus deleted files.

Abstract: A system configured to synchronize the displays of multiple infusion pumps is provided. In some embodiments, the system includes a plurality of infusion pumps in communication with a server. An individual infusion pump synchronizes its internal clock by communicating with the server. Based on the synchronized internal clock, the infusion pump determines the current time, calculates a parameter based on the current time, and causes screen content corresponding to the calculated parameter to be displayed.

Abstract: A method of accessing objects with fine-grained access control (FGAC) in a relational database management system (RDBMS) storing a segmented column-major database. For each object with access restrictions, an artificial neural network (ANN), is trained by generating an equally distributed segment map of segmented data entries, so that the map reproduces the row disposition in the unsegmented object. When a user access request is received, these ANNs are referred to determine if any of the objects to be accessed are subject to access restrictions. If that is the case, then the ANN creates a pseudo-view construct of its associated object which is limited to data entries that the user has permission to access. The pseudo-views are then injected into the user access request to embed the fine-grained access controls for subsequent processing of the request, which can then proceed without further regard to user-specific access restrictions.

Abstract: Methods, systems, and devices for data processing are described. Some systems may support data processing permits and cryptographic techniques tying user consent to data handling. By tying user consent to data handling, the systems may comply with data regulations on a technical level and efficiently update to handle changing data regulations and/or regulations across different jurisdictions. For example, the system may maintain a set of data processing permits indicating user consent for the system to use a user's data for particular data processes. The system may encrypt the user's data using a cryptographic key (e.g., a cryptographic nonce) and may encrypt the nonce using permit keys for any permits applicable to that data. In this way, to access a user's data for a data process, the system may first verify that a relevant permit indicates that the user complies with the requested process prior to decrypting the user's data.

Abstract: Systems and methods for using a device wallet identifier are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for generating a device wallet identifier may include: (1) receiving a wallet identifier for an electronic wallet or payment application executed by an electronic device; (2) retrieving an issuer identifier for a customer associated with the electronic wallet or payment application; (3) generating a device wallet identifier; and (4) storing a mapping of the device wallet identifier to the issuer identifier for the customer.

Abstract: Embodiments include herein are directed towards a method for electronic circuit design. Embodiments may include enabling data transmission between plurality of protocol adapters, each of the protocol adapters including one ingress port and one egress port, wherein the ingress port of each of the plurality of protocol adapters maintains an active connection with a single egress port at one time. Embodiments may further include transmitting data between the plurality of protocol adapters using a distributed routing matrix that provides an interface between the plurality of protocol adapters.

Abstract: Methods, systems, and devices for providing for providing computer implemented services using managed systems are disclosed. To improve the likelihood of the computer implemented services being provided, a subscription based model may be used to manage the managed systems. The subscription model may utilize a highly accessible service to obtain information regarding capabilities of managed systems to present information regarding all potential solutions that the managed systems may provide. In some cases, subscription decisions may be based on inaccurate information. To reduce the impact of such decisions, entities that are more likely to have access to accurate information may elect to honor or reject subscription decisions made by entities that are more likely to have access to inaccurate information.

Abstract: Methods and systems are described for providing conditional access to a service. One or more tasks may be associated with a user profile. The one or more tasks may be indicated as required to be completed to access the service. The one or more tasks may have associated deadlines. If a task is not completed by the deadline, then any device associated with the user profile may be blocked from access to the service.

Abstract: In a remote control system (101), a terminal (121) waits for an instruction to be transmitted from a mediation device (111) by a browser, a virtual desktop, or the like. A remote controller (131) sends, to the mediation device (111), identification information that identifies the terminal (121) to be controlled and a service to be received by that terminal (121). If the terminal (121) identified by the sent identification information is waiting, the mediation device (111) transmits, to the waiting terminal (121), an instruction specifying the service identified by the sent identification information. The waiting terminal (121) sends, to a server (171) related to the service specified in the transmitted instruction, a request related to the service specified in the transmitted instruction. Note that it is possible to configure such that the server (171) provides the service after performing a confirmation that the terminal (121) that sends the request is the terminal (121) to be controlled.

Abstract: A system includes a memory device and a processor, operatively coupled to the memory device, to perform operations including receiving a request to provide a post-secrets-provisioning service with respect to a device, in response to receiving the request, determining whether to authorize the request, in response to authorizing the request, obtaining a set of secrets data corresponding to the device, and providing the post-secrets-provisioning service by performing a cryptographic function utilizing the set of secrets data.

Abstract: This disclosure describes techniques for managing the replication of a secret across different regions. A secrets management system (SMS) may be used to manage replication of secrets across different regions of the cloud that are in different geographic locations. Different input mechanisms, such as an API, a UI, or a CLI may be utilized to manage the replication of secrets. In some examples, upon detection of a replication message, the SMS reads the message, identifies the secret, and performs an action involving the secret. For instance, a secret identified within the replication message is accessed from the current region, and the secret is re-encrypted using a customer specified KMS key using customer credentials. The secret is then packaged into a secret replication message. An SRS in the replicated region reads this new secret replication message, accesses the secret that was replicated, and saves the secret in the replicated region.

Abstract: Systems and methods for implementing multi-factor system-to-system authentication using secure execution environments. An example method comprises: determining, by a first computing system, using a secure execution environment, a measure of one or more computing processes running on the first computing system; presenting, to a second computing system, a first authentication factor derived from the measure; computing, using the secure execution environment, a second authentication factor derived from at least one of: one or more first data items received from the second computing system, one or more confidential second data items received from one or more third computing systems, or one or more public data items received from one or more fourth computing systems; and presenting the second authentication factor to the second computing system.

Abstract: Disclosed are various embodiments for delegating authentication to certificate authorities. A connector service identifies a certificate request from a messenger service. The certificate request includes a credential identifier for a certificate authority. An authentication credential is retrieved using the credential identifier. A certificate request and the certificate authority authentication credential are transmitted to the certificate authority. A certificate is retrieved and provided as a response to the certificate request.

Abstract: Verification system and methods are provided for allowing database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the data is verified by the proxy device, the response may be transmitted to the client device.

Abstract: Embodiments of the present disclosure provide methods, systems, apparatuses, and computer program products that provide for an improved, more efficient, and more stable system of networked computing devices. The embodiments disclose an apparatus and system that enable client devices to selectively grant to third party applications permissions to access group-based communication objects of a group-based communication system. The apparatus and system further enable client devices to selectively grant to third party applications permissions to take specific actions with regards to the group-based communication objects within the system. To accomplish the improvements, the disclosed systems, apparatuses, and computing devices maintain a record of the permissions granted to third party applications in a permissions table stored in a computer storage device.

Abstract: A system and a method of providing security to an in-vehicle network are provided. The method efficiently operates multiple detection techniques to maintain robustness against malicious message detection while increasing overall detection efficiency.

Abstract: A communication device management device includes: at least one memory configured to store instructions; and at least one processor configured to execute the instructions to: detect a change in possibility/impossibility of communication with a communication device, based on a response from the communication device to a confirmation signal to be transmitted at every predetermined time; and perform, when a restriction is imposed on a predetermined function of the communication device in which the communication possibility/impossibility is changed from impossible to possible, the restriction after canceling the restriction of the communication device, and perform, when the restriction of the communication device is not imposed, the restriction of the communication device.

Abstract: A method, non-transitory computer readable medium and device that assists with managing L7 network classification includes receiving a request to access a service by a mobile computing device. Next, application layer network traffic from the requesting mobile computing device is classified based on mobile data associated with the requesting mobile computing device. One or more actions are performed based on the classification.

Abstract: A detection device runs a first sample file in a first virtual operating environment, when the first sample file sends a first Hypertext Transfer Protocol (HTTP) request to a server, the detection device obtains an identifier of the first sample file and a first data flow identifier correspondingly from the first HTTP request. The detection device obtains a second data flow identifier and a second sample file carried in subsequently transmitted data flow. If the second data flow identifier is the same as the first data flow identifier in the correspondence, the detection device determines that the second sample file is a subsample file of the first sample file, detects the second sample file to obtain a detection result of the second sample file, and determines, based on the detection result of the second sample file, that the first sample file is a malicious file.

Abstract: Establishing online social communications for enterprises whilst beneficial to them in terms of revenue, customer retention etc. require skills and time, both of which the enterprises personnel do not possess. The inventors have established an inventive turn-key software application that allows an enterprise to create invitation only private groups on mobile device platforms and monetize aspects of this online private group through direct payments to the club owner. An individual, a group, a society, a business or enterprise irrespective of whether they are active on other social networks can exploit the inventive turn-key software application augmenting their business with clear visibility of the return on investment. As such the inventive turn-key software application provides an effective “one-stop shop” for those looking to establish and build their brand on mobile technology.

Abstract: A scalable EBOF storage system identifies its storage devices and external physical interfaces, and respective public IP addresses assigned to each external physical interface. The scalable EBOF storage system assigns a respective private IP address to each storage device, private port identifier(s) to the storage devices, and respective public port identifier(s) to each storage device.

Abstract: The various implementations described herein include methods and devices for preventing unauthorized access to files and networks. In one aspect, a method includes installing a first application at a computing device, the first application designated as writing to user files. Installing the first application includes: (i) storing application data files for the first application within a first portion of the memory, where files stored in the first portion are designated as read-only for the first application; and (ii) allocating a second portion of the memory for user data files to be used by the first application. The method further includes installing a second application at the computing device, the second application designated as writing to application data files. Installing the second application includes: (i) allocating a third portion of the memory for prototype writable application data files; and (ii) allocating a fourth portion of the memory for network-based data access.

Abstract: An example method facilitates authenticating a client-side program, such as a spreadsheet, for access to and use of protected server-side data and/or functionality provided via a web service, such as a REpresentational State Transfer (REST) service or Application Programming Interface (API). The example method uses an add-in or plugin to the spreadsheet (which may run on a mobile device, desktop computer, other client system) to interrogate, negotiate with, or otherwise test or poll the web service to be accessed, so as to determine an authentication method used by the web service when authenticating clients; and to implement an authentication flow in accordance with the authentication method, thereby facilitating authentication of the spreadsheet for interaction with the web service in accordance with permissions associated with the authenticated client software, i.e., spreadsheet.

Abstract: A communication system is provided, the communication system including an authenticating unit that authenticates a plurality of communication terminals based on a single user ID, and keeps the plurality of communication terminals logged into an information providing service. A storing unit that stores therein provider registration information including a plurality of pieces of provider information that indicate providers of respective pieces of data being displayed on each communication terminal among the plurality of communication terminals. A receiving unit receives designation information that designates the provider registration information. A transmitting unit transmits each piece among the plurality of pieces of provider information to each communication terminal among the plurality of communication terminals so as to cause each communication terminal among the plurality of communication terminals to display data provided by a provider indicated by a plurality of pieces of provider information.

Abstract: A system for detecting and mitigating attacks using forged authentication objects within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

Abstract: A system and methods for detecting and mitigating golden SAML attacks against federated services is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a security cookie for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid security cookie.

Abstract: A method includes a processor in a trusted domain receiving a first request having a plurality of messages for a device in an untrusted domain. The processor assigns a memory location having data segments and status segments. The memory location is accessible by an untrusted side interface card. The processor transmits a first message to a first data segment. The processor receives a first value associated with the first message from a first status segment. The processor determines whether the first value indicates that the first message has been received and stores a first representation of a successful data transmission. The processor transmits a second message to a second data segment. The processor retrieves a second value from the second status segment. The processor determines whether the second value indicates that the second message has been received and stores a second representation of the successful data transmission.

Abstract: An online service store to configure services for endpoints in connection with validating authenticity of the endpoints. For example, a service can be ordered for an endpoint prior to the use of the endpoint. After receiving a request having identity data generated by a memory device configured in the endpoint, a server system can determine, based on a secret of the memory device and other data stored about the endpoint, the validity of the identity data and thus the authenticity of the endpoint. Based on the service ordered for the endpoint, the server system causes the endpoint to be connected to a client server to receive the service. The server system can cause the firmware of the endpoint to be updated to enable the endpoint to receive the service from the client server.

Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: Systems and methods for securely accessing a legacy system are disclosed herein. In an embodiment, a method for securely accessing a legacy system via an enterprise system includes requesting issuance of a security token by an STS server of a security token service, causing, by an enterprise server of an enterprise system, association of a first user account with the security token upon reception of the security token, communicating the security token to an access server of a legacy access provider for authentication of the security token, enabling creation of a second user account after the legacy access provider authenticates the security token, accessing a legacy server of a legacy system via the first user account and the second user account, and causing at least the second user account to be deleted after a single use of the legacy system.

Abstract: A method of aggregating displays of performances into an aggregate site on a network is provided. The aggregated performances originate from at least one performance site on a network. The method includes the steps of selecting a performance criterion; observing at least one performance originating from at least one performance site on a network, the performance being associated with a link; determining when at least one performance meets the performance criterion; establishing an aggregation link to the link associated with the performance meeting the performance criterion; and providing the aggregation link to an aggregate site on a network such that the performance is accessible on the aggregate site.