Intelligent Token Patents (Class 713/172)
  • Patent number: 10922714
    Abstract: A virtual universe system has a system and method for identifying spam avatars based upon the avatar's behavior characteristics through the use of Turing tests. The system may provide a Turing test unit for performing Turing tests and an analysis unit that compares the behavior characteristics of new or newly changed avatars against the behavior characteristics of known spam avatars to determine if the avatar has known spam avatar characteristics. It may further have a scoring system to calculate a spam score based upon similarities of the comparison and identifying the avatar as a spam avatar based upon the calculated spam score. It may further compare the calculated spam score with a spam score threshold wherein the avatar is identified as a spam avatar if the calculated spam score is equal to or greater than the calculated spam score.
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: February 16, 2021
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Dawson, Rick A. Hamilton, II, Brian M. O'Connell, Clifford A. Pickover, Keith R. Walker
  • Patent number: 10915922
    Abstract: A system and method in a virtual universe (VU) system for identifying spam avatars based upon the avatars' multimedia characteristics may have a table that stores multimedia characteristics of known spam avatars. It further may have an analysis unit that compares the multimedia characteristics of avatars against the multimedia characteristics of known spam avatars to determine if the avatar has known spam avatar characteristics. It may further have a scoring system to calculate a spam score based upon the similarities of the comparison and identifying the avatar as a spam avatar based upon the calculated spam score. It may further compare the calculated spam score with a spam score threshold wherein the avatar is identified as a spam avatar if the calculated spam score is equal to or greater than the calculated spam score. Multimedia characteristics include graphics, audio, movement, interactivity, voice, etc.
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: February 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Dawson, Rick A. Hamilton, II, Brian M. O'Connell, Clifford A. Pickover, Keith R. Walker
  • Patent number: 10909229
    Abstract: The disclosure includes a system and method in which one or more virtual resources are presented to a secure element; and the one or more virtual resources are mapped to available resources based on a model architecture for the secure element in order to provide hardware abstraction, the available physical resources varying based on the model architecture and an associated host device, the virtual resources allowing consistent interaction with the virtual resources regardless of variation in the physical resources available and their location. The hardware abstraction increases the versatility of the secure element and may contribute to the secure element's functionality. The secure element providing functionality to replace most items carried in an individual's pockets, e.g., logical and physical keys, a thumb drive, identification, credit and debit cards, etc.
    Type: Grant
    Filed: January 3, 2018
    Date of Patent: February 2, 2021
    Assignee: Proxense, LLC
    Inventor: John Joseph Giobbi
  • Patent number: 10893045
    Abstract: A method of accessing data at a device, wherein the data is stored remotely from the device or in removable storage. The method may include the following steps: (i) sending a request from the device to access the data, the request including an identification code of a secure element or a memory card associated with the device, (ii) verifying, based at least partly on the identification code, whether access to the data is to be allowed or denied, and (iii) allowing or denying the device access to the data accordingly.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: January 12, 2021
    Assignee: Liberty Labs Limited
    Inventors: Christopher Iain Johnston, Michel Leduc
  • Patent number: 10893418
    Abstract: Embodiments are directed to access point deployment in a network including a centralized system and a distributed system. An embodiment of an apparatus includes a memory and a processor executing instructions stored in the memory. The instructions include instructions to receive a message from an access point (AP) requesting a role in a network and, based on reception of the message, to access a deployment policy. The instructions further include instructions to determine whether the deployment policy is defined for the AP and, based on a determination that the deployment policy is defined for the AP, to assign the role to the AP corresponding to the deployment policy and corresponding to at least one of a centralized system or a distributed system of the network.
    Type: Grant
    Filed: March 8, 2018
    Date of Patent: January 12, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Hsiu-Wei Liu, Jikui Pei, Ben Dunsbergen, Rajini Balay
  • Patent number: 10855735
    Abstract: Example media monitoring apparatus disclosed herein include means for accessing, at a first server, a first adaptive bitrate streaming URL collected by a meter executing on a mobile platform, the first adaptive bitrate streaming URL collected from a first message to be sent by the mobile platform to a second server to stream first media according to an adaptive bitrate streaming protocol, the first adaptive bitrate streaming URL received at the first server in a report sent from the meter executing on the mobile platform. Disclosed example apparatus also include means for requesting network log information corresponding to the first adaptive bitrate streaming URL from a service provider providing network access for the mobile platform. Disclosed example apparatus further include means for monitoring presentation of the first media on the mobile platform using the network log information.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: December 1, 2020
    Assignee: The Nielsen Company (US), LLC
    Inventor: Jan Besehanic
  • Patent number: 10848965
    Abstract: A method of detecting compromised message information includes: wirelessly receiving, at a mobile wireless communication device, present unprotected information and present protected information; retrieving previous unprotected information, corresponding to the present unprotected information, and previous protected information, corresponding to the present protected information, from a memory of the mobile wireless communication device; comparing the present unprotected information to the previous unprotected information to determine that an unprotected information change has occurred; comparing the present protected information to the previous protected information to determine whether a protected information change has occurred; and determining that the present unprotected information is valid in response to the protected information change having occurred and being consistent with the unprotected information change, or that the present unprotected information is invalid otherwise.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: November 24, 2020
    Assignee: QUALCOMM Incorporated
    Inventors: Krishna Ram Budhathoki, Ankur Bhattacharjee, Mattias Kaulard Huber, Subrato Kumar De
  • Patent number: 10848488
    Abstract: A system and a method of authentication to improve security communication between machines are disclosed. The system includes a retrieving unit (120) that identifies a critical component (102) of an apparatus (110) in response to an authentication request for the apparatus (110) and retrieves authentication information for the critical component (102) comprising expected physical and digital signatures for the critical component (102) and one or more associated additional components (104). An acquiring unit (160) that acquires present signatures for the components (102, 104). A checking unit (180) that checks validity of each present signature with the corresponding expected signature, in order to authenticate the apparatus (110). The authentication process is enhanced by strategically extending the biometric concept, that is, measurement and analysis of unique physical or behavioral characteristics for verifying identity purposes, to interactions between machines.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: November 24, 2020
    Assignee: The Boeing Company
    Inventors: Victor Perez Villar, Grzegorz M. Kawiecki
  • Patent number: 10839412
    Abstract: A method for generation and distribution of protected user-specific information includes encrypting, by a processing device of a computer system, using a first encryption key of an encryption key pair, predetermined digits of a payment account number, the encryption yielding an encrypted identifier. The processing device of the computer system then generates a machine-readable code that is encoded with the encrypted identifier and additional data. A transmitting device of the computer system transmits, via an electronic communication, the generated machine-readable code to an electronic device of a user and transmits a second encryption key, of the encryption key pair, to a specialized computer system, wherein the second encryption key is associated with the first encryption key used to yield the encrypted identifier.
    Type: Grant
    Filed: October 10, 2017
    Date of Patent: November 17, 2020
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Rohit Chauhan
  • Patent number: 10832240
    Abstract: The invention relates to a method for processing transactional data, implemented within a secured intermediate server, connected to a communications network. Such a method comprises: reception, by the secured intermediate server, of a request for payment comprising a piece of data representing an identification of a communications terminal used by a user to carry out a purchase operation with a merchant server connected to said communications network; setting up a secured point-to-point link with a payment module of the communications terminal; transmission, to said payment module, of a request for execution of payment; reception, by the payment module, of a piece of information on payment; transmission of a message of information to the merchant server.
    Type: Grant
    Filed: April 10, 2015
    Date of Patent: November 10, 2020
    Assignee: INGENICO GROUP
    Inventor: Jean-Louis Sarradin
  • Patent number: 10817231
    Abstract: A local login processing method of an image forming apparatus is provided. The local login processing method includes generating session information according to a remote login request upon receiving the remote login request from a mobile terminal, transmitting the session information to the mobile terminal, receiving, from the mobile terminal, a local login request including local login information generated by using at least some of the session information, and approving the local login request by comparing the session information and the local login information.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: October 27, 2020
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Jinkyu Kook
  • Patent number: 10783267
    Abstract: A method and system are provided that may centralize the management of applications that access the data of social networks via API calls. A central service may generate tokens at a generation rate that permit an application to access an API. The tokens may be distributed to queues associated with certain content types. The relative distribution of tokens to each queue may be determined by rules. A queue may release tokens to applications that function to access the content type associated with the queue. The token generation rate and rules may be selected to prevent violation of the rate limits for the API.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: September 22, 2020
    Assignee: salesforce.com, inc.
    Inventors: Michael Gordon Luff, Kang Li, Stuart Douglas McClune
  • Patent number: 10783736
    Abstract: Various embodiments are generally directed to copying data to a clipboard of a mobile device from a contactless card using NFC. A mobile device may issue a request to read data from the contactless card. The contactless card may generate encrypted data in response to the request. The mobile device may receive the encrypted data via NFC and transmit the encrypted data to a server for verification. The server may verify the encrypted data and transmit an indication of an account number for the contactless card to the mobile device. The mobile device may then copy the account number to a clipboard of the mobile device.
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: September 22, 2020
    Assignee: Capital One Services, LLC
    Inventors: Daniel Herrington, Jeffrey Rule, Colin Hart, Jason Ji
  • Patent number: 10771263
    Abstract: A system and method for a distributed security model that may be used to achieve one or more of the following: authenticate system components; securely transport messages between system components; establish a secure communications channel over a constrained link; authenticate message content; authorize actions; and distribute authorizations and configuration data amongst users' system components in a device-as-a-key system.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: September 8, 2020
    Assignee: DENSO CORPORATION
    Inventors: Eric John Smith, Raymond Michael Stitt, David Stuckless Meyer, Brian Ensink
  • Patent number: 10771970
    Abstract: A method of authenticating the communication of an authentication device and at least one authentication server using a local factor with creation of secret information shared by the authentication device and the authentication server; the reference information is derived from the secret information shared by the authentication device and the authentication server, where the manner of derivation is the same on the authentication device and on the authentication server; furthermore, the authentication device creates transformed reference information by means of cryptographic transformation from the reference information, where the local factor chosen and entered by the user or obtained from a medium or from the surrounding environment is used as an input in this cryptographic transformation, and where only the transformed reference information is stored on the authentication device and only the reference information is stored on the authentication server.
    Type: Grant
    Filed: July 6, 2016
    Date of Patent: September 8, 2020
    Assignee: ADUCID S.R.O.
    Inventors: Libor Neumann, Vlastimil Klima
  • Patent number: 10748364
    Abstract: Aspects of the present disclosure include methods, apparatuses, and computer readable media for controlling access including receiving registration information associating a mobile device with an access device, wherein the access device provides an access privilege to an access-controlled point, associating the mobile device with the access device, receiving a blocking request from the mobile device to suspend the access privilege to the access-controlled point provided by the access device, authenticating the blocking request, and suspending, in response to authenticating the blocking request, the access privilege to the access-controlled point provided by the access device.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: August 18, 2020
    Assignee: Sensormatic Electronics, LLC
    Inventors: Himanshu Kulshrestha, Kuldeep Sharma, Pawan Sharma, Mohd Arif
  • Patent number: 10733310
    Abstract: A method, system and computer-readable storage medium for controlling access to application data associated with an application configured on a computing device. The method comprises: storing data comprising, for each of a plurality of access levels associated with the application, first data indicative of a combination of one or more credentials associated with the respective access level and an access level key corresponding to the respective access level, the access level key being encrypted by the combination of one or more credentials associated with the respective access level; determining, based on the first data, an access level in the plurality of access levels corresponding to a combination of one or more credentials available to the application; decrypting the access level key in the stored data corresponding to the determined access level; and providing access to encrypted application data associated with the application and corresponding to the determined access level.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: August 4, 2020
    Assignee: BlackBerry Limited
    Inventors: Sean Michael Quinlan, Haniff Somani, Sanjiv Maurya, Peter Barker, Siavash James Joorabchian Hawkins
  • Patent number: 10681023
    Abstract: Methods and apparatuses for managing access to hosts in a computerized system are disclosed. A request for an authenticator for enabling access to at least one host in the computerized system is communicated from a user to a portal. The portal verifies the right of the user to make the request, and in response to positive verification authorizes the user to make the request and sends the request to an authenticator manager to trigger providing of an authenticator for enabling access to at least one host in accordance with the request. The authenticator manager provides the authenticator for enabling access to the at least one host in accordance with the request. Acceptance of the request by an administration process according to a predefined rule is required before said providing of the authenticator.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: June 9, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Roman Hernandez, Tomi Salo, Antti Huima, Tatu J. Ylonen
  • Patent number: 10674339
    Abstract: There is provided an information processing device including a processing unit that authenticates a communication target device on a basis of predetermined information transmitted from the communication target device by broadcast in communication in a first communication scheme, the predetermined information being used in a process to be performed in communication in a second communication scheme that is different from the first communication scheme, and establishes the communication with the communication target device in the first communication scheme in a case in which authentication is completed.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: June 2, 2020
    Assignee: SONY CORPORATION
    Inventors: Masahiro Sueyoshi, Tomohiko Nagayama
  • Patent number: 10667019
    Abstract: Apparatus and methods for managing provision of content to devices in a content delivery network. In one exemplary embodiment, content with a high probability of viewership is sent to consumer premises equipment (CPE) during off-peak periods and stored prior to viewing. An application is utilized to manage decisions related to content provision. The computer program will identify content that is likely to be of interest to users associated with respective CPE, and schedule provision of that content in advance of viewing. Then, the system will develop a plan for optimal scheduling of transmission of content to CPEs, often including the use of trickle downloads. The scheduling plan is based on collected statistical and historical data on network resource demand to make scheduling decisions. The system allows for the shifting of bandwidth utilization from periods of high demand to those of low demand, and increased performance with regard to user experienced latency.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: May 26, 2020
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: Howard Pfeffer, Daniel Stoller, Chris Stengrim
  • Patent number: 10645089
    Abstract: An example terminal includes a communication circuitry configured to communicate with a server; and a data processor configured to request the server to include a second user in a relationship group of a first user and to extend, to the relationship group, a range of authorization for an Internet of Things (IoT) apparatus registered as an apparatus of the first user.
    Type: Grant
    Filed: August 20, 2015
    Date of Patent: May 5, 2020
    Assignees: SAMSUNG ELECTRONICS CO., LTD., KOREA ELECTRONICS TECHNOLOGY INSTITUTE
    Inventors: Ji-min Chung, Seung-woo Kum, Young-sun Ryu, Tae-beom Lim
  • Patent number: 10637861
    Abstract: Some embodiments of the present invention include a system and method for validating state change requests and include generating one or more permission tokens based on a user's session identification (ID), each of the permission tokens associated with a record ID of a record, the one or more permission tokens and corresponding associated record IDs communicated to an application associated with the user. The system receives a state change request from the application, the state change request includes a first permission token from the one or more permission tokens and a record ID associated with the first permission token. In response to receiving the state change request, the system generates a second permission token based on the session ID and the record ID included in the state change request. The system then validates the state change request based on the first permission token matching the second permission token.
    Type: Grant
    Filed: September 16, 2016
    Date of Patent: April 28, 2020
    Assignee: salesforce.com, inc.
    Inventor: Vinayendra Turuvekere Nataraja
  • Patent number: 10636025
    Abstract: A method, system, and apparatus for facilitating a payment transaction is disclosed. A server receives an event-setup request from an event organizer to set up an event-based payment session to obtain payments for one or more attendees of a subsequent event. In response to receiving the event set-up request: the server sets up the event-based payment session in accordance with the event-setup request; and provides a payment invitation corresponding to the payment session to each of one or more invitees of the subsequent event in accordance with the event-setup request. The server then receives from at least a first invitee of the one or more invitees, a conditional acceptance to the payment invitation, the acceptance being conditioned on one or more predefined criteria.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: April 28, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Yumiao Zhang
  • Patent number: 10621572
    Abstract: Performing a financial transaction via a mobile device and a point-of-sale (POS) system may include utilizing the POS system to generate a digital code, communicating the digital code from the POS system to the mobile device, connecting the mobile device to a wireless network using the digital code as a password, forwarding a mobile identifying code, forwarding a network identifying code, transmitting transaction data associated with information regarding the financial transaction, the digital code, the mobile identifying code, the network identifying code, and account information associated with the POS system from the POS system to a payment system via a first digital network path, and transmitting the digital code, the mobile identifying code, the network identifying code, and account information associated with a user of the mobile device from the mobile device to the payment system via a second digital network path.
    Type: Grant
    Filed: October 1, 2019
    Date of Patent: April 14, 2020
    Assignee: Sqwin SA
    Inventor: Victor Gulchenko
  • Patent number: 10592878
    Abstract: Identification information is received from a transaction card at a transaction machine. The transaction card is associated with an account holder using the transaction machine and includes a transaction card type. Using the identification information, activity profile information is accessed for the account holder. The account holder's transaction machine usage is monitored and activity profile information related to the account holder's transaction machine usage is stored. A custom sequence of user interfaces to be displayed to the account holder is generated based on the transaction card type.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: March 17, 2020
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Michael R. Thomas, Elizabeth Schrag, Jimmy C. Wang, Jerome Rhodes
  • Patent number: 10587586
    Abstract: The method provides a multi system trust chain between a client system and a remote system in a secure connection, wherein an intermediary system associated with the network flow path serves as a signing entity to establish an end to end transitive trust. The intermediate system is a corroborative entity in the operations technology (OT) realm of the client system. The remote system serves as the host for a plurality of services in the information technology (IT) realm. A two way handshake during the initial secure exchange protocol between a local client application and a remote service is extended to a three way handshake that includes a nonce issued by the remote service on the remote system and a digital signature for the nonce issued by a signature service on an associated intermediate system. The nonce signature is verified authoritatively at the remote system based on the signing certificate of the intermediate system for explicit proof of association.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: March 10, 2020
    Assignee: MOCANA CORPORATION
    Inventors: Srinivas Kumar, Gopal Raman, Atul Gupta, Shashank Jaywant Pandhare
  • Patent number: 10547589
    Abstract: One embodiment provides a system that facilitates schematized access control in a content centric network. During operation, the system generates, by a content producing device, a secret key for a user based on a schema, wherein the schema is a regular expression which corresponds to one or more names and allows a user access to content associated with the names, wherein a name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level. The system receives an interest with a name that corresponds to the schema. The system encrypts a payload of a responsive content object based on the interest name. The system transmits the responsive content object with the encrypted payload to the user, which allows the user to decrypt the encrypted payload with the secret key.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: January 28, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Christopher A. Wood, Glenn C. Scott
  • Patent number: 10521616
    Abstract: As a PUF device ages, the response characteristics of the device change. Thus, mappings made on the original PUF outputs can drift and become invalid. Re-enrollment or re-mapping of hidden values to PUF response characteristics can resolve the changing nature of the PUF. Unfortunately, an adversary may tamper with the PUF during re-enrollment compromising security of the PUF. Accordingly, techniques of securely and remotely re-enrolling a PUF device are described. During an initial enrollment of the PUF device, multiple sets of enrollment values of the PUF device can be generated. For remote re-enrollment, a first initial set of enrollment values can be used to authenticate the PUF device. Upon authentication using the first initial set, the PUF device can re-enroll the PUF device and account for changes in PUF characteristics. A second set of initial enrollment values can then be used to verify that the PUF device is unaltered.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: December 31, 2019
    Assignee: Analog Devices, Inc.
    Inventor: John Ross Wallrabenstein
  • Patent number: 10491597
    Abstract: Techniques for enforcing data security in a cleanroom data processing environment are described herein. In one or more embodiments, a virtual private cloud environment stores a first set of data provided by a first user account and a second set of data provided by a second user account, where the first user account is associated with a first set of one or more security credentials and the second user account is associated with a second set of security credentials and where the first user account is prevented from accessing at least the second set of data and the second user account is prevented from accessing at least the first set of data. In response to receiving, from the first user account or the second user account, a request to destroy the virtual private cloud environment, at least the first set of data and the second set of data are deleted.
    Type: Grant
    Filed: January 3, 2019
    Date of Patent: November 26, 2019
    Assignee: Oracle International Corporation
    Inventors: Jeremy Ryszard Plichta, Andrew V. Baird, Roger Siggs, Kevin Scott DiMichel, Robert J. Cuthbertson, David Michael Mitchell
  • Patent number: 10423610
    Abstract: The invention relates to a method for exchange of information between a computing unit of a first entity and a computing unit of at least one second entity. A computing unit of at least one second entity is detected and information on a token associated to the second entity from the computing unit is requested and received. On the basis of the received information, the token associated to the at least one second entity, is retrieved and a token associated to the first entity is modified at least partly with information of the received token associated to the at least one second entity. Finally, the modified token is utilized at least in the service the computing unit of the first entity belongs to. The invention relates also to a system and a computing unit implementing the method.
    Type: Grant
    Filed: February 24, 2012
    Date of Patent: September 24, 2019
    Assignee: TEKNOLOGIAN TUTKIMUSKESKUS
    Inventors: Ville Ollikainen, Juha-Matti Lehtinen, Antti Tammela, Kristiina Kantola, Raimo Launonen
  • Patent number: 10425465
    Abstract: A method of serving an API request includes receiving the API request at a local API proxy deployed at a local deployment environment. The method includes utilizing the local API proxy to service the API request at the local deployment environment, establishing a connection with a remote API management server, and providing to the remote API management server, via the connection, at least metadata about the API request.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: September 24, 2019
    Assignee: Google LLC
    Inventors: Prabhat Jha, Akhil Arora, Gregory Brail, Martin Nally, Peter Johnson
  • Patent number: 10394944
    Abstract: A system and method of tagging utterances with Named Entity Recognition (“NER”) labels using unmanaged crowds is provided. The system may generate various annotation jobs in which a user, among a crowd, is asked to tag which parts of an utterance, if any, relate to various entities associated with a domain. For a given domain that is associated with a number of entities that exceeds a threshold N value, multiple batches of jobs (each batch having jobs that have a limited number of entities for tagging) may be used to tag a given utterance from that domain. This reduces the cognitive load imposed on a user, and prevents the user from having to tag more than N entities. As such, a domain with a large number of entities may be tagged efficiently by crowd participants without overloading each crowd participant with too many entities to tag.
    Type: Grant
    Filed: August 14, 2017
    Date of Patent: August 27, 2019
    Assignee: VoiceBox Technologies Corporation
    Inventors: Spencer John Rothwell, Daniela Braga, Ahmad Khamis Elshenawy, Stephen Steele Carter
  • Patent number: 10394654
    Abstract: A computer boot apparatus and related method use a primary boot component (PBC) that is fixedly mounted in the computer. The PBC has a firmware element that is a non-volatile memory comprising a boot critical portion with instructions that initiate a boot of the computer. The PBC also has a policy manager and a version identifier. The PBC initializes the computer boot via the boot critical portion. The policy manager verifies and authenticates a secondary boot component that is removably attached to the computer.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: August 27, 2019
    Assignee: Intel Corporation
    Inventors: Krishna Kumar Ganesan, Karunakara Kotary
  • Patent number: 10389797
    Abstract: A method, system, and medium are provided for sharing items residing on a computing device. Items selected for sharing can be made simultaneously available to users on a local network and to users outside of the local network. A remote sharing service allows access to copies of items based on user identifiers associated. Local attributes associated with items are modified such that the user identifiers are associated with the items for providing access via a local network.
    Type: Grant
    Filed: January 13, 2017
    Date of Patent: August 20, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Lindsey R. Noll, Steve Seixeiro, Jerry K. Koh, Anshul Rawat, Sunil P. Gottumukkala
  • Patent number: 10373463
    Abstract: A physical wallet separation alert system capable of detecting, alerting, and defining a potentially-dangerous separation between a physical wallet and a mobile communication device is disclosed. In one example, the potentially-dangerous separation involves a user-defined “excessive” separation (e.g. a few meters, ten meters, twenty meters, etc.) between the physical wallet and the mobile communication device that may suggest a potential loss or theft of the physical wallet or the mobile communication device during a real-time tracking of the separated distance by a wallet separation prevention application executed by the mobile communication device. A physical wallet separation alert may be visual, aural, textual, or a combination thereof. The physical wallet separation alert system is capable of simultaneously tracking multiple physical wallets that are registered with the system.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: August 6, 2019
    Inventor: Romare Herring
  • Patent number: 10367642
    Abstract: A first cryptographic device determines multiple sets of passcodes for possible release in association with a corresponding one of a plurality of epochs, and transmits a message to a second cryptographic device over an auxiliary channel embedded in one or more passcodes released by the first cryptographic device to the second cryptographic device. For example, the first cryptographic device can determine multiple sets of passcodes by precomputing and storing the multiple sets of passcodes, or by generating one or more data sets from which the multiple sets of passcodes can be computed. The first cryptographic device transmits the message over the auxiliary channel by selecting a particular one of the multiple sets of passcodes based on content of the message and releasing a passcode from the selected set. The first cryptographic device may comprise an authentication token and the second cryptographic device may comprise an authentication server.
    Type: Grant
    Filed: December 12, 2012
    Date of Patent: July 30, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: Ari Juels
  • Patent number: 10362062
    Abstract: System and method to evaluate a plurality of security entities in a network environment is disclosed. Communication between a user computer and a destination computer is monitored by a security appliance. Selective information from the communication is extracted by the security appliance. The selective information is indicative of a value for one or more attributes of the plurality of security entities. A first value indicative of occurrence of each of the values for each of the attributes is generated. A second value indicative of occurrence of each of the values for each of the attributes for each of the security entities is generated. A third value is calculated based on the first value and the second value for each of the attribute values for each of the security entities, wherein the third value is indicative of significance of the value of the attribute for the security entity.
    Type: Grant
    Filed: April 22, 2016
    Date of Patent: July 23, 2019
    Assignee: Awake Security, Inc.
    Inventors: Debabrata Dash, Chunsheng Victor Fang, Gary Golomb
  • Patent number: 10341126
    Abstract: An example method is provided in one example embodiment and may include generating a content token, wherein the content token is generated for a particular content type of a particular application service based on a trust relationship established between the particular application service and a mobile service provider; and embedding the content token in one or more packets of a plurality of packets sent to a user equipment (UE) for one or more Internet Protocol (IP) flows associated with the particular content type, wherein the content token is embedded in an unencrypted portion of each packet that is separate from an encrypted data payload portion of each packet.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: July 2, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Timothy P. Stammers, Ian McDowell Campbell
  • Patent number: 10341093
    Abstract: The present disclosure discloses a method, an apparatus and a system for device identification. A specific implementation of the method comprises: receiving a device identification request sent from a terminal device, the device identification request comprising a current user identifier of a current user of the terminal device; acquiring a public key in a preset asymmetric key pair to serve as a first public key; sending the first public key and a randomly-generated first random number to the terminal device; receiving device characteristic information sent from the terminal device, the device characteristic information being generated by the terminal device based on the current user identifier, the first public key, the first random number and a device identifier of the terminal device; and identifying the terminal device based on the current user identifier, the first random number and the device characteristic information.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: July 2, 2019
    Assignee: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD.
    Inventors: Yu Ding, Tao Wei, Yulong Zhang
  • Patent number: 10333707
    Abstract: Systems and methods for authenticating an electronic transaction are described. A request to complete an electronic transaction is initiated using a third party application installed on a computing device. The third party application receives, from a remote server, a temporary URL including a token. A background application installed on the computing device decrypts the token. The computing device displays details of the request provided by a user of the computing device and prompts the user to provide biometric information to verify the request. A biometric hardware device in communication with the computing device receives biometric information and passes it to a hardware abstraction layer of the computing device, which maps the biometric information to generate a key. The background application encrypts the key and sends the encrypted key to the remote server. The computing device receives a verification result for the request, e.g., via the third party application.
    Type: Grant
    Filed: May 23, 2018
    Date of Patent: June 25, 2019
    Assignee: FMR LLC
    Inventors: Kshitij Pathak, Sethu Subramanian Chettiar
  • Patent number: 10331376
    Abstract: A system and method for first changing the encryption key on a self-encrypting disk drive followed by a complete disk wipe. Either process can be separately performed, and they can be performed in any order. In fact, one embodiment of the invention resets the symmetric key, wipes the disk a predetermined number of times with different predetermined data patterns, and then resets the key a second time. This assures that there is absolutely no way to recover the original key or to read the original plain text data, even if some of its encrypted values remain on unallocated tracks after wiping. A user can be assured that in milliseconds after starting the wiping process, the entire disk is rendered unreadable and unrecoverable.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: June 25, 2019
    Assignee: Whitecanyon Software, Inc.
    Inventors: Donald E. Griffes, Daniel S. Pedigo, Dean V. Nuttall
  • Patent number: 10325430
    Abstract: A lock stores two keys and can wirelessly communicate with a mobile device. After the mobile device obtains a lock instruction from a user, the lock generates a dynamic variable, encrypts it with a first key, and produces a first encrypted message including the encrypted dynamic variable. The first encrypted message is transmitted to the mobile device, which forwards it to a server. The server decrypts the first encrypted message with the first key, retrieves the dynamic variable, and encrypts the dynamic variable with a second key. The server produces a second encrypted message with the encrypted dynamic variable and sends the same to the mobile device, which forwards it to the lock. The lock decrypts the second encrypted message with the second key and determines that the decrypted dynamic variable is the same as was produced by the lock earlier. Based on the determination, the lock locks/unlocks a door.
    Type: Grant
    Filed: November 4, 2016
    Date of Patent: June 18, 2019
    Inventor: Gilbert Eid
  • Patent number: 10318887
    Abstract: In one embodiment, a device in a network identifies a plurality of applications from observed traffic in the network. The device forms two or more application clusters from the plurality of applications. Each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters. The device generates anomaly detection models for each of the application clusters. The device tests the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application. The device selects a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: June 11, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Pierre-André Savalle, Alexandre Honoré
  • Patent number: 10313134
    Abstract: A system and method for a distributed security model that may be used to achieve one or more of the following: authenticate system components; securely transport messages between system components; establish a secure communications channel over a constrained link; authenticate message content; authorize actions; and distribute authorizations and configuration data amongst users' system components in a device-as-a-key system.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: June 4, 2019
    Assignee: DENSO CORPORATION
    Inventors: Eric John Smith, Raymond Michael Stitt, David Stuckless Meyer, Brian Ensink
  • Patent number: 10296735
    Abstract: A removable card-enabled BPID Security Device integrates a removable card reader with a biometric authentication component to provide secured access to electronic systems. The device allows for an individual to insert a removable card into an aperture in the physical enclosure of the BPID Security Device, allowing the removable card and the BPID Security Device to electronically communicate with each other. The BPID Security Device is based on a custom application specific integrated circuit that incorporates removable card terminals, such that the BPID Security Device can communicate directly with an inserted removable card. In an alternative embodiment of the invention, the BPID Security Device is based on a commercial off-the-shelf microprocessor, and may communicate with a commercial off-the-shelf microprocessor removable card receiver using a serial, USB, or other type of communication protocol.
    Type: Grant
    Filed: August 14, 2017
    Date of Patent: May 21, 2019
    Assignee: 1PerfectID, Inc.
    Inventors: Charles Cannon, Thomas Reigle
  • Patent number: 10250584
    Abstract: Shown is single sign-on support access to tenant accounts in a multi-tenant service platform involving a proxy user account in an identity provider for a tenant account on the service platform having security metadata associated therewith, mapping in the identity provider maps a support user to a proxy user identifier, a corresponding security endpoint in the service platform and mapping of the proxy user account identifier to the tenant account and security metadata. The identity provider authenticates a request to access the tenant account on the service platform, obtains the security credentials for the proxy user identifier, and sends a security assertion with the proxy user identifier and the security metadata to the security endpoint. The endpoint receives and validates the security assertion against the mapping for the proxy user identifier to the tenant account and the security metadata in the service platform, and permits access by the support user to the tenant account in the service platform.
    Type: Grant
    Filed: October 15, 2015
    Date of Patent: April 2, 2019
    Assignee: Zuora, Inc.
    Inventors: Oleg Mikheev, Joshy Austin, Pushkala Pattabhiraman, Levon Stepanian, Pritesh Parekh
  • Patent number: 10237072
    Abstract: A data-carrying device and methods of authenticating the same are disclosed. The data-carrying device is described as being capable of communicating via the Near Field Communications (NFC) protocol and may have one or more NFC Data Exchange Format (NDEF) records stored in its memory. The data-carrying device also comprises or has the ability to generate a signature that proves the data-carrying device is the authorized device for storing the one or more NDEF records. A data-carrying device that attempts to transmit an NDEF record without a valid signature may be identified as an unauthorized data-carrying device.
    Type: Grant
    Filed: July 1, 2013
    Date of Patent: March 19, 2019
    Assignee: ASSA ABLOY AB
    Inventors: Philip Hoyer, Mark Robinton
  • Patent number: 10204235
    Abstract: Applications are stored on removable storage of a mobile device in an encrypted form to provide isolation and piracy protection. In one implementation, each application is encrypted using its own associated encryption key that is generated based on an identifier of the application and a master key that is associated with a trusted platform module of the mobile device. In another implementation, each application is encrypted using two associated encryption keys. One key is used to encrypt binary data associated with the application such as source code, and the other key is used to encrypt application data such as graphics and configuration files. The encryption keys are each generated using the identifier of the application, the master key, and identifiers of the folders where the corresponding data types are stored on the mobile device. The removable storage includes SD cards formatted using the FAT or exFAT file systems.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: February 12, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Callaghan, Ravisankar Pudipeddi, Geir Olsen, Sachin Patel, JianMing Zhou, Dylan D'Silva
  • Patent number: 10187421
    Abstract: A self-updating system for defending against a cyberattack requests connected devices to solve a problem that is created in a random manner. The problems are created in a manner such that the system can determine whether the client device is being used as part of a cyberattack based on how the client device responds to the problems.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: January 22, 2019
    Assignee: PAYPAL, INC.
    Inventors: Kishore Jaladi, Jeffrey Alan Edelen, Sundar Amalan Vincent, Lakshmikanth Raghavan, Santhosh Jagadeesan, Hari Hara Balan Shanmugasundaram, Abhishek Chhibber, Darshan Desai, Oliver J. Reyes
  • Patent number: 10182126
    Abstract: Multilevel redirection can be performed in a VDI environment. When a user establishes a second remote session within a first remote session, various redirection techniques can be configured to span both remote sessions so that redirection will be available within the second remote session in the same manner that redirection was available in the first remote session. Therefore, from the user perspective, redirection will occur regardless of whether the user has established a single tier remote session or multitier remote session.
    Type: Grant
    Filed: May 2, 2016
    Date of Patent: January 15, 2019
    Assignee: Dell Products L.P.
    Inventors: Jenin Johnsimon, Anil Maryala, Shinoj Sebastian, Sanmati Tukol, Mohammed Sarfraz