Tickets (e.g., Kerberos Or Certificates, Etc.) Patents (Class 726/10)
  • Patent number: 10135802
    Abstract: Some implementations may provide a machine-assisted method for determining a trustworthiness of a requested transaction, the method including: receiving, from a relying party, a request to determine a trustworthiness of a particular transaction request, the transaction request initially submitted by a user to access data managed by the relying party; based on the transaction request, summarizing the particular transaction request into transactional characteristics, the transactional characteristics devoid of source assets of the transaction, the source assets including credential information of the user, the credential information of the relying party, or information content of the requested transaction; generating first machine-readable data encoding transactional characteristics of the underlying transaction as requested, the transactional characteristics unique to the particular transaction request; submitting a first inquiry at a first engine to determine an access eligibility of the user submitting the t
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: November 20, 2018
    Assignee: MorphoTrust USA, LLC
    Inventor: Stephen Miu
  • Patent number: 10104044
    Abstract: Techniques for coercing users to encrypt synchronized content stored at their personal computing devices. In some aspects, one or more computing devices receive, from a personal computing device, an indication of whether data stored in at least a portion of a storage device of the personal computing device is protected by disk encryption. In response to determining, based on the indication, that the portion of the storage device is not protected by encryption, synchronization data for synchronizing a copy of one or more synchronized content items stored in the portion of the storage device with another copy of the synchronized content items stored at one or more server computing devices is withheld from the personal computing device until disk encryption on the personal computing device is enabled so as to coerce the user to enable disk encryption on the personal computing device.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: October 16, 2018
    Assignee: Dropbox, Inc.
    Inventor: Sean Byrne
  • Patent number: 10091193
    Abstract: A one-time passcode authentication system includes an application server, an authentication server, and an access device, wherein the access device includes an authentication engine configured to receive an authentication request from the authentication server and automatically, or in response to a single user input, initiate an access request to the application server, wherein the access request includes a token extracted from the authentication request, and the application server is configured to receive the access request, query the authentication server to authenticate the token, and enable access to an application if the token is authenticated.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: October 2, 2018
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Theunis J. Gerber, Edward Glassman
  • Patent number: 10078836
    Abstract: Systems and methods are provided for authorizing third-party access to a specific service from a service provider. In an example embodiment, a server system identifies a shared service from multiple services provided by the server system. The shared service is specified by an authorizing entity. The server system provides a credential associated with the shared service and the authorizing entity. The server system receives a request to access the shared service from a requesting entity that is separate from the authorizing entity. The server system verifies that the request includes the credential and that the credential is associated with the shared service and the authorizing entity. The server system provides access to the shared service to the requesting entity based on verifying that the request includes the credential. The requesting entity is restricted to accessing the shared service identified by the credential as authorized by the authorizing entity.
    Type: Grant
    Filed: April 19, 2016
    Date of Patent: September 18, 2018
    Assignee: Adobe Systems Incorporated
    Inventors: Isak Tenenboym, Marc Thomas Kaufman
  • Patent number: 10075424
    Abstract: Disclosed are various approaches for implementing an application authentication wrapper. An authentication request, such as a Kerberos request, is created for authenticating the computing device. The authentication request is encrypted to generate an encrypted authentication request. The encrypted authentication request is then forwarded to a reverse proxy server. An encrypted authentication response is received from the reverse proxy server. The encrypted authentication response, such as a Kerberos response, is then decrypted to generate a corresponding authentication response, which is then forwarded to the computing device that generated the authentication request.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: September 11, 2018
    Assignee: AIRWATCH LLC
    Inventors: Kar Fai Tse, Chen Lu, Erich Stuntebeck
  • Patent number: 10068102
    Abstract: Provided are techniques for generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data. In response to the non-registered user attempting to access the subset of data with the temporary data access token, it is determined whether the temporary data access token is valid for the subset of data based on the specified period of time. In response to the temporary data access token being valid, the subset of data is provided to the non-registered user. In response to the temporary data access token not being valid, access is denied to the subset of data by the non-registered user.
    Type: Grant
    Filed: June 5, 2012
    Date of Patent: September 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Al Chakra, Yongcheng Li, Yuping Connie Wu
  • Patent number: 10055609
    Abstract: A third party device is authorized to access data associated with a user account at a service provider, wherein the third party device and a user device are in data communication with the service provider, and are both NFC-enabled. The method comprises obtaining a request token generated by the service provider, transmitting the request token from the third party device to the user device via NFC, authorizing the request token at the user device, transmitting the authorized request token from the user device to the third party device via NFC, and obtaining an access token generated by the service provider, corresponding to the authorized request token, wherein the access token allows the third party device to access data associated with the user account at the service provider.
    Type: Grant
    Filed: March 26, 2015
    Date of Patent: August 21, 2018
    Assignee: NXP B.V.
    Inventor: Jan René Brands
  • Patent number: 10049167
    Abstract: A computer system includes a master controller that receives an HTTP request for a first URL. The URL indicates a first state of a first mobile application. A navigation controller navigates to the first state of the first mobile application within a device. A content scraper extracts content from the first state and identifies forward links to corresponding additional states of the first mobile application. The computer system includes an output formatter configured to package the content and the forward links into an HTTP response and transmit the HTTP response to a source of the first HTTP request. The HTTP response includes a forward URL for each additional state of the first mobile application reachable from the first state. For each additional state, the forward URL includes an indicator of the first mobile application and a path to reach the additional state within the first mobile application.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: August 14, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Omri Weisman, Manikandan Sankaranarasimhan, Benny Zilberstein, Yehuda Rajuan, Idan Elad, Ran Nozik, Kalyan Desineni, Eli Cohen
  • Patent number: 10044725
    Abstract: Systems and methods of verifying a user are provided. In particular, a request to engage in a verification process to gain access to an online resource can be received. The request can be provided by a first user device associated with a user. A validation request associated with a second user device associated with the user can be received. The validation request can include a device profile associated with the second user device. It can then be determined whether to validate the second user device based at least in part on the device profile. When it is determined to validate the second user device, the first user device can be granted access to the online resource.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: August 7, 2018
    Assignee: Google LLC
    Inventors: Aaron Malenfant, Haidong Shao, Jason Fedor, Jiexing Gu, Wei Liu, Hongshu Liao, Ying Liu
  • Patent number: 10038722
    Abstract: In an example, a method of managing access to resources managed by heterogeneous resource servers having different policy document formats in a cloud services environment includes obtaining, at an identity and access management (IAM) service, a policy document describing privileges of an end user with respect to accessing at least one resource of the resources managed by a resource server of the heterogeneous resource servers; sending the policy document from the IAM service to a resource server endpoint designated by the resource server for validation; storing, by the IAM service, the policy document in a datastore in response to a determination by the resource server endpoint that the policy document is valid; and generating, by the IAM service, an indication that the policy document is invalid in response to a determination by the resource server endpoint that the policy document is invalid.
    Type: Grant
    Filed: September 3, 2015
    Date of Patent: July 31, 2018
    Assignee: VMware, Inc.
    Inventors: Viswanathan Ramachandran, Jonathan Cook
  • Patent number: 10009240
    Abstract: A method provides for associating reputation scores with policies, stacks and hosts within a network and upon receiving information about a newly provisioned entity (such as a host or a stack), recommending a policy scheme for the newly provisioned entity that will result in a particular reputation score of the reputation scores. The method further includes implementing the policy scheme for the newly provisioned entity.
    Type: Grant
    Filed: June 3, 2016
    Date of Patent: June 26, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Supreeth Hosur Nagesh Rao, Ashutosh Kulshreshtha, Omid Madani, Jackson Ngoc Ki Pang, Navindra Yadav
  • Patent number: 10007776
    Abstract: A technique for distinguishing between a human user and a software robot. The technique includes: receiving a first communication from a device different from the at least one computer; identifying, from the first communication, a request to access a web resource; transmitting software code and location information to the device, wherein the location information specifies a plurality of locations encoding a visual representation of a challenge text, and wherein the software code, when executed by an Internet browser, causes a plurality of graphical elements to be displayed at the plurality of locations in a webpage so that the webpage displays the challenge text; receiving a second communication from the device; identifying, from the second communication, a response text; and providing the device with access to the web resource based on a comparison between the challenge text and the response text.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: June 26, 2018
    Assignee: Mastercard Technologies Canada ULC
    Inventors: Christopher Everett Bailey, Randy Lukashuk, Jonathan Cunningham
  • Patent number: 9996679
    Abstract: In some embodiments, a method includes sending an authentication request to a client device to obtain a utilization code in response to a request from the client device to access data. The utilization code is uniquely associated with the client device. The method includes obtaining an authentication response including the utilization code from the client device and authenticating the client device if the utilization code matches a utilization identifier stored in a database. The method includes generating an encryption key using a seed based at least in part on the utilization code and encrypting the data with the encryption key to generate encrypted data and sending, when the utilization code matches the utilization identifier stored in the database, the encrypted data to the client device without requiring a user of the client device to login.
    Type: Grant
    Filed: May 3, 2017
    Date of Patent: June 12, 2018
    Assignee: Pegasus Media Security, LLC
    Inventors: Paul Kline, David Weinstein, Allan Weinstein, Changsheng Yang
  • Patent number: 9992166
    Abstract: At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model includes a plurality of message model sections. A representation of the at least one of an HTTP request message and an HTTP response message is parsed into message sections in accordance with the message model sections of the HTTP message model. A plurality of security rules are bound to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition, which is based, at least in part, on a corresponding given one of the message sections. The at least one of an HTTP request message and an HTTP response message is processed in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided.
    Type: Grant
    Filed: December 5, 2015
    Date of Patent: June 5, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Peng Ji, Lin Luo, Vugranam C. Sreedhar, Shun Xiang Yang, Yu Zhang
  • Patent number: 9979712
    Abstract: Disclosed are various embodiments for synchronizing authentication sessions between applications. In one embodiment, a first authentication token is received from a first application in response to determining that the first application is authenticated with a service provider. A second authentication token is requested from a token exchange service associated with the service provider. The second authentication token is requested using the first authentication token. The second application is configured to use the second authentication token in order to access a resource of the service provider.
    Type: Grant
    Filed: August 4, 2015
    Date of Patent: May 22, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Bharath Kumar Bhimanaik
  • Patent number: 9980144
    Abstract: A wireless relay serves User Equipment (UE) with hardware-trusted wireless data communications over Institute of Electrical and Electronics Engineers (IEEE) 802.11 links and Long Term Evolution (LTE) links. The wireless relay maintains hardware-trusted wireless backhaul links to a data network. The wireless relay broadcasts an IEEE 802.11 Service Set Identifier (SSID) and a Long-Term Evolution (LTE) Network Identifier (NID). The UE wirelessly transfers a hardware-trusted attachment request using the 802.11 SSID or the LTE NID. The wireless relay validates hardware-trust of the UE, and in response, establishes a hardware-trusted attachment of the UE. The wireless relay exchanges user data with the UE using hardware-trusted circuitry. The wireless relay exchanges the user data over hardware-trusted wireless backhaul links.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: May 22, 2018
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle Walter Paczkowski, George Jason Schnellbacher
  • Patent number: 9979730
    Abstract: The disclosure relates to technology for provisioning out-of-network user equipment with a network relay in a communications network. The network relay device receives an authentication key request message from user equipment including a user equipment identity and an authentication server identity, and communicates the authentication key request message to an authentication server having the authentication server identity. The network relay device communicates a relay authentication key response received from the authentication server to the user equipment such that a secure communication is established between the user equipment and the network. A relay authentication key is generated during establishment of the secure communication between the user equipment and authentication server, and a session with the user equipment is authenticated using a session key generated by the user equipment based on the relay authentication key.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: May 22, 2018
    Assignee: FUTUREWEI TECHNOLOGIES, INC.
    Inventors: Marcus Wong, Zhibi Wang
  • Patent number: 9973399
    Abstract: The present application provides an IPv6 address tracing method, apparatus, and system, where the method includes: receiving a to-be-traced target IPv6 address; selecting, in a longest match manner, IPv6 address information that matches the target IPv6 address, where the IPv6 address information includes an IPv6 address or IPv6 prefix information; and acquiring a user identifier corresponding to the IPv6 address information. The present application implements IPv6 address tracing.
    Type: Grant
    Filed: June 23, 2015
    Date of Patent: May 15, 2018
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xi Yang, Yafeng Zhang, Shuxiang Wang
  • Patent number: 9973503
    Abstract: An internet-connected server comprising a first module for authorizing a user to access the server for: setting up, on the server, a given configuration for conducting a computer-executable experiment, wherein the given configuration comprises at least an executable instruction and a parameter or input data; executing, on the server, the computer-executable experiment with the given configuration so as to produce a numerical result; certifying, on the server, the numerical result so as to produce a certified result; and generating, on the server, a certification identifier of the certified result. The internet-connected server further comprises a second module for authorizing a reviewer for: providing the server with the certification identifier; and requesting and/or accessing, on the server, the certified numerical result on the basis of the provided certification identifier.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: May 15, 2018
    Assignee: Foundation of the IDIAP Research Institute (IDIAP)
    Inventors: Sebastien Marcel, Andre Anjos, Philip Abbet
  • Patent number: 9935936
    Abstract: A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: April 3, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Wei-Qiang Guo, Lynn Ayres, Rui Chen, Sarah Faulkner, Yordan Rouskov
  • Patent number: 9935765
    Abstract: The present disclosure presents methods, systems, and devices for encrypting and comparing genomic data. The comparison of genomic data allows the owner of the data to ensure security of the data even when the party conducting the comparison is beyond the control of the owner of the data. The encryption of the genomic data enables the transmission, storage, and use of the genomic data in a secure media.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: April 3, 2018
    Assignee: GENFORMATIC, LLC
    Inventors: Daniel Weaver, Justin MacCarthy, Stephen Ayers, Justin Reese
  • Patent number: 9935997
    Abstract: A computer system includes a master controller that receives an HTTP request for a first URL. The URL indicates a first state of a first mobile application. A navigation controller navigates to the first state of the first mobile application within a device. A content scraper extracts content from the first state and identifies forward links to corresponding additional states of the first mobile application. The computer system includes an output formatter configured to package the content and the forward links into an HTTP response and transmit the HTTP response to a source of the first HTTP request. The HTTP response includes a forward URL for each additional state of the first mobile application reachable from the first state. For each additional state, the forward URL includes an indicator of the first mobile application and a path to reach the additional state within the first mobile application.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: April 3, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Omri Weisman, Manikandan Sankaranarasimhan, Benny Zilberstein, Yehuda Rajuan, Idan Elad, Ran Nozik, Kalyan Desineni, Eli Cohen
  • Patent number: 9916536
    Abstract: Certain relationships representing material insights are identified from among a set of discovered relationships. Cognitively discovered relationships in a knowledge base, or corpus, are ranked according to one or more metrics indicative of material insights, including recentness and degree of alignment.
    Type: Grant
    Filed: May 25, 2016
    Date of Patent: March 13, 2018
    Assignee: International Business Machines Corporation
    Inventors: John B. Gordon, John P. Hogan, Sanjay F. Kottaram
  • Patent number: 9917770
    Abstract: A traffic on-boarding method is operative at an acceleration server of an overlay network. It begins at the acceleration server when that server receives an assertion generated by an identity provider (IdP), the IdP having generated the assertion upon receiving an authentication request from a service provider (SP), the SP having generated the authentication request upon receiving from a client a request for a protected resource. The acceleration server receives the assertion and forwards it to the SP, which verifies the assertion and returns to the acceleration server a token, together with the protected resource. The acceleration server then returns a response to the requesting client that includes a version of the protected resource that points back to the acceleration server and not the SP. When the acceleration server then receives an additional request from the client, the acceleration server interacts with the service provider using an overlay network optimization.
    Type: Grant
    Filed: November 11, 2017
    Date of Patent: March 13, 2018
    Assignee: Akamai Technologies, Inc.
    Inventors: Andrew B. Ellis, Charles E. Gero, Andrew F. Champagne
  • Patent number: 9912748
    Abstract: A method includes storing data generated in a source node by sending write requests to multiple destination nodes. The destination nodes are requested to create snapshots of the data. The write requests are marked at the source node with marks that indicate to each destination node which of the write requests are pre-snapshot write requests that were issued before a snapshot request for a snapshot that the destination node is currently storing, and which of the write requests are post-snapshot write requests that were issued after the snapshot request for the snapshot that the destination node is currently storing. The snapshots are synchronized with one another at the destination nodes based on the marks.
    Type: Grant
    Filed: January 12, 2015
    Date of Patent: March 6, 2018
    Assignee: STRATO SCALE LTD.
    Inventors: Aharon Lazar, Yael Feldmann
  • Patent number: 9894048
    Abstract: Communications methods and appliances are described. According to one embodiment, a communications method includes prior to deployment of an appliance, establishing a trusted association between the appliance and a certificate authority, during deployment of the appliance, associating the appliance with a communications address of a communications medium, using the certificate authority, creating a signed certificate including the communications address of the appliance, announcing the signed certificate using the appliance, after the announcing, extracting the communications address of the appliance from the signed certificate, and after the extracting, verifying the communications address of the appliance.
    Type: Grant
    Filed: February 7, 2013
    Date of Patent: February 13, 2018
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Rajesh K Shenoy, Keith E Moore
  • Patent number: 9876643
    Abstract: A method of increasing communication security may include determining, responsive to receiving a first message from a first computer system, whether said first computer system is authorized to communicate with a second computer system, wherein said determining is performed at a third computer system. The method may also include generating a first data portion associated with a security token, wherein said generating said first data portion includes accessing data, wherein said data includes a first instance of a session key, and wherein said generating said first data portion further includes encrypting, using a key associated with said second computer system, said data to generate said first data portion. The method may further include communicating, if said first computer system is authorized to communicate with said second computer system, a second message from said third computer system for delivery to said first computer system.
    Type: Grant
    Filed: July 21, 2016
    Date of Patent: January 23, 2018
    Assignee: EXILANT Technologies Private Limited
    Inventor: Vishnu Sharma
  • Patent number: 9787666
    Abstract: Systems, methods and computer-readable media are disclosed for performing single sign-on processing between associated mobile applications. The single sign-on processing may include processing to generate an interaction session between a user and a back-end server associated with a mobile application based at least in part on one or more existing interaction sessions between the user and one or more back-end servers associated with one or more other mobile applications. In order to establish an interaction session with an associated back-end server, a mobile application may leverage existing interaction sessions that have already been established in connection with the launching of other associated mobile applications.
    Type: Grant
    Filed: May 17, 2017
    Date of Patent: October 10, 2017
    Assignee: FISERV, INC.
    Inventors: David Francis Scavo, Barbara Wilson Whiteside
  • Patent number: 9762392
    Abstract: Systems and methods for trusted provisioning and authentication for networked devices in a cloud-based IoT/M2M platform are disclosed. In one embodiment, a fully qualified domain name and public key is registered in a domain name server for each networked device during device configuration. A network device establishes its trustworthiness to a data collection and processing server by providing credentials to the data collection and processing server. The data collection and processing server deduces the username, the device's fully qualified domain name, and encrypted password from the credentials. The domain name server is queried for the fully qualified domain name and the public key is returned. The encrypted password is decrypted using the public key and an attempt is made to verify the password. When the password is verified, the username is provided to the data collection and processing server to authorize a network connection between the networked device and the data collection and processing server.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: September 12, 2017
    Assignee: Eurotech S.P.A.
    Inventors: Marco Carrer, Cristiano De Alti, Diego Rughetti, Antonio Abramo, Stefano Adami
  • Patent number: 9749130
    Abstract: In some embodiments, a server can establish a session with a remote client. The server can generate a session key portion for the session and a client key portion for the remote client. The server can use a combined encryption key to encrypt client data received from the remote client during the session. The combined encryption key can be generated from a static key portion accessible by the server, the session key portion, and the client key portion. The server can associate the session key portion with the session. The session key portion is accessible by the server during the session. The server can delete the client key portion after providing the client key portion to the remote client. The server can obtain the client key portion from the remote client in response to determining that subsequent transactions during the session involve decrypting the encrypted client data.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: August 29, 2017
    Assignee: Adobe Systems Incorporated
    Inventors: Jeffrey Michael Day, Peter Raymond Fransen
  • Patent number: 9742788
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correlating domain activity data. First domain activity data from a first network domain and second domain activity data from a second network domain is received. The first domain activity data and the second domain activity data is filtered to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain. Unfiltered first and second domain activity data is aggregated. Aggregated unfiltered first and second domain activity data is correlated to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks. A visualization of the attack path is generated.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: August 22, 2017
    Assignee: Accenture Global Services Limited
    Inventors: Amin Hassanzadeh, Shimon Modi, Shaan Mulchandani, Walid Negm
  • Patent number: 9721074
    Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes receiving, by one or more servers associated with an application marketplace, a policy that includes data that identifies one or more users, and a restricted permission. A request is received, by the servers associated with the application marketplace, to access one or more applications that are distributed through the application marketplace, wherein the request includes data that identifies a particular one of the users. One or more of the applications that are associated with the restricted permission are identified by the servers associated with the application marketplace, and access by the particular user to the applications that are associated with the restricted permission is restricted by the servers associated with the application marketplace.
    Type: Grant
    Filed: August 21, 2014
    Date of Patent: August 1, 2017
    Assignee: Google Inc.
    Inventor: Gabriel A. Cohen
  • Patent number: 9710640
    Abstract: Disclosed are various embodiments that facilitate bootstrap authentication of a second application by way of a user confirmation via a first application, where the first application is authenticated using trusted credentials. A security credential for a user account is received from a user. A first application is authenticated with an authentication service using the security credential. One or more user actions are received by the first application. The user actions constitute a confirmation of a bootstrap authentication request submitted by a second application. Data encoding the user actions is sent to the authentication service.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: July 18, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Harsha Ramalingam, Jesper Mikael Johansson, Bharath Kumar Bhimanaik
  • Patent number: 9699160
    Abstract: A system and method for exchanging identity information and for correlating protected data across independent data systems connected through a network is disclosed. The system contains connectors in communication with protected data systems which house the protected data. Data is correlated between the protected data systems through coincident authentication of both systems by a user. Messages are exchanged which allow the identity exchange system to correlate data based on a session identifier from an authenticated session on one of the protected data systems.
    Type: Grant
    Filed: January 9, 2015
    Date of Patent: July 4, 2017
    Assignee: Verato, Inc.
    Inventors: J. Brent Williams, Dennis Tackett, Dennis Rizzi
  • Patent number: 9698990
    Abstract: Very strong, complex, unforgettable passwords unique to each web site are created for a user's Web site authentication by altering all or part of the web site address using, in a preferred embodiment, a predetermined encoding dictionary with more than a single code for each entry and unique to each user. The entries in this preferred embodiment are single characters including characters used for words, punctuation, symbols and numerals; each single entry character appears more than once in the dictionary. The codes are of various character lengths and can be comprised of the same characters used in the entries. In a Web site authentication embodiment as well as for embodiments not used for Web site authentication, including pass-protecting files, the string of characters altered by encoding can be a private word or group of words. In another embodiment the password created by encoding is pseudo-randomly scrambled by using a seed unique to the user in order to create the password actually used.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: July 4, 2017
    Inventors: Robert Barry O'Dell, James D. Ivey
  • Patent number: 9686268
    Abstract: A method begins by a processing module receiving a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain. When the certificate chain is valid, the method continues with the processing module accessing registry information for the DSN. The method continues with the processing module identifying one of a plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain, identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries, and generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: June 20, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jason K. Resch, Wesley Leggette, Bart Cilfone
  • Patent number: 9680638
    Abstract: The present invention relates to a method to build a non-alterable structure and to such a non-alterable structure including data relative to a set of cryptographic material generated randomly or derived from a secret key linked to a business use, the non-alterable structure being intended to be transferred from a first entity to a second entity, the entities sharing at least an encryption/decryption key and a signature key, the structure comprising at least business data relative to the intended use of cryptographic material, an encrypted protection key encrypted with the encryption key, an encrypted set of cryptographic material encrypted with the protection key, a signature of the set of cryptographic material, the protection key and the data relative to the intended use of cryptographic material signed with the signature key.
    Type: Grant
    Filed: December 3, 2013
    Date of Patent: June 13, 2017
    Assignee: GEMALTO SA
    Inventors: Frank Detcheverry, Patrick Lambert, Fabien Poplin
  • Patent number: 9665914
    Abstract: An engine, system and method for a domain social network that interconnects Internet users with at least domains owned by or of interest to those Internet users, and that may obtain and/or forward obtained dynamic data regarding those domains automatically, such as by web service or email service. The dynamic data may be used to filter and protect content and data of the respective domains, to protect users by identifying low quality web pages or malicious software or pages, to isolate or improve search results regarding the domain, and/or to improve Internet-based transaction flow, such as the creation of advertising.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: May 30, 2017
    Assignee: Cybeye, Inc.
    Inventor: Bing Liu
  • Patent number: 9660989
    Abstract: Internet-wide identity management is described, including providing a user interface associated with a service provider; receiving, by an identity provider, a request to login a user associated with the service provider, the service provider being different from the identity provider; providing, by the identity provider to the service provider, a login status indicating that the user is authenticated, wherein, based on the login status, the user is authorized by the service provider to access a service provided by the service provider; and providing a widget associated with the login status, the widget being configured to present one or more settings associated with the user, including a first setting and a second setting, wherein the first setting is used by the service provider and the second setting is used by another service provider and not used by the service provider, and the another service provider is different from the identity provider.
    Type: Grant
    Filed: January 31, 2014
    Date of Patent: May 23, 2017
    Assignee: GOOGLE INC.
    Inventors: Dan Fredinburg, Andrew Swerdlow, Alex Brett Abelin
  • Patent number: 9661666
    Abstract: Apparatus and methods of communication include receiving, at a device, a device-specific identifier and a credential associated with an issuing identity provider, wherein an identity of the device is capable of authentication by the identity provider based on the device-specific identifier and the credential. Further, the aspects include storing the device-specific identifier and the credential in a secure environment on the device. Additionally, the device-specific identifier is capable of being associated with different subscriber service accounts each with a different one of a plurality of service providers. The described aspects also include apparatus and methods of an identity provider and a provisioning provider for managing identities in a multiple network environment, and apparatus and methods of a service provider for providing the device with access to a service.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: May 23, 2017
    Assignee: QUALCOMM Incorporated
    Inventor: Kalle Ilmari Ahmavaara
  • Patent number: 9654465
    Abstract: In a Software-Defined Network (SDN), a trust controller and trust processor exchange hardware-trust data over an SDN southbound interface to maintain hardware-trust. A flow controller transfers a Flow Description Table (FDT) modification to the data-plane machine over the southbound interface. The flow controller transfers an FDT modification notice to the trust controller which transfers FDT security data over the southbound interface to authorize the FDT change in the SDN data-plane machine. The data-plane machine authorizes the FDT modification based on the FDT security data from the trust controller. The data-plane machine modifies the FDT in response to the successful authorization and processes user data traffic using the modified FDT. The trust controller may also transfer a Threat Description Table (TDT) to the data-plane machine to filter the user traffic for other threats.
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: May 16, 2017
    Assignee: Sprint Communications Company L.P.
    Inventors: Marouane Balmakhtar, Arun Rajagopal
  • Patent number: 9640001
    Abstract: Obtaining and/or validating time-varying representations for user credentials at client devices is described.
    Type: Grant
    Filed: August 1, 2013
    Date of Patent: May 2, 2017
    Assignee: MicroStrategy Incorporated
    Inventors: Hector Vazquez, Gang Chen, Sergey Mironenko
  • Patent number: 9633209
    Abstract: Disclosed are various embodiments for creating and manipulating chained entity identifiers that include multiple use case-specific entity identifiers. Each of the use case-specific entity identifiers may identify a single entity but may differ, as they are use case-specific. Further, each of the use case-specific entity identifiers may be encrypted and/or signed using different use case-specific keys. The use case-specific entity identifiers may be nested or appended within a chained entity identifier.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: April 25, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Jesper Mikael Johansson, Darren Ernest Canavor, Daniel Wade Hitchcock, Bharath Kumar Bhimanaik, Jon Arron McClintock
  • Patent number: 9628469
    Abstract: A user accesses a remote session, the connection to which is managed by a connection broker, according to a single sign-on (SSO) process. The SSO process includes the user entering his or her credentials and being authenticated to the connection broker. In addition to user authentication, the SSO process includes connection broker authentication to confirm that the connection broker is trustworthy. When the connection broker is authenticated, the user credentials are transmitted to the connection broker in a secure manner and the connection broker forwards them onto a machine hosting the remote session so that the user can be logged into the remote session without entering his or her credentials again.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: April 18, 2017
    Assignee: VMware, Inc.
    Inventors: Anthony J. Wilkinson, Per Olov Larsson, Ashley Nuttall, Hans Christenson, Tom Elliott, Steven Sigel, Adam Gross
  • Patent number: 9600656
    Abstract: Embodiments of systems and methods as presented herein allow a user's locally stored authentication credentials to be reset without needing either to contact the domain controller over a network or to authenticate a user at the device. Credentials being reset by the user are obtained at the device and encrypted in the same manner as the original locally stored domain credentials such that the new credentials can be used to overwrite the previously stored authentication credentials for the user at the device without contacting the domain controller over the network. The user can then access his device without contacting the domain controller using these new locally stored authentication credentials. Additionally, the user's credentials may be independently reset with respect to the domain controller.
    Type: Grant
    Filed: March 9, 2016
    Date of Patent: March 21, 2017
    Assignee: Sailpoint Technologies, Inc.
    Inventor: Nicholas Ryan Wellinghoff
  • Patent number: 9578014
    Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: February 21, 2017
    Assignee: Oracle International Corporation
    Inventors: Ajay Sondhi, Ching-Wen Chu, Venkata S. Evani
  • Patent number: 9577990
    Abstract: A method for controlling access of a user to a secondary system. A primary system receives, from a user system connected to the secondary system, first authentication information comprising an encryption of a random string. The encryption of the random string is a user-specific key. Second authentication information is generated from protected secondary authentication data stored in the primary system. Generation of the second authentication information includes applying the user-specific key to the protected secondary authentication data to generate the second authentication information. The second authentication information is provided to the secondary system to enable access of the user to the secondary system.
    Type: Grant
    Filed: April 13, 2015
    Date of Patent: February 21, 2017
    Assignee: International Business Machines Corporation
    Inventor: Stephan Feil
  • Patent number: 9560066
    Abstract: Systems and methods are presented for generating a threat score and a usage score of each of a plurality of IP addresses. The threat score may be determined based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source.
    Type: Grant
    Filed: August 3, 2015
    Date of Patent: January 31, 2017
    Assignee: PALANTIR TECHNOLOGIES INC.
    Inventor: Alexander Visbal
  • Patent number: 9553864
    Abstract: A verification method and system are disclosed that verify a user. The user is provided a verification code via, for example, a website, to be communicated to the system via an application on a mobile communication device. If the correct verification code is communicated by the user, the user receives via the application a verification message containing another verification code, which the user submits to a website or on-line form or to another verification system for authentication.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: January 24, 2017
    Assignee: TeleSign Corporation
    Inventor: Steven H. Jillings
  • Patent number: 9531719
    Abstract: A computing resource service provider may receive, from a user client connected to an on-premises network, a security document specifying one or more user roles defining a level of access to customer resources within the on-premises network. In response, the service provider may generate and provide the user client with a cookie specifying the user roles and including an address for an interface within the service provider network. The service provider may receive a request from the user client to access one or more customer resources hosted by the service provider. The request may include the cookie previously provided to the user client. Accordingly, the service provider may extract the user roles from the cookie and determine, based at least in part on these user roles, whether to fulfill the user client request.
    Type: Grant
    Filed: April 29, 2014
    Date of Patent: December 27, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Wesley Marlin Sutton, Apolak Borthakur, Derek Avery Lyon, Raviprasad Venkatesha Murthy Mummidi, Karthikeyan Natarajan