Abstract: An exemplary system preserves the autonomy of two or more distinct storage management systems all the while enabling backed up data to be restored from a first storage management system (the “local system”) to a specially-configured client in a second storage management system (the “remote system”). For example, backed up data in the local system (e.g., a secondary copy of production data) may be transferred, in a restore operation, from secondary storage in the local storage management system, which originated the data, to a client of the remote storage management system (the “remote client”). As a specially-configured “restore-only client,” the remote client is limited to receiving backed up data from the local storage management system, via restore operation(s) managed by the local storage manager. The remote client remains a full-fledged client in its home system, the remote storage management system.

Abstract: Disclosed are various embodiments for updating account data with multiple account providers. Account management logic determines that personal information associated with a user has been updated. Multiple accounts of the user that may use the personal information are determined. The accounts are with multiple account providers. Corresponding account update requests for the accounts are sent to the account providers. The account update requests specify the personal information that has been updated.

Abstract: A router management server may be utilized to manage a plurality of home routers. Appropriate access control rules may be determined by the router management server for various client devices including IoT devices based on the type and/or make/model of the client devices. MAC address-bound WLAN passphrases may be assigned to the client devices and bound to the MAC addresses associated the client devices. Further, WLAN passphrases may be associated with expiration periods and/or access control rules. Therefore, a secure home network environment that takes into account the vulnerabilities of IoT devices may be achieved without the involvement of an IT department. Moreover, Flexibility of WLAN passphrase management may be improved.

Abstract: A user device registers with a proxy-call session control function device (P-CSCF) associated with an Internet protocol (IP) multimedia subsystem (IMS). The user device forwards a request to the P-CSCF requesting a session via the IMS for an IMS call. If a response to the request is not received from the P-CSCF during a time period after forwarding the request, the user device attempts to newly register with the P-CSCF. If the new registration is successful, the user device re-forwards the request to the P-CSCF. Otherwise, if the new registration with the P-CSCF is unsuccessful, the user device registers with a different P-CSCF and forwards the request to the second P-CSCF.

Abstract: A system and method for facilitating personalization of one or more multi-instance software applications in a networked enterprise computing environment. An example method includes providing a first user option to specify one or more adjustments to a rendering of a software application; identifying one or more servers that are employed to obtain content for the rendering; and selectively providing information specifying the one or more adjustments to the one or more servers, such that the one or more adjustments appear in a rendering provided when a user accesses the software application from any of the one or more servers. In a more specific embodiment, the information specifying the one or more adjustments to the one or more servers include customization metadata (also called personalization metadata) stored on a first server, called the gateway server.

Abstract: Cross-Site Request Forgery attacks are mitigated by a CSRF mechanism executing at a computing entity. The CSRF mechanism is operative to analyze information associated with an HTTP request for a resource. The HTTP request typically originates as an HTTP redirect from another computing entity, such as an enterprise Web portal. Depending on the nature of the information associated with the HTTP request, the HTTP request may be rejected because the CSRF mechanism determines that the request is or is likely associated with a CSRF attack. To facilitate this determination, the approach leverages a new type of “referer” attribute, a trustedReferer, which indicates that the request originates from a server that has previously established a trust relationship with the site at which the CSRF mechanism executes. The trustedReferer attribute typically is set by the redirecting entity, and in an HTTP request header field dedicated for that attribute.

Abstract: The embodiments herein relate to a method in a wireless device (101) for enabling trusted communication between a wireless device entity (101a) and a second network node (105) via a first network node (103). The wireless device (101) and the first network node (103) are adapted to communicate using a secure communication channel. The wireless device (101) transmits a message to the first network node (103) using the secure communication channel. The message comprises information indicating that the wireless device entity (101a) is comprised in a trusted zone of the wireless device (101). The trusted zone is at least partly trusted by the first network node (103).

Abstract: A system and method that provides for the backup and recovery of personalized user data. An exemplary method includes storing user data files in electronic memory of a user device, continuously tracking user actions by one or more user devices to detect interact with at least one external resource; determining whether the tracked user actions have modified one or more of the plurality of user data files; and if the processor determines that the tracked user actions have modified a user data file, storing the modified user data file in a data storage system.

Abstract: Various embodiments enable an application to obtain information associated with a link to content without navigating to the link. The application can be configured to identify a link, receive input to attain information associated with the link, and send a request to a service for the information. In one or more embodiments, a service can be configured to receive a request for information associated with a link, ascertain one or more sources from which to gather the information, determine appropriate mechanisms by which to obtain the information, and acquire the information. Alternately or additionally, the service can further assemble the information into a consumable format, and return the consumable format to a requesting application or device.

Abstract: A communication event is established between an initiating device and a responding device under the control of a remote communications controller. In a pre-communication event establishment phase, a secure connection is established between the initiating device and the communications controller, and session key negotiation messages are exchanged between the initiating device and the communications controller via the secure connection to obtain session key data in an electronic storage location accessible to the initiating device. The secure connection terminates once the session key data has been obtained. In a subsequent communication event establishment phase—after the session key data has been obtained and the secure connection has terminated in the pre-establishment phase—a communication event request is transmitted from the initiating device to the communications controller comprising a payload encrypted with the session key data.

Abstract: Provided are a communication control device and a communication system capable of detecting message transmission in the case where an invalid device transmits a message to a common communication line. A monitoring device decides a reference time point t0 for periodical message transmission by an ECU, decides multiple scheduled transmission time points t1, t2, . . . obtained by adding a period corresponding to an integer multiple of a transmission cycle T of a message to the reference time point t0, and decides that a predetermined period including each of the scheduled transmission time points is a permission period for message transmission. The monitoring device determines whether or not a detected message on a CAN bus has been transmitted during the permission period. If determined that transmission of an invalid message is not permitted, the monitoring device performs processing of causing the ECU which receives the message to discard the message.

Abstract: A communication event is established between an initiating device and a responding device under the control of a remote communications controller. In a pre-communication event establishment phase, a secure connection is established between the initiating device and the communications controller, and session key negotiation messages are exchanged between the initiating device and the communications controller via the secure connection to obtain session key data in an electronic storage location accessible to the initiating device. The secure connection terminates once the session key data has been obtained. In a subsequent communication event establishment phase—after the session key data has been obtained and the secure connection has terminated in the pre-establishment phase—a communication event request is transmitted from the initiating device to the communications controller comprising a payload encrypted with the session key data.

Abstract: A system for hierarchical scanning includes an interface and a processor. The interface is to receive an indication to scan using a payload; provide the payload to a set of addresses on a set of ports; and receive a set of responses. Each response is associated with an address and a port. The processor is to: for each response of the set of responses: determine whether a follow-up probe exists associated with the response; and in the event the follow-up probe exists associated with the response: execute the follow-up probe on the address and the port associated with the response; and store the set of data received in response to the follow-up probe in a database.

Abstract: Net2Core is a Server Application Design Framework that provides inherent security for information due to its tri-partite structure. The Net2Core Server Application Design Framework consists of a Server process (the “Net Process”) that is accessible by a Client; a Server process that is responsible for all Application information processing (the “Core Process”) which is inaccessible directly by a Client; and a Storage medium to pass requests to the “Core Process” from the “Net Process” and to pass results provided by the “Core Process” to the “Net Process”. Additional to the request/response interaction of the “Net Process” to/from the “Core Process” through the Storage, there is also direct communication from the “Net Process” to signal the “Core Process” of the need for operation and from the “Core Process” to the “Net Process” to signal “Core Process” completion.

Abstract: Management of virtual machines within a private network may be provided from a server application, such as a web application, on a machine remote from a private network. The server application receives management commands and communications the management commands in a vendor independent format to a client application within the private network. The client application receives the management commands, instantiates the management commands into a vendor specific definition and redirects the management commands to the virtual machine host for appropriate execution.

Abstract: A processor is configured to execute an event-driven program along a plurality of execution paths. Each of the plurality of execution paths is determined by randomly chosen outcomes at non-deterministic points along the plurality of execution paths. A memory is configured to store values of properties of the event-driven code in response to executing the event-driven program along the plurality of execution paths. The processor is also configured to infer normal ranges of the properties of the event-driven program based on the values stored in the memory.

Abstract: An online system determines a frequency with which its users delete information stored in a browser on client devices associated with each user. When a user accesses the online system, the online system determines a user identifier associated with the user and determines if one or more conditions are satisfied based on information received from a browser used to access the online system. If a condition is satisfied, the online system communicates an instruction to the browser to communicate information associated with a third party and the user identifier to the third party. Information previously stored in the browser and associated with the user identifier is compared to information associated with the user identifier received from the browser. Deletion of information stored in the browser is determined when stored information associated with the user identifier differs from received information associated with the user identifier.

Abstract: A containerized architecture to secure and manage Internet-connected devices, such as “Internet of Things” devices, is disclosed. In various embodiments, one or more containerized applications are run, e.g., on an Internet of Things gateway, subject to management by the management server. At least one of the containerized applications is a management agent configured to participate, subject to control of the management server, in management of one or more other of said containerized applications.

Abstract: The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.

Abstract: Disclosed are various embodiments for resuming sessions and electronic commerce session across devices. A computing environment is employed to maintain a navigation history comprising a plurality of product pages accessed by a first client device during an electronic commerce session. At least one of the plurality of product pages is determined to be presented on the second client device in response to a request to resume the electronic commerce session being received from a second client device. The product page determined is presented on the second client device.

Abstract: Techniques described herein may be used to centralize authentication and authorization for accessing cloud services provided by different cloud platform deployments. A user equipment (UE) may provide user information to a cloud admin server. The cloud admin server may authenticate and authorize the UE locally and then initiate a sign on procedure with each cloud platform deployment. The sign on procedure may include obtaining user group information for the user and providing the user group information to the cloud platform deployments so that the cloud platform deployments may return permission information without having to each perform an authentication and authorization procedure. The cloud admin server may relay the permission information to the UE, and the UE may use the permission information to access any/all of the cloud services.

Abstract: Embodiments of the present invention provide methods, systems and computer program products for the centralized, secure offloading of security services for distributed security enforcement points. In an embodiment, a network data processing system can be configured for centralized secure offload of security services for distributed security enforcement points and can include a set of security enforcement points controlling communication flows between devices in different less trusted zones of protection. The system also can include a security server communicatively coupled to the security enforcement points and hosting security services logic disposed in a more trusted zone of protection. Each of the security enforcement points can include an interface to the security services logic and program code enabled to offload security related services processing through the interface to the security services logic disposed in the more trusted zone of protection.

Abstract: A method for identifying a device capable of communicating by Li-Fi including the steps of generating and storing a list of first pieces of address data and a list of transmission frequencies each associated with a first piece of address data; selecting second pieces of address data (11) to form a MAC address (10); transforming each second piece of address data into a third piece of address data containing a transmission frequency value associated with the second piece of address data; generating a global address; assigning the global address to the device; and recording the global address in a memory module of the device capable of communicating by Li-Fi.

Abstract: A network system includes a datacenter including a gateway router configured to route data transmissions of public network traffic to and from a plurality of VPCs hosted by the datacenter. A first VPC is configured to communicate with the gateway router. The first VPC is accessible and identifiable via a first public IP address. A second VPC is configured to communicate with the gateway router, and the second VPC is accessible and identifiable via a second public IP address. A direct connection transmits a particular data transmission based on the first public IP address and the second public IP address, directly between the first VPC and the second VPC so as to bypass the gateway router. The first public IP address and the second public IP address are assigned from among a group of public IP addresses allocated for assignment to VPCs hosted by the datacenter.

Abstract: Embodiments of the present disclosure provide a method and an apparatus for performing communication in software-defined networking, and a communications system. The method includes: receiving a message sent by a network device, where the message includes a signaling message; determining, according to a control policy, a matching condition that matches the message, where the control policy includes a matching condition and operation information corresponding to the matching condition; processing the message according to the operation information corresponding to the matching condition that matches the message; and sending the processed message to the network device. According to the method and the apparatus for performing communication in software-defined networking, and the communications system in the present disclosure, a problem in the prior art that a control device serving as a network control center cannot communicate with a base station is resolved.

Abstract: An information processing apparatus having a function of entering and returning from a hibernation state and communicable with a server apparatus performing device certification includes a storage unit configured to, in a case where a software module is activated, store a hash value of the activated software module in a volatile memory, a request unit configured to request device certification based on a hash value stored in the volatile memory from the server apparatus, and an excluding unit configured to, in a case where the device certification is requested after returning from the hibernation state, exclude a software module activated before entering the hibernation state from a target of the device certification.

Abstract: Systems, methods, and computer-readable media related to configuration of browser applications executed on client computing device to control the functionality of the browser application as at least some content is accessed. The configuration of the browser application can be controlled programmatically such that the browser configuration can be validated and controlled by at least some content providers. Additionally, the configuration and subsequent processing of content provided by an authenticating content provider can be implemented in a manner such that users of a client computing device and other applications on the client computing device may not have access to modify or otherwise interfere with the operation of the browser software application.

Abstract: Systems and methods for managing risk management rules are provided. A risk management rule may be configured at a rule configuration interface are described. The rule configuration interface may include a list of access rights available for selection. Based on input received, one of the access rights may be identified as a base access right and one of the access rights may be identified as a conflicting access right for the risk management rule. The access rights provisioned at the computing system may be monitored to determine whether a user is provisioned with both the base access right and the conflicting access right. If so, a violation review may be created and presented at a violation review interface at which a decision for the violation review is receivable. An exception to the risk management rule may also be configured at an exception configuration interface.

Abstract: Provided are a method and apparatus for sending or forwarding information. The sending method is applied to an M2M communication system and includes: a sending device sends to-be-sent information to a target device through a communication network, wherein the information carries one of the followings: a first ID, which is used for identifying the target device outside the communication network, and a second ID, which is used for identifying the target device inside the communication network; the sending device acquires a recognizable ID corresponding to the specified ID through the communication network; and the sending device sends the information to the target device through the communication network according to the recognizable ID. The technical problem that there is still no effective object identification solution which is compatible with various standard systems in the related arts is solved, and different M2M user equipment can be distinguished in the M2M communication system.

Abstract: Techniques to securely store and retrieve data are disclosed. In various embodiments, a process of retrieving secure data includes receiving a request, where the request includes a first secret data and a second secret data. The process further includes identifying a first encrypted data to retrieve based on the request, using the first secret data to decrypt the first encrypted data to generate a decrypted data, generating a second encrypted data, where the second encrypted data is encrypted using the second secret data. In response to the request, the second encrypted data is provided.

Abstract: Embodiments provide system and methods for a DDoS service using a mix of mitigation systems (also called scrubbing centers) and non-mitigation systems. The non-mitigation systems are less expensive and thus can be placed at or near a customer's network resource (e.g., a computer, cluster of computers, or entire network). Under normal conditions, traffic for a customer's resource can go through a mitigation system or a non-mitigation system. When an attack is detected, traffic that would have otherwise gone through a non-mitigation system is re-routed to a mitigation system. Thus, the non-mitigation systems can be used to reduce latency and provide more efficient access to the customer's network resource during normal conditions. Since the non-mitigation servers are not equipped to respond to an attack, the non-mitigation systems are not used during an attack, thereby still providing protection to the customer network resource using the mitigation systems.

Abstract: A method includes receiving authentication information for a client device at a server. The authentication information includes a geographic location of the client device and a first result of a one-way hash function based on a combination including an authentication seed and a first secret. The method includes computing, at the server, a second result of the one-way hash function based on a combination including the authentication seed and a second secret. The method also includes enabling the client device to access a second network in response to a determination by the server that the first result matches the second result and a determination by the server that the client device is authorized to access the second network based on the geographic location.

Abstract: A method for blocking web page trackers by a web browser of a mobile device, including loading a web page on a mobile device, scanning the web page to detect scripts in the web page, for each detected script, comparing content of the script with a list of URL connections, to detect trackers present in the script, each URL connection being associated with a corresponding tracker, storing the detected trackers, displaying the stored trackers to a user, enabling a user to selectively block, via said mobile device, one or more of the displayed trackers, and reloading the web page, comprising, for each selected tracker to block, rejecting the URL connection corresponding to the selected tracker.

Abstract: The techniques described herein are configured to map a new security association to an active Internet Protocol (IP) Multimedia Subsystem (IMS) session subsequent to the occurrence of a connectivity interruption. In various examples, the connectivity interruption occurs in an access network that supports an IMS network. The new security association is established using an updated IP address that is configured for (e.g., assigned to) a mobile device after the connectivity interruption to the IMS session occurs. The techniques described herein improve network performance because less resources are spent to establish new IMS session in response to the interruption. Rather, in accordance with the examples provided herein, network components can determine that a new security association is associated with an active IMS session, and the network components can map the new security association to the active IMS session (e.g., one for which the IMS has not released the IMS bearer).

Abstract: An approach for managing collaboration on IWBs allows users of different third-party collaboration services to participate in collaboration meetings on IWBs. The approach allows the users to use collaboration functionality provided by IWBs, such as annotation, and to communicate with each other, even though the users are using different third party collaboration services. The approach uses a collaboration manager that provides a “single wrapper” application program interface (API) and centralized management of collaboration meetings, including license key and token management, cross-license collaboration, user management and meeting management. The collaboration manager acts as a mediation layer that handles the APIs of different third-party collaboration services and allows users using heterogeneous collaboration clients to participate in collaboration meetings.

Abstract: At least one application may include instructions comprising application instructions and a plurality of separate pipeline definition instructions. The application instructions may be within a virtual container including at least one program that is generically executable in a plurality of different continuous integration and delivery (CI/CD) environments. Each of the plurality of separate pipeline definition instructions may be configured for each of the plurality of different CI/CD environments such that each pipeline definition may operate only in the CI/CD environment for which it is created. Each pipeline definition may be configured to cause the CI/CD environment for which it is created to execute the at least one program.

Abstract: Techniques are disclosed for providing a distributed customer premises equipment (CPE) comprising several devices. The distributed CPE may include a control plane subsystem configured to execute on a first device, a first data plane subsystem configured to execute on a second device, and a second data plane subsystem configured to execute on a third device. The second device may be further configured to execute a first virtual machine capable of executing a first network function. The third device may be further configured to execute a second virtual machine capable of executing a second network function. In certain embodiments, the control plane subsystem may be configured to control forwarding functionality of the first data plane subsystem and the second data plane subsystem, and control the first network function and the second network function. In certain embodiments, the first device and the second device are customer premises equipment (CPE) devices.

Abstract: Systems and methods for decentralized and asynchronous authentication flow between users, relying parties and identity providers. A trusted user agent application or digital lock box under a user's control may perform the functions of an authentication broker. In particular, the user agent application or digital lock box can accept relying party requests and respond with authentication and identity data previously obtained from an identity provider server, and without the involvement of a centralized broker server.

Abstract: A system and method for providing a network proxy layer are disclosed. The network proxy layer may receive a connection establishment event for a client connection of an application session and send the client connection event to an application proxy for the application session, the application proxy being associated with an application of a server. Upon establishment of the client connection, the network proxy layer may receive one or more data packets from the client connection. The network proxy layer may further receive a connection establishment event for a server connection of the application session of the server, and receive one or more data packets from the server connection.

Abstract: An access control rule authorizing communication between a plurality of managed servers within an administrative domain is determined. Communication information describing past communication between the plurality of managed servers is obtained. A subset of managed servers from the plurality of managed servers is identified by grouping the plurality of managed servers based on the obtained communication information. A group-level label set is determined to associate with the subset of managed servers. Role labels are determined for managed servers in the subset of managed servers. A managed server is associated with one role label. Based on the group-level label set and the role labels, an access control rule is generated authorizing communication between a first managed server of the subset of managed servers and a second managed server. The access control rule is stored as part of an administrative domain-wide management policy.

Abstract: The disclosure describes systems, methods and devices relating to a sign-on and management hub or service for users of multiple internal, external or Software-as-a-Service (SaaS) software applications (Apps), with options for centralized management and sharing of accounts without needing to provide login credentials to individual users.

Abstract: Techniques for analyzing a page to be presented by a browser running on a computing platform. The page is disabled. The page is tested to determine if the page is framed by a second page. The page is enabled if the testing indicates that the page is not framed by a second page. Each level of a hierarchy of framed pages is inspected to determine whether each level is authorized. The page is enabled if the inspecting indicates that each level of the hierarchy of framed pages is authorized.

Abstract: A communications system includes communications terminals connected to a management server.

Abstract: Techniques for setting up wireless data transfer are described. In one embodiment, for example, an apparatus may be configured to monitor network traffic. A context or origin of the network traffic may be determined. Control options for setting up a wireless data transfer may be determined and presented to a user. Based upon user input, a control option may be selected. Routing network traffic may be performed based upon the selected control option. Other embodiments are described and claimed.

Abstract: A system includes: a CPU, a computer readable memory and a computer readable storage medium associated with a computer device of a service provider; program instructions to receive, by the computer device, a breach notification from a user device, wherein the user device includes a client that corresponds to the service provider, and the breach notification indicates a potential security compromise of the user device; program instructions to identify, by the computer device, a plurality of user devices that have the client; and program instructions to transmit, by the computer device, a respective security profile to each of the identified plurality of user devices, wherein each of the respective security profiles defines a security challenge that must be completed to obtain access. The program instructions are stored on the computer readable storage medium for execution by the CPU via the computer memory.

Abstract: Concepts and technologies are disclosed herein for providing a basic firewall using a virtual networking function. A control system having a processor can detect a firewall request that can include a request to create a basic firewall. The processor can analyze a recipe to determine a virtual switch and a basic firewall virtual function that are to provide the functionality of the basic firewall. The processor can trigger instantiation of the virtual switch via a network control function and instantiation of the basic firewall virtual function via a service control function. The processor also can validate the basic firewall. The basic firewall can provide filtering of traffic at the network transport layer using the virtual switch, and as such, the virtual switch may not operate on the application layer.

Abstract: According to one embodiment, a storage device includes a processor which executes first processing, second processing and third processing. The second processing includes processing for relaying a command issued by a host device, and an execution result of the first processing corresponding to the command, between the host device and the first processing. The third processing includes processing for causing the second processing to transition from a first state to a second state of lower energy consumption than the first state, when a first period in which the second processing is in an idle state exceeds a second period. The third processing further includes processing for maintaining the first state under a first condition, when the first period exceeds the second period.

Abstract: Various embodiment methods for performing security-focused web crawling by a server may include identifying sensitive data on a first web page, and generating a first document object model (DOM) for the first web page in which the first DOM represents the sensitive data on the first web page. Various embodiments may further include comparing one or more attributes of the sensitive data in the first DOM with the one or more attributes of the sensitive data in a second DOM for a second web page, and determining whether the first web page is different from the second web page based on the comparison of the one or more attributes of the sensitive data in the first DOM and the second DOM.

Abstract: A secure interface for a mobile communications device has output communications circuitry operable to communicate with an external network, private network communications circuitry operable to communicate with a mobile communications device, and an input/output filter connected between the output communications circuitry and the private network communications circuitry. The input/output filter separately filters, based on programmed stored criteria, externally-received information packets from the external network via the output communications circuitry and internally-received information packets from the mobile communications device via the private network communications circuitry.

Abstract: Disclosed are systems, methods and computer-readable storage medium for extending a private cloud to a public cloud. The private cloud can be extended to the public cloud by establishing a virtual private network between a private cloud and a public cloud, receiving one or more access control lists provisioned by the private cloud, determining contracts between an end point group of the private cloud and an end point group of the public cloud based on the one or more access control lists, and extending the end point group of the private cloud to the end point group of the public cloud across the virtual private network.