Abstract: A method of managing a virtualization system includes detecting a change in location of an object within a virtualization environment, determining user permission rights for a current location of the object responsive to detecting the change in location of the object, and updating a record of user permission rights with the user permission rights for the current location of the object. Related systems and computer program products are also disclosed.

Abstract: A system and method for realizing specific security features for a mobile device that may store sensitive and private data by providing secured communications to a paired remote device. In this respect, both the mobile device (which may be a mobile phone, for example) and the paired remote device (which may be a keychain, for example) include a SIM card that may have identification data stored therein. Once paired, the two devices may communicate encrypted security messages back and forth in order to implement various security measures to protect data and wireless communications. Such messages may be generated from initial information known only to each respective device such as a randomly generated offset number and a common time reference.

Abstract: A method, apparatus, and computer usable program product for automatic activation of roles is provided. When a user initiates an action, a set of roles needed for the action is identified. A set of roles assigned to the user is also identified. From the two sets of roles, all roles that are common to both sets are identified in a subset of roles. Roles in this subset are assigned to the user and are sufficient for the action. One or more roles from this subset of roles is selected for activation depending on system policies in effect. Selected roles are automatically activated without requiring any intervention from the user. Once the selected roles are activated, they can become inactive upon completion of the current action, or remain active for subsequent actions by the user during all or part of a user session. System policies can decide how the roles are selected for activation, and the duration of which the roles remain active once activated.

Abstract: A computer-implemented method for generating secure passwords may include 1) displaying a user interface for entering a textual password, 2) receiving user input via the user interface to select a color for at least one character of the textual password, 3) displaying the entered textual password via the user interface by displaying the character in the selected color and by displaying at least one additional character in at least one additional color, and 4) generating a modified textual password by encoding the textual password with information relating the selected color to the character. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In one embodiment a computing device comprises a processor, a memory module coupled to the process and comprising logic instructions stored in a computer readable medium which, when executed, configure the processor to initiate boot operations in a computing device, present an authentication challenge when authentication is required to boot the computing device, continue boot operations in response to a successful response to the authentication challenge, and invoke an error routine in response to an unsuccessful response to the authentication challenge.

Abstract: An authentication processing device receives biometric data to be checked from a biometric measuring device; transforms the biometric data that is input from the biometric measuring device by using a checking transformation parameter that is different from a registration transformation parameter; and creates checking biometric data. Then, the authentication processing device performs a differential transformation process on the created checking biometric data by using a differential parameter by which a transformation state transformed by the checking transformation parameter and a transformation state transformed by the registration transformation parameter have the same state. Thereafter, the authentication processing device checks the transformed checking biometric data against the registration biometric data stored in a transformation registration data DB and performs authentication.

Abstract: A computer implemented method, a computer program product, and a computer distribute a virtual machine image. A request for a virtual machine image is received. Responsive to receiving the request or the virtual machine image, the authenticity of a virtual machine image catalog associated with the virtual machine image is identified. Responsive to identifying that the virtual machine image catalog is authentic, a first digital signature to be sent with the virtual machine image is determined. Responsive to determining the signature, the virtual machine image and the signature is sent.

Abstract: In a resource-on-demand environment, virtual machine images are validated before use. A provider or source of a virtual machine image may generate a manifest, indicating executable components of the machine image. Before use, a created virtual machine may compare its executable components with those specified by the manifest. To ensure authenticity, the manifest may be associated with a signature, and the virtual machine may use the signature to verify the manifest and the source of the machine image.

Abstract: A peer-to-peer (P2P) bot(s) in a network is identified using an already identified P2P bot. More specifically, such embodiments may facilitate determining a candidate set of computers, which may be potential P2P bots, by identifying computers in a network that have a private mutual contact with a seed bot, which is a computer identified as a P2P bot, and identifying additional computers that have private mutual contacts with the identified computers. Further, a confidence level indicative of a certainty of a membership of each of the candidate computers in the P2P botnet is determined and responsive to a determination that the confidence level of the candidate computer exceeds a determined threshold confidence level, the candidate computer is identified as a P2P bot.

Abstract: A system for managing adaptive security zones in complex business operations, comprising a rules engine adapted to receive events from a plurality of event sources and a security manager coupled to the rules engine via a data network, wherein upon receiving an event, the rules engine determines what rules, if any, are triggered by the event and, upon triggering a rule, the rules engine determines if the rule pertains to security and, if so, sends a notification message to the security manager informing it of the triggered event, and wherein the security manager, on receiving a notification message from the rules engine, automatically establishes a new security zone based at least in part on the contents of the notification message, is disclosed.

Abstract: According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (ADs), which are coupled between HTTP clients and web application servers. The computing device automatically learns a new condition shared by a plurality of alert packages reported by the set of ADs due to a triggering of one or more rules that is indicative of a web application layer attack. The computing device automatically generates a new set of attribute values by analyzing the plurality of alert packages to identify the condition shared by the plurality of alert packages, and transmits the new set of attribute values for delivery to the set of ADs for a different rule to be used to protect against the web application layer attack from the HTTP clients or any other HTTP client.

Abstract: A virtualized computing system includes a plurality of inventory objects and an access control subsystem that manages permissions to perform actions on the inventory objects using corresponding access control labels of the inventory objects. Permissions are managed by detecting a change in an association of a tag with an inventory object, where the tag defines one or more users and one or more privileges. In response to the detecting, an access control label of the inventory object is updated based on the users and privileges that are defined by the tag.

Abstract: Systems and methods of authentication and authorization between a client, a server, and a gateway to facilitate communicating a message between a client and a server through a gateway. The client has a trusted relationship with each of the gateway and the server. A method includes registering the client with the gateway. The client also constructs the address space identifying the gateway and the client. The client communicates the address space to the server. The client receives an identity identifying the server. If the client authorizes to receive a message from the server through the gateway, the client informs the authorization to the gateway. The client puts the identity identifying the server on a list of servers which are authorized to send messages to the client. In addition, the client communicates the list of servers to the gateway.

Abstract: A computer-implemented method for applying data-loss-prevention policies. The method may include (1) maintaining a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies, (2) detecting an attempt by a process to access sensitive data, (3) determining that the process has a parent-child relationship with an application within the list of applications, and (4) applying, based at least in part on the determination that the process has the parent-child relationship with the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A persona determination approach can be utilized to apply digital personas across multiple communications domains. A service gateway can determine whether to transfer a request for communications services to a Persona Determination Mechanism (PDM). The PDM can select a digital persona based on available information and transmit the digital persona to the service gateway. The service gateway can process the communications services based on the selected digital persona or based on the determination not to transfer the request. In some methods, the service gateway can forward the processed request to one or more network elements for further processing. Related systems are also disclosed.

Abstract: Techniques for in-app user data authorization are described. An apparatus may comprise a processor circuit, a permissions component, and a token component. The permissions component may be operative on the processor circuit to receive a request from an application to perform a task on a device and to return a response to the request to the application based on active permissions for the application. The token component may be operative on the processor circuit to manage a token database and to determine the active permissions for the application based on the token database. Other embodiments are described and claimed.

Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.

Abstract: Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies will become less useful over time. Such an approach reduces the ability of entities obtaining a copy of the cookie from performing unauthorized tasks on a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with age of the session, and various parameter values such as a badness factor for a session can be updated continually based on the events for the session.

Abstract: The image forming device includes an image data input unit that receives image data of a document; a set password acquisition unit that acquires information regarding a password from the image data received by the image data input unit; an input password receiving unit that starts reception of input of the password before the reception of the image data of all pages of the document is completed by the image data input unit; a password verification unit that performs verification between an input password and a set password; and a job execution unit that cancels execution limit of a job based on a verification result and executes the job, wherein, when the password is set in arbitrary one page of the document, the image data input unit sequentially completes the reception of the image data of the next page of the arbitrary one page of the document, before the input of the password corresponding to the password set in the arbitrary one page is completed by the input password receiving unit.

Abstract: Systems and methods for presenting a request are disclosed. The systems and methods may include one or more steps, such as receiving, by an electronic device, request information from an entity. The request information may include a request for approval by a user. The steps may further include transmitting, by the electronic device, data containing the request information to a computing device, receiving, by the electronic device, a symbology corresponding to the request information from the computing device and presenting, by the electronic device, the symbology to the user.

Abstract: According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (AD), which are coupled between HTTP clients and web application servers. The computing device learns a new set of attribute values for a set of attribute identifiers for each of a sequence of rules through an iterative process having a plurality of iterations. The iterative process begins with an attack specific rule, and the sequence of rules includes an attacker specific rule and another attack specific rule. Each iteration includes receiving a current alert package from one of the ADs sent responsive to a set of packets carrying a web application layer request meeting a condition of a current rule used by the AD, automatically generating a new set of attribute values based upon the current alert package, and transmitting the new set of attribute values to the set of ADs.

Abstract: A storage unit 601g of a recording medium device 600g stores a content and a revocation list. The revocation list includes a revocation identifier that is associated with the content and identifies a revoked public key certificate allocated to an apparatus related to use of the content. A controller 602g of the recording medium device 600g is provided with an acquisition unit 621g that acquires, from an apparatus 300g, an acquisition request for the content and an apparatus identifier identifying a public key certificate of the apparatus 300g; a judgment unit 622g that judges whether the apparatus identifier matches a revocation identifier; and a control unit 623g that controls to prohibit output of the content to the apparatus when the apparatus identifier and the revocation identifier match.

Abstract: A print relay system determines whether a printing function (capability) of an image forming apparatus corresponding to user authority setting has been registered in a printing service. Having determined that the printing function has been registered, the print relay system enables other users having the same authority to share the printing function (capability) of the image forming apparatus registered in the printing service.

Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.

Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.

Abstract: A device is configured for providing at least one secure cryptographic key for performing a cryptographic security function using a control device which requires a cryptographic key therefor. A configured key provided for the security function is selected from a first configuration memory and is tested using the read configured key whether a secure replacement key associated with the read configured key is memorised in a second configuration memory, said replacement key is provided for the control device for performing the security function instead of the configure key.

Abstract: Systems and methods for use in secure network communication. A physical network interface receives a network packet associated with a security level. The network packet is transmitted from the physical network interface to a security policy component. The network packet is routed to a stack offload engine by the security policy component based on a network address associated with the network packet and the security level associated with the network packet. The network packet is provided by the stack offload engine to a software application via trusted memory interface that transfers the packet to a memory portion of a plurality of memory portions. The memory portion corresponds to the security level.

Abstract: A method for authenticating the identity of a handset user is provided. The method includes: obtaining, a login account and a password from the user; judging whether the login account and the password are correct; if the login account or the password is incorrect, refusing the user to access an operating system of the handset; if the login account and the password are correct, sending the login account and the password to a cloud server, wherein the login account and the password correspond to a face sample image library of the user stored on the cloud server; acquiring an input face image of the user; sending the input face image to the cloud server; authenticating, by the cloud server, the identity of the user according to the login account, the password and the input face image.

Abstract: In a first embodiment of the present invention, a method for operating a presence server in a home network is provided, the method comprising: receiving a request for presence information; sending an event notification to all subscribed control points informing them of the request for presence information; receiving an action from one of the subscribed control points accepting or rejecting the request for presence information; and if the action received from the one of the subscribed control points accepts the request for presence information, causing presence information regarding the one of the subscribed control points to be sent to the entity that sent the request for presence information.

Abstract: Provided are a method, system, and computer program product for a local authorization extension to provide access authorization for a module to access a computing system. A memory stores information on a first validity range comprising position coordinates for a module seeking to access the computing system and a second validity range comprising position coordinates for a location authorization extension for a computing system. A determination is made of a first position signal from a first receiver of the module and of a second position signal from a second receiver of the location authorization module. Determinations are made as to whether the first position signal is within the first validity range and whether the second position signal is within the second validity range. The module is granted access to the computing system in response to determining that the first position signal is within the first validity range and the second position signal is within the second validity range.

Abstract: A computer-implemented method for negotiating a time and a medium for communications between users is described. The method is performed at a server including one or more processors and memory storing one or more programs. The method includes receiving a request from a first user to negotiate a time and a medium for communication with a second user. The request includes a plurality of acceptable mediums of communication. The method also includes generating a first notification based on the request. The first notification includes the plurality of acceptable mediums of communication. The method furthermore includes transmitting the first notification to the second user, and receiving a response to the first notification from the second user. The response indicates whether the second user has accepted one of the acceptable mediums of communication.

Abstract: A method begins with a processing module receiving a data retrieval request and obtaining a real-time indicator corresponding to when the data retrieval request was received. The method continues with the processing module determining a time-based data access policy based on the data retrieval request and the real-time indicator and accessing a plurality of dispersed storage (DS) units in accordance with the time-based data access policy to retrieve encoded data slices. The method continues with the processing module decoding the threshold number of encoded data slices in accordance with an error coding dispersal storage function when a threshold number of the encoded data slices have been retrieved.

Abstract: An embodiment of the invention provides a method for controlling access to a system, wherein a request to access the system and metadata of the request are received from a user, the request including a user identification. The metadata includes: information obtained from a history of prior accesses to an application access system, information obtained from a history of prior accesses to a wireless authentication system, and/or confirmation of the user identification by an entity physically proximate to the user. A database is queried with the user identification and the metadata to identify relationship data. The relationship data indicates the relationship between the individual assigned the user identification and an entity owning the system, an entity leasing the system, and/or an entity operating the system. The relationship data is input into a rules engine; and, security measure(s) are selected with the rules engine based on the relationship data.

Abstract: A method for associating a web event with a member of a group of users is implemented at a first computing device. The method includes: receiving a data access request from a second computing device; determining whether the user has previously provided personal information and authorization to the first computing device through the second computing device; if the user's personal information and authorization are found: generating a record for the data access request; if the user's personal information is found but the user's authorization is not found: generating a record for the data access request; and if neither of the user's personal information and authorization is found: identifying one or more user identifiers that are associated with the second computing device; and returning personal information associated with the one or more user identifiers to the second computing device.

Abstract: A lightweight solution enables the exchange of multimedia information in a secure manner. Exchanged cryptographic material can be used to encipher multimedia message-oriented communications between devices. This lightweight solution can be used by common off the shelf devices such as smartphones, tablets, feature phones, or special purpose machine to machine devices for private communications, such as command and control, location services, video, audio, electronic attachments, etc. using insecure voice or data communication paths, such as MMS.

Abstract: Resources may be managed in a topology for audio/video streaming. DisplayPort is a digital audio/video interconnect standard of the Video Electronic Standards Association (VESA). It allows video and audio to be coupled from a computer to a video display or an audio playback system. The topology includes audio/video sources and sinks and intervening branch devices. Messages between these sources, sinks, and branch devices may be used for resource management.

Abstract: A method for authenticating the identity of a handset user is provided. The method includes: obtaining, a login account and a password from the user; judging whether the login account and the password are correct; if the login account or the password is incorrect, refusing the user to access an operating system of the handset; if the login account and the password are correct, sending the login account and the password to a cloud server, wherein the login account and the password correspond to a face sample image library of the user stored on the cloud server; acquiring an input face image of the user; sending the input face image to the cloud server; authenticating, by the cloud server, the identity of the user according to the login account, the password and the input face image.

Abstract: A method for interpreting messages, user-defined alert conditions, voice commands and performing an action in response is described. A method for annotating media content is described. A method for presenting additional content associated with media content identified based on a fingerprint is described. A method for identifying that an advertisement portion of media content is being played based on a fingerprint derived from the media content is described. A method of one media device recording particular media content automatically in response to another media device recording the particular media content is described. A method of concurrently playing media content on multiple devices is described. A method of publishing information associated with recording of media content is described. A method of deriving fingerprints by media devices that meet an idleness criteria is described. A method of loading, modifying, and displaying a high definition frame from a frame buffer is described.

Abstract: Systems, methods, and apparatus for generating and validating product keys. In some embodiments, a product key includes security information and identification information identifying at least one copy of a software product. The identifying information may be used to access validation information from at least one source other than the product key, and the validation information may be used to process the identification information and the security information to determine whether the product key is valid. In some further embodiments, the security information includes a first portion to be processed by a first validation authority using first validation information and a second portion to be processed by a second validation authority using second validation information, wherein the second validation information is stored separately from the first validation information.

Abstract: A processing device comprises a processor coupled to a memory and is configured to receive authentication information from a user, to generate a message authentication code based at least in part on the received authentication information, to generate a credential for a particular access control interval based at least in part on the message authentication code and an intermediate value of a hash chain, and to provide the credential to a user in order to allow the user to access a protected resource in the particular access control interval. The message authentication code may be generated over a message payload that includes a password provided by the user. The credential may comprise a combination of the message authentication code and the intermediate value of the hash chain.

Abstract: Systems and methods are provided for FAA-certified avionics devices to safely interface with non-certified mobile telecommunications devices before, during, and after flight. Data transmitted to the certified devices do not affect functionality of the certified device unless and until a user acknowledges and/or confirms the data on the certified device. Thus, the integrity of the certified device is maintained.

Abstract: In a system and method for managing mainframe computer usage, preferred values for service class defined performance goals are determined to optimize workload performance in service classes across a logical partition. A method for managing mainframe computer system usage can include receiving a performance optimization goal for workload performance in a service class, the service class having a defined performance goal. Achievement of the performance optimization goal is assessed, and a preferred value for the defined performance goal is determined based on assessing achievement of the performance optimization goal. Workload criticality can be taken into account, and automatic changes to the performance goal authorized.

Abstract: Systems and methods for verifying human users through cognitive processes that computers cannot imitate are described herein. Human cognitive language processing techniques may be used to verify human users. Visual patterns and tests may be used to distinguish between humans and computers because computer-based visual recognition is fundamentally different from human visual processing. Persistent plugins and tests may be used to continuously verify human users.

Abstract: Managing access to resources shared among multiple processes within a computer system. Multiple program instances of an application are almost simultaneously executed on multiple processors for fault tolerance. The replication solution supports the recording and subsequent replay of reservation events granting the shared resources exclusive access rights to the processes, when one program code instruction may request access to a set of shared resources in a non-deterministic order.

Abstract: A request for information or services available on an intranet may be made by users on an extranet outside the intranet. An email is generated in an external server on the extranet in response to the request for information or services, and then sent from the external server to an internal server inside the intranet. The email comprises one or more approved forms based on the request, wherein specifics of the request are embedded into the body of the email. The email is processed at the internal server, in order to generate a response to the request, wherein the response is returned by the internal server to the external server in a reply email. The reply email includes an attachment containing the results of the processing performed by the internal server. The external server allows the user to access these results via an external graphical user interface.

Abstract: Embodiments of the disclosure relate to identifying email resources associated with client devices, identifying resource rules, determining whether the email resources satisfy the resource rules, and modifying the email resources as well as the ability to access the email resources based on the resource rules if the resource rules are not satisfied by the email resources.

Abstract: Methods and systems for child authentication are described. In one embodiment, a communication enablement request may be received to enable electronic communications between a first child and a second child. A confirmation acceptance code may be electronically generated. The confirmation acceptance code may be associated with the first child and the second child. The confirmation acceptance code may be received from a parental representative of the second child. The electronic communication may be enabled between the first child and the second child based on the receiving of the confirmation acceptance code from the parental representative of the second child. Additional methods and systems are disclosed.

Abstract: Application programming interface (API) for starting and accessing distributed routing table (DRT) functionality. The API facilitates bootstrapping into the DRT by one or more devices of a group of devices (a mesh) seeking to collaborate over a serverless connection, establishing a node of the DRT, where each node is an instance of an application that is participating in the mesh, and node participation by allowing the application to search for keys published by other nodes in the mesh, or by becoming part of the mesh by publishing a key. The API facilitates optimization of the routing table for quickly finding a root of a specific key in the mesh by finding the key directly in a cache or by asking a root node of the key that is in the local routing table that is closest numerically to the key being searched.

Abstract: An apparatus and method for generating a group key using the status of a wireless channel are provided. The apparatus includes a representative channel response selection unit for selecting a representative channel response signal from among pilot signals received from slave terminals. A key generation unit generates a group key based on a representative channel response value of the representative channel response signal. A hash value generation unit generates a hash value corresponding to the group key. A transmission pilot control unit adjusts power intensities of transmission pilots of the respective slave terminals using the channel response value of the representative channel response signal and channel response values and transmission power intensities of the slave terminals. A communication unit is individually connected to the slave terminals and configured to transmit pilot signals, power intensities of which have been adjusted, and the hash value to the slave terminals.

Abstract: A method and apparatus for authenticating a signal received at a wireless node. The signal is received at the wireless node. The wireless node is one of a plurality of wireless nodes in a communications network. A set of parameters is identified for the signal. A distance between the wireless node and a source of the signal is identified using a location of the wireless node and the set of parameters for the signal. A determination as to whether the source of the signal is an authorized source is made using the distance identified.