Abstract: In an example embodiment, a system for allowing one or more password errors may store a correct password for a user and receive an attempted login from a user device. The attempted login may include (1) an attempted password with one or more errors and (2) metadata. The system may assign a metadata risk score to the metadata, assign a password risk score to the attempted password, aggregate the scores, and grant or deny access to the user based on the aggregated score and a predetermined threshold.

Abstract: Systems and methods for authenticating a user are provided. A method may comprise providing interactive media on a computing device associated with a user. The interactive media may comprise a plurality of images. The plurality of images may be presented on a graphical display of the computing device. The method may also comprise receiving input data from the computing device when the user selects a sequence of images from the plurality of images on the graphical display of the computing device. The selected sequence of images may correspond to a sequence of grammatical words. The method may further comprise analyzing the input data by comparing the sequence of grammatical words to a passcode, and authenticating the user when the sequence of grammatical words is equal to the passcode.

Abstract: A device may obtain an animation, wherein the animation comprises a set of frames to emulate a moving image. The device may obtain a label to associate with the animation. The device may generate a human authentication challenge, wherein the human authentication challenge includes a display using the animation, and directions for a user to complete a task by interpreting the animation. The device may generate instructions to cause a user device to display the human authentication challenge. The device may send, to the user device, the instructions to cause the user device to display the human authentication challenge. The device may receive an input to the human authentication challenge regarding the animation. The device may analyze the input using the label to determine whether to authenticate the user. The device may perform an action based on analyzing the input using the label to determine whether to authenticate the user.

Abstract: The invention relates to a method for carrying out a sensitive operation in the course of a communication between a processing unit and a first service server, said first server being accessible via a first domain name and/or first electronic address. The method comprises the step of using at least one second domain name different from the first and/or a second electronic address different from the first to carry out all or part of the sensitive operation. The invention also relates to a system corresponding to the method and comprising the server and/or the processing unit.

Abstract: Described herein is a methods and systems for providing a digital interactive experience. Interactive experiences include, but not limited to, synchronized video playback, video and text chat between two or more participants, and interactive live event participation combining synchronized video, text and video chatting. The system comprises persistent and non-persistent components to which a plurality of participants in the interactive experience may connect.

Abstract: Disclosed are various embodiments for malware detection by way of proxy servers. In one embodiment, a proxied request for a network resource from a network site is received from a client device by a proxy server application. The proxied request is analyzed to determine whether the proxied request includes protected information transmitted in an unsecured manner. It is then determined whether the network resource comprises malware based at least in part on an execution of the network resource or whether the proxied request includes the protected information transmitted in the unsecured manner. The proxy server application refrains from sending data generated by the network resource to the client device in response to the proxied request when the network resource is determined to comprise the malware.

Abstract: An identity authentication procedure of a user is initiated and a plurality of virtual reality articles is displayed. Selection operation information of the user is determined for the plurality of virtual reality articles. Whether the selection operation information matches predefined standard selection operation information is determined. In response to determining that the selection operation information matches the predefined standard selection operation information, whether the identity authentication procedure of the user succeeds is determined.

Abstract: A method and an information handling system (IHS) for authenticating unified extensible firmware interface (UEFI) images in an IHS. The method includes receiving, by a processor of the IHS, a request to authenticate an image. The method also includes determining a type of the image and retrieving, from an entry within a UEFI signature database, a certificate utilized to sign the image. The method further includes determining a verification entry of a verification database of the HIS that corresponds to the entry of the UEFI signature database and identifying, from the verification entry, a particular type of image which the certificate may be used to authenticate. The method further includes determining whether the type of the image is the particular type. In response to determining the type of the image is the particular type, the method includes authenticating the image using the certificate.

Abstract: The present disclosure is directed towards systems and methods for managing application delivery in a network. A device intermediary to a client and one or more servers that provide a plurality of applications, receives a request from the client to access a first application of the plurality of applications. The device holds the request and retrieves, while holding the request, configuration information for an instance of the first application from a configuration repository. The device configures a virtual internet protocol (“VIP”) server using the configuration information for the instance of the first application. The device processes the request via the VIP server.

Abstract: An apparatus in one embodiment comprises a client configured to perform client-side portions of one or more user authentication protocols carried out between the client and one or more authentication servers over a network. The client stores, for one or more instances of a given one of the user authentication protocols carried out for a particular user, an incorrect password history comprising identifiers of one or more passwords previously entered by the user and indicated as being incorrect passwords by at least one of the authentication servers, and determines, for an additional password entered by the user but not yet submitted by the client to the authentication servers, whether or not the additional password is part of the incorrect password history. Responsive to the additional password being part of the incorrect password history, the client generates an alert for presentation to the user to indicate that the additional password may be an incorrect password.

Abstract: Provided herein is an RFID reader system and method for determining an RFID tag distance. The RFID reader receives a first backscattered signal from an RFID tag in response to transmission of a first RF interrogation signal, and determines a first phase angle of the first backscattered signal. A radio transceiver device receives a second backscattered signal in response to transmission of a second RF interrogation signal, and determines a second phase angle of the second backscattered signal. A main control unit determines a plurality of first distances and a second distance between the RFID reader and the RFID tag based on the first phase angle and the second phase angle, and select one of the plurality of first distances with respect to the determined second distance as a final distance.

Abstract: An electronic device includes a communication interface that receives voice data and fingerprint data; and a processor that determines an access right to the electronic device based on at least one of a voice score obtained by comparing the received voice data with stored voice data and a fingerprint score obtained by comparing the received fingerprint data with stored fingerprint data.

Abstract: Embodiments provide a terminal authentication method and device. The method includes that: a Service Provider (SP) device receives a first authentication request sent by a first terminal, the first authentication request including a first identity credential of a user; the SP device determines an Identifier (ID) of the user and a priority of the first identity credential according to the first authentication request; the SP device sends context data of the user to the first terminal through a cloud service; and the SP device enables a first service for the first terminal according to the priority of the first identity credential. In the embodiments, the SP device loads the context data of the user for the terminal according to the identity credential, sent by the terminal, of the user, and provides the corresponding service.

Abstract: Techniques are disclosed for reclaiming resources within a distributed computing system. A reclamation application searches the distributed computing architecture for unused resources, classifies the unused resources, and determines an expiration period based on the classification. The reclamation application determines a candidate owner of the resource based on one or more characteristics of the resource. The reclamation application then notifies the candidate owner that the resource is to be reclaimed unless claimed by the candidate owner within the expiration period. If the candidate owner claims the resource within the expiration period, then the reclamation application terminates the reclamation of the resource. If the candidate owner does not claim the resource within the expiration period, then the reclamation application reclaims the resource after the duration of the expiration period.

Abstract: A method, apparatus, computer-readable medium, and/or system may comprise a user device configured to transmit, to a computing device, data indicative of a first routing network and data indicative of a second routing network. The computing device may comprise a processor and memory storing computer-executable instructions that, when executed by the processor, cause the computing device to receive, from the user device, the data indicative of the first routing network and the data indicative of the second routing network. The computing device may determine, based on the data indicative of the first routing network, a plurality of parameters for the first routing network. The computing device may determine, based on the data indicative of the second routing network, a plurality of parameters for the second routing network. The computing device may generate a secure session connection between the computing device and a server associated with the second routing network.

Abstract: A method implemented by a control server for configuring a security module connected to a telecommunication terminal. In particular, the control server allocates a unique activation code corresponding to a subscription including a plurality of N profiles to allocate to a fleet of N respective terminals. Thus the control server: a) after activation of the code with a first terminal, allocates a profile to the first terminal and records the profile allocation to the first terminal, and b) for a new profile allocation request corresponding to the activation code, repeats step a) if the N profiles have not already been allocated.

Abstract: The disclosed computer-implemented method for securing Universal Plug and Play connections may include (1) detecting, by a network device within a local network, an attempt by a remote device to establish a connection with a client device within the local network via a UPnP protocol, (2) identifying a forwarding rule applied by the network device on the client device based at least in part on an identity of the client device, (3) determining at least one restriction placed on UPnP connections between the client device and remote devices by the forwarding rule, and then in response to determining the restriction placed on UPnP connections between the client device and remote devices by the forwarding rule, (4) enforcing the restriction on the connection attempted by the remote device with the client device via the UPnP protocol. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Access is obtained to a plurality of intermediately transformed electronic documents (with a plurality of sections and subsections) which have been transformed, by topical analysis and text summarization techniques, from a plurality of original electronic documents comprising at least some unstructured electronic documents. Audit and retrieval agent code is appended to the sections and subsections to create a plurality of finally transformed electronic documents. Users are allowed to access the finally transformed electronic documents. The users are provided with accountability reminders contemporaneous with the access. The access of the users to the sections and subsections of the finally transformed electronic documents is logged. An audit report is provided based on the logging. Also provided is a cloud service for enterprise-level sensitive data protection with variable data granularity, using one or more one guest virtual machine images.

Abstract: A packet transmission method and an apparatus pertain to the field of network technologies. The method includes obtaining, by a terminal device, a source IP (Internet Protocol) address in a to-be-transmitted packet and N IP addresses of the terminal device, where N is an integer, and when the source IP address in the to-be-transmitted packet is different from any one of the N IP addresses of the terminal device, determining that the source IP address in the to-be-transmitted packet is forged, and prohibiting transmitting the to-be-transmitted packet. The application can solve the problem that a virus such as Trojan in the terminal device may be prevented from forging a source IP address of another device to randomly transfer an attack packet in the network to improve network security.

Abstract: A method of authenticating a mobile communication device subscriber.

Abstract: Systems and methods, as well as computing architecture for implementing the same, for decoy injection into an application. The systems and methods include splitting a standard test phase operation into two complementary phases, and add new unit tests to the process, dedicated to testing the proper coverage of the decoys and avoiding non-regression of the original code.

Abstract: Systems and methods of oracle authentication in a network using a plurality of memory physical unclonable functions (PUFs). Method starts with oracle receiving initialization vector including initial seed value from client device. Oracle generates template that includes a PUF array. Oracle computes template using a superset of combinations of PUFs included in the oracle and transmits template to client device. Oracle generates first seed value, first key, and first authentication nonce, using pseudorandom number generator and the initial seed value. When oracle has first data to be sent to the client device, oracle generates first token using PUF array and first authentication nonce. Oracle generates first message by encrypting first data and first token using first key. The oracle transmits first message to the client device. Other embodiments are also disclosed.

Abstract: In aspects of wireless connectivity information for a mobile device, a mobile device includes a connectivity module that determines that the mobile device is to wirelessly connect to a network. The connectivity module of the mobile device queries for a host device to provide wireless connectivity information, such as via a direct device-to-device query between the mobile device and the host device. The mobile device receives a query response from the host device, and the connectivity module obtains wireless connectivity information from the query response. The connectivity module utilizes the connectivity information to perform a focused scan for a network, such as a network identified in the query response. In response to detecting the network based on the focused scan, the connectivity module interacts with the network to establish a wireless connection between the mobile device and the network.

Abstract: A computer-implemented method according to one embodiment includes receiving a request to share predetermined data with a device, identifying the predetermined data as sensitive, calculating a current security level for the device, and conditionally sharing the predetermined data with the device, based on the current security level for the device.

Abstract: A speech interface device is configured to receive response data from a remote speech processing system for responding to user speech. This response data may be enhanced with information such as a remote ASR result(s) and a remote NLU result(s). The response data from the remote speech processing system may include one or more cacheable status indicators associated with the NLU result(s) and/or remote directive data, which indicate whether the remote NLU result(s) and/or the remote directive data are individually cacheable. A caching component of the speech interface device allows for caching at least some of this cacheable remote speech processing information, and using the cached information locally on the speech interface device when responding to user speech in the future. This allows for responding to user speech, even when the speech interface device is unable to communicate with a remote speech processing system over a wide area network.

Abstract: This invention discloses a novel system for securing and using payment token data in a system for processing electronic payment transactions that does not require down-time for rekeying encryption keys when the keys are rotated.

Abstract: A method, a device, and a non-transitory storage medium are described in which a connection service is provided based on a software development kit architecture for an end device that operates with an Android operating system. The connection service includes a library that, when called, sets-up a Hypertext Transfer Protocol connection between the end device and a proxy device using a function pointer and a portable operating system interface connect function. The connection service also generates and transmits a Hypertext Transfer Protocol CONNECT message, which includes a Proxy-Authorization header, to the proxy device, which triggers three-way handshaking between the proxy device and a target device, subsequent to an establishment of the connection with the proxy device.

Abstract: A computer system, method, and computer readable product are provided for managing passwords using steganography. In various embodiments, a computing system provides a password manager that a user provides a password to. The user then selects a service for which credentials will be generated or stored, and an image on the user's device that will be used to steganographically store the credentials. The computing system then generates a steganographic image that includes the credentials and stores that image with the other images on the user's device.

Abstract: A system for image classification is disclosed that includes a central system configured to provide high reliability image data processing and recognition and a plurality of endpoint systems, each configured to provide image data processing and recognition with a lower reliability than the central system and to generate probability data. A decision switch disposed at each of the plurality of endpoint systems is configured to receive the probability data and to determine whether to deny access, grant access or generate a referral message to the central system, wherein the referral message includes at least a set of image data generated at the endpoint system.

Abstract: A data management services architecture includes architectural components that run in both a storage and compute domains. The architectural components redirect storage requests from the storage domain to the compute domain, manage resources allocated from the compute domain, ensure compliance with a policy that governs resource consumption, deploy program code for data management services, dispatch service requests to deployed services, and monitor deployed services. The architectural components also include a service map to locate program code for data management services, and service instance information for monitoring deployed services and dispatching requests to deployed services. Since deployed services can be stateless or stateful, the services architecture also includes state data for the stateful services, with supporting resources that can expand or contract based on policy and/or service demand. The architectural components also include containers for the deployed services.

Abstract: Systems and methods for multifactor physical authentication are disclosed. In one embodiment, a method for accessing an entitlement at a facility using multifactor physical authentication may include (1) receiving, at a first electronic interface at a facility, an individual identifier from an individual; (2) at least one computer processor presenting a challenge to the individual; (3) the at least one computer processor receiving, at a second interface, a response to the challenge; (4) the at least one computer processor authenticating the individual based on the individual identifier and the response; (5) the at least one computer processor retrieving at least one authorized entitlement associated with the individual identifier; and (6) the at least one computer processor activating the entitlement at the facility associated with the authorized entitlement.

Abstract: A computer-implemented method includes selecting a prompt from a plurality of prompts stored in a prompt database, wherein the prompt comprises instructions to draw a mark, and wherein other prompts of the plurality of prompts comprise instructions to draw other marks different from the mark. The method also includes the steps of providing the prompt to a user as part of a logon process for an online account session, identifying behavioral characteristics of the user while the user draws the mark, comparing the behavioral characteristics to a behavioral profile previously developed based on prior behavioral characteristics of the user, and providing access to the online account session in response to determining that a variation between the behavioral characteristics and the behavioral profile is within a threshold.

Abstract: Disclosed is a system and method for visually verifying the exact item a customer will be receiving through the online grocery pick up of a retail store. The system allows for customers to order a fresh item, such as apples, and view images of the exact fresh item online before finalizing purchase for retail store pickup. The exact fresh item is scanned using three dimensional scanning. The customer views the images and approves or rejects the exact fresh item before finalizing purchase.

Abstract: In a device that is both NFC-enabled and trusted execution environment (TEE)-enabled, and has a secure element (SE), a host card emulation (HCE) based software application acts as a front-end/proxy and processes non-sensitive security functions, while a trusted application in the TEE and an applet on the SE cooperate to process security-sensitive functions. An end-to-end security relationship may be established between a subscriber identity module (SIM), the TEE and a SAM (Secure Authentication Module) provided for a second NFC-enabled device (e.g. a contactless reader) that communicates with the first device in a contactless manner. The solution integrates HCE, TEE, SE and SAM for enabling secure contactless applications, and it also supports advanced security measures.

Abstract: A system, method and program product for providing cognitive behavior security control (CBSC). A system is disclosed that includes: a repository having a plurality of challenges each including an interactive graphical task; a user interface for graphically presenting challenges to users; an enrollment system for assigning challenges to users and determining an authentic response for each user; an authentication system that collects an observed response from a user presented with an assigned challenge and determines a security control result based on a closeness of the observed response with the authentic response of the user.

Abstract: Disclosed embodiments relate to systems and methods for securely verifying encoded visual codes together with network address information. Techniques include: obtaining a first capture of a visual display, the visual display being generated on a display medium; applying a display detection technique based on the obtained first capture; determining, based on the display detection technique, whether a boundary of the display medium is identified; identifying, within the first capture, an encoded visual representation of a data element and a network address; determining whether the network address is valid; and determining whether to validate the encoded visual representation based on the determination of whether the network address is valid.

Abstract: A method for authenticating a user of a mobile electronic computing device to perform operations on a first electronic computing device includes receiving a request to access the first electronic computing device. In response to the request to access, a first identifier is sent to the mobile electronic computing device. A second identifier is received from a second electronic computing device. The second electronic computing device is different from the mobile electronic computing device. A determination is made as to whether the first identifier matches the second identifier. When the first identifier matches the second identifier, a trust score is calculated for the user. A determination is made as to whether the trust score is equal to or greater than a threshold. When the trust score is equal to or greater than the threshold, the user is authenticated to login to the first electronic computing device.

Abstract: Implementations of this disclosure provide an authentication system for handling authentication requests. An example method performed by a server includes receiving an access request that includes identification information to be used by the server for selecting a target authentication system, and determining that the access request does not have access permission. In response to determining that the access request does not have access permission, the server selects the target authentication system from at least two authentication systems, based on a predetermined authentication system selection policy and based on the identification information in the access request, and sends the access request to the selected target authentication system for authentication.

Abstract: A method and apparatus for risk scoring in a graph are disclosed. In the method and apparatus, a graph includes a first node that is connected with a node of a plurality of nodes using a communication link of a plurality of communication links. A plurality of link risk measures are then determined, whereby a link risk measure of the plurality of link risk measures pertains to the communication link of the plurality of communication links. Furthermore, a risk measure associated with the first node is determined based at least in part on the plurality of link risk measures. The risk measure is monitored to determine if one or more conditions placed on the risk measure are met and one or more actions are taken as a result of the one or more conditions being met.

Abstract: Embodiments herein achieve systems and methods for managing communication in a Mission Critical data (MCData) communication system. The proposed method and system provides file distribution and data streaming in the MCData communication system. The proposed method and system provides a functional model and mechanisms to support mission critical data services. The functional model to support file distribution and data streaming, and associated procedures including one-to-one, one-to-many, and group data communications. Further, the proposed method and system provides mechanisms for optimizing radio resource utilization and backhaul link utilization in the MCData communication system. The proposed method and system provides radio resource utilization of the PC5 interface for the MC service, when multiple group members are under a relay node.

Abstract: A dual-mode mobile device and a method for coordinating calls for the dual-mode mobile device over a first and second connection within a controlled environment is disclosed. The method includes communications between a monitoring server and the dual-mode mobile device over the first connection while the dual-mode mobile device conducts the call over the second connection. The monitoring server transmits control messages to the dual-mode mobile device to control operations of the dual-mode mobile device and establishment of the call and also monitors operations of the dual-mode mobile device as well as the communications transmitted and received by the dual-mode mobile device during the call.

Abstract: An information processing apparatus that transmits image information being displayed on a display unit to a client to causes the client to display the image information, when combining an image of a cursor with the image information being displayed on the display unit and storing a result of the combining, in a case that it is determined that the image information is information of a screen for inputting information having confidentiality, restricts viewing of the image of the cursor in the image information and transmits the image information in which the viewing of the image of the cursor is restricted to the client.

Abstract: Described herein are systems, methods, and software to enhance the management of encryption addressing across multiple virtual computing sites. In one implementation, a first edge gateway at a first computing site may obtain, via border gateway protocol (BGP), one or more internet protocol (IP) address prefixes from a second edge gateway of a second computing site. The first edge gateway may further update an access control list (ACL) at the first edge gateway based on the one or more prefixes, wherein the ACL provides permissions in IPSec communications between a plurality of virtual nodes at the first computing site and a plurality of virtual nodes at the second site. Once the ACL is updated, the first edge gateway may forward communications based on the ACL using IPSec protocol.

Abstract: Aspects of the disclosure relate to preventing unauthorized access to secure enterprise information systems using a multi-intercept system. A computing platform may monitor, in a passive operational state, first communications across a plurality of computer systems in a protected zone of a computing environment using a plurality of communication monitoring nodes deployed in the protected zone of the computing environment. Subsequently, the computing platform may generate current data movement pattern data. If the computing platform determines that the current data movement pattern data is invalid, the computing platform may switch from the passive operational state to an active operational state and may generate and send an active intercept response command. The active intercept response command may redirect one or more requests from a malicious system into a virtual tunnel configured to route second communications from the malicious system out of the protected zone of the computing environment.

Abstract: According to one embodiment, a memory system includes: a non-volatile memory including a first area configured to hold first data received from an outside and a second area configured to hold second data; a volatile memory; and a controller. The non-volatile memory holds third data that associates a first address of the first data assigned to an instruction received from an outside with a second address of the first data that specifies a part of the first area. As a startup operation, the controller reads the third data from the non-volatile memory and holds the third data as fourth data in the volatile memory. The controller erases the fourth data from the volatile memory when the second data is held in the second area.

Abstract: Instead of utilizing a centralized server or hardware(routers/gateways) to enforce connectivity policy restrictions, the policy connectivity restrictions for media session traffic are enforced by an endpoint that is involved in the media communication. Based on the policy requirements, the client enforces the policy restrictions by restricting the candidates that may be selected for the establishment of the media path. For example, the enforcement may result in the client selecting a path from available candidates that avoids congested Wide Area Network (WAN) links, avoiding a low bandwidth link, or possibly even failing the communication completely. The clients may also provide periodic updates to the policy server to allow tracking of the utilization of managed WAN links.

Abstract: Techniques are disclosed for restricting access to resources accessible in a SSO session. An access management system may provide access one or more resources by implementing an SSO system to provide a SSO session. An SSO session may provide an authenticated user with access to protected resources to which the user is entitled to access. In some instances, a user sharing a computer with other users may want to access a particular protected resource so as to restrict other users sharing the computer from accessing other protected resources accessible to the user in an SSO session. The access management system may enable the user to dynamically choose, such as during login, the protected resources which to restrict and/or permit. Upon successful authentication, a session may be established for only those protected resources that are permitted based on the user's selection, while the other resources are restricted.

Abstract: Methods and systems for malicious non-human user detection on computing devices are described. The method includes collecting, by a processing device, raw data corresponding to a user action, converting, by the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user, and comparing, by the processing device, at least one of the features against a corresponding portion of a characteristic model to differentiate the human user from the malicious code acting as if it were the human user.

Abstract: A system and method for determining authorization of individuals at a premises is disclosed. The system (e.g. security system) includes interrogator devices such as mobile computing devices that are carried through the premises by an interrogator. The interrogator devices send challenge beacons for triggering responses from target user devices carried by users. A management system then confirms whether users of the target user devices are authorized users based on the responses received by the interrogator devices. Examples of target user devices include mobile computing devices such as smart phones/tablet devices, and auxiliary devices such as smart badges and wallets. In embodiments, the interrogator can also carry an auxiliary device having an integrated camera system that captures image data of the users, where the management system additionally confirms whether the users are authorized by comparing the image data along with information in the responses to stored records of authorized users.

Abstract: A system including a host and a guest device, where the guest device can be implemented on a single packaged integrated circuit or a multichip circuit and have logic to use a physical unclonable function to produce a security key. The device can include logic on the guest to provide the PUF key to the host in a secure manner. The physical unclonable function can use entropy derived from non-volatile memory cells to produce the initial key. Logic is described to disable changes to PUF data, and thereby freeze the key after it is stored in the set.