Abstract: A method of ending a subscription performed in a network entity is disclosed. The method comprises receiving, from a device comprising an Embedded Universal Integrated Circuit Card, eUICC, a signed confirmation of a profile having been deleted in the device, the profile being associated with a subscription for the device; sending, to a Subscription Manager Data Preparation entity, a command for deletion of the profile; and deleting the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity. Method in a device, method in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.

Abstract: A system for providing network services is provided. The system includes a device configured to interface with the network to receive a container, where the container is configured to interface with an operating system of the device and a plurality of applications operating on the device. The container is further configured to interface with a network services provider of one or more network services and one or more third party service providers.

Abstract: Methods and apparatuses are described for automatic validation of a hybrid digital document. A server computing device downloads a hybrid digital document from a remote computing device, the hybrid digital document comprising an image content file and a hypertext content file. The server computing device determines content validation rules based upon one or more attributes associated with the hybrid digital document. The server computing device converts the image content file to a text content file. The server computing device validates one or more data elements in the text content file using the content validation rules. The server computing device validates one or more data elements in the hypertext content file using the content validation rules. The server computing device transmits a notification to the remote computing device indicating an outcome of the data elements validation.

Abstract: The present invention comprises a computer-implemented zero-trust authentication method that utilizes the Bitcoin Lightning Network, which is the sole protocol offering immediate, immutable, and cost-free Bitcoin settlement. A user requests access to the resource of a service provider and the user provides authentication material necessary to securely access the service provider. The service provider initiates a Hold Invoice via a cryptographic function to generate a pre-image hash, instructing the user to authorize release of Bitcoin in an amount stipulated by the Hold Invoice. Bitcoin is held in the Hold Invoice until an authentication attempt is either successful or unsuccessful. If successful, the user is issued an access token to login into the resource, the Hold Invoice is canceled and Bitcoin is released to the user. If unsuccessful, the pre-image is revealed, the user is denied access, and Bitcoin is transferred to the service provider as a settled payment transaction.

Abstract: An overlay to existing infrastructure that establishes trusted paths in a communication network to fulfill a fundamental need to identify and protect a trusted plane of devices and/or applications on a need specific basis is described. Establishing trusted paths operationally fulfills a fundamental need to identify and protect a trusted plane of devices and/or applications on a need specific basis as an overlay to the existing relatively unsecured network.

Abstract: Described implementations obtain credential information including an encrypted digital identity (ID). The encrypted digital ID may include a public component of a credential and identity data. Furthermore, the credential information may include cryptographically obfuscated data based on the identity data and a private component of the credential. A proof is obtained that includes proof data. The proof data may confirm that the credential information was correctly generated. Verification of the proof data, and confirmation that the cryptographically obfuscated data is not associated in a collection of cryptographically obfuscated data, cause a computer-implemented service to issue a pseudonym. The pseudonym is usable to generate a relationship associated with a computer-implemented service.

Abstract: Provided is a process including: obtaining criteria to select plain-text values in a lower-trust database; selecting, based on the criteria, a first plain-text value; in response, determining a first reference value; storing the first plain-text value in a higher-trust database in a second entry identified by the first reference value; storing the first reference value in the first entry of the lower-trust database; selecting another instance of the first plain-text value stored requested to be stored in a third entry in the lower-trust database; and in response, storing the first reference value in the third entry.

Abstract: Provided are an information processing apparatus, an information processing method, and an electronic device capable of appropriately perform update of a license provided by an information processing apparatus and used in an electronic device. The electronic device includes a key generation unit that generates a device unique key that is a key unique to every device, and a license management unit that updates a license in a case where an extension code generated by a predetermined method on the basis of the device unique key, first data different for every installation of the license provided by an information processing apparatus, and second data different depending on the number of times of update of the license coincides with an input extension code.

Abstract: A management apparatus that manages a plurality of image forming apparatuses, the management apparatus includes: a storage that stores histories of user operations on the image forming apparatuses for the plurality of image forming apparatuses, respectively; and a hardware processor that determines an image forming apparatus recommended to be operated from among the plurality of image forming apparatuses based on the histories of the user operations of the image forming apparatuses and outputs a notification indicating the determined recommended image forming apparatus.

Abstract: Techniques and systems for optimizing and cleaning rules for network-based authentication transactions are provided herein. A network-based authentication system may determine a plurality of rules that were previously used to evaluate a plurality of transactions. The network-based authentication system may also generate a false positive rate for one or more of the plurality of rules, A cleaning coefficient for a first rule of the plurality of rules may be generated by the network-based authentication system. Based on the cleaning coefficient and the false positive rate, the network-based authentication system may identify one or more rules from the plurality of rules to eliminate from the plurality of rules. The network-based authentication system may eliminate the one or more rules to generate a modified set of rules. Using the modified set of rules, the network-based authentication system may authenticate a network transaction.

Abstract: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.

Abstract: A method including pre-authenticating, by an infrastructure device, a user device for obtaining communication services from a server, the pre-authenticating including determining a given duration of time and a communication parameter associated with a pre-authentication request received from the user device; and operating, by the infrastructure device, a port associated with the server in an activated mode for the given duration of time to enable the user device to transmit an authentication request indicating the communication parameter prior to an expiration of the given duration of time. Various other aspects are contemplated.

Abstract: The disclosure provides for analyzing upgrade and migration readiness. Embodiments include receiving an indication to upgrade a software product and a selected upgrade path identifying a target-upgrade version. Embodiments include accessing an array of pre-upgrade procedures comprising code for identifying one or more conditions that must be met before the software product can be upgraded based on the accessed array being associated with the software product. Embodiments include executing one or more of the pre-upgrade procedures in advance of upgrading the software product. Embodiments include accessing one or more autonomous remediation scripts from the repository based on identification of one or more failed pre-upgrade procedures. Embodiments include executing the one or more autonomous remediation scripts to cure the one or more failed pre-upgrade procedures and initiating an upgrade of the software product based on identifying that the array of pre-upgrade procedures successfully completed execution.

Abstract: A computing device includes an interface configured to interface and communicate with a dispersed storage network (DSN), a memory that stores operational instructions, and a processing module operably coupled to the interface and memory such that the processing module, when operable within the computing device based on the operational instructions, is configured to perform various operations. The computing device is operable to receive a memory access request for a data object stored within the DSN, determine a realm for the memory access request, determine an authorization service for the realm and generate an authorization request for the memory access request. The computing device is further operable to transmit the authorization request to an authorization service, receive an authorization request response from the authorization service, determine whether the memory access request is authorized and process the memory access request.

Abstract: A method for managing a virtual electronic card is applicable to a secure chip installed in a first terminal, and the method includes: receiving a management request from a trusted mobile application on the first terminal, the management request being used to manage a target virtual electronic card on the secure chip, and permissions of the virtual electronic card being configured by a chip operating system of the secure chip; determining, from the secure chip, a target card management program corresponding to the target virtual electronic card, the different virtual electronic cards corresponding to the different card management programs; sending the management request to the target card management program; and calling, through the target card management program, a card management command corresponding to the management request in a card management system on the secure chip, to manage the target virtual electronic card.

Abstract: An approach for monitoring a data transmission system that uses a data transmission means such as a vehicle bus or a vehicle network of a motor vehicle. This system includes a monitoring device that transmits a request message to a transmitting device and to a receiving device. The transmitting device generates a particular transmitter response on the basis of the request message, where the transmitter response is transmitted to the monitoring device. The receiving device generates a particular receiver response on the basis of the request message, where the receiver response is transmitted to the monitoring device. The monitoring device receives the transmitter response and the receiver response and checks compliance with a trigger condition which depends on the transmitter response and the receiver response, the compliance of which indicates an event relevant to monitoring.

Abstract: A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize the data identifying malicious behavior, the user identity data, and the endpoint device data to generate, based on an identity of the user, a security policy to isolate the malicious behavior. The device may cause the security policy to be provided to the network devices and the other endpoint devices based on the network device data and the endpoint device data.

Abstract: A method (30) and system (10) for controlling wireless local area network (WLAN) user quality in a multi-access point environment is provided. In order to ensure good quality of service/user experience in a multi-access point Wi-Fi™ setup in which a user roams with a station (14), the access points (11, 12) continuously or at intervals assess the wireless environment's quality and report to a control entity (13). The control entity (13) determines, from the assessment data, alternative target access points (11, 12) that could be used in case the link quality of a current connection between an access point (11) and the station (14) falls below a pre-defined value. The control entity (13) then instructs the access point (11) to actively disconnect the station (14) and selects a new target access point (12) to accept the stations (14) connection request.

Abstract: Access to a first instant messaging service using an online identity that is associated with a second instant messaging service is enabled. A profile is accessed. The profile indicates that another instant messaging service is to be provided with presence information regarding the use of the online identity to access the first instant messaging service. The other instant messaging service is provided with the presence information regarding the use of the online identity to access the first instant messaging service.

Abstract: A system and method for remotely generating an original signature provided by a signatory as a user of a first mobile device are disclosed. According to one embodiment, the system comprises a cloud server having a signature transmission API, and a video stream module configured to facilitate a live video stream. The system further includes a pen plotter having a plotter controller communicatively coupled to the cloud server by the signature transmission API. The pen plotter has a mechanical arm configured to receive an ink pen, and a video capture device communicatively coupled to the video stream module of the cloud server and configured to capture video of the pen plotter and transmit to the video stream module.

Abstract: Examples of renewal of security certificates of supplicant devices are described. In an example, a request to authenticate a supplicant device based on a security certificate is received by an authenticator device and from a supplicant device. The request comprises information relating to the security certificate which is expired. A login history of the supplicant device and presence of a valid account associated with the supplicant device in a directory database is determined. An authentication successful message is sent to the supplicant device based on the login history and presence of the valid account in the directory database. The supplicant device is redirected to a captive web portal for authentication of the supplicant device based on the login credential. In response to a successful authentication of the supplicant device in the captive web portal, a renewed security certificate for the supplicant device is provided.

Abstract: Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.

Abstract: The present specification describes computer-implemented methods and systems for secure storage and transmission of data in a distributed network environment. In embodiments, each piece of data is transformed in to multiple pieces of metadata. Each piece of metadata is transmitted and stored on a different server, which is selected from separate pools of servers.

Abstract: Systems and method are provided for a temporary network slice usage barring service within a core network. A network device in the core network receives a slice barring information message for an application function (AF). The slice barring information message includes a unique subscriber identifier associated with a user equipment (UE) device to be barred from a network slice and indicates a barring expiration time. The network device stores barring parameters based on the slice barring information message. The barring parameters include a slice identifier associated with the AF, the unique subscriber identifier, and the barring expiration time. The network device sends a barring instruction message to another network device associated with the network slice. The barring instruction message includes the unique subscriber identifier and the barring expiration time. The other network device enforces temporary barring of the UE device from the network slice based on the barring instruction message.

Abstract: A method of authenticating a device subscribed to a first wireless communication network on a second wireless communication network, the method including: deriving at a node within the first wireless communication network a set of one or more network keys for the second wireless communication network from one or more network keys of the first wireless communication network that uniquely identify the device within the first wireless communication network; communicating the derived set of one or more network keys to the device; storing a first copy of the derived set of one or more network keys within an identification module at the device and a second copy of the derived set of one or more network keys within a secure area of the device; and authenticating the device on the second wireless communication network using the second copy of the derived set of one or more network keys stored in the secure area of the device.

Abstract: The present disclosure relates to systems and methods for live streaming. The system may receive a play request associated with a live stream from a terminal device. The system may determine whether there are one or more cached fragments associated with the live stream, wherein the one or more cached fragments are cached from a stream source via a first protocol. In response to determining that there are one or more cached fragments associated with the live stream, the system may determine whether the play request is a request that the terminal device requests the live stream for the first time. In response to determining that the play request is the request that the terminal device requests the live stream for the first time, after a caching of a current fragment is completed, the system may transmit an index file corresponding to the current fragment and at least one of the one or more cached fragments to the terminal device via a second protocol.

Abstract: A method in a conferencing system terminal device includes detecting, with one or more processors during a videoconference, a communication device electronically in communication with both a content presentation companion device having a display and one or more remote electronic devices engaged in the videoconference. User input requesting for content to be shared from the conferencing system terminal device with the one or more remote electronic devices engaged in the videoconference is received. Prior to causing the communication device to share the content with the one or more remote electronic devices during the videoconference the one or more processors present, on the display of the content presentation companion device, a content verification presentation and receive a content share confirmation in response to the content verification presentation.

Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.

Abstract: The technology disclosed relates to a steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a system. The system comprises an in-network intermediary. The in-network intermediary is configured to receive outbound network traffic from a plurality of special-purpose devices on a network segment of a network. The outbound network traffic is directed at one or more out-of-network servers. The in-network intermediary is further configured to determine, from the outbound network traffic, metadata required for policy enforcement. The in-network intermediary is further configured to append the metadata to the outbound network traffic, and send the outbound network traffic appended with the metadata to a policy enforcement point for policy enforcement.

Abstract: This disclosure describes techniques for providing multiple namespace support to application(s) in containers under Kubernetes without breaking containment boundaries or escalating privileges of the application(s). A namespace service executing on a physical server may communicate with contained processes executing on the physical server by utilizing a Unix Domain Socket (UDS) endpoint in the filesystem of each of the containers. the namespace service may execute on the physical server with escalated privileges, allowing the namespace service to create a socket in a namespace and provide access and rights to utilize the socket to process(es) in a separate namespace.

Abstract: A computer program product configured to execute a method for exchanging electronic data. The method includes receiving, using an API, a request to transmit data from a source trading partner to a destination trading partner; querying a name server, using a domain name system protocol, the name server comprising a subdomain of the destination trading partner to send the data to, wherein the subdomain is mapped to a destination access point, wherein a name of the subdomain conforms to a common format, wherein an address of the subdomain conforms to another common format; determining the address of the subdomain based on the querying of the name server; addressing the data, using another API, to be sent to the address of the subdomain; and transmitting the data, using the another API, to the destination access point by virtue of the subdomain's mapping to the destination access point.

Abstract: An intelligent trust enabler system for a 5G IoT (fifth-generation Internet of Things) environment includes: an IoT trust enabler mounted on an edge and gateway on a fifth-generation (5G) IoT infrastructure, for providing trust information based on data collected from IoT devices and performing operation and management of connected IoT resources; and an IoT trust agent for providing a legacy environment for the IoT trust enabler.

Abstract: An intelligent wireless broadband network and content delivery management within a network includes at least one datacenter, at least one network tower and a plurality of smart nodes may be provided. Each of the plurality of smart nodes may be deployed as a micro point of presence (micro POP) at the at least one datacenter the at least one tower and at each of a plurality of hub-homes within the network. An artificial intelligence (AI) capable compute unit may be configured to provide customization of the plurality of smart nodes based on usage pattern of the plurality of homes at a neighborhood level, and thereby facilitating a dynamic edge network distribution solution for better Internet experience to the end-users.

Abstract: Networked devices in a communications network share a common firmware key. Using the common firmware key, one networked device can encrypt configuration data it uses to operate in the network for distribution to other networked devices of the same or similar type. The networked devices that receive the encrypted configuration data then use the common firmware key to decrypt the encrypted configuration data, and using the decrypted configuration data, self-configure to operate on the network. This allows for the secure distribution of configuration data, as well as the self-configuration of networked devices without exposing the sensitive data needed for such configuration to a human.

Abstract: A method and an apparatus for controlling user equipment (UE) context between a plurality of nodes are provided. The method includes transmitting, to a second node, a first message to request a user equipment (UE) context update, receiving, from the second node, a second message indicative of a completion of the UE context update or a third message indicative of a failure of the UE context update in response to the transmission of the first message, and determining whether to retransmit the first message to the second node based on the reception of the second message or the third message. The procedure of the UE context update may be initiated by the transmission of a message to request an operation of the UE context update to be performed between a UE and a third node from the second node to the third node.

Abstract: A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. The SNCS provides secure private bi-directional network connectivity between external resources residing in a customer's external site representation and resources and services residing in the customer's VCN in the cloud without a user (e.g., an administrator) of the enterprise having to explicitly configure the external resources, advertise routes or set up site-to-site network connectivity.

Abstract: Technologies are shown for function level permissions control for smart contract execution to implement permissions policy on a blockchain. Permissions control rules control function calls at a system level utilizing function boundary detection instrumentation in a kernel that executes smart contracts. The detection instrumentation generates a call stack that represents a chain of function calls in the kernel for a smart contract. The permissions control rules are applied to the call stack to implement permissions control policy. Permissions control rules can use dynamic state data in the function call chain. If the dynamic state data observed in function call chains does not meet the requirements defined in the permissions control rules, then the function call can be blocked from executing or completing execution. The permissions control rules can be generated for a variety of different entities, such as a domain, user or resource.

Abstract: A method including transmitting, by a user device to an infrastructure device, a first pre-authentication request associated with requesting communication services from a server, the first pre-authentication request indicating a communication parameter associated with the user device; determining, by the user device while obtaining the communication services from the server, a change in the communication parameter such that the user device is associated with a new communication parameter; and transmitting, by the user device to the infrastructure device, a second pre-authentication request associated with obtaining the communication services from the server, the second pre-authentication request indicating the new communication parameter. Various other aspects are contemplated.

Abstract: A method for managing a virtual electronic card is applicable to a secure chip installed in a first terminal, and the method includes: receiving a management request from a trusted mobile application on the first terminal, the management request being used to manage a target virtual electronic card on the secure chip, and permissions of the virtual electronic card being configured by a chip operating system of the secure chip; determining, from the secure chip, a target card management program corresponding to the target virtual electronic card, the different virtual electronic cards corresponding to the different card management programs; sending the management request to the target card management program; and calling, through the target card management program, a card management command corresponding to the management request in a card management system on the secure chip, to manage the target virtual electronic card.

Abstract: Computer systems and methods are disclosed to implement a role manager that automatically analyzes code accessing various resources to generate a role with the necessary resource permissions to execute the code. In embodiments, the role manager may be implemented as part of a workflow orchestration or resource provisioning system that employs code requiring access to different types of resources. In embodiments, the role manager may analyze a code segment to identify the different resources accessed by the code segment and the permissions needed for each access, and generate a role that has the needed permissions. In embodiments, the role manager may automatically manage these roles based on changes to associated code segments. Advantageously, the disclosed role manager removes the need to manually create roles need by code segments ahead of time, and creates roles with minimal privileges required for the code, thereby simplifying achievement of system security.

Abstract: A first server computing device, including a processor configured to receive, from a first application instance, a first access request for a file. The first access request may include a first modification privilege request and a modification privilege sharing request. The processor may determine that the file is not locked for editing and grant the first application instance access to the file with modification privileges indicated by the first modification privilege request and without modification privilege sharing permissions indicated by the modification privilege sharing request. The processor may set the file to be locked for editing. The processor may receive, from a second application instance, a second access request including a second modification privilege request. The processor may determine that the file is locked for editing and deny the second application instance access to the file.

Abstract: A wireless local area network (WLAN) access method includes sending, by a terminal, a request for querying an available wireless access point to a server. The method further includes sending, by the server according to the query request, obtained information about the available wireless access point. The method further includes receiving, by the terminal, wireless access point information returned by the server, and determining a specific wireless access point from the received wireless access point information. The method further includes sending, by the terminal, an authentication information request of the specific wireless access point to the server. The method further includes when receiving the request, sending, by the server, authentication information corresponding to the specific wireless access point to the terminal, where the authentication information is used to connect the terminal to the specific wireless access point.

Abstract: A user equipment device (UE) establishes a communication session with a wireless network, and receives, from the wireless network, a message that includes scheduling data that schedules a power-saving mode (PSM) at the UE. The UE interrupts, at a first time based on the scheduling data, a supply of power to a modem of the UE. The UE provides, based on the scheduling data at a second time that is subsequent to the first time, power to the modem.

Abstract: An information processing apparatus according to an embodiment includes a list storage unit and processor. The list storage unit stores therein allow lists for module processing types, and each allow list describes an execution-permitted system operation. The processor functions as an operation detecting unit, a process specifying unit, a log specifying unit, a type specifying unit, and an output unit. The operation detecting unit detects execution of any of system operations. The process specifying unit specifies a target process that has executed execution-detected system operation. The log specifying unit specifies a target operation log. The type specifying unit specifies a type of target module processing that executed execution-detected system operation by analyzing the target operation log. The output unit outputs anomaly information when the allow list for the target module processing type does not include the execution-detected system operation.

Abstract: A system for managing communication between building management system (BMS) devices includes a memory and a controller. The memory includes instructions stored thereon. The controller is configured to execute the instructions to implement an agent manager, a zone manager, and a channel manager. The agent manager is configured to generate an agent for each of the BMS devices. The zone manager is configured to define at least one zone relating to a physical location zone or a building control zone. The channel manager is configured to generate a communication channel associated with the at least one zone. The channel manager is further configured to manage registration of an agent to the communication channel, wherein an agent is configured to communicate over a communication channel in response to being registered to the communication channel.

Abstract: Systems and methods for managing data security are described. In an embodiment, the method comprises receiving a data access request from a first application that runs in a first operating environment of a mobile device, wherein the authentication request contains credentials of the first application, communicating with a second application that runs in a second operating environment in parallel to the first environment of the mobile device, wherein the second application is a trusted application that runs in a secure environment, and wherein the communicating includes transferring the credentials of the first application to the second application, and receiving data from the trusted application responsive to the data access request, based on the credentials of the first application.

Abstract: Disclosed are various embodiments for decentralizing the authentication or verification of data. An identity key can be generated for a data item. A request can then be sent to an authentication provider for authentication of the data item, the request comprising the identity key and the data item. A verified claim for the data item can then be received in response. Subsequently, an identity document is generated, the identity document comprising the identity key for the data item and the verified claim. Finally, the identity document can be stored in a distributed ledger.

Abstract: A private communication set-up service enables scalable private connectivity between producers and consumers residing within a public cloud environment. A producer exposes metadata information about a new or updated resource within the public cloud environment using a tag. The system monitors the public cloud environment for tagged metadata about new resources and configures a producer-side service to a private link. Subsequently, the system exposes metadata information about the private link. The system monitors for tagged metadata about private links and configures the consumer-side private link endpoint to the private link. The producer and the consumer communicate using the configured private link.

Abstract: A domain proxy receives a request from a base station for allocation of a first portion of a frequency band to support cellular communication in a geographic area that is indicated in the request. The frequency band is available for exclusive allocation to an incumbent device. The base station is required to vacate the first portion of the frequency band in response to the incumbent device arriving in the geographic area and being allocated a second portion of the frequency band that overlaps with the first portion. The domain proxy accesses a policy for the base station from a database and, based on the policy, selectively provides the request to a spectrum access server (SAS) that is responsible for allocating portions of the frequency band.

Abstract: An embodiment includes identifying which of a plurality of participants of a web conference is an identified participant associated with a selected cluster of a plurality of clusters of audio feed data of an audio feed of the web conference based on a self-introduction in the selected cluster. The embodiment also generates a first preliminary leadership score for the identified participant based on a speaking duration value associated with the identified participant and generates a second preliminary leadership score for the identified participant using a selected video segment as an input for a machine learning classifier model. The embodiment calculates a final leadership score for the identified participant based on the first and second preliminary leadership scores. The final leadership score is representative of a likelihood that the identified participant is a supervisor, and is indicative of the identified participant being a supervisor if it exceeds a designated threshold value.