Abstract: A user of a mobile device selects data to be shared with other users and engages a lock button installed on the mobile device. As a result of engaging the lock button installed on the mobile device, one or more regions of a display unit installed on the mobile device may be disabled such that the other users cannot access other applications and data stored on the mobile device. If a user attempts to interact with the mobile device after the lock button has been engaged, the user is presented with a PIN input box. Accordingly, a user may input a PIN into the PIN input box that, if correct, causes the one or more regions of the display unit installed on the mobile device to be restored.

Abstract: This disclosure describes an approach to detect replay attacks while having multiple cores in a multi-core processor manage an established tunneling session. The tunneling session includes a number of flows. One of the cores is assigned to manage one of the flows, and another core is assigned to manage another of the flows. A replay attack over the tunneling session is inhibited by maintaining a flow-based sequence context at each of the flows, and the flow-based sequence context is maintained by the core that is managing the respective flow.

Abstract: Systems and methods for maintaining zero client sessions between different servers and a zero client device are presented herein.

Abstract: An information processing system includes a service utilizing device and at least one information processing device to provide a service for the service utilizing device. A temporary code issuing unit to issue a temporary code is provided in the information processing device. A device authentication token generation unit is provided in the service utilizing device and generates a device authentication token by using the temporary code obtained from the information processing device. A device authentication ticket issuing unit is provided in the information processing device and verifies whether the device authentication token obtained from the service utilizing device is valid by using the temporary code and issues a device authentication ticket depending on a verification result. An access unit is provided in the service utilizing device and accesses a resource in the information processing device by using the device authentication ticket obtained from the information processing device.

Abstract: Aspects of the subject disclosure may include, for example, receiving an image, delivery instructions, and metadata associated with the image from a first device associated with a first user. The delivery instructions indicate to deliver the image to a second device associated with a second user, and the delivery instructions comprise security features and the metadata comprises a plurality of security preferences for delivery. Further, the plurality of security features and the plurality of security preferences are implemented on the image. In response to determination of a security risk due to the implemented security features or security preferences, the image is not delivered to the second device and a message is delivered to the first device indicating that the image was not delivered. Other embodiments are disclosed.

Abstract: Systems, apparatus, methods, and computer program products are provided for determining a user's authentication requirements/credentials for a specific network access session based on the current location of the user in comparison to predetermined boundaries of location that have altered authentication requirements, in the form of, increased or decreased authentication requirements/credentials that differ from the standard authentication requirements.

Abstract: Systems and methods for DNS resolution based on user identities are provided herein. In the DNS name resolution process, a DNS resolver can construct and send DNS queries to different DNS name servers depending on the identities of the users requesting the name resolution. One embodiment may be a DNS forwarder configured in a home router, where DNS requests from a certain user group (e.g., kids) may be forwarded to OpenDNS Family Shield, while DNS requests from another user group (e.g., parents) may be forwarded to the ISP's default DNS servers or Google Public DNS. In another embodiment, the DNS resolver may be integrated within an authenticating proxy server, wherein the DNS resolver may use different DNS name servers to perform DNS name resolution for different users authenticated by the proxy server.

Abstract: A mobile network-based tenant network service implementation method and system and network elements are disclosed. The method includes: an MME of a mobile network performing identity authentication of a tenant network to which UE belongs on the UE; after the UE passes the identity authentication of tenant network, the MME selecting a local exchange node for the UE; the MME transmitting a creation/update message of a local exchange forwarding table to the local exchange node; the local exchange node creating or updating the local exchange forwarding table and generating a forwarding table entry of UE, wherein the forwarding table entry comprises identification information of UE; after UE bearers establishment are completed, the local exchange node writing UE bearer information into the forwarding table entry of UE; and the local exchange node implementing message forwarding of the tenant network according to the local forwarding table, thereby implementing a tenant network service.

Abstract: There is provided a method for authenticating an attempt at establishment of a network connection by allowed code, comprising: providing a dataset having previously observed stack trace templates each representing a stack trace pattern prevailing in stack traces recorded by monitoring stacks of clients executing an allowed code during a connection establishment process for establishing network connections related to the allowed code; receiving a new stack trace recorded during a new connection establishment process for a new network connection by a new client; measuring a similarity between the new stack trace and the plurality of stack trace templates to identify a match to a stack trace template; evaluating the matched stack trace template for a predefined rule requirement; and updating a rule-set database with the matched stack trace template to authenticate new network connection establishments associated with stack templates matching the matched stack trace template.

Abstract: In an example embodiment, invisible two factor authentication is performed by receiving, at a first machine, a registration request from a second machine, with the registration request encrypted using a common hash key. Then, in response to the receiving of the registration request, a server key is generated that is unique to the first machine and to the second machine. The registration request is responded to with the server key encrypted using the common hash key. Encrypted data is then received from the client machine, and this encrypted data is decrypted using the server key. In another example embodiment, in response to a determination that a data source has changed, incremental dynamic data processing is performed by identifying dynamic data relevant to records in the data source marked for distribution and, based on the existence of a state for each piece of dynamic data, marking the dynamic data for distribution.

Abstract: Systems and methods are described herein for blocking sections of media using censoring techniques adaptive to context of the user environment. For example, by first determining features of the user environment such as location, time of day, attention level of the user, number of users, the type of media system being used, or the layout of a user environment, different methods of censorship and blocking may be implemented. A group of friends watching television with rapt attention may be shown a highlight reel; a single user not paying attention to a movie may be shown a synopsis of the plot; or a child watching a cartoon on a smart-phone may be presented with a social media update to seamlessly distract their attention. Thus unwanted content is blocked in an intelligent fashion, and overall user experience is enhanced.

Abstract: Embodiments of the present invention address deficiencies of the art in respect to secure communications for multiple hosts in an address translation environment and provide a method, system and computer program product for IPsec SA management for multiple clients sharing a single network address. In one embodiment, a computer implemented method for IPsec SA management for multiple hosts sharing a single network address can include receiving a packet for IPsec processing for a specified client among the multiple clients sharing the single network address. A dynamic SA can be located among multiple dynamic SAs for the specified client using client identifying information exclusive of a 5-tuple produced for the dynamic SA. Finally, IPsec processing can be performed for the packet.

Abstract: Disclosed is a system comprising: an authentication datastore; a device presence engine; a traffic monitor engine; an authentication presence monitor engine; an authentication server selection engine; and a traffic routing engine. In operation: the device presence engine is configured to detect presence of a user device on a trusted network; the traffic monitor engine is configured to monitor, in response to the detection, traffic on the trusted network from the device; the authentication presence monitor engine is configured to evaluate onboarding characteristics of the user device in response to the monitoring; the authentication server selection engine is configured to select one of a plurality of authentication servers to authenticate the user device to the trusted network, the selecting based on the onboarding characteristics; and the traffic routing engine is configured to route traffic from the user device to the selected authentication server.

Abstract: A search engine system with privacy protection, including a data indexer configured to create an index of data, a search engine configured to search the index of the data in response to a query, and create a search result set including excerpts from the data, and a privacy protector configured to identify at least one data entity within at least one excerpt of the search result set that meets at least one predefined entity extraction criterion, redact the search result set by removing the data entity from the excerpt, and present the redacted search result set on a computer output device.

Abstract: A mobile computing device for transmitting token data to a key card reading device having an activation mechanism is provided. The computing device is programmed to receive token data representing access data of a key card, generate a transmission signal representing the access data of the key card based on the token data in response to receiving the token data, and output the transmission signal to the key card reading device. The access data causes the key card reading device to activate the activation mechanism. The transmission signal causes the key card reading device to activate the activation mechanism when the mobile computing device is placed near the key card reading device and the transmission signal is authenticated by the key card reading device.

Abstract: In accordance with an embodiment, described herein is a system and method for integrating a transactional middleware platform with a centralized audit framework for a SOA middleware platform. An audit provider in the centralized audit framework can be provided as a plug-in module to the transactional middleware platform, and registered as an internal audit service therein. The internal audit service can be advertised on an audit server, and can process audit requests from within the transactional middleware platform. One or more configuration files can be provided to the audit provider, for use in generating audit data for audit events occurring in one or more components in the transactional middleware platform. The audit provider itself can be configured to represent an audit aware component within the centralized audit framework, thereby utilizing a plurality of functionalities available in the centralized audit framework, including saving the audit data in a central data store.

Abstract: An image processing apparatus and method includes inputting user information, setting folder information about a specified user based on the user information as a destination of image data, registering the set folder information, and performing control so as not to register folder information corresponding to a transmission protocol set to be disable from among a plurality of transmission protocols.

Abstract: A smart home accessing a main server providing a service, by using a local network is provided. The smart home includes: at least one first electronic device accessing an access point connected to the main server and having preset AP information and preset authentication information; and at least one second electronic device connected to the access point and the at least one first electronic device to perform wireless communication and having AP information matching the preset AP information, wherein the at least one first electronic device transmits the access point information and the preset authentication information to the at least one second electronic device, when the at least one second electronic device having the AP information matching the preset AP information is found.

Abstract: Methods and systems are provided for fine tuning access control by remote, endpoint systems to host systems. Multiple conditions/states of one or both of the endpoint and host systems are monitored, collected and fed to an analysis engine. Using one or more of many different flexible, adaptable models and algorithms, an analysis engine analyzes the status of the conditions and makes decisions in accordance with pre-established policies and rules regarding the security of the endpoint and host system. Based upon the conditions, the policies, and the analytical results, actions are initiated regarding security and access matters. In one described embodiment of the invention, the monitored conditions include software vulnerabilities.

Abstract: Techniques are disclosed for discovery of Wi-Fi serial bus and Wi-Fi docking services. Such networks include (but are not limited to) IEEE 802.11 networks.

Abstract: A network node enables a wireless device to communicate with a local service device, such as a printer or a projector, of a Local Area Network (LAN) or Wireless Local Area Network (WLAN). The network node is connected both to a communication network and to the LAN or WLAN. The method includes identifying a multicast Domain Name System (mDNS) request, where the mDNS request is received from the wireless device, and assigning a LinkLocal (LL)-address for the wireless device. The method retrieves a local IP-address of an Authentication and Authorization Service (AA-S) having authorization information regarding a local service device, and authenticates, with the AA-S which type of services, that the wireless device is authorized to use. A local IP-address of the local service device is retrieved, and service data is conveyed between the wireless device and the local service device, by applying the LL-address of the local service device.

Abstract: An information processing apparatus includes first and second wireless communication interfaces and circuitry. The first wireless communication interface performs wireless communication with a wireless-communication mediation device according to a first wireless communication method. The second wireless communication interface performs, using communication information, wireless communication according to a second wireless communication method.

Abstract: A communication apparatus identifies an access point with which the communication apparatus can perform wireless communication and transmits information indicating the identified access point to a communication partner apparatus by way of the wireless communication. In response to this, an access point designated by the communication partner apparatus is registered as a relay access point.

Abstract: A method for detecting an attack in a computer network having a plurality of computers includes: receiving a plurality of warning messages from the computers, the warning messages being based on different types of anomalies in the computer network; comparing a number of warning messages from the plurality of received warning messages with a predetermined event threshold, the number of warning messages being based on a single type of anomaly in the computer network; and outputting an alarm signal if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.

Abstract: A method for providing a transparent asynchronous network flow exchange is provided. The method may include receiving a query request from a requester, whereby the received query request is associated with a network packet. The method may also include determining if the network packet contains a plurality of defined signatures. The method may further include in response to determining that the network packet contains a plurality of defined signatures, authenticating a plurality of information associated with the network packet. The method may additionally include determining a plurality of flow related security information associated with the network packet based on the authentication of the plurality of information. The method may include sending the determined plurality of flow related security information to the requester.

Abstract: A log information generation apparatus includes: a process information generation unit which generates first identification information for temporally and spatially uniquely identifying a process that is an execution subject of an application program at a start of a process behavior constituted by a series of events of the process, in a space of a system including a plurality of computers, and which generates process information including the first identification information; an event information generation unit which generates event type information indicating an event type for each of the events and which generates event information including the event type information; and a log information generation unit which generates, for each of the events, log information including the process information generated by the process information generation unit and the event information generated by the event information generation unit.

Abstract: A system and method for providing access credentials for a wireless network is provided. The system and method comprises sending a request for access credentials for a wireless network never previously accessed from a requesting client device to a connection helper service hosted by a server. The connection helper service determines a subset of user accounts that have the access credentials for the wireless network stored in an associated remote database. The connection helper service then searches social media to determine whether any of the subset of user accounts are connected with a user account associated with the requesting client device. If there is a connection, then the connection helper service facilitates requesting permission to acquire the access credentials from a remote database associated with a user account for the connection with the access credentials. In this manner, access to the wireless network is provided without manually entering access credentials.

Abstract: A method for managing network access is provided. The method includes determining whether there is a network connection request from at least one application, checking at least one attribute information item of the application, determining an access point name (APN) corresponding to the application based on the at least one attribute information item, and transmitting and receiving data of the application to/from a network using the determined APN.

Abstract: Embodiments of the invention provide methods, devices and computer programs arranged to control provisioning of device-to-device (D2D) communication services in a communication network. One embodiment includes an apparatus including a processing system arranged to cause the apparatus to: assign a credential of a first type to a first D2D device; store an association between a validity condition and the credential of the first type, wherein the validity condition is dependent on a characteristic of a D2D communication service; transmit data indicative of the credential of the first type for reception by the first D2D device, said credential being for use in verification of said D2D communication service to be provided by the first D2D device to a second, different, D2D device; and maintain an operative state for the D2D communication in dependence on said association.

Abstract: A wireless LAN connection method using signal strength is provided. The wireless LAN connection method is carried out by an access point, and includes the steps of: measuring wireless signal strength of a signal which is received from a terminal having transmitted a connection request; determining whether the wireless signal strength is equal to or greater than a predetermined threshold; checking whether the terminal is registered in an available list which is information on terminals having had signal strength equal to or greater than the predetermined threshold when the wireless signal strength is less than the predetermined threshold; and permitting connection of the terminal to a wireless LAN only when the terminal is registered in the available list.

Abstract: Embodiments include method, systems and computer program products for onboarding a new employee to an organization. Aspects include receiving, by a processor, employee data comprising an employee group associated with the new employee of the organization. Identifying other employees that belong to the employee group and obtaining a set of permissions associated with each of the other employees. Determining a set of group permissions based on a combination of the set of permissions of each of the other employees. Aspects also include calculating an access score for each of the set of group permissions, and determining a set of suggested access permissions for the new employee based on the set of group permissions and the access score.

Abstract: The claimed subject matter provides a system and/or method that facilitates employing safety within an industrial environment. An enhancing component can implement at least one of a security level, authentication, authorization, or an access right to a validated action to at least one of the controller or the controller engine instance. The enhancing component can further separate two or more entities within the industrial environment, the first entity related to process control and the second entity related to process safety. Additionally, the enhancing component can employ at least one of a backup controller or a backup controller engine instance in the event of at least one of a software error or a hardware error within the industrial environment.

Abstract: Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.

Abstract: An approach is provided for authorizing one or more services from service providers in a communications network. The approach includes receiving a request from a first service provider, the request having an associated primary token and a secondary token identifier, the secondary token identifier relating to resources of a second service provider. Based, at least in part, on the secondary token identifier, a secondary token is identified; and then the secondary token is sent to the first service provider, wherein the first service provider and the second service provider belong to different trust domains and the first service provider can use the secondary token to access resources of the second service provider.

Abstract: Systems, apparatus, methods, and computer program products are provided for determining a user's authentication requirements/credentials for a specific network access session based on the current location of the user in comparison to known boundaries of location associated with the user, such as patterns of movement or the like. As such, the present invention serves to expedite the process for authenticating a user who desires to gain access to a network service, such as a banking application or the like.

Abstract: A social trust network is implemented in combination with a communication network capable of monitoring one or more parameters of communications. The social trust network includes a database containing trust data and possibly profiles of respective entities can be searched to return identities of entities such as subject matter experts with whom a user such as a decision-maker may wish to communicate; which communication may be facilitated by communication contact information corresponding to entities returned by the search. A plurality of trust metrics are computed from the trust data and search results are ordered based on a weighted sum of trust metrics, possibly including ratings of entities, where the relative weights may be manipulated at the will of the user. The monitored parameters of such communications are represented in data stored as trust data in a database which is thus adaptively developed through use of the social trust network.

Abstract: A mobile device operating system level routine obtains social network access parameters that allow access to one or more social network accounts of a user of the device. The access parameters are stored in operating system level memory of the mobile device. Through an operating system interface of the mobile device, a user can create a social network message to be communicated via the one or more social network accounts using the stored access parameters. A single social network message may be communicated via multiple social network accounts with multiple social network platforms. The uniform operating system interface allows a user to communicate messages via multiple social network accounts without using multiple user level applications.

Abstract: In a computer-implemented method and system, an electronic target document is provided in a data communication network. At least one computer program in a first domain in the data communication network provides a link to open a digital first form in the first domain. Upon activation of the link, redirection to a second domain takes place, and a second electronic form is provided in the second domain. The second form comprises a retrieval field which is configured to provide, when the retrieval field is activated, a plurality of domain access fields. After receipt of an activation of a selected one of the domain access fields, a third domain linked to the selected domain access field is accessed to retrieve target document data from the third domain. The second domain uploads the target document associated with the target document data to the first form of the first domain.

Abstract: In one embodiment, a mobile device connecting to a Wi-Fi hotspot first performs a connectivity check to determine whether the wireless connection is trapped in the walled garden of a captive portal by transmitting a connectivity check message to one or more external endpoints in the public IP network. If no response is received, the mobile device determines that it is in the captive portal state, and generates a browser window bound to the Wi-Fi state tracker of the mobile device displaying the portal page for the captive portal. In such a manner, the mobile device does not offload any traffic from its wireless cellular interface to its Wi-Fi interface until it is certain the Wi-Fi interface may access the public IP network, thereby preventing data interruption for mobile applications.

Abstract: A computer-implemented online conferencing transactional platform system comprising an interaction module, a video-conferencing module, and a storage device may allow multiple participants in a video-conference to access, co-browse, collaboratively edit, and sign a transactional document. An interaction module fetches an image of a transactional document and a field identifier for an interactive transactional document element to be filled out from a remotely-connected secure signature API, and displays the image of the document, along with the interactive transactional document element on a webpage interface to a moderator and a signer end user in a video-conference. The interaction module receives a filled-out transactional document in an I-frame from the secure signature API, allowing the signer end user to sign the transactional document using a secure embedded signature process.

Abstract: A method includes transmitting a request to a server from a mobile device. The request may be initiated by an application executing on the mobile device. The method includes receiving a message at the mobile device from the server. The message may include first validation information and information indicating a location where the mobile device can retrieve content. The method includes retrieving the content from the location indicated in the message, and generating second validation information based on the retrieved content. The method includes validating the content based on a comparison of the first validation information and the second validation information. The method includes selectively storing the content based on whether the validation of the content indicates the content is valid. The content may be stored for subsequent publication at the mobile device via the application. The content may be published while the mobile device is offline.

Abstract: A loss of connection between a wireless access point and a network is reported to a network-based service platform by the wireless access point by automatically establishing wireless contact with a second wireless access point, and transmits a predetermined fault report message to a predetermined network platform address by way of the second wireless access point and the second network interface. Authentication credentials are stored in the access point allowing automatic access to the service platform without user intervention, to allow the report to be generated without user intervention. The message may include data on recent usage of the access point, or may be repeated when a user attempts to use the access point, in order to prioritize the fault reported at the service platform.

Abstract: Systems and/or methods provide a user of a first computing device with the ability to authenticate themselves on a remotely provided process or service using a second computing device on which the user is already authenticated. For example, the techniques of this disclosure provide a user with the ability to securely log into a remotely provided service or application (such as e-mail, cloud computing service, etc.) on a first computing device (e.g., a desktop computer, laptop, tablet, etc.) using a second computing device (e.g., mobile phone) on which the user is already logged into the service or application, without requiring manual entry of authentication information on the first computing device.

Abstract: In one aspect of the teachings herein, a Services Capability Layer, SCL, within a Machine-to-Machine, M2M, network generates unique identifiers, for use in identifying individual application instances within the M2M domain. According to such operation, an SCL receives or otherwise obtains an application identifier for an application instance registering at the SCL, and generates a globally unique identifier for the application instance using the application identifier or an alias corresponding to it. As an example, the SCL appends to the application identifier or alias its own identifier, which is unique to that SCL, along with a random value. The resultant identifier is guaranteed to be unique for the individual application instance and the SCL uses the resultant identifier for identifying the application instance to other entities within the M2M domain.

Abstract: In one embodiment, a method includes accessing at least two determinations of the location of a mobile computing device, with each determined location having been determined without reference to explicit location information manually input by a user of the mobile computing device. At least one first determined location is compared with at least one second determined location, with comparisons being made between location determinations made based on different location determination input. A functionality associated with the mobile computing device is allowed if the first determined location corresponds to at least one of the second determined locations.

Abstract: A system and method for detecting encoding errors in a template used to generate a Web page. The template is analyzed using static analysis in a source code format, without rendering the Web page. A report can be generated including details on the detected errors and provide options on how to address the errors.

Abstract: Approaches for protecting a computing device against malicious code using an attack vector involving a USB device. A computing device prevents a USB device from communicating operational input to the computing device using a USB port residing on or coupled to the computing device unless consent data is stored on the computing device. Consent data is data that affirms consent provided by a user of the computing device to allow the USB device to communicate with the computing device using the USB port. Note that the lack of consent data stored on the computing device does not prohibit the USB device from identifying itself to the computing device. In this way, if the USB device comprises malicious code or has been designed in a malicious manner, the USB device will be unable to submit operational input to the computing device without the consent of the user.

Abstract: A multi-content media communications method, apparatus, and system which implement switching between media captures of multiple sites, and media content receiving and sending parties can negotiate about switching content and a switching policy includes, sending a first media advertisement message to a first media using apparatus, receiving a first media configuring message sent by the first media using apparatus, where the first media configuring message includes an individual media capture and/or a multi-content media capture that is selected by the first media using apparatus according to the first media advertisement message, and sending a corresponding media stream to the first media using apparatus according to the selected individual media capture and/or multi-content media capture.

Abstract: Disclosed are various embodiments for controlling access to data on a network. Upon receiving a request comprising a device identifier and at least one user credential to access a remote resource, the request may be authenticated according to at least one compliance policy. If the request is authenticated, a resource credential associated with the remote resource may be provided.

Abstract: Embodiments of intelligent facility devices for use in controlled facility environments are described. In various embodiments, the intelligent facility devices provide limited or controlled access to data networks for inmates of a controlled facility. An embodiment of a method may include receiving a request for access to a network from a user interface device. The method may also include determining an authorized duration of network access for the user interface device. Additionally, the method may include establishing a temporary network access session between the user interface device and the network for the authorized duration of network access.