Network Patents (Class 726/3)
  • Patent number: 9521166
    Abstract: Systems and methods are provided for automatically monitoring a compliance of web pages and graphical user interfaces with governmental and self-regulatory privacy and security policies. In accordance with one implementation, a method is provided that comprises instructing the execution of an operation on content associated with at least one web page is generated. The operation may include at least one of (i) a scanning operation that generates forensic data corresponding to the web page or (ii) an analytical operation that analyzes at least a portion of the forensic data corresponding to the web page. The method further comprises obtaining output data associated with the executed operation, and generating information indicative of a compliance of the web page with at least one of a privacy regulation or a security regulation, the information being generated based on the output data.
    Type: Grant
    Filed: February 8, 2013
    Date of Patent: December 13, 2016
    Assignee: AOL Inc.
    Inventor: Jeffrey Todd Wilson
  • Patent number: 9515827
    Abstract: According to an embodiment, a key management device includes a key exchange processing unit, a transmission unit, and an update unit. The key exchange processing unit is configured to perform a key exchange process for executing an exchange of a shared key together with authentication between the key management device and a communication device. The transmission unit is configured to transmit update information for updating a device key of the communication device authenticated to the communication device, when the communication device has not been authenticated before performing the key exchange process, and not to transmit the update information, otherwise. The update unit is configured to update the device key using the update information, when the communication device has not been authenticated before performing the key exchange process, and not to update the device key, otherwise.
    Type: Grant
    Filed: December 18, 2013
    Date of Patent: December 6, 2016
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshikazu Hanatani, Toru Kambayashi, Tatsuyuki Matsushita
  • Patent number: 9514313
    Abstract: Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: December 6, 2016
    Assignee: NetIQ Corporation
    Inventors: Michael F. Angelo, Lloyd Leon Burch
  • Patent number: 9509689
    Abstract: A computer implemented method and a cloud security system are provided for securing data in a cloud storage environment. The cloud security system receives data of multiple types from multiple sources and decodes the received data. The cloud security system stores the decoded data in one or more of multiple storage locations within the cloud storage environment and allocates one or more of multiple security actions to be performed on the stored data in each of the storage locations. The cloud security system applies multiple security algorithms to perform the allocated security actions on the stored data in each of the storage locations. The cloud security system encodes resultant data obtained from the application of the security algorithms to the stored data with a security identifier in combination with one or more of a user's authentication information, biometric data, and supplementary parameters for facilitating secure access to the resultant data.
    Type: Grant
    Filed: May 12, 2015
    Date of Patent: November 29, 2016
    Inventors: Victoria Kien Man Teng, Robert Kien Fai Teng, Joshua Hanson Tsui-Teng, Matthew Tsui-Teng
  • Patent number: 9507848
    Abstract: Generating an inverted index is disclosed. Semi-structured data from a plurality of sources is parsed to extract structure from at least a portion of the semi-structured data. The inverted index is generated using the extracted structure. The inverted index includes a location identifier and a data type identifier for one or more entries of the inverted index.
    Type: Grant
    Filed: September 23, 2010
    Date of Patent: November 29, 2016
    Assignee: VMware, Inc.
    Inventors: Zhenmin Li, Chengdu Huang, Spiros Xanthos, Qingbo Zhu, Yuanyuan Zhou
  • Patent number: 9503879
    Abstract: A method for serving visitor subscribers in a mobile communication system has been disclosed. The method, which is performed by a virtual visitor subsystem, VSS, included in the mobile communication system, comprises the following steps: detecting a roaming event on an MSISDN of a mobile station, MS, operating in the mobile communication system; determining a mobile network operator in the mobile communication system, having an HPLMN which covers a geographic area of the MS, to be a visitor mobile network operator of the MS; receiving a visitor IMSI from the visitor mobile network operator; assigning the visitor IMSI to the MSISDN of the MS; transmitting the visitor IMSI to the MS; intercepting an authentication initiation towards the visitor mobile network operator; authenticating the MS towards a home mobile network operator of the MS; and activating a visitor subscription identified by the visitor IMSI based on an authentication response received from the home mobile network operator.
    Type: Grant
    Filed: December 13, 2013
    Date of Patent: November 22, 2016
    Assignee: IPCO AS
    Inventors: Torbjoern Faller, Olaf Valeur, Rolf Roesok
  • Patent number: 9495275
    Abstract: Techniques for segregating one or more logs of at least one multitasking user to derive at least one behavioral pattern of the at least one multitasking user are provided. The techniques include obtaining at least one of at least one action log, configuration information, domain knowledge, at least one task history and open task repository information, correlating the at least one of at least one action log, configuration information, domain knowledge, at least one task history and open task repository information to determine a task associated with each of one or more actions and segregate the one or more logs based on the one or more actions, and using the one or more logs that have been segregated to derive at least one behavioral pattern of the at least one multitasking user. Techniques are also provided for deriving intelligence from at least one activity log of at least one multitasking user to provide information to the at least one user.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: November 15, 2016
    Assignee: International Business Machines Corporation
    Inventors: Prasad M. Deshpande, Raghuram Krishnapuram, Debapriyo Majumdar, Deepak S. Padmanabhan
  • Patent number: 9495544
    Abstract: Techniques from the proposed invention relate to providing enhanced security. For example, techniques described herein allow a computer system, such as a mobile device, to support a wide variety of security functions and security sensitive applications on a mobile device by providing enhanced security via secure input and output data transmission and verification through a secure module. The secure module may cause user interfaces to be provided to users by providing obfuscated user interface data to the operating system that do not reveal elements that are part of the user interfaces. The secure module may receive obfuscated user input values representing user input values, and de-obfuscate these user input values, whereby the actual input values are not exposed to the underlying operating system. The secure module may track the flow of user input/output data through the computing device to ensure the integrity and authenticity of this data.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: November 15, 2016
    Assignee: Visa International Service Association
    Inventors: Selim Aissi, Taeho Kgil, Gyan Prakash
  • Patent number: 9491182
    Abstract: A method and system for providing secure internet access and services are disclosed. The method includes receiving a request for services from a user terminal, the request including user terminal data; sending the user terminal data to a security server; and receiving a security level of the user terminal from the security server. The security server determines the security level of the user terminal based on historical user data related to the user terminal. The method further includes initiating a verification process based on the security level of the user terminal.
    Type: Grant
    Filed: January 23, 2015
    Date of Patent: November 8, 2016
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Deyong Kong, Meng Wang
  • Patent number: 9485261
    Abstract: A method, device and system for network security protection comprise: according to a received scan task, a network security device performs a security bug scan of the scan task appointed web site, and when a scan result is obtained, transmits the scan result to a network application firewall, so that the network application firewall can configure an individuality security strategy for the web site according to the received scan result. The problem that it can not be implemented complete individuality security configuration of the web site can be solved in this way.
    Type: Grant
    Filed: December 11, 2012
    Date of Patent: November 1, 2016
    Assignee: NSFOCUS INFORMATION TECHNOLOGY CO., LTD.
    Inventors: Mingfeng Huang, Bo Qin, Huaigu Ou, Zhiming Song, Congyu Li, Rong Zhou
  • Patent number: 9477486
    Abstract: In a cloud computing environment, a production server virtualization stack is minimized to present fewer security vulnerabilities to malicious software running within a guest virtual machine. The minimal virtualization stack includes support for those virtual devices necessary for the operation of a guest operating system, with the code base of those virtual devices further reduced. Further, a dedicated, isolated boot server provides functionality to securely boot a guest operating system. The boot server is isolated through use of an attestation protocol, by which the boot server presents a secret to a network switch to attest that the boot server is operating in a clean mode. The attestation protocol may further employ a secure co-processor to seal the secret, so that it is only accessible when the boot server is operating in the clean mode.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: October 25, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Himanshu Raj, Stefan Saroiu, Alastair Wolman, Paul England, Anh M. Nguyen, Shravan Rayanchu
  • Patent number: 9479533
    Abstract: Systems and methods of the present invention provide for one or more server computers communicatively coupled to a network and configured to: receive a request for the change key from a registrant of the domain name; generate the change key comprising a random string not stored on the server computer; identify the timeout period within the database; transmit the change key to: a contact for the registrant; and a domain name registry; determine whether the change key is received by the server computer during the timeout period; and if so, update the domain name.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: October 25, 2016
    Assignee: Go Daddy Operating Company, LLC
    Inventors: Nitin Gupta, Charles Beadnall
  • Patent number: 9455974
    Abstract: A system determines a value of an online account, and uses that value to identify a security-related mechanism for the account. The system determines the account value by taking as input various quantified characteristics of the account. The system weights each characteristic according to various criteria. The system may then use the weighted signals as inputs of an algorithm to calculate the account value for the account, and it may determine a security-related action that corresponds to the account value.
    Type: Grant
    Filed: March 5, 2014
    Date of Patent: September 27, 2016
    Assignee: Google Inc.
    Inventors: Phillip Ames, Robert Wilson Reeder
  • Patent number: 9449176
    Abstract: Apparatus and methods to evaluate computing systems' vulnerability implement a series of steps wherein a system may be selected, and a specific component identified. Obtaining component information may include methods for accessing its configuration address space. Creation of a list of control or configuration addresses is followed by filtering to identify documented, reserved addresses, documented reserved test addresses, and undocumented addresses. A filtered subset is tested by accessing each address contained in the subset, and verifying continuity of operation of the tested component, then accesses by reading, writing, or both to subset addresses to classify as benign to component and system. Failure may constitute data damage, component damage, system damage, component failure, or system failure.
    Type: Grant
    Filed: May 22, 2014
    Date of Patent: September 20, 2016
    Inventor: Phillip M. Adams
  • Patent number: 9443094
    Abstract: A communication device may be configured to control access to geolocation services for applications on the communication device utilizing a first privacy access level setting that enables access to the geolocation services when selected, a second privacy access level setting that disables access to the geolocation services when selected, and other privacy access level settings that are different from, and fall between, the first privacy access level setting and the second privacy access level setting, and enable one time access to the geolocation services for the communication device when selected. The applications can include applications on the communication device that are managed and/or handled by a particular application service provider. The privacy access level settings comprise an anonymous one-time access and a non-anonymous one-time access.
    Type: Grant
    Filed: July 20, 2015
    Date of Patent: September 13, 2016
    Assignee: Google Inc.
    Inventors: Alexander Faaborg, Andrew Theodore Wansley, Angana Ghosh
  • Patent number: 9445347
    Abstract: Techniques are disclosed for discovery of Wi-Fi serial bus and Wi-Fi docking services. Such networks include (but are not limited to) IEEE 802.11 networks.
    Type: Grant
    Filed: July 26, 2013
    Date of Patent: September 13, 2016
    Assignee: INTEL CORPORATION
    Inventors: Bahareh Sadeghi, Emily H. Qi, Carlos Cordeiro
  • Patent number: 9438690
    Abstract: A method includes transmitting a request to a server from a mobile device. The request may be initiated by an application executing on the mobile device. The method includes receiving a message at the mobile device from the server. The message may include first validation information and information indicating a location where the mobile device can retrieve content. The method includes retrieving the content from the location indicated in the message, and generating second validation information based on the retrieved content. The method includes validating the content based on a comparison of the first validation information and the second validation information. The method includes selectively storing the content based on whether the validation of the content indicates the content is valid. The content may be stored for subsequent publication at the mobile device via the application. The content may be published while the mobile device is offline.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: September 6, 2016
    Assignee: Zumobi, Inc.
    Inventors: Georgi Tonev, Wade Tsai, Emmanuel Pinault
  • Patent number: 9432910
    Abstract: A method embodiment for network authentication includes selecting, by a user equipment (UE), an access network for establishing a network connection and receiving one or more network authentication status indications for a network associated with the access network. The method further includes implementing a network authentication and selection policy in accordance with the one or more network authentication status indications.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: August 30, 2016
    Assignee: Futurewei Technologies, Inc.
    Inventor: Zhixian Xiang
  • Patent number: 9426155
    Abstract: A cloud deployment appliance (or other platform-as-a-service (IPAS) infrastructure software) includes a mechanism to deploy a product as a “shared service” to the cloud, as well as to enable the product to establish a trust relationship between itself and the appliance or IPAS. The mechanism further enables multiple products deployed to the cloud to form trust relationships with each other (despite the fact that each deployment and each product typically, by the nature of the cloud deployment, are intended to be isolated from one another). In addition, once deployed and provisioned into the cloud, a shared service can become part of a single sign-on (SSO) domain automatically. SSO is facilitated using a token-based exchange. Once a product registers with a token service, it can participate in SSO. This approach enables enforcement of consistent access control policy across product boundaries, and without requiring a user to perform any configuration.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: August 23, 2016
    Assignee: International Business Machines Corporation
    Inventors: Ching-Yun Chao, John Yow-Chun Chang, Paul W. Bennett, John C. Sanchez, Donald R. Woods, Yuhsuke Kaneyasu, Sriram Srinivasan, Stuart Robert Douglas Monteith, Marcos Lohmann
  • Patent number: 9420041
    Abstract: In an approach to improving resource downloads, one or more computer processors detect a request to download a resource from an original source to a user's computing device. The one or more computer processors determine a cost of the download of the requested resource from the original source. The one or more computer processors determine whether the cost of the download of the requested resource from the original source exceeds a predefined threshold. The one or more computer processors determine a group of trusted network connected endpoints. The one or more computer processors determine whether the requested resource exists in the group of trusted network connected endpoints. Responsive to determining the requested resource exists in the group of trusted network connected endpoints, the one or more computer processors download the requested resource from at least one of the trusted network connected endpoints.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: August 16, 2016
    Assignee: International Business Machines Corporation
    Inventors: Swaminathan Balasubramanian, Radha M. De, Ashley D. Delport, Saswati Maji, Indrajit Poddar
  • Patent number: 9407632
    Abstract: A one-time password may be used and generated using transformation rules. A one-time password transformation rule is received. The one-time password is sent to a user. A response to the one-time password is received. The user is selectively authenticated based on the response corresponding to the one-time password as transformed by the one-time password transformation rule. The one-time password transformation rule may include one or more operations, such as mathematical operations that may be static operations or dynamic operations that change as a function of time. Related systems, devices, methods and computer program products are described.
    Type: Grant
    Filed: September 15, 2014
    Date of Patent: August 2, 2016
    Assignee: CA, Inc.
    Inventor: Gaurav Agarwal
  • Patent number: 9401735
    Abstract: A subscriber identity is changed for a mobile terminal (10) through the initiation of a sending of an instruction to the mobile terminal (10), via a first mobile communication system (18, 30) to which the mobile terminal is attached, to change subscriber identity from a first subscriber identity (IMSI1) used in the first mobile communication system to a second subscriber identity (IMSI2) for use in a second mobile communication system, and the initiation, after obtaining knowledge of the mobile terminal having attached to the second mobile communication system based on the second subscriber identity, a detachment procedure in the first mobile communication system in relation to the first subscriber identity. The mobile terminal (10) receives the instruction to change, attaches to the second mobile communication system based on the second subscriber identity and detach from the first mobile communication system after having attached to the second mobile communication system.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: July 26, 2016
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Justus Petersson, Qiang Li
  • Patent number: 9392412
    Abstract: Method of determining user's life change based on behavioral abnormality starts with processor receiving first location data and first proximity information from first mobile device. First proximity information includes identification of mobile devices within proximity sensitivity radius of first mobile device. Processor determines whether first location data and first proximity information are included in historical location data and historical proximity information, respectively, associated with first mobile device. When first location data and first proximity information is not included, processor determines whether subsequent location data and subsequent proximity information received from first mobile device over predetermined time period is included.
    Type: Grant
    Filed: February 28, 2014
    Date of Patent: July 12, 2016
    Assignee: LIFE360, INC.
    Inventors: Alexander Haro, Christopher Hulls, Michael Borsuk, Michael Hood
  • Patent number: 9389898
    Abstract: Systems and methods associated with virtual machine security are described herein. One example method includes instantiating a guest virtual machine in a virtual computing environment. The method also includes installing a life cycle agent on the guest virtual machine, assigning an identifying certificate, a set of policies, and an encryption key to the guest virtual machine, and providing the certificate, policies, and encryption key to the guest virtual machine. The certificate, policies, and encryption key may then be used by the guest virtual machine to authenticate itself within the virtual computing environment and to protect data stored on the guest virtual machine.
    Type: Grant
    Filed: October 2, 2012
    Date of Patent: July 12, 2016
    Assignee: CA, INC.
    Inventors: Nir Barak, Amir Jerbi, Eitan Hadar, Michael Kletskin
  • Patent number: 9392516
    Abstract: A handover method and apparatus for facilitating a handover of a user equipment to a femto cell in a wireless communication system supporting both the femto and macro cells. When a handover condition is detected, the user equipment acquires identity information of a target femto cell base station from system information transmitted by the target femto cell base station, decides whether to handover to the target femto cell base station, based on the identity information; and transmits a measurement report message including the identity information to a serving base station of the user equipment, when the handover is to be made.
    Type: Grant
    Filed: December 1, 2014
    Date of Patent: July 12, 2016
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Chae Gwon Lim, Tae Sun Yeoum, Sung Ho Choi, Beom Sik Bae, Han Na Lim
  • Patent number: 9392619
    Abstract: An apparatus and a method for configuring security for connection between a portable terminal supporting a Wireless-Fidelity (Wi-Fi) function and an Access Point (AP) are provided. More particularly, an apparatus and a method are provided for preventing access failure caused by an access request of a portable terminal while an AP of an un-configured mode, which is completing security setup using a Wi-Fi Protected Setup (WPS) function, is rebooted. The apparatus includes an AP for providing a terminal with a time taken to reboot after configuring security information based on a WPS function in an un-configured mode, wherein the terminal sends a request to access the AP after the rebooting has completed by determining the time taken to reboot received from the AP of the un-configured mode.
    Type: Grant
    Filed: July 22, 2011
    Date of Patent: July 12, 2016
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Youn-Ho Park
  • Patent number: 9386453
    Abstract: A method for operating an electronic device includes transmitting a first message including a first partial security key being a portion of a first security key to a first network; outputting a sound into which a second partial security key being a remaining portion of the first security key is loaded, after transmitting the first message; receiving a second message including a second security key from a second network; and establishing a link for connecting the electronic device and an external device through the second network if the second security key corresponds to the first security key.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: July 5, 2016
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Seongil Hahm, Youngri Kim
  • Patent number: 9380619
    Abstract: A method is provided in a node in a radio access network for packet data communication in a wireless communication network, the method includes intercepting, by the node, a first PDP context message between a mobile station and a core network. The message includes PDP context related information. The interception is performed to detect the PDP context related information. The method further includes establishing, by the node, based on the intercepted PDP context related information, a second PDP context between the node and the mobile station, thus enabling prioritizing packets in the radio access network. The disclosure also concerns a corresponding apparatus.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: June 28, 2016
    Assignee: Telefonaktiebolaget L M Ericsson
    Inventors: Stefan Wänstedt, Hans Hannu, Jonas Pettersson
  • Patent number: 9373206
    Abstract: The present invention proposes the device, system and method used for the non-contact security information interaction. Said system used for the non-contact security information interaction comprises: a terminal for setting a parameter configuration in a non-contact IC card programmable read-write device, and initiating an information interaction with a server and said non-contact IC card programmable read-write device; and a non-contact IC card programmable read-write device for performing communication with a non-contact IC card and said terminal based on a predetermined parameter configuration in order to complete the security information interaction. The device, system and method used for the non-contact security information interaction disclosed in the present invention realize the support and selection for the multi-application on the non-contact IC card programmable read-write device, and can execute the on-line based application.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: June 21, 2016
    Assignee: CHINA UNIONPAY CO., LTD.
    Inventor: Bing Yi Du
  • Patent number: 9367547
    Abstract: A method for creating a deployable zone template of a source zone, involving receiving, from the user an instruction to create the deployable zone template of a source zone including a zonepath dataset (ZPDS) and an application image (AI), where the ZPDS is a hierarchy of file systems in which an operating system image of the source zone is installed, creating a zonepath image file of the ZPDS, creating an application image file of the AI, collecting auxiliary zone data describing a dependency of the source zone and configuration a parameter of the source zone, creating an archive file including the zonepath image file, the application image file, and the auxiliary zone data, and combining the archive file and an executable wrapper script to obtain the deployable zone template.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: June 14, 2016
    Assignee: Oracle International Corporation
    Inventors: Thierry Manfe, Allan Neil Packer, Michael Leroy Gerdts, Sanjay Gurudatt Nadkarni, Jesse Butler
  • Patent number: 9367706
    Abstract: Access to some aspect of a service may be limited until a user has invested in performing some amount of computation. Legitimate users typically have excess cycles on their machines, which can be used to perform computation at little or no cost to the user. By contrast, computation is expensive for for-profit internet abusers (e.g., spammers). These abusers typically use all of their computing resources to run “bots” that carry out their schemes, so computation increases the abuser's cost by forcing him or her to acquire new computing resources or to rent computer time. Thus, the providers of free services (e.g., web mail services, blogging sites, etc.), can allow newly registered users to use some limited form of the service upon registration. However, in order to make more extensive use of the service, the user can be asked to prove his legitimacy by investing in some amount of computation.
    Type: Grant
    Filed: April 2, 2010
    Date of Patent: June 14, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shawn D. Loveland, Geoffrey J. Hulten, John L. Scarrow
  • Patent number: 9363241
    Abstract: In accordance with embodiments disclosed herein, there are provided systems, apparatuses, and methods for implementing cryptographic enforcement based on mutual attestation for cloud services.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: June 7, 2016
    Assignee: Intel Corporation
    Inventors: Steven W. Deutsch, Abhilasha Bhargav-Spantzel
  • Patent number: 9361481
    Abstract: Various systems, computer-readable media, and computer-implemented methods of providing improved data privacy, anonymity, and security by enabling subjects to which data pertains to remain “dynamically anonymous,” i.e., anonymous for as long as is desired—and to the extent that is desired—are disclosed herein. This concept is also referred to herein as Just-In-Time-Identity, or “JITI.” Embodiments include systems that create, access, use, store and/or erase data with increased privacy, anonymity and security—thereby facilitating the availability of more qualified information—via the use of temporally unique, dynamically changing de-identifiers (“DDIDs”). In some embodiments, specialized JITI keys may be used to “unlock” different views of the same DDID (or its underlying value), thereby providing granular control over the level of detail or obfuscation visible to each user based on the context of said user's authorized use of data, e.g.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: June 7, 2016
    Assignee: Anonos Inc.
    Inventors: Malcolm Gary LaFever, Ted N. Myerson, Steven Mason
  • Patent number: 9363087
    Abstract: A verified software system may be executable on secure hardware. Prior to being executed, the software system may be verified as conforming to a software specification. First credentials attesting to an identity of the software system may be sent to an external application. Second credentials signed by a provider of the secure hardware may be sent to the external application. The second credentials may attest to an identity of the secure hardware. The external application may securely exchange one or more messages with a software application of the software system. For example, the one or more messages may be decryptable only by the external application and the software application to provide confidentiality for each message. As another example, an attestation may vouch for an identity of a sender of each of the one or more messages to attest to an integrity of each message.
    Type: Grant
    Filed: October 2, 2014
    Date of Patent: June 7, 2016
    Assignee: Microsoft Technology Licensing, Inc.
    Inventors: Chris Hawblitzel, Bryan Parno, Jacob R. Lorch, Jonathan R. Howell, Brian D. Zill
  • Patent number: 9356928
    Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: May 31, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Nathan Sowatskey, Nancy Cam-Winget, Susan E. Thomson, David Jones, Morteza Ansari, Klaas Wierenga, Joseph Salowey
  • Patent number: 9356922
    Abstract: A method of operating a mobile device comprises executing a trusted service application in a trusted operating system through secure access, executing a trusted web server module in the trusted operating system, wherein the trusted web server module is configured to transfer information using an internet protocol and the information is generated by execution of the trusted service application, and executing a user application in a rich operating system through normal access, wherein the user application is configured to relay communication between a remote web server and the trusted web server module through a security session.
    Type: Grant
    Filed: December 9, 2014
    Date of Patent: May 31, 2016
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Won-Churl Jang, Myung-Hee Kang, Dong-Jin Park
  • Patent number: 9357382
    Abstract: A computer-implemented system and method for validating call connections is provided. Metadata about a connecting party is collected during a call, wherein the call is received by or initiated by a user. A connection status for the call is verified. The connecting party metadata is compared with connecting party records stored in a database and an attempt to determine an identity of the connecting party is made based on the comparison. A determination as to whether a security certificate is present with the metadata is made. The connection status is determined based on the connecting party identity attempt and the identification of whether the security certificate is present. The determined connection status is provided to the user.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: May 31, 2016
    Assignee: Intellisist, Inc.
    Inventor: David Milstein
  • Patent number: 9355243
    Abstract: A method and a system for authenticating a program are provided. A user system receives a program developed by a developer system and an authentication key, creates an additional authentication key by applying a preset authentication algorithm to the received program, and uses the received program if the received authentication key is matched to the additional authentication key.
    Type: Grant
    Filed: September 2, 2013
    Date of Patent: May 31, 2016
    Assignee: LG INNOTEK CO., LTD.
    Inventors: Heung Kyu Lee, Hyoung Soo Lee
  • Patent number: 9356932
    Abstract: A method of dynamically applying a control policy to a network is described. A network layer of a plurality of network layers associated with user traffic is determined. A portion of a control policy corresponding to the network layer and the user traffic is accessed. Then, the portion is sent to a security device associated with the network layer, the portion being configured to be applied by the security device to the network layer and the user traffic.
    Type: Grant
    Filed: January 30, 2009
    Date of Patent: May 31, 2016
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Sherry Krell, Rebecca M. Ballesteros, Adrian Cowham, John M. Green
  • Patent number: 9350688
    Abstract: Embodiments of the present application relate to a method of controlling float-out messages, a system for controlling float-out messages, an instant messaging client for controlling float-out messages, and a computer program product for controlling float-out messages. A method of controlling float-out messages is provided.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: May 24, 2016
    Assignee: Alibaba Group Holding Limited
    Inventors: Mei Wang, Guan Wang
  • Patent number: 9350734
    Abstract: A gateway may respond to a data-connection request, relating to a request to establish a packet data connection for a requesting wireless communication device (WCD), based on a request rate determined from the number of other data-connection requests that the gateway has received during a particular period of time. If the request rate is below a first threshold, the gateway may initiate an authentication process to authenticate the requesting WCD and either accept or reject the data-connection request based on whether the authentication process is successful or unsuccessful. If the request rate is greater than the first threshold and less than a second threshold, the gateway may accept the data-connection request without initiating the authentication process. If the request rate is greater than the second threshold, the gateway may reject the data-connection request without initiating the authentication process.
    Type: Grant
    Filed: November 1, 2013
    Date of Patent: May 24, 2016
    Assignee: Sprint Spectrum L.P.
    Inventors: Talat Jamshidi, Suryan Ramamurthy, Rajat Kumar
  • Patent number: 9350551
    Abstract: A validity determination method includes having a receiving apparatus of electronic data identify a public key corresponding to an electronic signature attached to the received electronic data among one or more public keys having respective valid terms, send a resend-request of the electronic data if the identified public key is not valid, and determine validity of the electronic data based on whether the electronic data is resent in response to the resend-request; and having a sending apparatus of the electronic data resend the electronic data to the receiving apparatus in response to receiving the resend-request if the sending apparatus has sent the electronic data relevant to the resend-request in the past.
    Type: Grant
    Filed: December 11, 2013
    Date of Patent: May 24, 2016
    Assignee: FUJITSU LIMITED
    Inventor: Masaharu Kako
  • Patent number: 9348830
    Abstract: Systems and methods for replicating a client data set on a computer include replicating the client data set using an application software on the computer; generating a manifest of a target data set during replication containing state of target data reflecting post-update state; and determining differences between the local data and manifest to determine required backup operations.
    Type: Grant
    Filed: January 28, 2015
    Date of Patent: May 24, 2016
    Assignee: ZETTA INC.
    Inventors: Louis Montulli, Jason Harrison, Jeffrey Whitehead, Andrew Eckhardt, Sr.
  • Patent number: 9336374
    Abstract: A module for authenticating a user of a mobile device. The mobile device has an orientation sensor and a touch screen sensor. The module includes: a behavioral biometrics conversion element, used to perform calculation by matching timestamps with a plurality of behavioral data of operations, sensed by the orientation sensor and the touch screen sensor, on the mobile device to acquire a plurality of behavioral biometrics quantities, and convert, by using a statistical method, multiple sets of the behavioral biometrics quantities into a behavioral biometrics pattern in a histogram constructing manner; and an authentication mechanism core element, used to determine whether the behavioral biometrics pattern conforms to a behavioral biometrics model pattern in a histogram manner. The present invention further includes a method and a computer program product for authenticating a user of a smart phone.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: May 10, 2016
    Assignee: National Central University
    Inventors: Deron Liang, Chien-Cheng Lin
  • Patent number: 9332487
    Abstract: A method provided in one embodiment includes determining a first resource indicator indicative of a first resource capability of a first network element, determining a second resource indicator indicative of a second resource capability of the first network element, determining a third resource indicator indicative of a third resource capability of the first network element, and sending the first resource indicator, the second resource indicator, and the third resource indicator to a second network element. The second network element is configured to determine a first metric value for the first network element based upon the first resource indicator, the second resource indicator, and the third resource indicator. The second network element is further configured to utilize the first metric value to determine a list of one or more acceptable network elements for a wireless device to establish a connection therewith.
    Type: Grant
    Filed: July 9, 2014
    Date of Patent: May 3, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Mukesh Taneja
  • Patent number: 9332136
    Abstract: An image processing apparatus and method includes inputting user information, setting folder information about a specified user based on the user information as a destination of image data, registering the set folder information, and performing control so as not to register folder information corresponding to a transmission protocol set to be disabled from among a plurality of transmission protocols.
    Type: Grant
    Filed: May 17, 2013
    Date of Patent: May 3, 2016
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hiroyasu Morita
  • Patent number: 9325706
    Abstract: Associating a network packet with biometric information for a user includes identifying biometric identification information for a user of a network device, including an identifier of the biometric identification information in at least one of a header and a trailer of a network packet without including biometric identification information in a payload of the network packet, and sending the packet via a network, wherein the identifier identifies the network packet as having originated from the user.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: April 26, 2016
    Assignee: Scenera Mobile Technologies, LLC
    Inventors: Jeffrey Scott Bardsley, Richard M. Horner
  • Patent number: 9311462
    Abstract: Disclosed in one example is a method of authenticating with multiple social network services. The method may include storing first authentication information associated with a user for a first social networking service using at least one computer processor, receiving second authentication information associated with the user for a second social networking service from a social networking application, and sending to the social networking application the first authentication information. The first authentication information may enable the social networking application to utilize a protected application programming interface call for the first social networking service and the second authentication information may enable the social networking application to utilize a protected application programming interface call for the second social networking service.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: April 12, 2016
    Assignee: Zynga Inc.
    Inventors: Nathan Brown, Henry Joseph Sommer, Andreas Selp Haugsnes
  • Patent number: 9307411
    Abstract: In accordance with the exemplary embodiments of the invention there is at least a method and apparatus to perform operations including triggering, with an entity of a device, an attestation with a trusted platform module/mobile platform module of the device; and in response to the triggering, sending information comprising a platform configuration register value towards the entity, where the platform configuration register depends on measurements of the entity triggering the attestation.
    Type: Grant
    Filed: November 7, 2013
    Date of Patent: April 5, 2016
    Assignee: Nokia Technologies Oy
    Inventor: Jan-Erik Ekberg
  • Patent number: 9305174
    Abstract: A clipboard in an electronic system protects sensitive data by copying data into a clipboard of an electronic system as an entry and selectively blocking access to the sensitive data. An entry protect status is associated with a clipboard entry that is arranged to store copied data that is sensitive. The entry protect status is changed to indicate the entry protect status is set to block access to the copied data. Access to the copied data for which the entry protect status has been changed is selectively blocked.
    Type: Grant
    Filed: April 9, 2013
    Date of Patent: April 5, 2016
    Inventor: Robert Hansen