Abstract: An exemplary method comprises generating receiving an authentication request from a graphical user interface on a first computing device; generating a first encrypted media element; displaying the encrypted media element on the GUI; receiving a second encrypted media element from a second computing device; upon determining that the first and second encrypted media elements have a positive match, querying an identification value associated with the second computing device; receiving the identification value associated with the second computing device; upon the identification value matching a data record within a database, determining an account associated with the data record within the database; and authenticating the first computing device by granting the first computing device access to the account associated with the second computing device.

Abstract: A system for facilitating sending and receiving of security alerts may include a processor communicatively coupled to a memory and a network interface, the network interface communicatively coupled to a network. A fixed location manager and a roving location manager may be communicatively coupled to the network interface and the network and may be configured to: (i) receive security messages from a plurality of user mobile devices coupled with the network, (ii) create a fixed forum security message and a roving forum security message, each of which is associated with a geographic location of one of the security messages, and (iii) send the fixed forum security message and the roving forum security message to all of the plurality of user mobile devices that comprise a fixed alert area or a roving alert area associate with the geographic location.

Abstract: A method, computer program product, and system includes a processor(s) obtaining a signal from an implanted device within a given vicinity of the one or more processors. The processor(s) identifies a device that when active, has a pre-defined probability of impacting regular functionality of the implanted device. The processor(s) determines coordinates of a perimeter around the device, where the pre-defined probability of the device impacting the regular functionality of the implanted device is realized inside the perimeter. The processor(s) generate a geofence boundary around the device. The processor(s) initiate an action to decrease the pre-defined probability of the device impacting the regular functionality of the implanted device.

Abstract: Systems and methods related to establishing a temporary trusted relationship between a network-based media service and a device that does not have a trusted relationship with the network-based media service are disclosed. In one embodiment, a method of operation of a first device having a trusted relationship with a network-based media service to establish a temporary trusted relationship between the network-based media service and a second device that does not have a trusted relationship with the network-based media service is provided. In one embodiment, the method of operation of the first device includes obtaining a certificate of the second device, generating a temporary token for the second device based on the certificate of the second device, and sending the temporary token for the second device to a server that provides the network-based media service to thereby pre-authorize the second device for temporary media service.

Abstract: A skill-based training system includes a processing system having a processor, memory coupled to the processor with executable instructions stored therein, and an input-output controller coupled to the processor and to input and output devices. The memory includes lesson plans that outline skill-based tasks and activities, and predetermined performance criteria. The processor is configured by the instructions to present interfaces on the output devices simulating a virtual training environment. The processor is configured to receive input signals representative of performing the tasks and activities in the virtual environment, and to evaluate the performance by comparing the performed tasks and activities to the criteria, to determine a score and to present the score on the output devices.

Abstract: Methods to securely remediate a captive portal are provided. In these methods, a processor of a user device detects a connection, via a network, to a captive portal. Based on the detected connection to the captive portal, the processor launches a dedicated secure web browser, and selectively restricts access of the user device to the network in order to only allow, via the dedicated secure web browser, communications related to remediation with the captive portal.

Abstract: User permissions for a search on content managed by a content management system (CMS) can be evaluated in a search engine based on a user identity of a user providing a query input for the query rather than after return of an initial results set to the CMS or some other front-end application. The search engine can constrain possible results returned from a search for the query input using a content index of a plurality of content items maintained in a repository of the content management system. The constraining can include limiting the search engine from adding a content item of the plurality of content items to a permissions-filtered results set unless the evaluating of the user permissions and the search for the query input against the content index do not exclude the content item. Other aspects can support index updating by selective use of a metadata index.

Abstract: An information handling system may include a management controller configured to direct a basic input/output system to generate an advanced configuration power interface (ACPI) event that is triggered by an update of a host interface attribute. A processor provides at least one function to publish and configure a host interface, where the host interface is associated with a management service. The processor may also detect the ACPI event triggered by the update of the host interface attribute. Subsequent to the detection of the ACPI event, a structure of the host interface associated with the management service and a supported authentication type and security information associated with the supported authentication type may be determined. The processor may authenticate to the host interface via the supported authentication type using the security information and update an operating system variable associated with the update of the host interface attribute.

Abstract: Embodiments of the present disclosure relate to a method and apparatus for controlling traffic. A method may include: acquiring node identifiers of a plurality of traffic control nodes in a distributed system and a resource identifier of at least one kind of resource controlled by the distributed system; determining, according to the identifiers and at least one resource identifier, at least one traffic control node for controlling the at least one kind of resource in the distributed system being a resource control node; acquiring a configuration quota of the at least one kind of resource; and sending at least one configuration quota to a resource control node controlling a corresponding resource, for the resource control node to determine control quotas for the traffic control nodes in the distributed system.

Abstract: A system for exchanging authentication data between edge-nodes is provided. The system may include an edge-node network. The network may include a plurality of edge-nodes. Each edge-node may include a pairing module. Each pairing module may receive an instruction to pair with another edge-node. Each pairing module pair with another edge-node. The pairing module may continually transmit verification communications to other edge-nodes. The pairing module may continually discover responsive communications from other edge-nodes. The pairing module may continually receive responsive verification communications from other edge-nodes. Each edge-node may include an executable module. The executable module may determine occurrence of an event. Upon determination of the occurrence of an event, the executable module may analyze a stored event protocol. The protocol including an algorithm for implementing executables in response to an event.

Abstract: An analysis apparatus has a transfer path matching unit that is provided with a real browser log La and a browser emulator log Lb as input and identifies, as a specific transfer path, a transfer path that is not transferred to a malicious URL on a pseudo-browser where the transfer path is transferred to the malicious URL on a real browser, based on the malicious URL information in a malicious URL database, and an analysis avoidance code identification unit that identifies an analysis avoidance code that avoids analysis by utilizing a browser-specific function or an implementation difference between the real-browser and the pseudo-browser, among script codes that are executed on a website, based on the specific transfer path.

Abstract: A method, apparatus and computer program product for use in identifying and blocking operation of compromised or potentially compromised IoT device(s) on a network, such as a local network behind a router or firewall. To this end, the technique provides for automated and seamless on-boarding of a “guard” system for IoT devices, preferably as those devices join (or re-join) into the network via a Dynamic Host Configuration Protocol message exchange. In operation, and in response to receipt of a DHCP discover message that includes a network location, a DHCP server uses the network location to locate and retrieve a set of flow attributes for the device. Those attributes are then associated with the IP address to be assigned to the IoT device in a network control device. The network control device then selectively identifies and/or blocks operation of the IoT device when the IoT device is compromised or potentially compromised, thereby protecting the network (or network resources) from damage or misuse.

Abstract: A method, computer program product, and system includes a processor(s) obtaining a signal from an implanted device within a given vicinity of the one or more processors. The processor(s) identifies a device that when active, has a pre-defined probability of impacting regular functionality of the implanted device. The processor(s) determines coordinates of a perimeter around the device, where the pre-defined probability of the device impacting the regular functionality of the implanted device is realized inside the perimeter. The processor(s) generate a geofence boundary around the device. The processor(s) initiate an action to decrease the pre-defined probability of the device impacting the regular functionality of the implanted device.

Abstract: A system provides authorization of resource requests based on cryptographic computations and federated hash verifications. In particular, the system may receive requests for resources or processes from external devices. In response, the system may require that the external device complete additional authorization steps (e.g., a cryptographic computation) before being granted access to the resources or processes. The system may further federate the cryptographic computations across multiple external devices, thereby distributing the computing load that would otherwise be processed by internal systems. In this way, the system may prevent unauthorized or unintended access to the system's resources or processes.

Abstract: A computer-implemented method includes: receiving, by a computing device, a user query; determining, by the computing device, a response to the user query; determining, by the computing device, a sensitivity level of the response; generating, by the computing device, presentation instructions for presenting the response based on the sensitivity level; and presenting, by the computing device, the response in accordance with the presentation instructions.

Abstract: A device that may configure itself is disclosed. The device may include an interface that may be used for communications with a chassis. The interface may support a plurality of transport protocols. The device may include a Vital Product Data (VPD) reading logic to read a VPD from the chassis and a built-in self-configuration logic to configure the interface to use one of the transport protocols and to disable alternative transport protocols, responsive to the VPD.

Abstract: To enable satisfactory decoding processing corresponding to a decoding capability on a reception side. Image data of pictures constituting moving image data are sorted into multiple hierarchies, image data of pictures of each of the sorted hierarchies are encoded, and video data including the encoded image data of the pictures of each of the hierarchies is generated. A container of a predetermined format including the video data is transmitted. The multiple hierarchies are divided into a predetermined number of hierarchy groups, the predetermined number being two or more, and identification information for identifying a hierarchy group to which encoded image data of each picture included in the video data belongs is inserted into a packet as a container of the video data.

Abstract: A network controller configured to provide network access to client devices, receives a network access request from a client device. The network access request includes a media access control (MAC) address of the client device and information about a first private key. The network controller sends to a server an authentication request, which includes the MAC address of the client device. The network controller receives an authentication response from the server, which includes a second private key. The network controller determines whether the first private key is the same as the second private key. In response to determining that the first private key is different from the second private key, network access is denied to the client device, and in response to determining that the first private key is the same as the second private key, network access is granted to the client device.

Abstract: An internet protocol (IP) access point sends, to a requesting device, a modified version of a first web page comprising first modifications made in accordance with policy handling information, and receives, from the requesting device, a request for a second web page. Responsive to detecting that the request for the second web page comprises one or more of the first modifications, the IP access point sends a modified version of the second web page comprising second modifications made in accordance with the policy handling information to the requesting device.

Abstract: An image forming apparatus including a detailed print setting UI and a simple print setting UI as print extension applications. The image forming apparatus restricts display of the detailed print setting UI based on whether or not a CPU satisfies a predetermined condition for the display of the detailed print setting UI, and thus enables to display an appropriate print setting UI even when processing capacity of the CPU is low.

Abstract: Provided are methods and systems for a Transmission Control Protocol (TCP) state handoff of a data traffic flow. A method for a TCP state handoff of a data traffic flow comprises determining a TCP state at predetermined times by a state machine unit. The TCP state includes data concerning a session between a client and a server. The TCP state for the predetermined times is stored to a database. A request to apply a predetermined policy to the session is received by a transaction processing unit and, in response to the request, a session request associated with the session between the client and the server is sent to an access control unit. The session request is processed by the access control unit based on the TCP state and according to the predetermined policy.

Abstract: A computer-implemented method includes identifying a plurality of protected pieces from a conversation. The computer-implemented method further includes generating one or more confidence scores for each protected piece, wherein a confidence score is a degree of associativity between a protected piece and a type of sensitive information. The computer-implemented method further includes determining that the protected piece is associated with the type of sensitive information. The computer-implemented method further includes determining a type of protection action for each protected piece in the plurality of protected pieces. The computer-implemented method further includes performing the type of protection action for each protected piece in the plurality of protected pieces to form a modified conversation that is devoid of the sensitive information. A corresponding computer system and computer program product are also disclosed.

Abstract: Systems and methods for secure network communications of data using quantum key distribution (QKD) are presented. Source data is provided. The source data is encrypted to produce encrypted data and key data corresponding to the encrypted data. Using QKD, the key data is transmitted from a first network location to a second network location. Successful transmission of the key data to the second location is verified, and upon verification, the encrypted data is transmitted from the first network location to the second network location using QKD. Successful transmission of the encrypted data to the second location is verified, and upon verification, the encrypted data is decrypted with the key data to provide a data output.

Abstract: A method (100) for establishing a new identity for a constrained device is disclosed, wherein the device has an existing identity and is associated with an asymmetric key pair comprising a device public key and a device private key. The method comprises applying a hash function to the existing identity (106) and setting the resulting value as the new identity for the constrained device (108), wherein the existing identity comprises at least a first generation hash value of a hash chain formed by applying the hash function to the device public key. Also disclosed is a method (200) for managing an identity of a constrained device, the device being associated with an asymmetric key pair comprising a device public key and a device private key.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, automatically populate, in real-time, portions of digital interfaces based on dynamically generated contextual data. For example, a network-connected apparatus may receive, from a device, a portion of an identifier of a first counterparty to an exchange of data. The apparatus may perform operations determine a second counterparty to the data exchange based on at least one of a current geographic position of the first device, a first element of profile data associated with the first device, or the received portion of the first counterparty identifier, and may transmit an identifier of the second counterparty to the device. The device may execute an application program that presents the second counterparty identifier within a corresponding portion of an interface associated with the data exchange.

Abstract: The present disclosure relates to a PUF apparatus and method for generating a persistent, random number. The generated number is random in that each particular instance of PUF apparatus should generate a randomly different number to all other instances of PUF apparatus, and is persistent in that each particular instance of the PUF apparatus should repeatedly generate the same number, within acceptable error correction tolerances. The persistent, random number is determined by selecting one or more PUF cells, each comprising a matched pair of transistors that are of identical design, and comparing an on-state characteristic of the pair (e.g., turn-on threshold voltage or gate-source voltage). The difference in on-state characteristic of each selected pair of transistors is caused by random manufacturing differences between the transistors. This causes the randomness between each different instance of PUF apparatus, and should be relatively stable over time to provide persistence of the generated number.

Abstract: Provided is a user authentication method including reproducing sound data of which a sound source in a first position of a space around a user is virtually localized using a Head-Related Transfer Function (HRTF) of the user toward the user, acquiring a second position of the space around the user, the second position being estimated by the user who has listened to the reproduced sound data as a position of the sound source; and authenticating the user according to a coincidence between the first position and the second position.

Abstract: Systems, methods, and computer-readable media for providing network assurance across a network. In some embodiments, network traffic data of a cluster of nodes in a network environment can be gathered based on first network traffic flowing through the nodes using a first group of sensors implemented in the network environment. Network events occurring in the network environment can be identified, e.g. using sensors deployed in an infrastructure of the network environment. Subsequently, the network events can be correlated with the network traffic data to generate correlated network data for the network environment. The correlated network data for the network environment can be used to provide assurance between at least one server in the cluster of nodes and the network infrastructure of the network environment as part of providing assurance across the network environment.

Abstract: Novel tools and techniques for are provided for implementing a hybrid spectrum access system and access probe framework. A system includes a base station coupled to a network, a spectrum access system, and user equipment coupled to the base station and the spectrum access system. The user equipment is configured to transmit, to the base station, a first network access request following a first access sequence while transmitting signals under a first power limit. If no response is obtained from the base station, the user equipment is configured to transmit a second network access request above the first power limit, but under a second power limit. The user equipment is configured to obtain spectrum access from the spectrum access system and transmit a second network access request to the base station.

Abstract: Systems, methods, and devices configured to build and utilize an intelligent cipher transfer object are provided. The intelligent cipher transfer object includes a set of participants protected by cloaking patterns. A portable dynamic rule set, which includes executable code for managing access to the protected set of participants, is included within the intelligent cipher transfer object. For a given user, the intelligent cipher transfer object may provide access to some of the participants while preventing access to other participants, based on the portable dynamic rule set therein.

Abstract: Disclosed are various embodiments for preventing the unintended leakage of cookie data. In one embodiment, a browser application stores cookie data from a first network site having a high-level domain in a client computing device. A classification is assigned to a second network site having the high-level domain. The cookie data is sent to the second network site based at least in part on the classification rather than the default behavior of the browser application.

Abstract: A disclosure of the present specification provides a method for processing a NAS request message by an MMF node. The method may comprise the steps of: when it is identified that an NAS request message has been received through a second access network, checking whether a first MM context and a first security context are included therein; and acquiring a second security context from an authentication CP node, and generating a second MM context.

Abstract: An example operation may include one or more of registering, by a data sharing node, a first service node and a second service node for accessing a common data store, causing, by the data sharing node, a first client node associated with the first service node to provide a data access request token key and a receipt key to a second client node associated with the second service node based on a data access request received from the second client node, assigning, by the data sharing node, weights to the data access request token key and to the receipt key, and causing, by the data sharing node, the second service node to retrieve a result from the data source based on the assigned weights.

Abstract: A system for controlling playback of various types of content includes a first computing device that provides a unique identifier to a second computing device to establish an association there between. By virtue of the established association, the second computing device can send one or more messages to the first computing device, the one or more messages referencing a piece of content associated with a first media playing element of a plurality of media playing elements, and one or more commands corresponding to the first media playing element. The first computing device can select the first media playing element based on the received one or more messages, and control how the first media playing element plays the referenced piece of content utilizing the one or more commands.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.

Abstract: Disclosed are various approaches for remotely hosted management of network virtualization. In one approach, an administrative user at a client device is authenticated by a computing device for access to manage a network located remotely from the computing device. One or more commands are received from the client device to configure a software-defined networking rule for the network. The computing device communicates with one or more services on the network to implement the software-defined networking rule. A status of implementing the software-defined networking rule is reported to the client device.

Abstract: A method is described. The method includes receiving an access request from a router, the router having received the access request from a client device, the client device initiating the access request to obtain access to a website or application. The method also includes sending an authorization request to an authorizing user, the authorization request comprising the access request, thereby enabling the authorizing user to see information related to the access sought to be obtained. The method further includes receiving an authorization response from the authorizing user. The method additionally includes sending the authorization response to the router, enabling the router to act on the access request.

Abstract: A wireless communication device includes a network component, a wireless communication component, a memory, a trusted visitor management component and a primary user notification component. The network component can establish a primary wireless local area network and can establish a trusted visitor wireless local area network. The wireless communication component can receive a primary user identification and can receive a trusted visitor identification. The trusted visitor management component can generate a permission based on a stored trusted visitor identification and the trusted visitor identification. The primary user notification component can generate a primary user notification based on the permission. The network component can connect a trusted visitor wireless communication device to the trusted visitor wireless local area network based on the permission.

Abstract: Systems and methods for limiting calls to access a cloud-based system are disclosed. The systems and methods obtain a rate limiting policy including at least one attribute and a counting interval, the at least one attribute including at least one of a username associated with a client, an instance, an organization associated with the client, a resource being requested, a service being requested, a geographical access region, and an Application Programming Interface (API) being requested. The systems and methods also mark an entry, based on the rate limiting policy, in a database for each call the client makes. The systems and methods further enforce the rate liming policy by not processing calls from the client associated with the at least one attribute that are made for a count of calls marked that is beyond the counting interval.

Abstract: According to one embodiment, a semiconductor memory device includes a memory cell array, a data storage circuit and a control circuit. The data storage circuit holds first data to be written into the memory cell and holds 1 bit data calculated from the first data. The control circuit writes the data of n bits into the memory cell in a first write operation and then executes a second write operation. The control circuit carries out the following control in the second write operation. It reads data stored in the memory cell in the first write operation. It restores the first data based on the data read from the memory cell and the 1 bit data held in the data storage circuit. It writes the restored first data into the memory cell.

Abstract: Systems and methods for authentication with resistance to replay attacks are provided. A device may be used to capture image data of a physical token to authenticate or identify a user. Authentication information may be obtained by processing and analyzing the captured image data. Data about a state of the imaging device and the captured image data may be used for fraud detection. The data may be collected when the image data is processed and analyzed. The state of the imaging device and captured image data are unlikely to be repeated. The detected repetition of a state of the imaging device and captured image data may be a cause for increasing the likelihood that a replay attack is taking place. The device may be used to perform a transaction.

Abstract: The present disclosure relates to a system, method, and computer-program product for identifying and tagging users. Embodiments may include receiving, using at least one processor, a first content request. Embodiments may further include associating a user-access identifier with a first portion of data from the first content request based upon a second portion of the data from the first content request. Embodiments may also include storing the first portion of data from the first content request and the user-access identifier within a memory system. Embodiments may further include receiving a second content request. Embodiments may also include generating a user-identifier tag based upon the user-access identifier stored in the memory system, the first portion of data from the first content request, and a first portion of data from the second content request. Embodiments may further include providing a response to the second content request, the response including the user-identifier tag.

Abstract: Techniques for establishing mutual authentication of software layers of an application are described. During initialization of the application, the software layers execute a binding algorithm to exchange secrets to bind the software layers to one another. During subsequent runtime of the software application, the software layers execute a runtime key derivation algorithm to combine the secrets shared during initialization with dynamic time information to generate a data encryption key. The software layers can then securely transfer data with each other by encrypting and decrypting data exchanged between the software layers using the dynamically generated data encryption key.

Abstract: Disclosed herein is a system for facilitating determining contextual and semantic meaning from an image scan. The system may include a communication device configured for receiving a plurality of images from at least one source device, receiving an image scan from at least one user device and transmitting an interpretability notification to the at least one user device. Further, the system may include a processing device configured for analyzing the plurality of images, identifying an image metadata based on the analyzing, analyzing the image scan, identifying an image scan metadata based on the analyzing of the image scan, comparing the image scan metadata and the image metadata, determining an interpretability of the image scan based on the comparing, and generating the interpretability notification based on the determining.

Abstract: Techniques are described for client registration for authorizing an aggregator service to access data on behalf of an application, through self-registration of an application client identifier and issuance of authorization token(s) based on the application client identifier. Implementations provide a technique for dynamic client registration that avoids the need for manual vetting and manual generation of the client credential grant. Additionally, the implementations described herein enforce domain values around the scope and/or purpose of the client grant. This allows for support of application providers through a single point of registration that supports multi-layer and channel. This also allows for support of a scalable authorization solution for any suitable number of clients. The dynamic client registration process adds an additional layer of security through the OAuth client grant and mutual authentication.

Abstract: Methods, computer program products, and systems are presented. The method computer program products, and systems can include, for instance: examining ledger data of a blockchain ledger; examining node data of a plurality of candidate nodes, wherein the examining node data includes examining data of candidate nodal networks associated to respective ones of the plurality of candidate nodes; and transitioning blockchain ledger access in dependence on the examining of the ledger data and in dependence on the examining of the node data, wherein the transitioning blockchain ledger access includes transitioning blockchain ledger access between a first candidate node and a second candidate node of the plurality of candidate nodes.

Abstract: Methods, computer program products, and systems are presented. The method computer program products, and systems can include, for instance: examining ledger data of a blockchain ledger; examining node data of a plurality of candidate nodes, wherein the examining node data includes examining data of candidate nodal networks associated to respective ones of the plurality of candidate nodes; and transitioning blockchain ledger access in dependence on the examining of the ledger data and in dependence on the examining of the node data, wherein the transitioning blockchain ledger access includes transitioning blockchain ledger access between a first candidate node and a second candidate node of the plurality of candidate nodes.

Abstract: Systems and methods are described herein for providing multiple, different types of information for mobile devices and associated users to requesting systems, such as customer service systems provided by telecommunications carriers. The systems and methods may generate a single API that, when called by a requesting system (e.g., via a request transmitted by the requesting system that includes subscriber or device information), provides data collected from multiple, disparate data sources back to the requesting system via the single API.

Abstract: Disclosed herein are methods, systems, and processes for managing and controlling the collective behavior of deception computing system fleets. A malicious attack initiated by a malicious attacker received by a honeypot that is part of a network along with other honeypots is detected. Information associated with the malicious attack is received from the honeypot. Based on the received information, a subset of honeypots other than the honeypot are configured to entice the attacker to engage with the subset of honeypots or avoid the subset of honeypots.

Abstract: The disclosed computer-implemented method for controlling access to information stored in an information retention system may include (1) receiving, at a computing device, metadata associated with an object type of respective objects, where at least two of the respective objects are in different domains, (2) determining, from the metadata, the respective object types of at least two objects, (3) forming a hierarchy of the at least two objects based on relative features of the respective object types, and (4) performing a security action comprising (A) receiving at least one access rule controlling access by at least one user to the at least two objects and (B) storing, in at least one storage device in the information retention system, the at least one access rule, the hierarchy of the objects, and the at least two objects. Various other methods, systems, and computer-readable media are also disclosed.