Abstract: A system for “horizontal” salting of database tables, text files, and data feeds utilizes a key field and character position within that field (the “Key Character”) and a Salting Field, which contains content that can legitimately be in one of at least two states without impacting the usefulness of the data. A unique identifier, which is assigned to the recipient of the data, is hidden within the data by using the variations of the states in the Salting Field to represent a binary 0 or 1, with the value of the Key Character identifying the bit position of the binary 0 or 1 within the unique identifier. This type of salting is invisible to the recipient of the data file, does not alter the accuracy of the data, and can be made unique for a particular party receiving data files or unique for each data file.

Abstract: Methods and systems for implementing single sign on (SSO) and/or conditional access for client applications are described herein. The system may comprise an identity provider gateway, and the system may authenticate a user of the client application using the identity provider gateway. In some aspects, a secure communication tunnel may be established between the client application and the identity provider gateway, and the secure communication tunnel may use, for example, a client certificate. The identity provider gateway may grant or deny the client application access to one or more resources based on information associated with the client certificate.

Abstract: A method of verifying the integrity of a virtual machine in a cloud computing deployment comprises: creating a virtual machine image derived from a trusted virtual machine, wherein the trusted virtual machine has a Keyless Signature Infrastructure signature stored in a signature store; and verifying that a computation resource can be trusted. If it is verified that a computation resource can be trusted, the method further comprises: submitting the virtual machine image to the trusted computation resource; checking a signature of the virtual machine image against the stored signature of the trusted virtual machine; launching the virtual machine image on the trusted computation resource, and creating a Keyless Signature Infrastructure signature of the virtual machine image; and storing the signature of the virtual machine image in a signature store.

Abstract: The current document is directed to reverse federated identity-management systems and to reverse-federated-identity-management methods employed by the reverse federated identity-management systems. The currently disclosed reverse-federated-identity-management systems automatically provision local proxy identities in distributed computers systems from which distributed resource-distribution systems allocate resources on behalf of users and clients of the distributed resource-distribution systems. In addition, the currently disclosed reverse-federated-identity-management systems automatically record associations of local proxy identities with users and clients of the distributed resource-distribution systems so that the users can be subsequently identified to auditing and monitoring organizations should the need for detailed auditing and monitoring subsequently arise.

Abstract: A system includes a plurality of servers, a control plane to determine a first partition of a plurality of devices and to determine a subset of the plurality of servers to assign as candidate servers for the first partition, and a common data store comprising a first stream and a second stream. The control plane is to store, in the first stream, a first message indicating the first partition, the candidate servers, the second stream, and a first message tag, the candidate servers elect a primary server of the first partition from the candidate servers using the first stream, and the elected primary server inserts read and write updates associated with the plurality of devices of the first partition into the second stream.

Abstract: Technology is described for registering Internet of Things (IoT) devices. A hub device may receive a request for hub registration from an IoT device. The request for hub registration may include IoT device information. The hub device may validate the request for hub registration at the hub device based on the IoT device information. The hub device may retrieve registration information from an IoT service. The registration information may include a dedicated security certificate for the IoT device. The hub device may forward the registration information to the IoT device to enable the IoT device to communicate IoT device data to the IoT service.

Abstract: A system for determining a calculation utilizing differential privacy including an interface and a processor. The interface is configured to receive a request to determine a result of a calculation using multitenanted data. The processor is configured to determine result data by performing the calculation on the multitenanted data; determine a deterministic modification in the event that the deterministic modification is needed to ensure privacy; modify the result data using the deterministic modification to determine modified result data; and provide the modified result data.

Abstract: The systems, methods and apparatuses described herein provide a computing device that is configured to attest itself to a communication partner. In one aspect, the computing device may comprise a communication port configured to receive an attestation request from the communication partner, and an application-specific integrated circuit (ASIC). The ASIC may be configured to receive the attestation request from the communication port. The attestation request may include a nonce generated at the communication partner. The ASIC may be further generate a verification value and send the verification value to the communication port to be transmitted back to the communication partner. The verification value may be a computation result of a predefined function taking the nonce as an initial value. In another aspect, the communication partner is configured to attest the computing device using speed of computation attestation.

Abstract: A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method begins by determining a DSN node configuration automatically during deployment. The method continues by modifying the DSN node configuration to enable/disable specific hardware features. The method continues by modifying the DSN node configuration to test hardware failure scenarios. The method continues by modifying the DSN node configuration for component replacement procedures. The method continues by reporting the modified DSN node configuration to a DSN management unit and providing a status on component and health of the DSN node to an operator of the DSN.

Abstract: Embodiments of the present disclosure are directed to, among other things, improving data security with respect to data collection, verification, and authentication techniques associated with obtaining and transmitting identity information. For example, an identity credential may be secured using biometric information associated with a user, the biometric information being obtained using a first biometric input method of a plurality of biometric input methods. When the user is later authenticated, the authentication may be based at least in part on determining that the user has selected a biometric input method that matches the biometric input method used to secure the credential as well as providing biometric information that matches the biometric information used to secure the identity credential.

Abstract: Authentication with security in wireless networks may be provided. A first confirm message comprising a first send-confirm element and a first confirm element may be received. Next, an Authenticator Number Used Once (ANonce) may be generated and a second confirm message may be sent comprising the ANonce, a second send-confirm element, and a second confirm element. Then an association request may be received comprising a Supplicant Number Used Once (SNonce) and a Message Integrity Code (MIC). An association response may be sent comprising an encrypted Group Temporal Key (GTK), an encrypted Integrity Group Temporal Key (IGTK), the ANonce, and the MIC. An acknowledgment may be received comprising the MIC in an Extensible Authentication Protocol (EAP) over LAN (EAPoL) key frame and a controller port may be unblocked in response to receiving the acknowledgment.

Abstract: Systems and methods for device-agnostic, multi-factor network authentication are disclosed. In some embodiments, a wireless network connection can authenticate a device over secure authentication means with a certificate that confirms a device identity. After authenticating the device, a user can be prompted to provide credentials in a captive portal. The captive portal can be inaccessible to devices that have not already authenticated using a certificate. After providing approved credentials to the captive portal, the user can access the network. This embodiment and additional embodiments are readily integrated into private wireless networks and others.

Abstract: A device comprises: a receiver configured to receive a client certificate; a processor coupled to the receiver and configured to: authenticate the client certificate, extract, in response to the authentication, attributes from the client certificate, and create, in response to the extraction, a message comprising reformatted attributes based on the attributes, wherein the reformatted attributes can be trusted; and a transmitter coupled to the processor and configured to transmit the message. A device comprises: a processor configured to: process a client certificate comprising a certificate identifier (ID) attribute, a tenant ID attribute, and a role ID attribute, and package the client certificate in a request for a shared service; and a transmitter coupled to the processor and configured to transmit the request.

Abstract: Embodiments of the present invention provide an automated network security system for dynamically managing network security rules. The system uses a cognitive engine to capture network traffic and analyze behavioral data about said network traffic. Based on analysis of the behavioral data, the system may identify one or more vulnerabilities in the network security system and determine one or more changes to the network security rules to remedy the one or more vulnerabilities. The system further uses a robotic process automation system to test and simulate the one or more changes.

Abstract: Among other things, this document describes systems, methods, and apparatus for monitoring and protecting a user credential issued by an organization when that credential is used outside that organization's network security perimeter. For example, a reverse proxy server (RPS) receives a client request directed to a content provider's site. The RPS initiates a process that involves parsing the request message and extracting a user credential. The RPS locates a credential policy from the credential owner based on the user credential. The RPS can issue an API request to a credential service that is authoritative for the credential. That credential service may return a directive to the RPS specifying how to handle the client request message. Preferably, the operation is transparent to the content provider whose site was the target of the client's request message. Activity records can be presented in visualizations that enhance security analysts' tactical comprehension at a glance.

Abstract: A technique and system provide protection to a protected document while being viewed on a Web browser or mobile application on a mobile device, such as a smartphone or tablet. Methods, techniques, and systems control access to protected documents and use of content in protected documents to support information management policies.

Abstract: A vehicle includes a controller, programmed to responsive to wirelessly connecting to a mobile device using a mobile credential issued from a server within a time frame specified in the mobile credential, issue an access token to the mobile device, and responsive to receiving a command authorized by the access token from the mobile device, route the command to a vehicle subsystem for execution.

Abstract: Methods, apparatus, and systems are provided to secure access to an account of a user. The account may have a system administrator. The user may have a credential for accessing the secure data on the account. The methods, apparatus, and systems involve setting a universal reset credential associated with the account, denying the system administrator of the account permission to change the first credential of the access feature, and permitting the system administrator to reset the access feature from the first credential to the universal reset credential.

Abstract: Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.

Abstract: The present disclosure relates to techniques for helping targeted users determine whether it is safe to supply personal information requested by a web site. In one embodiment, a method generally includes extracting textual content from a web page that requests information from a user and determining, based on the textual content, the type of information requested. A service type the web page provides is also determined based on the textual content. The service type and the information type are then compared to a set of predefined rules to determine a risk level associated with the web page. A visual indicator of the risk level is then displayed with the web page.

Abstract: Technology for interoperability is disclosed by enabling the sharing of application state data for an application experience across computing devices, operating systems, applications, or locations. In one aspect, a secondary application shares encrypted state data along with a non-encrypted hint that describes the application experience reflected in the state data with a primary application. The primary application is then able to use the hint to determine that a user is interested in returning to the experience in the secondary application. The primary application then transfers the encrypted state data to the secondary application which uses the state data to return the application to the application experience. A platform and application programming interface (API) are provided for computer applications and services to store and retrieve application state data associated with an event.

Abstract: There is disclosed a method of establishing trust between an agent device and a verification apparatus, the method comprising: obtaining, at the agent device, a trust credential, wherein the trust credential relates to an aspect of the agent device and comprises authentication information for identifying at least one party trusted by the verification apparatus and/or device data relating to the agent device; transmitting, from the agent device to the verification apparatus, the trust credential; obtaining, at the verification apparatus, the trust credential; analysing, at the verification apparatus, the trust credential; determining, at the verification apparatus, whether the agent device is trusted based on the analysis; and responsive to determining the agent device is trusted, establishing trust between the agent device and the verification apparatus.

Abstract: Embodiments of the present invention enable setup synchronization of an end user medical device such as a blood glucose meter. Some embodiments may include a controller including a memory; a transceiver operatively coupled to the controller; and a host computer interface operative to couple the controller to a host computer, wherein the memory is operative to store instructions executable on the controller. The instructions are adapted to cause the controller to scan for an advertising medical device using the transceiver, establish a communications connection with a medical device advertising for synchronization, and transmit synchronization data to a medical device once a communication connection has been estabilshed. Numerous other aspects are disclosed.

Abstract: A shared communication system associates a plurality of owner profiles with the device and processes user interaction requests based on information included in the owner profiles. The communication system classifies incoming requests based on whether the results of a request should be personal to one user, shared among several users, or generic to all users, and processes requests according to the classification. In one embodiment, the user request is targeted at establishing a video call session between a user of the communication system and one or more other target recipient users of a communications system. The communication system determines which user to associate with the outgoing video call based on which user has the target recipient in an associated contacts list.

Abstract: A system and method for a secure remote payments process and for generation of one-time only remote payment cards is presented. Use of the one-time payment (OTP) cards can use multi-factor authentication where one factor is a biometric technique. A process can include generating an OTP card number based on a first encryption algorithm, an expiry date, and a security code based on a second encryption algorithm. A purchase amount, and the OTP card information are decrypted by an issuer to approve payment for a remote payment, after which the OTP card is no longer valid.

Abstract: An information processing system includes a first sound reception apparatus, a first server, and a second server. The first sound reception apparatus includes an input unit and a communication unit. The input unit receives an input password. The communication unit transmits the input password and identification information regarding the first sound reception apparatus. The second server includes a generation unit, a determination unit, and an information generation unit. The determination unit determines whether the input password and the generated password match. The information generation unit generates first association information on the basis of a result of the determination made by the determination unit.

Abstract: A computer security protection may be provided by dynamic computer system certification. User usage of a computer system may be monitored. Based on the monitoring a role of the user in the usage of the computer system is determined. A certification required for the role and whether the user has the certification sufficient for the role are determined. Responsive to determining that the user does not have the certification sufficient for the role, a certification process is initiated.

Abstract: A processing device in an illustrative embodiment includes a processor coupled to a memory and is configured to receive user credentials from a user device in conjunction with an access request, to apply one or more automated tests in order to determine one or more device identifiers of the user device, to generate a risk score for the access request based at least in part on the received user credentials and the one or more determined device identifiers, and to grant or deny the access request based at least in part on the risk score.

Abstract: A computer implemented method for controlling a device on a software defined network (SDN) in response to environmental data. The method comprises receiving environmental data. A master SDN controller is provided for controlling the SDN network. Control data is generated by the master SDN controller in response to the environmental data. A co-controller is generated by the master SDN controller containing the control data. The co-controller is dispatched to the device for residing thereon. The device is controlled in response to the control data.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, to provide digital identification. One of these methods includes comparing the location of a requester of a digital identification to the location of an owner of the digital identification. The method also includes providing information about the digital identification to the requester based at least in part on determining that the requester and the owner are within a predetermined distance.

Abstract: A verification information update method includes: receiving a first request message for binding to a smart device from a terminal device, the first request message carrying a universally unique identifier (UUID) of the smart device; determining a binding relationship between the UUID and a user identifier of the terminal device, and generating a session random number corresponding to the binding relationship; and generating a new verification number and a new verification password of the smart device based on the session random number. The technical solution of the present disclosure implement dynamic update of verification information during a session, thus increasing the difficulty in monitoring the verification information during update.

Abstract: A computer implemented method for controlling a software defined network (SDN). Comprising providing one or more voice-user interfaces which are configured for facilitating users controlling networked devices. Generating control data based on speech input received from users via the voice-user interfaces. Provising a master SDN controller for managing data flow control on the SDN network. The master SDN controller being operable to generate control data for the networked devices. Generating by the master SDN controller a plurality of discrete co-controllers each associated with a particular end user. Each SDN co-controller including at least one of control data and routing data for an associated networked device. Dispatching the SDN co-controller by the master SDN controller to the networked devices associated with the respective end users for controlling thereof. Installing the SDN co-controller on the networked devices.

Abstract: An emergency communication server is provided for collaboration of an emergency response. The server comprises a processing system including a processor. The processing system is configured to receive an input from an electronic device, the electronic device being operated by a member from an originating communication group, upon receipt of the input from the electronic device, generate a notification based on the received input and send the generated notification to at least one member in the originating communication group, determine one or more receiving communication groups for the received input, send the notification to at least one member in each of the determined one or more receiving communication groups, and enable the at least one member in each of the determined one or more receiving communication groups to communicate with one or more members of the originating communication group.

Abstract: Methods, apparatuses, and computer programs for increasing the efficiency of throughput in a communications network are disclosed. To maintain link throughput even when packet loss is detected, deep packet inspection data is used for determining whether to temporary elevate scheduling priority of a stream, and if the decision is to elevate, the scheduling priority of the stream is elevated temporarily. Thus, an example method includes detecting at an intermediate network node an incoming packet; determining deep packet inspection data from the packet; using the deep packet inspection data to determine whether to temporary elevate scheduling priority of the stream the packet belongs to; and causing, in response to determining to elevate scheduling priority of the stream, a temporary elevation of the scheduling priority of the stream.

Abstract: Disclosed are various approaches for relaying and caching authentication credentials. A single sign-on (SSO) token is received, the SSO token representing a user account authenticated with an identity manager. An authentication request is then sent to a service that is federated with the identity manager in response to receipt of the SSO token, the authentication request including the SSO token. An access token is received in response to the authentication request, the access token providing access to the service for the user account authenticated with the identity manager for a predefined period of time. The access token and a link between the access token and the SSO token are then cached.

Abstract: A method for enhancing customer authentication and consent for finalizing an offer to a customer of a product and/or a service is provided. The method may include using a first receiver to receive an authentication request from an initiator. The authentication request may include a customer name and a customer phone number. The method may also include using a first processor to generate a pin number and transmit the pin number to the customer phone number. The pin number may include an identifier associated with the product and/or service. The method may further include using a second receiver, included in a mobile phone, to receive the pin number, and using a second processor, included on the mobile phone, to authenticate the pin number. The authentication may include verifying a match between the customer phone number and a mobile phone number associated with the mobile phone.

Abstract: Disclosed herein is a technique for managing permissions associated with the control of a host device that are provided to a group of wireless devices. The host device is configured to pair with a first wireless device. In response to pairing with the first wireless device, the host device grants a first level of permissions for controlling the host device to the first wireless device. Subsequently, the host device can receive a second request from a second wireless device to pair with the host device. In response to pairing with the second wireless device, the host device can grant a second level of permissions for controlling the host device to second wireless device, where the second level of permissions is distinct from the first level of permissions.

Abstract: Temporary biometric templates for maintaining a user authenticated state are described herein. In some implementation, an electronic device receives an input to unlock using a first secure authentication technique to initiate a current unlock session. A temporary biometric template of a biometric feature of a user unlocking the electronic device is created effective to initiate a user authenticated state. The biometric feature of the user associated with the temporary biometric template is tracked during the current unlock session. The user authenticated state is maintained based on a comparison of the tracked biometric feature of the user with the biometric feature of the temporary biometric template. When the biometric feature of the user can no longer be tracked, the user authenticated state is terminated and the temporary biometric template is invalidated.

Abstract: Systems and methods for embodiments of a graph based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities or entitlements of a distributed networked enterprise computing environment. Specifically, in certain embodiments, an artificial intelligence based identity management systems may utilize the peer grouping of an identity graph (or peer grouping of portions or subgraphs thereof) to identify roles from peer groups or the like.

Abstract: A device-to-device (D2D) communication method is provided. According to an inventive concept, the method comprises, storing, by a first device, first authentication data including a hash chain, which is a sequential concatenation of hash values, and storing, by a second device, second authentication data including an initial hash value of the hash chain, transmitting, by the first device, a final hash value of the hash chain to the second device, determining, by the second device, whether authentication between the first and second devices has succeeded by repeatedly hashing the initial hash value stored in the second device until a hash value identical to the final hash value is returned, and if a determination is made that authentication between the first and second devices has succeeded, performing, by the first and second devices, a connection establishment process for establishing a connection between the first and second devices.

Abstract: The invention relates to method and apparatus for generating and applying a homepage ID number used as user identification of a user in a homepage system. The method includes obtaining a homepage ID number generation class; when the homepage ID number generation class is a user-type-based generation manner, obtaining a user type of a user, and searching for a matching first number segment according to the user type; receiving a second number segment input by the user, or displaying multiple second number segments for the user to select from and receiving a second number segment determined by the user; generating, according to the first number segment and the second number segment input or selected by the user, a homepage ID number for identifying user identity of the user.

Abstract: A method for controlling an electronic picture frame and corresponding devices. An electronic picture frame cloud platform is configured to verify account information of a mobile terminal after receiving a request for operating the electronic picture frame sent by the mobile terminal through the Internet protocol address of the electronic picture frame. It is configured to allow the mobile terminal to operate the electronic picture frame through the Internet protocol address of the electronic picture frame if the account information is verified to be the pre-stored account information bound to the Internet protocol address of the electronic picture frame; otherwise, it prohibits the mobile terminal to operate the electronic picture frame through the Internet protocol address of the electronic picture frame.

Abstract: A vehicle includes a controller, programmed to responsive to receiving a command from a non-customer party, send an authorization request based on the command and a predefined vehicle parameter to a server; and responsive to receiving a signed command from the server, execute the signed command.

Abstract: Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.

Abstract: A method of recognizing a biological feature is provided. In an example, the method includes: first biological feature data is obtained; a first recognition operation is performed according to the first biological feature data and biological feature template data to obtain a first recognition result; when the first recognition result indicates a match failure, second biological feature data is obtained; and a re-recognition operation is performed according to the second biological feature data and the biological feature template data to obtain a second recognition result. The second biological feature data and the first biological feature data are collected by a same biological feature collector at different moments in a same biological feature recognition process.

Abstract: Various embodiments include a lamp control unit coupled to or part of one or more light emitting diode (LED) based lamps. The lamp control unit can receive, from a lamp commissioning application of a mobile device via a wireless protocol, one or more commissionable lighting parameters to configure light output of the LED based lamps. The lamp control unit can lock access to change the commissionable lighting parameters with a password. One or more operational lighting parameters of the lamp control unit can be adjusted via a control interface (e.g., an adjustable voltage dimmer) other than the wireless protocol. The lamp control unit can drive the LED-based lamps based on the operational lighting parameters and the commissionable lighting parameters.

Abstract: Systems and methods for recording and communicating engine data are provided. One example embodiment is directed to a system for testing communications. The system includes an electronic engine controller. The system includes a wireless communication unit in communication with the electronic engine controller. The wireless communication unit includes one or more memory devices. The wireless communication unit includes one or more processors. The one or more processors are configured to provide a resource to a remote computing device. The one or more processors are configured to receive input from the remote computing device via the resource. The one or more processors are configured to cause a connectivity test to be performed in response to the received input. The one or more processors are configured to transmit a result of the connectivity test to the remote computing device.

Abstract: Various methods and systems are provided for autonomous management for a managed service identity. A first token request, for a secret, is generated at a managed service. The secret supports authenticating the managed service for performing operations in a distributed computing environment. The first token request includes an identity identifier of the managed service. The first token request is communicated to a credentials manager which is associated with a secrets management service (“SMS”) that can be utilized to store, renew and distribute secrets in the distributed computing environment. Based on communicating the first token request to credentials manager, the token is received, via the credentials manager, from the secret token service. The token is received based in part on the credentials manager generating a second token request for the token and communicating the second token request and a secret associated with the managed service to the secret token service.

Abstract: Systems and methods for providing services are disclosed. One aspect comprises authenticating a user associated with a first service, receiving a selection of a second service, generating an opaque identifier associated with the user and the first service, wherein the opaque identifier facilitates the anonymous collection of data relating to the second service. Another aspect can comprise transmitting the opaque identifier to the second service, and receiving data relating to the second service.

Abstract: A method performed by an enterprise search system to conduct an automated, computerized search for select operational attributes of a plurality of network devices is shown. The method comprises initiating the search via a user interface based on receipt of input information, which is used to form a query. The method then determines based on the query, one or more audits each specifying one or more tasks to be performed by at least a first network device to search for the select operational attributes. Subsequently, the method makes the one or more audits available to the first network device via a network, and receives, from the first network device, one or more responses to the query. The method may include generating one or more filter conditions to apply to results of executing the one or more tasks to yield the select operational attributes when included in the results.