Abstract: A system for mitigation of cyberattacks employing an advanced cyber decision platform comprising a time series data store, a directed computational graph module, an action outcome simulation module, and an observation and state estimation module, wherein the state of a network is monitored and used to produce a cyber-physical graph representing network resources, simulated network events are produced and monitored, and the network events and their effects are analyzed to produce security recommendations.
Abstract: Techniques for providing security for Cellular Internet of Things (CIoT) in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for enhanced security for CIoT in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session, in which the session is associated with a CIoT device; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscriber identity and the application identifier.
Type: Grant
Filed: June 14, 2020
Date of Patent: May 3, 2022
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Lei Chang
Abstract: Techniques for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a device identifier for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the device identifier and the application identifier.
Type: Grant
Filed: May 21, 2020
Date of Patent: May 3, 2022
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Chang Li
Abstract: A computer-implemented method for authentication using a hashed fried password may include receiving a password value of a user, a salt key, a pepper key, and/or a temporary and randomly generated fry key, or otherwise modifying/appending the password with the salt key, pepper key, and/or fry key. The method may include hashing the modified password, such as performing a hash operation similar to Hash (Password, Salt Key, Pepper Key, Temporary Fry Key). The randomly generated fry key is not saved or otherwise stored, either locally or remotely. A remote server attempting to authenticate the user's password may check for each possible fry key, such as checking against a set of preapproved fry keys, that the hashed fried password may have been modified with in parallel. As a result, an online customer experience requiring a password is not impacted or impeded, while an attacker's attempts to learn the password are frustrated.
Type: Grant
Filed: May 10, 2018
Date of Patent: May 3, 2022
Assignee: State Farm Mutual Automobile Insurance Company
Abstract: A distributed ledger, e.g., blockchain, enabled operating environment includes a user device that accesses services of a service device by leveraging the decentralized blockchain. For example, a user device can lock/unlock a door (e.g., service device) by interfacing with a smart contract stored on the decentralized blockchain. The user device provides parameters, such as payment, that satisfies the variables of the smart contract such that the user device can access the service device. The service device regularly retrieves information stored in the smart contract on the decentralized blockchain. For example, the retrieved information can specify that the user device is authorized to access the service device or that the service device is to provide a service. Therefore, given the retrieved information, the service device provides the service to the user device.
Type: Grant
Filed: April 9, 2020
Date of Patent: April 26, 2022
Assignee: BC DEVELOPMENT LABS GMBH
Inventors: Christoph Jentzsch, Simon Jentzsch, Stéphane Tual
Abstract: A system and method to identify and prevent cybersecurity attacks on modern, highly-interconnected networks, to identify attacks before data loss occurs, using a combination of human level, device level, system level, and organizational level monitoring.
Abstract: A secured system includes at least one semiconductor chip comprising information processing circuitry. An array of contact pads is disposed on a surface of the chip and is electrically coupled to the information processing circuitry. The secured system includes one or more semiconductor chiplets. Each chiplet comprises at least a portion of at least one hardware trusted platform module that cryptographically secures the information processing circuitry. An array of electrically conductive microsprings is disposed on a surface of the chiplet and is electrically coupled between the hardware trusted platform module and the contact pads.
Type: Grant
Filed: April 20, 2017
Date of Patent: March 29, 2022
Assignee: Palo Alto Research Center Incorporated
Inventors: Warren B. Jackson, Vanishree Rao, Eugene M. Chow
Abstract: A system and a method for analyzing files using visual cues in the presentation of the file are provided. These visual aids may be extracted using a convolutional neural network, classified, and used in conjunction with file metadata to determine whether a provided document is likely to be malicious. This methodology may be extended to detect a variety of social engineering-related attacks, including phishing sites or malicious emails. A method for analyzing a received file to determine whether the received file comprises malicious code begins with generating the image that would be displayed if the received file were opened by the native software program. The image is then analyzed, and object boundaries data is generated. Metadata is also extracted from the received file. Then, a maliciousness score is generated based on the object boundaries data, the metadata, and a reference dataset.
Abstract: Techniques for establishing a secure communication channel between a trusted portion of a system and another portion of the system and providing data over the secure communication channel are described herein. For example, a system may implement a Trusted Execution Environment (TEE) and a TEE component associated with the TEE. The TEE component may establish a secure communication channel with a Network Interface Controller (NIC) on the system, such as a smart NIC that is configured to encrypt/decrypt data and/or perform other operations. The TEE component may receive one or more cryptographic keys from a service provider and provide the one or more cryptographic keys to the NIC via the secure communication channel. The NIC may use the one or more cryptographic keys to encrypt data to send to another device, decrypt data that is received from another device, or otherwise encrypt/decrypt data.
Abstract: A method for execution by a dispersed storage and task (DST) processing unit includes: generating an encoded data slice from a dispersed storage encoding of a data object and determining when the encoded data slice will not be stored in local dispersed storage. When the encoded data slice will not be stored in the local dispersed storage, the encoded data slice is stored via at least one elastic slice in an elastic dispersed storage, cryptographic material and an elastic storage pointer indicating a location of the elastic slice in the elastic dispersed storage are generated, and the cryptographic material and the elastic storage pointer are stored in the local dispersed storage.
Type: Grant
Filed: June 25, 2019
Date of Patent: February 15, 2022
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Wesley B. Leggette, Manish Motwani, Brian F. Ober, Jason K. Resch
Abstract: A proxy node protects at least one edge node in a network of nodes. The proxy node includes a communications module for communicatively coupling the proxy node with the edge node so that all communications to and from that edge node go through the proxy node. The proxy node also has at least one isolated area that is associated with the at least one edge node. The isolated area stores application software for the associated edge node.
Abstract: Various techniques for split tunneling based on content type are disclosed. In some embodiments, a system, process, and/or computer program product for split tunneling based on content type includes monitoring session traffic received at a data appliance; determining if the session traffic is associated with a first content type; and redirecting the session traffic if the session traffic is associated with the first content type based on a policy.
Type: Grant
Filed: April 30, 2018
Date of Patent: February 1, 2022
Assignee: Palo Alto Networks, Inc.
Inventors: Yongjie Yin, Joby Menon, Andrey Tverdokhleb, Kevin Yao
Abstract: A communication device for communication with a network device during EAP-AKA'. The communication device is operative to receive a first Perfect Forward Secrecy, PFS, parameter value and at least one attribute value indicating a choice of a Diffie-Hellman group from the network device. The communication device is also operative to receive a cipher key, CK, and an integrity key, IK, and to generate a modified cipher key, CK', and a modified integrity key, IK', based on CK, IK and an access network identity. Operations further include calculating a second PFS parameter value, sending the second PFS parameter value to the network device, calculating a third PFS parameter value, and deriving, using a pseudo-random function, a key based on the third PFS parameter value, CK', IK' and an identity associated with the communication device. A network device, methods, further communication devices, a server, computer programs and a computer program product are also disclosed.
Type: Grant
Filed: October 30, 2018
Date of Patent: January 18, 2022
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Jari Arkko, Karl Norrman, Vesa Torvinen
Abstract: Disclosed embodiments relate to systems and methods for identifying vulnerabilities for virtualized execution instances to escape their operating environment and threaten a host environment. Techniques include identifying a virtualized execution instance configured for deployment on a host in a virtual computing environment; performing a privileged configuration inspection for the virtualized execution instance, the privileged configuration inspection analyzing whether the virtualized execution instance has been configured with one or more attributes that can permit operation of the virtualized execution instance to perform operations, beyond an environment of the virtualized execution instance, on an environment of the host; and implementing, based on the privileged configuration inspection, a control action for controlling the virtualized execution instance's ability to perform operations on the environment of the host.
Abstract: A system and method are provided for improving data movement perimeter monitoring and detecting non-compliant data movement within a computing environment. The perimeter monitoring process includes generating a forwarding configuration associated with activity logs, such as activity logs associated with a test environment. The forwarding configuration may include specific fields and file types, or the contents of those specific fields and files, that facilitate, or are necessary for, perimeter monitoring or otherwise determining which activity log data elements are needed by the “operational intel tool”, so as to reduce, or even substantially reduce, the amount of data input to or analyzed by the operational intel tool and thus its processing load. The forwarding configuration is input into an “operational intel tool”. Mainframe data is normalized and analyzed to identify abnormal data flows and generate electronic alerts to facilitate perimeter monitoring.
Type: Grant
Filed: April 30, 2020
Date of Patent: January 4, 2022
Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
Inventors: Richard J. Bush, Jr., Zebediah R. Black
Abstract: This specification relates to methods and systems for content management. One of the methods includes: receiving data identifying a user; verifying that the user is an authorized user; receiving initial content from the authorized user; encrypting the initial content using an encryption key to produce encrypted content; forwarding the encrypted content for storage; creating content storage metadata; encrypting the content storage metadata to provide encrypted content storage metadata; and forwarding the encrypted content storage metadata to a blockchain such as a public ledger.
Abstract: Embodiments of the present invention provide an authenticating service for a chip having an intrinsic identifier (ID). In a typical embodiment, an authenticating device is provided that includes an identification (ID) engine, a self-test engine, and an intrinsic component. The intrinsic component is associated with a chip and includes an intrinsic feature. The self-test engine retrieves the intrinsic feature and communicates it to the identification engine. The identification engine receives the intrinsic feature, generates a first authentication value using the intrinsic feature, and stores the authentication value in memory. The self-test engine generates a second authentication value using an authentication challenge. The identification engine includes compare circuitry that compares the first authentication value and the second authentication value and generates an authentication output value based on the result of comparing the two values.
Type: Grant
Filed: November 6, 2019
Date of Patent: December 28, 2021
Assignee: International Business Machines Corporation
Inventors: Srivatsan Chellappa, Subramanian S. Iyer, Toshiaki Kirihata, Sami Rosenblatt
Abstract: Systems and methods for encrypting system level data structures are described. A storage system may include a storage drive and at least one controller for the storage drive. In some embodiments, the at least one controller may be configured to identify user data assigned to be stored on the storage drive, encrypt the user data, identify a system data structure generated in relation to the user data, and encrypt the system data structure. In some cases, the data structure may include at least one of metadata, system data, and data encapsulation relative to the user data. In some embodiments, the user data and the data structure may be encrypted with one or more encryption keys programmed on the storage drive.
Type: Grant
Filed: July 15, 2016
Date of Patent: December 28, 2021
Assignee: SEAGATE TECHNOLOGY LLC
Inventors: Robert W. Moss, Stacey Secatch, Kristofer C. Conklin, Dana L. Simonson
Abstract: The embodiments of the disclosure provide a method for authentication and authorization and an authentication server. The disclosure provides a user management mechanism shared by multiple applications, so that each application does not need to have its own user management mechanism. In this manner, the security mechanism can be provided by the authentication server to improve the security of the user data.