Patents by Inventor Marc E. Mosko
Marc E. Mosko has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11956135
  Abstract: Embodiments described herein provide a system for facilitating dynamic content distribution in an enterprise environment. During operation, the system determines a set of logical groups based on a set of grouping criteria. A respective logical group can include one or more devices managed by a controller and a network that provides connections among the one or more devices. The system categorizes the set of logical groups based on exogenous information associated with a respective logical group and determines a corresponding condition of measurement for a respective category of links in the enterprise environment. The system then schedules a link for measurement based on the condition of measurement and the categorization of the set of logical groups.
  Type: Grant
  Filed: November 7, 2018
  Date of Patent: April 9, 2024
  Assignee: Xerox Corporation
  Inventor: Marc E. Mosko
- Patent number: 11930046
  Abstract: A system is provided for determining vulnerability metrics for graph-based configuration security. During operation, the system generates a multi-layer graph for a system with a plurality of interconnected components. The system determines, based on the multi-layer subgraph, a model for a multi-step attack on the system by: calculating, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the system; and calculating, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on the utility of an associated component. The system determines, based on the model, a set of attack paths that can be used in the multi-step attack and recommends a configuration change in the system, thereby facilitating optimization of system security to mitigate attacks on the system while preserving system functionality.
  Type: Grant
  Filed: June 17, 2021
  Date of Patent: March 12, 2024
  Assignee: Xerox Corporation
  Inventors: Massimiliano Albanese, Marc E. Mosko
- Patent number: 11803645
  Abstract: Embodiments provide a system and method for modeling a shared resource in a multi-layer reasoning graph based on configuration security. During operation, the system can obtain a multi-layer graph for a system with a plurality of components that can include a set of subgroups of components. The system can generate, based on the multi-layer graph, an abstract component to represent a shared resource model for a respective subgroup of components. The shared resource model can be associated with a set of resource constraints. The system can generate a set of values for resource configuration parameters that satisfy the resource constraints. The system can map the shared resource model to a respective component and can then determine, based on the mapping and the set of values for the resource configuration parameters, a set of values for the component configuration parameters, thereby facilitating optimization of a security objective function.
  Type: Grant
  Filed: March 12, 2021
  Date of Patent: October 31, 2023
  Assignee: Xerox Corporation
  Inventor: Marc E. Mosko
- Publication number: 20230344856
  Abstract: A system determines an on/off feature and vulnerability and dependency nodes in a graph which represents a system of components. The feature enables vulnerability nodes based on a probability that a vulnerability will be exploited, and a vulnerability degrades a utility of one or more components based on an exposure factor. The system calculates, for a path in the graph to a component, a loss of utility of a given dimension of multiple dimensions based on a combiner operator and a logic operator. The combiner operator takes inputs which represent a weighted probability that the given dimension is degraded, and the logic operator defines the inputs based on a probability and exposure factor. The system aggregates calculated losses of utility across the multiple dimensions for the system components. The system selects a combination of possible on/off feature values which results in a lowest loss of utility for the components.
  Type: Application
  Filed: November 29, 2022
  Publication date: October 26, 2023
  Applicant: Palo Alto Research Center Incorporated
  Inventors: Marc E. Mosko, Massimiliano Albanese, Ibifubara Iganibo
- Publication number: 20230344855
  Abstract: A system determines, in a graph which represents a system of components: vulnerability nodes representing known vulnerabilities to the system, including exposed and non-exposed vulnerability nodes associated with an exploitation likelihood; and dependency nodes representing components in the system, including direct and indirect dependency nodes associated with an exposure factor indicating an amount of degradation based on exploitation of an associated vulnerability. The system calculates, across all non-exposed vulnerability nodes and all direct dependency nodes, a score which indicates an attack volume based on at least: a respective second likelihood associated with a non-exposed vulnerability node; an exposure factor associated with a dependency node which represents a component directly degraded based on exploitation of a vulnerability; and a loss of utility of the component.
  Type: Application
  Filed: June 3, 2022
  Publication date: October 26, 2023
  Applicant: Palo Alto Research Center Incorporated
  Inventors: Massimiliano Albanese, Ibifubara Iganibo, Marc E. Mosko, Alejandro E. Brito
- Patent number: 11729222
  Abstract: Embodiments provide a system and method for extracting configuration-related information for reasoning about the security and functionality of a composed system. During operation, the system determines, by a computing device, information sources associated with hardware and software components of a system, wherein the information sources include at least specification sheets, standard operating procedures, user manuals, and vulnerability databases. The system selects a set of categories of vulnerabilities in a vulnerability database, and ingests the information sources to obtain data in a normalized format. The system extracts, from the ingested information sources, configuration information, vulnerability information, dependency information, and functionality requirements to create a model for the system.
  Type: Grant
  Filed: July 1, 2020
  Date of Patent: August 15, 2023
  Assignee: Palo Alto Research Center Incorporated
  Inventors: Hamed Soroush, Milad Asgari Mehrabadi, Shantanu Rane, Marc E. Mosko
- Patent number: 11625228
  Abstract: Embodiments described herein provide a round-trip engineering system. During operation, the system can maintain an intermediate system representation (ISR) for a set of artifacts of a piece of software. The set of artifacts can include a piece of code and a development model. The ISR can remain persistent upon synchronization of the set of artifacts. The system can incorporate, in a respective component of the ISR, a reference to a code block in the piece of code and a corresponding element in the development model. If the system determines a first update in a first segment of a first artifact of the set of artifacts, the system can identify a second segment in a second artifact from the set of artifacts based on a corresponding component in the ISR. The system can then propagate a second update to the second segment to reflect the first update in the first segment.
  Type: Grant
  Filed: September 30, 2020
  Date of Patent: April 11, 2023
  Assignee: Palo Alto Research Center Incorporated
  Inventors: Marc E. Mosko, Eric A. Bier
- Publication number: 20230086475
  Abstract: A system and method are provided to facilitate securing Windows discretionary access control. During operation, the system determines a Windows domain model including: user-specified desired effective permissions as capability assignments of principals on resources, wherein a respective capability assignment comprises a permission of a respective principal to a respective resource and wherein a respective principal comprises a user or a group of users; and user-specified policies and rules for relationships between principals, groups, and resources. The system creates a domain graph and an access control graph based on the Windows domain model. The domain graph maps paths between nodes representing users, groups, and resources based on the policies and rules. The access control graph allows for calculation of actual permissions of principals on resources based on the desired effective permissions.
  Type: Application
  Filed: August 31, 2022
  Publication date: March 23, 2023
  Applicant: Palo Alto Research Center Incorporated
  Inventor: Marc E. Mosko
- Patent number: 11588809
  Abstract: A certified application is installed onto a content creation device and a mobile certified application is installed onto a mobile device; the applications establish first and second trust relationships with the cloud service. The certified application and mobile certified application establish the third trust relationship via a proximity network. The mobile certified application generates a first ephemeral key pair having a private part. The certified application generates a second ephemeral key pair having a private part. The mobile certified application requests a service from the content creation device involving the transfer of data between the content creation device and the cloud service. The data is protected by at least one of the first and second ephemeral key pairs in response to invocation of the service. The service results in the data being stored at the cloud service and/or rendered at the content creation device.
  Type: Grant
  Filed: September 10, 2020
  Date of Patent: February 21, 2023
  Assignee: Palo Alto Research Center Incorporated
  Inventors: Alejandro E. Brito, Eric A. Bier, Marc E. Mosko, Shantanu Rane
- Publication number: 20220407891
  Abstract: A system is provided for determining vulnerability metrics for graph-based configuration security. During operation, the system generates a multi-layer graph for a system with a plurality of interconnected components. The system determines, based on the multi-layer subgraph, a model for a multi-step attack on the system by: calculating, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the system; and calculating, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on the utility of an associated component. The system determines, based on the model, a set of attack paths that can be used in the multi-step attack and recommends a configuration change in the system, thereby facilitating optimization of system security to mitigate attacks on the system while preserving system functionality.
  Type: Application
  Filed: June 17, 2021
  Publication date: December 22, 2022
  Applicant: Palo Alto Research Center Incorporated
  Inventors: Massimiliano Albanese, Marc E. Mosko
- Publication number: 20220292199
  Abstract: Embodiments provide a system and method for modeling a shared resource in a multi-layer reasoning graph based on configuration security. During operation, the system can obtain a multi-layer graph for a system with a plurality of components that can include a set of subgroups of components. The system can generate, based on the multi-layer graph, an abstract component to represent a shared resource model for a respective subgroup of components. The shared resource model can be associated with a set of resource constraints. The system can generate a set of values for resource configuration parameters that satisfy the resource constraints. The system can map the shared resource model to a respective component and can then determine, based on the mapping and the set of values for the resource configuration parameters, a set of values for the component configuration parameters, thereby facilitating optimization of a security objective function.
  Type: Application
  Filed: March 12, 2021
  Publication date: September 15, 2022
  Applicant: Palo Alto Research Center Incorporated
  Inventor: Marc E. Mosko
- Publication number: 20220100477
  Abstract: Embodiments described herein provide a round-trip engineering system. During operation, the system can maintain an intermediate system representation (ISR) for a set of artifacts of a piece of software. The set of artifacts can include a piece of code and a development model. The ISR can remain persistent upon synchronization of the set of artifacts. The system can incorporate, in a respective component of the ISR, a reference to a code block in the piece of code and a corresponding element in the development model. If the system determines a first update in a first segment of a first artifact of the set of artifacts, the system can identify a second segment in a second artifact from the set of artifacts based on a corresponding component in the ISR. The system can then propagate a second update to the second segment to reflect the first update in the first segment.
  Type: Application
  Filed: September 30, 2020
  Publication date: March 31, 2022
  Applicant: Palo Alto Research Center Incorporated
  Inventors: Marc E. Mosko, Eric A. Bier
- Publication number: 20220078181
  Abstract: A certified application is installed onto a content creation device and a mobile certified application is installed onto a mobile device; the applications establish first and second trust relationships with the cloud service. The certified application and mobile certified application establish the third trust relationship via a proximity network. The mobile certified application generates a first ephemeral key pair having a private part. The certified application generates a second ephemeral key pair having a private part. The mobile certified application requests a service from the content creation device involving the transfer of data between the content creation device and the cloud service. The data is protected by at least one of the first and second ephemeral key pairs in response to invocation of the service. The service results in the data being stored at the cloud service and/or rendered at the content creation device.
  Type: Application
  Filed: September 10, 2020
  Publication date: March 10, 2022
  Inventors: Alejandro E. Brito, Eric A. Bier, Marc E. Mosko, Shantanu Rane
- Patent number: 11182114
  Abstract: One embodiment provides a system for facilitating device discovery. During operation, the system detects, by a computing device, a first message which is broadcast from a source device based on a network communication protocol. The system determines a classification which is a type for the source device based on a MAC address of the source device extracted from the first message. The system generates a second message which indicates the MAC address, an IP address of the source device obtained based on the first message, and the classification. The system sends the second message to a device management system, which causes the device management system to add the source device as a managed device. The system enhances device discovery by eliminating a direct scan of all devices on a sub-network by the device management system for devices of a same type as the type for the source device.
  Type: Grant
  Filed: August 24, 2020
  Date of Patent: November 23, 2021
  Assignee: Palo Alto Research Center Incorporated
  Inventor: Marc E. Mosko
- Patent number: 11140128
  Abstract: Embodiments described herein provide a system for facilitating hierarchical geographic naming. During operation, the system receives a service request comprising location information associated with a requesting device and determines a hierarchical name corresponding to the location information. The hierarchical name can include a plurality of name segments. A respective name segment of the plurality of name segments can correspond to a recursively subdivided grid of geographic grid referencing. The system then performs a recursive search using the hierarchical name for a service requested by the service request.
  Type: Grant
  Filed: October 5, 2018
  Date of Patent: October 5, 2021
  Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
  Inventor: Marc E. Mosko
- Patent number: 10956412
  Abstract: One embodiment provides a system that facilitates a flexible strategy for matching content objects and interests. During operation, the system receives, by a computing device, an interest which includes a set of attributes, wherein a respective attribute has one or more values. In response to not obtaining a matching entry for the interest in a pending interest table, the system adds to the pending interest table a first entry which indicates the interest based on the attributes and their values. The system determines whether a received content object satisfies the interest indicated in the first entry based on the attributes of the first entry and attributes of the content object. In response to determining that the content object satisfies the interest, the system forwards the content object, thereby facilitating a flexible strategy for matching content objects to interests.
  Type: Grant
  Filed: August 9, 2016
  Date of Patent: March 23, 2021
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Christopher A. Wood, Ignacio Solis, Marc E. Mosko
- Patent number: 10942686
  Abstract: Embodiments described herein provide a system for facilitating a printer recommendation in an enterprise environment. During operation, the system receives, from a user device in the enterprise environment, a print task for a file. The system then determines a list of printers accessible from the enterprise environment based on metadata associated with the file from a printer database. The printer database stores information associated with a respective printer accessible from the enterprise environment. A respective printer in the list of printers can be available and feasible for the print task. The system then ranks the list of printers with respect to an objective of the print task and presents the ranked list as a printer recommendation for the print task in a user interface to the user.
  Type: Grant
  Filed: November 19, 2018
  Date of Patent: March 9, 2021
  Assignee: Palo Alto Research Center Incorporated
  Inventor: Marc E. Mosko
- Publication number: 20210014263
  Abstract: Embodiments provide a system and method for extracting configuration-related information for reasoning about the security and functionality of a composed system. During operation, the system determines, by a computing device, information sources associated with hardware and software components of a system, wherein the information sources include at least specification sheets, standard operating procedures, user manuals, and vulnerability databases. The system selects a set of categories of vulnerabilities in a vulnerability database, and ingests the information sources to obtain data in a normalized format. The system extracts, from the ingested information sources, configuration information, vulnerability information, dependency information, and functionality requirements to create a model for the system.
  Type: Application
  Filed: July 1, 2020
  Publication date: January 14, 2021
  Applicant: Palo Alto Research Center Incorporated
  Inventors: Hamed Soroush, Milad Asgari Mehrabadi, Shantanu Rane, Marc E. Mosko
- Patent number: 10884966
  Abstract: A first bus interface is coupled to communicate with a first controller area network (CAN) bus. A second bus interface is coupled to communicate with a node device, the node device configured to communicate with a second CAN bus. A logic circuit is coupled between the first and second bus interfaces and is operable to monitor communications by the node device via the second bus interface. If the logic circuit determines that the node device is transmitting a message that is not allowed for the node device, it prevents the message from being transmitted onto the first CAN bus in response thereto.
  Type: Grant
  Filed: December 4, 2018
  Date of Patent: January 5, 2021
  Assignee: Palo Alto Research Center Incorporated
  Inventor: Marc E. Mosko
- Patent number: 10873564
  Abstract: Embodiments described herein provide a system. The system stores, in a storage device, a first and a second data structure. The first data structure maps a logical Internet Protocol (IP) address of a device to a site IP address of the device at a customer site. The second data structure maps the logical IP address to a message queue (MQ) name identifying a queue, which is associated with the customer site and facilitated by a message queuing service. During operation, the system identifies a command packet for the device. The destination address of the command packet can be the logical IP address. The system then replaces, in the command packet, the logical IP address with the site IP address based on the first data structure to generate a modified packet and forwards an MQ message comprising the modified packet to the queue using the message queuing service.
  Type: Grant
  Filed: September 20, 2018
  Date of Patent: December 22, 2020
  Assignee: Palo Alto Research Center Incorporated
  Inventor: Marc E. Mosko