Patents by Inventor Shane Bradley Weeden
Shane Bradley Weeden has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11943370
  Abstract: A method allows access to computer resources to authorized native applications on a client device. An authorization server receives, from a native application on a device, an initial authorization grant, a public key of a private/public key pair generated on the device, and an attestation of authenticity of the native application. The authorization server receives, from the native application on the device, a refresh token and a digital signature of the refresh token that is created with the private key. The authorization server recognizes the refresh token only if the refresh token is verified with the public key that has been previously registered. The authorization server validates the digital signature of the refresh token, and transmits a new access token and a new refresh token to the native application on the device, thus allowing the native application on the device to access the computer resource.
  Type: Grant
  Filed: November 10, 2021
  Date of Patent: March 26, 2024
  Assignee: International Business Machines Corporation
  Inventors: Shane Bradley Weeden, Craig Pearson, Carsten Hagemann
- Publication number: 20230141966
  Abstract: A method allows access to computer resources to authorized native applications on a client device. An authorization server receives, from a native application on a device, an initial authorization grant, a public key of a private/public key pair generated on the device, and an attestation of authenticity of the native application. The authorization server receives, from the native application on the device, a refresh token and a digital signature of the refresh token that is created with the private key. The authorization server recognizes the refresh token only if the refresh token is verified with the public key that has been previously registered. The authorization server validates the digital signature of the refresh token, and transmits a new access token and a new refresh token to the native application on the device, thus allowing the native application on the device to access the computer resource.
  Type: Application
  Filed: November 10, 2021
  Publication date: May 11, 2023
  Inventors: Shane Bradley Weeden, Craig Pearson, Carsten Hagemann
- Patent number: 11095668
  Abstract: Aspects of the present disclosure relate to techniques for managing transactions, including receiving a first transaction request directed to an account of a first web application. The techniques additionally include initiating, by a rate-limiting engine, a rate-limiting process in response to the first transaction request. The techniques further include obtaining a rate-limiting identifier, where the rate-limiting identifier uniquely identifies the first web application, and where the rate-limiting identifier identifies an account owner. The techniques further include determining that an alternate notification method exists for the account owner and sending a verification request to the account owner, where the verification request is sent using the alternate notification method. The techniques further include receiving a response to the verification request, performing a risk assessment, and adjusting a first security parameter in response to the risk assessment.
  Type: Grant
  Filed: April 3, 2019
  Date of Patent: August 17, 2021
  Assignee: International Business Machines Corporation
  Inventors: Leo Michael Farrell, Shane Bradley Weeden
- Patent number: 10834133
  Abstract: A technique to enforce mobile device security policy is based on a "risk profile" of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied.
  Type: Grant
  Filed: December 4, 2012
  Date of Patent: November 10, 2020
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, David Paul Moore, Shane Bradley Weeden, Stephen Viselli
- Publication number: 20200322358
  Abstract: Aspects of the present disclosure relate to techniques for managing transactions, including receiving a first transaction request directed to an account of a first web application. The techniques additionally include initiating, by a rate-limiting engine, a rate-limiting process in response to the first transaction request. The techniques further include obtaining a rate-limiting identifier, where the rate-limiting identifier uniquely identifies the first web application, and where the rate-limiting identifier identifies an account owner. The techniques further include determining that an alternate notification method exists for the account owner and sending a verification request to the account owner, where the verification request is sent using the alternate notification method. The techniques further include receiving a response to the verification request, performing a risk assessment, and adjusting a first security parameter in response to the risk assessment.
  Type: Application
  Filed: April 3, 2019
  Publication date: October 8, 2020
  Inventors: Leo Michael Farrell, Shane Bradley Weeden
- Patent number: 9722991
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Grant
  Filed: January 4, 2016
  Date of Patent: August 1, 2017
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Patent number: 9348991
  Abstract: A computer-implemented method, a computer program product, and a data processing system manage a set of federated log-in authentications at secure web sites. A client logs into a security context using a first alias from a list of existing federated single sign-on authentication aliases associated with an account. Responsive to logging into the security context, the client can receive the list of existing federated single sign-on authentication aliases. The client can then manage the list of authentication aliases.
  Type: Grant
  Filed: May 20, 2008
  Date of Patent: May 24, 2016
  Assignee: International Business Machines Corporation
  Inventor: Shane Bradley Weeden
- Publication number: 20160119327
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Application
  Filed: January 4, 2016
  Publication date: April 28, 2016
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Patent number: 9264436
  Abstract: A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (e.g., a profile) based on the owner's previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides for policy-based consent grants.
  Type: Grant
  Filed: May 8, 2013
  Date of Patent: February 16, 2016
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Shane Bradley Weeden, Codur Sreedhar Pranam
- Patent number: 9246907
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Grant
  Filed: July 12, 2012
  Date of Patent: January 26, 2016
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Patent number: 9172694
  Abstract: An approach is provided to access resources at legacy systems. In this approach, a resource request destined for a legacy system is received from a requestor, with the resource request including an access token and being made on behalf of a resource owner. A validation process is performed on the access token. If the access token is valid, the approach identifies the resource owner and one or more legacy access tokens used to access the legacy system. A new request is formed that includes the legacy access tokens. The new request is transmitted to the legacy system and a response is received back from the legacy system. The response received from the legacy system is transmitted back to the requestor.
  Type: Grant
  Filed: May 22, 2012
  Date of Patent: October 27, 2015
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Neil Ian Readshaw, Stephen Viselli, Shane Bradley Weeden
- Publication number: 20140337914
  Abstract: A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (e.g., a profile) based on the owner's previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides for policy-based consent grants.
  Type: Application
  Filed: May 8, 2013
  Publication date: November 13, 2014
  Applicant: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Shane Bradley Weeden, Codur Sreedhar Pranam
- Patent number: 8832857
  Abstract: A method, apparatus and computer program product for detecting that a computing device may not be secure based on inconsistent identity associations identified during Federated Single Sign-On (F-SSO). A detection proxy detects when a user with a particular session is accessing an identity provider (IdP) that is associated with an account that is not the current user's account. When a user performs a login to an F-SSO-enabled IdP, the proxy performs an F-SSO, and the results are compared with known aliases for that particular federation partner. If an anomaly is detected (e.g., the in-line device sees that a user logs into a web site as someone else), a workflow is initiated to perform a given action, such as blocking access, issuing an alert, or the like.
  Type: Grant
  Filed: July 12, 2012
  Date of Patent: September 9, 2014
  Assignee: International Business Machines Corporation
  Inventors: John William Court, Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Publication number: 20140157351
  Abstract: A technique to enforce mobile device security policy is based on a "risk profile" of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied.
  Type: Application
  Filed: December 4, 2012
  Publication date: June 5, 2014
  Applicant: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, David Paul Moore, Shane Bradley Weeden, Stephen Viselli
- Publication number: 20140020077
  Abstract: A method, apparatus and computer program product for detecting that a computing device may not be secure based on inconsistent identity associations identified during Federated Single Sign-On (F-SSO). A detection proxy detects when a user with a particular session is accessing an identity provider (IdP) that is associated with an account that is not the current user's account. When a user performs a login to an F-SSO-enabled IdP, the proxy performs an F-SSO, and the results are compared with known aliases for that particular federation partner. If an anomaly is detected (e.g., the in-line device sees that a user logs into a web site as someone else), a workflow is initiated to perform a given action, such as blocking access, issuing an alert, or the like.
  Type: Application
  Filed: July 12, 2012
  Publication date: January 16, 2014
  Applicant: International Business Machines Corporation
  Inventors: John William Court, Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Publication number: 20140020078
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Application
  Filed: July 12, 2012
  Publication date: January 16, 2014
  Applicant: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Publication number: 20130318569
  Abstract: An approach is provided to access resources at legacy systems. In this approach, a resource request destined for a legacy system is received from a requestor, with the resource request including an access token and being made on behalf of a resource owner. A validation process is performed on the access token. If the access token is valid, the approach identifies the resource owner and one or more legacy access tokens used to access the legacy system. A new request is formed that includes the legacy access tokens. The new request is transmitted to the legacy system and a response is received back from the legacy system. The response received from the legacy system is transmitted back to the requestor.
  Type: Application
  Filed: May 22, 2012
  Publication date: November 28, 2013
  Applicant: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Neil Ian Readshaw, Stephen Viselli, Shane Bradley Weeden
- Patent number: 8447857
  Abstract: An approach is provided where an HTTP request is received and a Request for Security Token (RST) is created. Parameters are selected from the request and mappings are retrieved corresponding to the parameters. Context attributes are created in the RST corresponding to the parameters. A context attribute type value is set based on the HTTP section where the parameter is located within the HTTP request. The RST is sent to a security token service for processing. In another approach, a Request Security Token Response (RSTR) is received and an HTTP response is created. RSTR parameters are selected and parameter mappings are retrieved corresponding to the selected RSTR parameters from a mapping table, with a TYPE value being identified based on the retrieved parameter mapping. Context attributes are added to the HTTP response based on the identified TYPE values. The HTTP response is transmitted to a remote computer system.
  Type: Grant
  Filed: March 25, 2011
  Date of Patent: May 21, 2013
  Assignee: International Business Machines Corporation
  Inventors: Scott Anthony Exton, Davin John Holmes, Stephen Viselli, Shane Bradley Weeden
- Publication number: 20120246312
  Abstract: An approach is provided where an HTTP request is received and a Request for Security Token (RST) is created. Parameters are selected from the request and mappings are retrieved corresponding to the parameters. Context attributes are created in the RST corresponding to the parameters. A context attribute type value is set based on the HTTP section where the parameter is located within the HTTP request. The RST is sent to a security token service for processing. In another approach, a Request Security Token Response (RSTR) is received and an HTTP response is created. RSTR parameters are selected and parameter mappings are retrieved corresponding to the selected RSTR parameters from a mapping table, with a TYPE value being identified based on the retrieved parameter mapping. Context attributes are added to the HTTP response based on the identified TYPE values. The HTTP response is transmitted to a remote computer system.
  Type: Application
  Filed: March 25, 2011
  Publication date: September 27, 2012
  Applicant: International Business Machines Corporation
  Inventors: Scott Anthony Exton, Davin John Holmes, Stephen Viselli, Shane Bradley Weeden
- Patent number: 8055680
  Abstract: Methods, apparatuses, and computer program products are provided for assigning Access Control Lists ('ACLs') to a hierarchical namespace to optimize ACL inheritance. Embodiments include creating an entitlement matrix for a plurality of resources; creating a tree structure having a plurality of nodes for the hierarchical namespace in dependence upon the entitlement matrix; creating a plurality of ACLs in dependence upon the entitlement matrix; identifying a plurality of attachment points in the hierarchical namespace for the ACLs in dependence upon ACL attachment rules; and attaching the ACLs to the attachment points. Creating an entitlement matrix for a plurality of resources may be carried out by creating a matrix of resources and permissions for users.
  Type: Grant
  Filed: April 19, 2005
  Date of Patent: November 8, 2011
  Assignee: International Business Machines Corporation
  Inventor: Shane Bradley Weeden