Abstract: Techniques for bridging a honey network to a suspicious device in a network (e.g., an enterprise network) are disclosed. In some embodiments, a system for bridging a honey network to a suspicious device in an enterprise network includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target network environment based on one or more attributes for a target device in the device profile data store; and a honey network policy that is configured to route an internal network communication from a suspicious device in the target network environment to the virtual clone for the target device in the honey network.
Abstract: A method, operated by a Software Defined Networking (SDN) controller associated with an Autonomous System (AS) with one or more peering points, each peering point with an associated router communicatively coupled to the SDN controller, the method for detecting and defending against Distributed Denial of Service (DDoS) attacks, and the method includes receiving data from the one or more peering points; detecting malicious traffic at the one or more peering points; determining a peer quality measurement for the one or more peering points; and communicating the peer quality measurement and other data associated with the malicious traffic to one or more other SDN controllers, associated with Autonomous Systems connected through the one or more peering points, to facilitate convergence of the peer quality measurement back to a nominal level.
Type:
Grant
Filed:
October 1, 2014
Date of Patent:
December 5, 2017
Assignee:
Ciena Corporation
Inventors:
Aung Htay, Roger Michael Elbaz, Sachin Subhedar, Logan Blyth
Abstract: One feature pertains to generating a unique identifier for an electronic device by combining static random access memory (SRAM) PUFs and circuit delay based PUFs (e.g., ring oscillator (RO) PUFs, arbiter PUFs, etc.). The circuit delay based PUFs may be used to conceal either a challenge to, and/or response from, the SRAM PUFs, thereby inhibiting an attacker from being able to clone a memory device's response.
Type:
Grant
Filed:
August 23, 2013
Date of Patent:
October 10, 2017
Assignee:
QUALCOMM Incorporated
Inventors:
Xu Guo, David M. Jacobson, Yafei Yang, Adam J. Drew, Brian Marc Rosenberg
Abstract: A method and apparatus including units configured to send a request from a first network entity to a user equipment for an identifier and receive a message indicating that a public key is required from the user equipment by the first network entity. The method and apparatus also includes units configured to send, by the first network entity, the public key to the user equipment and receive an encrypted identifier by the first network entity, wherein upon authenticating the public key, the user equipment encrypts at least part of the identifier using the public key, thereby enabling further processing between the network entity and the user equipment.
Abstract: Techniques to provide persistent uniform resource locators (URLs) for client applications acting as web services are described herein. In one or more implementations, the techniques utilize standard protocols and libraries (e.g., standard HTTP) without relying upon custom/propriety plug-ins. An intermediary server functions as a tunnel service is configured to provide functionality for handling communications between endpoints on behalf of client applications. Additionally, the tunnel service provides a mechanism to generate and assign persistent URLs (or comparable addresses) to client applications. Entities seeking to interact with the client applications use corresponding URLs to direct requests via the tunnel service and down to the appropriate client application.
Abstract: The disclosed computer-implemented method for on-demand provisioning of access-point accounts may include receiving, at an access point, a first request from an unknown guest to access a secured network. The guest may not yet have an account with the access point that allows the guest to access the secured network, and the first request may include authentication information that was generated from a credential of the unknown guest that is required by the access point to provision the account for the guest. The computer-implemented method may further include (1) receiving a second request that includes the credential from an administrator of the secured network to provision the account for the guest using the credential, (2) provisioning the account for the guest using the credential, and (3) enabling the guest to access the secured network using the account for the guest. Various other methods, systems, and computer-readable media are also disclosed.
Abstract: In a data structure of a multimedia file format, a movie box and a media data box are provided. In each box, a non-encrypted size field, a non-encrypted type field and box data field are provided. In box data of the movie box, information data regarding multimedia data is stored. The multimedia data is encrypted and stored in box data of the media data box. The information data is obtained by referring to the container in the movie box. This information data is held as encryption and encoding information data. By referring to the information data, a data unit of the encrypted multimedia data in the media data box is obtained, and the unit data is decrypted.
Abstract: A halting key derivation function is provided. A setup process scrambles a user-supplied password and a random string in a loop. When the loop is halted by user input, the setup process may generate verification information and a cryptographic key. The key may be used to encrypt data. During a subsequent password verification and key recovery process, the verification information is retrieved, a user-supplied trial password obtained, and both are used together to recover the key using a loop computation. During the loop, the verification process repeatedly tests the results produced by the looping scrambling function against the verification information. In case of match, the trial password is correct and a cryptographic key matching the key produced by the setup process may be generated and used for data decryption. As long as there is no match, the loop may continue indefinitely until interrupted exogenously, such as by user input.
Abstract: Embodiments of the present invention provide an authenticating service of a chip having an intrinsic identifier (ID). In a typical embodiment, an authenticating device is provided that includes an identification (ID) engine, a self-test engine, and an intrinsic component. The intrinsic component is associated with a chip and includes an intrinsic feature. The self-test engine retrieves the intrinsic feature and communicates it to the identification engine. The identification engine receives the intrinsic feature, generates a first authentication value using the intrinsic feature, and stores the authentication value in memory. The self-test engine generates a second authentication value using an authentication challenge. The identification engine includes a compare circuitry that compares the first authentication value and the second authentication value and generates an authentication output value based on the results of the compare of the two values.
Type:
Grant
Filed:
March 16, 2015
Date of Patent:
June 27, 2017
Assignee:
International Business Machines Corporation
Inventors:
Srivatsan Chellappa, Subramanian S. Iyer, Toshiaki Kirihata, Sami Rosenblatt
Abstract: Methods, systems, and techniques for securing access to stored data are provided. Example embodiments provide a Storage Management System (“SMS”) that is configured to facilitate protected information sharing. The SMS may restrict access to shared information based on one or more criteria that validate an entity's right to access the information. For example, the SMS may restrict access to entities that are located in a particular geographic region, that are using a particular type of hardware or software, that hold particular credentials, or the like. In some cases, the SMS may require that an entity's claim to meet on or more required criteria be validated by a trusted third party.
Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
Type:
Grant
Filed:
October 31, 2013
Date of Patent:
June 6, 2017
Assignee:
Microsoft Technology Licensing, LLC
Inventors:
Wei Jiang, Adam Back, John D. Whited, Yordan I. Rouskov, Ismail Cem Paya, Wei-QUiang Michael Guo
Abstract: A system for smart device networking includes an endpoint that enables communication with a connected device, a bridge that communicates with the endpoint over a PAN and relays PAN communications to a WAN, and a router that connects to the bridge through the WAN and routes communication to and from the endpoint.
Type:
Grant
Filed:
October 21, 2015
Date of Patent:
May 23, 2017
Assignee:
Helium Systems, Inc.
Inventors:
Amir Haleem, Andrew Thompson, Eric Gnoske, Blake Leverett, Mike Vidales, Sean Carey, Theo Wilson
Abstract: A network component has a set of one or more rules, each of which has a match component and an action component. If an incoming packet maps to the match component of a rule, then the packet is handled according to the rule's action component. If the rule also includes a limit component, then if the packet maps to the rule's match component, a family history of the rule is updated, and the packet is handled according to the rule's action component only if the rule's family history satisfies the rule's limit component.
Abstract: Described is an electronic credentialing system that allows personal identity devices to interact; each interacting device has an installed identity engine that acquires, holds, issues and uses electronic credentials (e-credentials), these electronic credentials can be installed on personal identity devices, such as: smart phones, tablets, laptops, embedded systems, and/or personal computers.
Abstract: Systems and methods for accessing digital content using electronic tickets and ticket tokens are disclosed. In one system, a user device includes a processor, a network interface, and memory configured to store an electronic ticket, and a ticket token, and the processor is configured by an application to send a request for digital content, receive a ticket token from a merchant server, wherein the ticket token is generated by a DRM server and associated with an electronic ticket that enables playback of the requested digital content, send the ticket token to a DRM server, receive an electronic ticket that enables playback of requested digital content, request the digital content associated with the electronic ticket, and play back the requested digital content using the electronic ticket.
Abstract: A device implemented, carrier independent packet delivery universal addressing networking protocol for communication over a network between network nodes utilizing a packet. The protocol has an IP stack having layers. At least some of the layers have privacy preserving source node attribution and network admission control. The packet is admitted to the network only if a source node of the network nodes admits the packet.
Abstract: An approach is provided in which a cognitive digital security assistant intercepts a personal data request from a client that is requesting personal data from a user. The cognitive digital security assistant analyzes the personal data request against the user's security statements to determine whether to provide the user's personal data to the client. During the analysis, the cognitive digital security assistant determines whether the personal data request includes benefits that meet the user's benefit thresholds included in the user's security statements. When the benefits meet the user's benefit thresholds, the cognitive digital security assistant provides the requested personal data to the client in exchange for the benefit from the client.
Type:
Grant
Filed:
October 1, 2014
Date of Patent:
March 21, 2017
Assignee:
International Business Machines Corporation
Abstract: A method may include obtaining a match vector that indicates one or more filter rules that are potentially applicable to a packet. The method may include partitioning the match vector into a plurality of segments. The method may include generating a summary vector that identifies one or more portions of the match vector that include one or more match bits. A match bit may indicate one of the one or more filter rules that is potentially applicable to the packet. The method may include obtaining a relevant segment of the match vector. The relevant segment may include at least one of the portions of the match vector identified by the summary vector. The method may include determining a filter rule to apply based on the match vector and based on the one or more match bits. The method may include applying the filter rule to the packet.
Type:
Grant
Filed:
April 27, 2015
Date of Patent:
March 14, 2017
Assignee:
Juniper Networks, Inc.
Inventors:
Deepak Goel, Patrick Kerharo, Jigar K. Savla
Abstract: An exemplary system that includes a computing device that stores an abstraction and unification module, the abstraction and unification module being executable by a processor of the computing device to receive from a frontend component a request for information located within a backend component of the computing device and validate that the frontend component is authorized to receive the information specified in the request. The abstraction and unification module may further pass the request to an abstraction engine that extracts the information from the backend component and provides the information extracted from the backend component to frontend component.
Abstract: In some implementations, encrypted data (e.g., application data, keychain data, stored passwords, etc.) stored on a mobile device can be accessed (e.g., decrypted, made available) based on the context of the mobile device. The context can include the current device state (e.g., locked, unlocked, after first unlock, etc.). The context can include the current device settings (e.g., passcode enabled/disabled). The context can include data that has been received by the mobile device (e.g., fingerprint scan, passcode entered, location information, encryption key received, time information).
Type:
Grant
Filed:
September 30, 2014
Date of Patent:
January 31, 2017
Assignee:
Apple Inc.
Inventors:
Andrew Roger Whalley, Wade Benson, Conrad Sauerwald