Patents Examined by Ellen Tran
  • Patent number: 11188647
    Abstract: Computer system security can be threatened by users who manipulate their software to avoid detection of malicious activities—such as account takeover. Web browser software, for example, can be altered so the browser will report false information about the browser itself and/or the system on which it is running. By providing such false information, a user can try to avoid his system being fingerprinted (e.g. identified) so that the user can more effectively instigate electronic attacks without being detected. This disclosure describes techniques that allow for detection of when a user has tampered with their web browser (e.g., by overriding native code functions in the browser). Detecting that a browser has been tampered with can allow a computer server system to take mitigation actions against potentially malicious users, thus improving computer security.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: November 30, 2021
    Assignee: PayPal, Inc.
    Inventors: Yuri Shafet, Ilya Chernyakov
  • Patent number: 11190498
    Abstract: A method for encrypting plaintext data is enclosed that includes operations of receiving the plaintext data, the plaintext data including a plurality of data portions, encrypting each of the plurality of data portions using a specific key for each data portion, merging each of the plurality of data portions together to form a single data stream, generating a data map of the single data stream, appending the data map to the single data stream, and performing a master cipher to form an encrypted distributable stream. Operations of the encrypting include: an additive operation on each byte of the first data portion using the additive table, an XOR operation on each byte of the first data portion as modified by the additive operation, a substitution operation on each byte of the first data portion using the substitution table as modified by the XOR operation.
    Type: Grant
    Filed: January 10, 2019
    Date of Patent: November 30, 2021
    Inventors: Robert Coleridge, Richard Blech, Michael Feinberg
  • Patent number: 11188674
    Abstract: A method for encrypting database data includes generating an encryption key for a first file stored in a data store, wherein a table in a database comprises an entry pointing to the first file. The method includes generating a second file by encrypting the data of the first file in the data store using the encryption key without modifying the first file. The method includes, in response to generating the second file, modifying the entry in the table to point to the second file, wherein the modification of the entry is performed atomically. A process for rekeying from the first file to the second file may happen in the background without blocking, interfering, or otherwise obstructing user interaction with a database system.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: November 30, 2021
    Assignee: Snowflake Inc.
    Inventors: Benoit Dageville, Peter Povinec, Philipp Thomas Unterbrunner, Martin Hentschel
  • Patent number: 11176528
    Abstract: Disclosed herein are representative embodiments of methods, apparatus, and systems for facilitating the use and exchange of customized third-party content in a distributed computing environment that allows for third-party hosting. Embodiments of the disclosed technology concern an application store within an application (e.g., an “in-app app store”). The application store can offer downloadable digital content and/or roaming entitlements to a user of the application. Further, in particular embodiments, the downloadable content and/or entitlements are generated by a third party (e.g., a party different than the provider/publisher of the application and the user of the application). Also disclosed are methods and mechanisms for copy-protecting such content.
    Type: Grant
    Filed: January 22, 2020
    Date of Patent: November 16, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: John M. Thornton, Jason M. Cahill
  • Patent number: 11178105
    Abstract: Techniques for implementing a secure enclave-based guest firewall are provided. In one set of embodiments, a host system can load a policy enforcer for a firewall into a secure enclave of a virtual machine (VM) running on the host system, where the secure enclave corresponds to a region of memory in the VM's guest memory address space that is inaccessible by processes running in other regions of the guest memory address space (including privileged processes that are part of the VM's guest operating system (OS) kernel). The policy enforcer can then, while running within the secure enclave: (1) obtain one or more security policies from a policy manager for the firewall, (2) determine that an event has occurred pertaining to a new or existing network connection between the VM and another machine, and (3) apply the one or more security policies to the network connection.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: November 16, 2021
    Assignee: VMWARE, INC.
    Inventors: Shirish Vijayvargiya, Alok Nemchand Kataria, Deep Shah
  • Patent number: 11171920
    Abstract: A novel method for distributing firewall configuration of a software defined data center is provided. The network manager of the data center receives update requests from tenants of the data center and correspondingly generates update fragments and delivers the generated update fragment to local control planes controlling the enforcing devices. Each local control plane in turn integrates the update fragments it receives into its firewall rules table. For each rule and/or section thusly integrated, the local control plane uses the rule or the section's assigned priority number to establish ordering in the firewall rules table of the local control plane.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: November 9, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Subrahmanyam Manuguri, Jingmin Zhou, Shadab Shah, Igor Ganichev
  • Patent number: 11163887
    Abstract: A bare metal resource includes a trusted portion and an untrusted portion. The trusted portion includes trusted hardware, an image repository, and a clearance manager. The clearance manager is executable during bootup of the bare metal resource to perform a clearance process on the untrusted portion, including deleting the BIOS in the untrusted portion and loading a trusted BIOS from the image repository on the untrusted hardware, to place the untrusted portion in a trusted state. The bare metal resource may be provisioned to a tenant of a cloud provider after being placed in the trusted state.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: November 2, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Bryan W. Tuttle, Carlos Jose Cela, Ho-Yuen Chau, Melur K. Raghuraman, Saurabh M. Kulkarni, Yimin Deng
  • Patent number: 11163913
    Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: November 2, 2021
    Assignee: INTEL CORPORATION
    Inventors: Luis Kida, Krystof Zmudzinski, Reshma Lal, Pradeep Pappachan, Abhishek Basak, Anna Trikalinou
  • Patent number: 11159520
    Abstract: Systems, apparatuses, methods, and computer program products are disclosed for providing passive continuous session authentication. An example method includes authenticating a session for a user of a client device. The example method further includes capturing a video stream and sensor data over a duration of time. The example method further includes deriving, from the captured video stream, a set of biometric attributes of the user. The example method further includes deriving, from the captured sensor data, a set of behavioral attributes of the user. Subsequently, the example method includes re-authenticating the session based on the derived set of biometric attributes and the derived set of behavioral attributes.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: October 26, 2021
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Abhijit Rao, Masoud Vakili
  • Patent number: 11157658
    Abstract: The present invention relates to a method to securely load a set of sensitive data hardware registers with sensitive data on a chip supporting hardware cryptography operations, said method comprising the following steps monitored by software instructions, at each run of a software: select a set of available hardware registers listed in a predefined list listing, in the chip architecture, the unused hardware registers and other relevant hardware registers not handling sensitive data and not disrupting chip functionality when loaded, establish an indexable register list of the address of the sensitive data hardware registers and of the hardware registers in the set of available hardware registers, in a loop, write each hardware register in this register list with random data, a random number of times, in random order except the last writing in each of the sensitive data hardware registers where a part of the sensitive data is written.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: October 26, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Nicholas Xing Long Eu, Annus Bin Khalid Syed, Juan Manolo Alcasabas
  • Patent number: 11159535
    Abstract: A method for controlling a device includes: sending a command signed by an operator's signature to a server; verifying, in the server, that the operator is authenticated to transmit the command; assigning, in the server, a criticality level and an authorization level to the command; depending on the criticality level and the authorization level, sending an approval request relating to the command to at least one control user; approving or denying the approval request by at least a subset of the at least one control user; sending the denied or approved approval request back to the server; determining, in the server, whether the command was approved by sufficiently many control users based on the criticality level and the authorization level; and sending the command to the device for being carried out by the device in case the command was approved by sufficiently many control users, wherein at least one of the at least one control user and the operator is remote from each other.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: October 26, 2021
    Assignee: ABB Schweiz AG
    Inventors: Roman Schlegel, Thomas Locher
  • Patent number: 11151235
    Abstract: Techniques are disclosed relating to biometric authentication, e.g., facial recognition. In some embodiments, a device is configured to verify that image data from a camera unit exhibits a pseudo-random sequence of image capture modes and/or a probing pattern of illumination points (e.g., from lasers in a depth capture mode) before authenticating a user based on recognizing a face in the image data. In some embodiments, a secure circuit may control verification of the sequence and/or the probing pattern. In some embodiments, the secure circuit may verify frame numbers, signatures, and/or nonce values for captured image information. In some embodiments, a device may implement one or more lockout procedures in response to biometric authentication failures. The disclosed techniques may reduce or eliminate the effectiveness of spoofing and/or replay attacks, in some embodiments.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: October 19, 2021
    Assignee: Apple Inc.
    Inventors: Deepti S. Prakash, Lucia E. Ballard, Jerrold V. Hauck, Feng Tang, Etai Littwin, Pavan Kumar Anasosalu Vasu, Gideon Littwin, Thorsten Gernoth, Lucie Kucerova, Petr Kostka, Steven P. Hotelling, Eitan Hirsh, Tal Kaitz, Jonathan Pokrass, Andrei Kolin, Moshe Laifenfeld, Matthew C. Waldon, Thomas P. Mensch, Lynn R. Youngs, Christopher G. Zeleznik, Michael R. Malone, Ziv Hendel, Ivan Krstic, Anup K. Sharma, Kelsey Y. Ho
  • Patent number: 11146402
    Abstract: In one embodiment, the present disclosure is directed to a system for digital authentication, the system including a server and a device. The device includes a first processor and a second processor separate and distinct from the first processor and dedicated solely to security functionality. The second processor is programmed to generate a public key and a private key, and to use the private key and to-be-signed signature data to generate digital signatures, including a first digital signature. The device transmits the public key and the first digital signature to the server. The server stores the public key to uniquely identify the device or a user of the device in subsequent communications between the server and device.
    Type: Grant
    Filed: November 16, 2018
    Date of Patent: October 12, 2021
    Inventors: Harold Smith, III, Stephen Thompson
  • Patent number: 11140171
    Abstract: A user device can verify a user's identity to a server while protecting user privacy by not sharing personal data with any other device. To ensure user privacy, the user device performs an enrollment process in which the user performs an action sequence. The user device collects action data from the action sequence and uses the action data locally to generate a set of public/private key pairs (or other representation) from which information about the action sequence cannot be extracted. The public keys, but not the underlying action data, are sent to a server to store. To verify user identity, a user device can repeat the collection of action data and the generation of the key pairs. If the device can prove to the server its possession of the private keys to a sufficient degree, the user's identity can be verified.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: October 5, 2021
    Assignee: Apple Inc.
    Inventors: Eric D. Friedman, Nathaniel C. Bush, Jefferson Provost, Vignesh Kumar, Gregory J. Kuhlmann, Tal Tversky, Ritwik K. Kumar, Eric M. Gottschalk, Lucas O. Winstrom
  • Patent number: 11128600
    Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: September 21, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar
  • Patent number: 11128436
    Abstract: A processor device with a white-box masked implementation of the cryptographic algorithm AES implemented thereon, which comprises a SubBytes transformation. The white-box masked implementation is hardened in that white-box round input values x' are supplied at the round input of rounds instead of the round input values x, said white-box round input values being formed from a concatenation of: (i) the round input values x that are masked by means of the invertible masking mapping A and (ii) obfuscation values y that are likewise masked with the invertible masking mapping A; wherein from the white-box round input values x' only the (i) round input values x are fed to the SubBytes transformation T, and (ii) the masked obfuscation values y are not.
    Type: Grant
    Filed: July 12, 2017
    Date of Patent: September 21, 2021
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventor: Sven Bauer
  • Patent number: 11115382
    Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: September 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar
  • Patent number: 11101893
    Abstract: A pseudo-random cipher stream is used to band-spread an optical carrier signal with coded data. A legitimate receiver uses an agreed-upon key to modulate its local oscillator and a resulting beat signal uncovers the band-spread signal. An eavesdropper who does not have the key finds the spread signal with too low signal-to-noise ratio to perform any useful determination of the message sequence. Theoretical bounds based on Shannon's Theory of Secrecy are used to show strength of the encoding scheme and predict it to be superior to the prior art.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: August 24, 2021
    Assignee: Massachusetts Institute of Technology
    Inventor: Vincent W. S. Chan
  • Patent number: 11102017
    Abstract: Duplicate processing of events registered at a root server is avoided. An electronic subscriber identity module (eSIM) server pushes, to a root server, data in the form of notification data portions indicating that commands or events need to be processed by a device. The device includes an embedded universal integrated circuit card (eUICC). The device pulls a notification list from the root server. The notification list includes one or more notification data portions. The device checks a given notification data portion to see if it represents a duplicate before communicating with the eSIM server to perform further processing related to the event. The device bases the check for duplication on an event history and/or on a hash value where the hash value is based on one or more eSIMs installed in the eUICC. The device is able to prioritize notification data portions before processing them.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: August 24, 2021
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Li Li, Avinash Narasimhan, Jean-Marc Padova
  • Patent number: 11089046
    Abstract: Embodiments of the present invention provide techniques, systems, and methods for remote, agent-less enterprise computer threat data collection, malicious threat analysis, and identification and reporting of potential and real threats present on an enterprise computer system. Specifically, embodiments are directed to a system that securely identifies and maps sensitive information from computers across the enterprise. Secure and sensitive information may be internally encrypted and analyzed for indicators of compromise, threatening behavior, and known vulnerabilities. The remote, agent-less collection, analysis, and identification process can be repeated periodically to detect and map additional sensitive information over time, and may delete itself after completion to avoid detection.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: August 10, 2021
    Assignee: KIVU CONSULTING, INC.
    Inventors: Elgan David Jones, Thomas Langer, Winston Krone