Patents by Inventor Charles G. Jeffries
Charles G. Jeffries has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10885189Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from the accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using resources required to run anti-virus software in the isolated container.Type: GrantFiled: May 22, 2017Date of Patent: January 5, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Charles G. Jeffries, Benjamin M. Schultz, Giridhar Viswanathan, Frederick Justus Smith, David Guy Weston, Ankit Srivastava, Ling Tony Chen, Hari R. Pulapaka
-
Patent number: 10855725Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.Type: GrantFiled: June 2, 2016Date of Patent: December 1, 2020Assignee: Microsoft Technology Licensing, LLCInventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
-
Publication number: 20180336351Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from the accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using resources required to run anti-virus software in the isolated container.Type: ApplicationFiled: May 22, 2017Publication date: November 22, 2018Applicant: Microsoft Technology Licensing, LLCInventors: Charles G. JEFFRIES, Benjamin M. SCHULTZ, Giridhar VISWANATHAN, Frederick Justus SMITH, David Guy WESTON, Ankit SRIVASTAVA, Ling Tony CHEN, Hari R. PULAPAKA
-
Publication number: 20170353496Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.Type: ApplicationFiled: June 2, 2016Publication date: December 7, 2017Applicant: Microsoft Technology Licensing, LLCInventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
-
Patent number: 9037620Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.Type: GrantFiled: December 16, 2009Date of Patent: May 19, 2015Assignee: Microsoft Technology Licensing, LLCInventors: Carl Melvin Ellison, Charles G. Jeffries
-
Patent number: 8745386Abstract: Single-use authentication methods for accessing encrypted data stored on a protected volume of a computer are described, wherein access to the encrypted data involves decrypting a key protector stored on the computer that holds a volume-specific cryptographic key needed to decrypt the protected volume. Such single-use authentication methods rely on the provision of a key protector that can only be used once and/or that requires a new access credential for each use. In certain embodiments, a challenge-response process is also used as part of the authentication method to tie the issuance of a key protector and/or access credential to particular pieces of information that can uniquely identify a user.Type: GrantFiled: June 21, 2010Date of Patent: June 3, 2014Assignee: Microsoft CorporationInventors: Octavian T. Ureche, Nils Dussart, Charles G. Jeffries, Cristian M. Ilac, Vijay G. Bharadwaj, Innokentiy Basmov, Stefan Thom, Son VoBa
-
Patent number: 8689015Abstract: A portable secure data file includes an encrypted data portion and a metadata portion. When a request associated with a current user of a device to access a portable secure data file is received, one or more records in the metadata portion are accessed to determine whether the current user is permitted to access the file data in the encrypted data portion. If a record indicates the user is permitted to access the file data, a content encryption key in that record is used to decrypt the encrypted data portion.Type: GrantFiled: January 16, 2013Date of Patent: April 1, 2014Assignee: Microsoft CorporationInventors: Charles G. Jeffries, Vijay G. Bharadwaj, Michael J. Grass, Matthew C. Setzer, Gaurav Sinha, Carl M. Ellison
-
Patent number: 8661534Abstract: A security system is provided for use with computer systems. In various embodiments, the security system can analyze the state of security of one or more computer systems to determine whether the computer systems comply with expressed security policies and to remediate the computer systems so that they conform with the expressed security policies. In various embodiments, the security system can receive compliance documents, determine whether one or more computer systems comply with portions of security policies specified in the compliance documents, and take actions specified in the compliance documents to cause the computer systems to comply with the specified security policies. The security system may provide a common, unified programming interface that applications or tools can employ to verify or enforce security policies.Type: GrantFiled: June 26, 2007Date of Patent: February 25, 2014Assignee: Microsoft CorporationInventors: Arindam Chatterjee, Anders Samuelsson, Nils Dussart, Charles G. Jeffries, Amit R. Kulkarni
-
Patent number: 8462955Abstract: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.Type: GrantFiled: June 3, 2010Date of Patent: June 11, 2013Assignee: Microsoft CorporationInventors: Octavian T. Ureche, Nils Dussart, Michael A. Halcrow, Charles G. Jeffries, Nathan T. Lewis, Cristian M. Ilac, Innokentiy Basmov, Magnus Bo Gustaf Nyström, Niels T. Ferguson
-
Patent number: 8364984Abstract: A portable secure data file includes an encrypted data portion and a metadata portion. When a request associated with a current user of a device to access a portable secure data file is received, one or more records in the metadata portion are accessed to determine whether the current user is permitted to access the file data in the encrypted data portion. If a record indicates the user is permitted to access the file data, a content encryption key in that record is used to decrypt the encrypted data portion.Type: GrantFiled: March 13, 2009Date of Patent: January 29, 2013Assignee: Microsoft CorporationInventors: Charles G. Jeffries, Vijay G. Bharadwaj, Michael J. Grass, Matthew C. Setzer, Gaurav Sinha, Carl M. Ellison
-
Patent number: 8161560Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.Type: GrantFiled: February 9, 2011Date of Patent: April 17, 2012Assignee: Microsoft CorporationInventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee
-
Publication number: 20110314279Abstract: Single-use authentication methods for accessing encrypted data stored on a protected volume of a computer are described, wherein access to the encrypted data involves decrypting a key protector stored on the computer that holds a volume-specific cryptographic key needed to decrypt the protected volume. Such single-use authentication methods rely on the provision of a key protector that can only be used once and/or that requires a new access credential for each use. In certain embodiments, a challenge-response process is also used as part of the authentication method to tie the issuance of a key protector and/or access credential to particular pieces of information that can uniquely identify a user.Type: ApplicationFiled: June 21, 2010Publication date: December 22, 2011Applicant: MICROSOFT CORPORATIONInventors: Octavian T. Ureche, Nils Dussart, Charles G. Jeffries, Cristian M. Ilac, Vijay G. Bharadwaj, Innokentiy Basmov, Stefan Thom, Son VoBa
-
Publication number: 20110302398Abstract: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.Type: ApplicationFiled: June 3, 2010Publication date: December 8, 2011Applicant: MICROSOFT CORPORATIONInventors: Octavian T. Ureche, Nils Dussart, Michael A. Halcrow, Charles G. Jeffries, Nathan T. Lewis, Cristian M. Ilac, Innokentiy Basmov, Bo Gustaf Magnus Nystr+e,uml o+ee m, Niels T. Ferguson
-
Publication number: 20110145296Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.Type: ApplicationFiled: December 16, 2009Publication date: June 16, 2011Applicant: MICROSOFT CORPORATIONInventors: Carl Melvin Ellison, Charles G. Jeffries
-
Publication number: 20110131659Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.Type: ApplicationFiled: February 9, 2011Publication date: June 2, 2011Applicant: Microsoft CorporationInventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee
-
Patent number: 7908659Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.Type: GrantFiled: November 10, 2006Date of Patent: March 15, 2011Assignee: Microsoft CorporationInventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee
-
Publication number: 20100235649Abstract: A portable secure data file includes an encrypted data portion and a metadata portion. When a request associated with a current user of a device to access a portable secure data file is received, one or more records in the metadata portion are accessed to determine whether the current user is permitted to access the file data in the encrypted data portion. If a record indicates the user is permitted to access the file data, a content encryption key in that record is used to decrypt the encrypted data portion.Type: ApplicationFiled: March 13, 2009Publication date: September 16, 2010Applicant: MICROSOFT CORPORATIONInventors: Charles G. Jeffries, Vijay G. Bharadwaj, Michael J. Grass, Matthew C. Setzer, Gaurav Sinha, Carl M. Ellison
-
Publication number: 20090007264Abstract: A security system is provided for use with computer systems. In various embodiments, the security system can analyze the state of security of one or more computer systems to determine whether the computer systems comply with expressed security policies and to remediate the computer systems so that they conform with the expressed security policies. In various embodiments, the security system can receive compliance documents, determine whether one or more computer systems comply with portions of security policies specified in the compliance documents, and take actions specified in the compliance documents to cause the computer systems to comply with the specified security policies. The security system may provide a common, unified programming interface that applications or tools can employ to verify or enforce security policies.Type: ApplicationFiled: June 26, 2007Publication date: January 1, 2009Applicant: Microsoft CorporationInventors: Arindam Chatterjee, Anders Samuelsson, Nils Dussart, Charles G. Jeffries, Amit R. Kulkarni
-
Publication number: 20080115218Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.Type: ApplicationFiled: November 10, 2006Publication date: May 15, 2008Applicant: Microsoft CorporationInventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee