Patents by Inventor Eran Yariv

Eran Yariv has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8839407
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: September 16, 2014
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Patent number: 8812028
    Abstract: A proximity matching system may use broadcast wireless identifiers transmitted by users' devices to match users with other nearby users. The identifiers may be collected by a plurality of agents, then the identifiers may be matched with pre-defined profiles to generate physically proximate users by a remote service. The group of proximate users may be provided to various applications and consumed with summarized properties or individual properties, depending on the approved privacy settings as selected by the users. In some embodiments, the broadcast wireless identifiers may be personal area network identifiers, local area network identifiers, cellular network identifiers, or other broadcast identifier. In some embodiments, the agents may not establish a peer to peer or other connection with the broadcasting device. The agents may be fixed or mobile agents, and the proximity of users may be generated through links between nearby agents in a meshed fashion.
    Type: Grant
    Filed: March 17, 2011
    Date of Patent: August 19, 2014
    Assignee: Microsoft Corporation
    Inventors: Eran Yariv, Keren Master, Daniel Sitton, Roy Varshavsky, Yoram Yaacovi
  • Patent number: 8776208
    Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: July 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Eran Yariv, Gerardo Diaz-Cuellar, David Abzarian
  • Publication number: 20140173592
    Abstract: In the field of computing, many scenarios involve the execution of an application within a virtual environment of a device (e.g., web applications executing within a web browser). Interactions between applications and device components are often enabled through hardware abstractions or component application programming interfaces (API), but such interactions may provide more limited and/or inconsistent access to component capabilities for virtually executing applications than for native applications. Instead, the device may provide hardware interaction as a service to the virtual environment utilizing a callback model, wherein applications within the virtual environment initiate component requests specifying a callback, and the device initiates the component requests with the components and invokes associated callbacks upon completion of a component request.
    Type: Application
    Filed: December 14, 2012
    Publication date: June 19, 2014
    Applicant: Microsoft Corporation
    Inventors: Blaise Aguera y Arcas, Hen Fitoussi, John Daniell Hebert, Benny Schlesinger, Eran Yariv
  • Patent number: 8725894
    Abstract: Discovery of intermediate network devices is performed using a technique that piggybacks upon the existing standard TCP (Transport Control Protocol) “SACK” (Selective Acknowledgment) option in a SYN/ACK packet so that discovery information may be shared between pair-wise-deployed peer intermediate devices when a TCP/IP connection (Transport Control Protocol/Internet Protocol) is first established between network endpoints using a conventional three-way handshake. Use of the SACK option is combined with another technique which comprises modifying the original 16-bit value of the TCP receive window size to a special arbitrary value to mark a SYN packet as being generated by a first peer device. The marked SYN when received by the second peer device triggers that device's discovery information to be piggybacked in the SACK option of the SYN/ACK packet. The first device then piggybacks its discovery information in the SACK option of the ACK packet which completes the three-way handshake.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: May 13, 2014
    Assignee: Microsoft Corporation
    Inventors: Murari Sridharan, Deepak Bansal, Eran Yariv, Ronen Barenboim, Maxim Stepin, Alexander Malvsh
  • Publication number: 20140024354
    Abstract: Architecture that facilitates power conservation in mobile devices such as cell phones using prediction. The architecture is an algorithmic-based solution that transforms infrequently-captured geolocation data of an entity into a continuous probable location approximation. Given the location history and additional data about the recent location of the mobile device, the current location of the device can be estimated with some probability. Additionally, given the location history and additional data about the recent location of the device, the probability of the device actually being at a given point on a map is computed.
    Type: Application
    Filed: July 18, 2012
    Publication date: January 23, 2014
    Applicant: Microsoft Corporation
    Inventors: Fadi Haik, Adi Ben-Dayan, Or Kaplan, Gilad Oren, Eran Yariv
  • Publication number: 20130263127
    Abstract: In the field of computing, many scenarios involve the execution of an application within a virtual environment (e.g., web applications executing within a web browser). In order to perform background processing, such applications may invoke worker processes within the virtual environment; however, this configuration couples the life cycle of worker processes to the life cycle of the application and/or virtual environment. Presented herein are techniques for executing worker processes outside of the virtual environment and independently of the life cycle of the application, such that background computation may persist after the application and/or virtual environment are terminated and even after a computing environment restart, and for notifying the application upon the worker process achieving an execution event (e.g., detecting device events even while the application is not executing).
    Type: Application
    Filed: December 13, 2012
    Publication date: October 3, 2013
    Applicant: Microsoft Corporation
    Inventors: Blaise Aguera y Arcas, Hen Fitoussi, John Daniell Hebert, Benny Schlesinger, Eran Yariv
  • Patent number: 8490153
    Abstract: A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.
    Type: Grant
    Filed: November 8, 2011
    Date of Patent: July 16, 2013
    Assignee: Microsoft Corporation
    Inventors: Charles D. Bassett, Eran Yariv, Ian M. Carbaugh, Lokesh Srinivas Koppolu, Maksim Noy, Sarah A. Wahlert, Pradeep Bahl
  • Patent number: 8471701
    Abstract: Architecture that enables location based notifications (e.g., geo-fences) using standard polygons the capture of complex regions. As applied to geo-fencing, it extends geo-fencing beyond the mere representation of the virtual perimeter (fenced) area. More specifically, the architecture takes into consideration geographical and demographical features, such as the layout of the roads and streets, the types of available transportation (e.g., car, bus, walk, biking, etc.), the traffic conditions, and the dynamic properties of a point of interest (POI) such as opening hours, total wait time, etc.
    Type: Grant
    Filed: May 30, 2011
    Date of Patent: June 25, 2013
    Assignee: Microsoft Corporation
    Inventors: Eran Yariv, Vadim Kuper, Brian C. Beckman
  • Patent number: 8443433
    Abstract: Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: May 14, 2013
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar, Mark Vayman, Eran Yariv
  • Publication number: 20130091197
    Abstract: Architecture that embeds a server (a local server) inside a mobile device operating system (OS) close to the data (but under the OS services) such that the server has access to native capabilities, and offers an Internet-like frontend with which a browser or application can communicate. The local server appears as a web server, and small programs can be pushed into the local server from the browser or a remote server such that the local server can be made to perform work more effectively. Local and remote events can be triggered such as launching a browser (or other application(s)), initiating remote server calls, triggering battery save mode, locking the phone, etc. The local server can run a script execution environment such as node.js, an event driven I/O model where callbacks are invoked to handle emergent conditions (e.g., explicit requests, state changes, etc.).
    Type: Application
    Filed: December 22, 2011
    Publication date: April 11, 2013
    Applicant: Microsoft Corporation
    Inventors: Avi Bar-Zeev, Gur Kimchi, Brian C. Beckman, Scott Isaacs, Meir Ben-Itay, Eran Yariv, Blaise Aguera y Arcas
  • Patent number: 8388427
    Abstract: Exploration outside of a person's normal area may be detected and rewarded. In one example, a game (or other type of application) may be built around such exploration. A device carried by a user (pursuant to appropriate permission obtained from the user) may report the user's location to a presence detector. The presence detector may use this information to build a heat map, indicating the user's areas of common presence. When the location information received from the device indicates that the user has ventured outside of the user's area of common presence, this exploration event may be rewarded with an increase in the user's score. The user's score may be published on social media.
    Type: Grant
    Filed: June 16, 2011
    Date of Patent: March 5, 2013
    Assignee: Microsoft Corporation
    Inventors: Eran Yariv, Hen Fitoussi
  • Patent number: 8370919
    Abstract: A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: February 5, 2013
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Michael R. Surkan, Salahuddin C. J. Khan, Amit A. Sehgal, Eran Yariv, Emanuel Paleologu, Gerardo Diaz Cuellar
  • Publication number: 20130013805
    Abstract: Discovery of intermediate network devices is performed using a technique that piggybacks upon the existing standard TCP (Transport Control Protocol) “SACK” (Selective Acknowledgment) option in a SYN/ACK packet so that discovery information may be shared between pair-wise-deployed peer intermediate devices when a TCP/IP connection (Transport Control Protocol/Internet Protocol) is first established between network endpoints using a conventional three-way handshake. Use of the SACK option is combined with another technique which comprises modifying the original 16-bit value of the TCP receive window size to a special arbitrary value to mark a SYN packet as being generated by a first peer device. The marked SYN when received by the second peer device triggers that device's discovery information to be piggybacked in the SACK option of the SYN/ACK packet. The first device then piggybacks its discovery information in the SACK option of the ACK packet which completes the three-way handshake.
    Type: Application
    Filed: September 14, 2012
    Publication date: January 10, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Murari Sridharan, Deepak Bansal, Eran Yariv, Ronen Barenboim, Maxim Stepin, Alexander Malvsh
  • Patent number: 8341723
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: December 25, 2012
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Publication number: 20120323347
    Abstract: Exploration outside of a person's normal area may be detected and rewarded. In one example, a game (or other type of application) may be built around such exploration. A device carried by a user (pursuant to appropriate permission obtained from the user) may report the user's location to a presence detector. The presence detector may use this information to build a heat map, indicating the user's areas of common presence. When the location information received from the device indicates that the user has ventured outside of the user's area of common presence, this exploration event may be rewarded with an increase in the user's score. The user's score may be published on social media.
    Type: Application
    Filed: June 16, 2011
    Publication date: December 20, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Eran Yariv, Hen Fitoussi
  • Patent number: 8335858
    Abstract: Discovery of intermediate network devices is performed using a technique that piggybacks upon the existing standard TCP (Transport Control Protocol) “SACK” (Selective Acknowledgment) option in a SYN/ACK packet so that discovery information may be shared between pair-wise-deployed peer intermediate devices when a TCP/IP connection (Transport Control Protocol/Internet Protocol) is first established between network endpoints using a conventional three-way handshake. Use of the SACK option is combined with another technique which comprises modifying the original 16-bit value of the TCP receive window size to a special arbitrary value to mark a SYN packet as being generated by a first peer device. The marked SYN when received by the second peer device triggers that device's discovery information to be piggybacked in the SACK option of the SYN/ACK packet. The first device then piggybacks its discovery information in the SACK option of the ACK packet which completes the three-way handshake.
    Type: Grant
    Filed: June 27, 2011
    Date of Patent: December 18, 2012
    Assignee: Microsoft Corporation
    Inventors: Murari Sridharan, Deepak Bansal, Eran Yariv, Ronen Barenboim, Maxim Stepin, Alexander Malvsh
  • Publication number: 20120317615
    Abstract: Architecture that provides location broker services which share the user location with other parties (e.g., based on user consent). Stationary computing devices can also determine the location of the user operator and interact accordingly. In one embodiment, the user location is retrieved from the user mobile device (e.g., smart phone) and is transmitted to other mobile or non-mobile devices with which the user interacts. Moreover, existing infrastructure and systems can be employed using a device driver that emulates the user location so that any software that uses the location services does not need modification.
    Type: Application
    Filed: June 9, 2011
    Publication date: December 13, 2012
    Applicant: Microsoft Corporation
    Inventors: Yair E. Geva, Elad Ben-Israel, Eran Yariv, Fadi Haik
  • Publication number: 20120316774
    Abstract: The disclosed architecture facilitates the capture of data associated with a specific geographic location, as captured by a mobile device of a user at the geographic location, for the purpose of guiding the user back to that specific geographic location. When applied to vehicles or other types of user mobility (e.g., walking) the architecture automatically detects that a user has controlled a means of transportation to a stationary (or parked) state, such as associated with a parked car. When the stationary state is reached, the location is detected (e.g., using user device sensing systems). Detection can include recording images, sounds, speech, geolocation data, etc., associated with the location and/or means of transportation. The user can configure a reminder to activate at the location to assist in the user recalling the location when returning to the means of transportation.
    Type: Application
    Filed: June 9, 2011
    Publication date: December 13, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Eran Yariv, Yair E. Geva, Fadi Haik
  • Publication number: 20120310527
    Abstract: Architecture that enables location based notifications (e.g., geo-fences) using standard polygons the capture of complex regions. As applied to geo-fencing, it extends geo-fencing beyond the mere representation of the virtual perimeter (fenced) area. More specifically, the architecture takes into consideration geographical and demographical features, such as the layout of the roads and streets, the types of available transportation (e.g., car, bus, walk, biking, etc.), the traffic conditions, and the dynamic properties of a point of interest (POI) such as opening hours, total wait time, etc.
    Type: Application
    Filed: May 30, 2011
    Publication date: December 6, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Eran Yariv, Vadim V.K. Kuper, Brian C. Beckman