Patents by Inventor Khaja E. Ahmed
Khaja E. Ahmed has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9560068
Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
Type: Grant
Filed: July 12, 2013
Date of Patent: January 31, 2017
Assignee: MICROSOFT TECHNOLOGY LICENSING LLC.
Inventors: Igal Figlin, Arthur Zavalkovsky, Lior Arzi, Efim Hudis, Jennifer R. Lemond, Robert Eric Fitzgerald, Khaja E. Ahmed, Jeffrey S. Williams, Edward W. Hardy
-
Patent number: 9111079
Abstract: Embodiments of the invention make the issuance of trustworthy device claims available to client devices as a service, so that a client device to which device claims are issued may use the device claims in relation to an attempt to access a network application. The service may conduct an assessment of the device's characteristics and/or state, characterize the results of this assessment in device claims, and issue the device claims to the device. The service may be accessible to a client device from outside administrative boundaries of an entity that makes a network application accessible, and thus may be useful to entities making network applications accessible in business-to-consumer (B2C) and business-to-business (B2B) topologies, such as over the publicly accessible Internet.
Type: Grant
Filed: January 27, 2011
Date of Patent: August 18, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Eugene (John) Neystadt, Daniel Alon, Yair Tor, Mark Novak, Khaja E. Ahmed, Yoav Yassour
-
Patent number: 8881247
Abstract: Architecture that utilizes the strong authentication mechanisms of network operators to provide authentication to mobile applications by identity federation. When a mobile client initiates a request for access to an application outside the network operation infrastructure, the request is passed to an associated application secure token service. The application secure token service has an established trust and identity federation with the network operator. The application secure token service redirects the request to a network operator security token server, which then passes the request to a network operator authentication server for authentication against an operator identity service. Proof of authentication is then issued and returned from the network operator security token server to the application secure token service and the application, which allows the mobile client to access the application.
Type: Grant
Filed: September 24, 2010
Date of Patent: November 4, 2014
Assignee: Microsoft Corporation
Inventors: Meir Mendelovich, John Neystadt, Khaja E. Ahmed
-
Patent number: 8769277
Abstract: Content retrieval techniques are described. In an implementation, a determination is made as to whether a client is permitted to receive content requested by the client. When the client is permitted to receive the content, a communication is formed to be communicated via a wide area network that includes a hash list having a hash of each of a plurality of blocks of the content, each hash being configured to enable the client to locate a corresponding one of the blocks of the content via a local area network.
Type: Grant
Filed: June 23, 2008
Date of Patent: July 1, 2014
Assignee: Microsoft Corporation
Inventors: Ravi T. Rao, Khaja E. Ahmed, R. Scott Briggs, Sandeep K. Singhal
-
Publication number: 20130305371
Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
Type: Application
Filed: July 12, 2013
Publication date: November 14, 2013
Applicant: MICROSOFT CORPORATION
Inventors: Igal Figlin, Arthur Zavalkovsky, Lior Arzi, Efim Hudis, Jennifer R. Lemond, Robert Eric Fitzgerald, Khaja E. Ahmed, Jeffrey S. Williams, Edward W. Hardy
-
Patent number: 8543808
Abstract: A networked computer system in which a trusted intermediary device is allowed access to packets transmitted through a secured connection. An endpoint to a secured connection identifies a trusted intermediary device, such as by certificate provided by the intermediary device or by using identification information provided by a trusted server. The endpoint shares with the trusted intermediary device connection information that enables the intermediary device to access packets transmitted through the secured connection. Using the connection information, the intermediary device may modify authenticated packets, such as to perform network address translation, without disrupting the underlying secured connection. Similarly, the intermediary device may use the security information to read encrypted information and perform functions such as network traffic monitoring or filtering of unwanted network traffic.
Type: Grant
Filed: August 24, 2006
Date of Patent: September 24, 2013
Assignee: Microsoft Corporation
Inventor: Khaja E. Ahmed
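The abstract above describes why a NAT box or filter in the path of an authenticated connection needs the connection information: any rewrite it makes to an integrity-protected packet breaks the tag unless it can recompute it. The following is an added illustration written for this listing, not code from the patent or from Microsoft. It assumes a hypothetical packet layout (source, destination, payload, HMAC-SHA256 tag), a constructed connection key and a constructed trust store of intermediary certificate fingerprints; the packet format, key derivation and trust-store lookup are all assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example: the per-connection integrity key the two endpoints share
# (stands in for the key an IPsec-style secured connection would negotiate).
CONNECTION_KEY = hashlib.sha256(b"example connection key material").digest()

# Constructed trust store: certificate fingerprints of intermediaries the endpoint
# is willing to hand connection information to.
TRUSTED_INTERMEDIARIES = {"sha256:nat-gateway-example-fingerprint"}


def packet_tag(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Integrity tag over the addresses and payload (hypothetical packet layout).
    Any change to src, dst or payload invalidates the tag."""
    msg = src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_packet(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "payload": payload,
            "tag": packet_tag(key, src, dst, payload)}


def verify_packet(key: bytes, pkt: dict) -> bool:
    expected = packet_tag(key, pkt["src"], pkt["dst"], pkt["payload"])
    return hmac.compare_digest(pkt["tag"], expected)


def share_connection_info(intermediary_fingerprint: str) -> Optional[bytes]:
    """Endpoint side: release the connection key only to an intermediary it has
    identified as trusted (here by certificate fingerprint lookup)."""
    if intermediary_fingerprint not in TRUSTED_INTERMEDIARIES:
        return None
    return CONNECTION_KEY


def nat_rewrite(pkt: dict, new_src: str, key: Optional[bytes]) -> dict:
    """Intermediary side: rewrite the source address as NAT does. With the shared
    key it recomputes the tag so the far endpoint still accepts the packet; without
    the key the stale tag is left in place and fails verification."""
    out = dict(pkt, src=new_src)
    if key is not None:
        out["tag"] = packet_tag(key, out["src"], out["dst"], out["payload"])
    return out


def inspect_payload(pkt: dict, key: Optional[bytes], blocked_markers=(b"EICAR",)) -> str:
    """Intermediary side: filtering needs the payload. With the key the device can
    read (or, on an encrypted connection, decrypt) it and drop unwanted traffic;
    without the key the traffic is opaque to it."""
    if key is None:
        return "opaque"
    return "drop" if any(m in pkt["payload"] for m in blocked_markers) else "pass"
```

The point to take from the example is the asymmetry: without the shared connection information the intermediary can only pass packets through untouched, while with it the same rewrite survives the far end's verification.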
-
Patent number: 8516576
Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
Type: Grant
Filed: January 13, 2010
Date of Patent: August 20, 2013
Assignee: Microsoft Corporation
Inventors: Igal Figlin, Arthur Zavalkovsky, Lior Arzi, Efim Hudis, Jennifer R. LeMond, Robert Eric Fitzgerald, Khaja E. Ahmed, Jeffrey S. Williams, Edward W. Hardy
-
Publication number: 20120084851
Abstract: Embodiments of the invention make the issuance of trustworthy device claims available to client devices as a service, so that a client device to which device claims are issued may use the device claims in relation to an attempt to access a network application. The service may conduct an assessment of the device's characteristics and/or state, characterize the results of this assessment in device claims, and issue the device claims to the device. The service may be accessible to a client device from outside administrative boundaries of an entity that makes a network application accessible, and thus may be useful to entities making network applications accessible in business-to-consumer (B2C) and business-to-business (B2B) topologies, such as over the publicly accessible Internet.
Type: Application
Filed: January 27, 2011
Publication date: April 5, 2012
Applicant: Microsoft Corporation
Inventors: Eugene (John) Neystadt, Daniel Alon, Yair Tor, Mark Novak, Khaja E. Ahmed, Yoav Yassour
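The device-claims flow in patent 9111079 and publication 20120084851 above has three parts: the service assesses the device, encodes the result as claims, and issues them so the application can check them against its own policy. The example below is added here to show that flow end to end; it is not code from the patent or from Microsoft. It assumes a constructed device self-report, an HMAC-SHA256 signature under a key shared between service and application (a real service would sign with an asymmetric key and the application would verify with its public key), and constructed policy values such as the minimum OS version.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed: key shared between the claims service and the application that
# relies on its claims (a production service would sign with an asymmetric key).
SERVICE_KEY = b"device-claims-service-example-key"

MIN_OS_VERSION = (10, 0, 19045)  # constructed policy value


def _version(s: Optional[str]) -> tuple:
    return tuple(int(p) for p in (s or "0").split("."))


def assess_device(report: dict) -> dict:
    """Service side: reduce a device's reported state to claims it will vouch for.
    The report is constructed; a real assessment would use attested measurements."""
    return {
        "device_id": report["device_id"],
        "os_current": _version(report.get("os_version")) >= MIN_OS_VERSION,
        "disk_encrypted": bool(report.get("disk_encrypted")),
        "av_running": bool(report.get("av_running")),
    }


def issue_claims(report: dict, now: Optional[int] = None, ttl: int = 600) -> str:
    """Service side: assessment -> claims -> signed, time-limited claims token."""
    claims = assess_device(report)
    claims["iat"] = int(time.time() if now is None else now)
    claims["exp"] = claims["iat"] + ttl
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_claims(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Application side: check signature and expiry; return the claims or None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if int(time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims


def authorize(token: str, policy: dict, now: Optional[int] = None) -> bool:
    """Application side: admit the device only if every required claim holds."""
    claims = verify_claims(token, now)
    if claims is None:
        return False
    return all(claims.get(name) == want for name, want in policy.items())
```

The application never sees the raw device report, only claims the service is prepared to sign, which is what lets a service outside the application's administrative boundary be useful to it.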
-
Publication number: 20120079569
Abstract: Architecture that utilizes the strong authentication mechanisms of network operators to provide authentication to mobile applications by identity federation. When a mobile client initiates a request for access to an application outside the network operation infrastructure, the request is passed to an associated application secure token service. The application secure token service has an established trust and identity federation with the network operator. The application secure token service redirects the request to a network operator security token server, which then passes the request to a network operator authentication server for authentication against an operator identity service. Proof of authentication is then issued and returned from the network operator security token server to the application secure token service and the application, which allows the mobile client to access the application.
Type: Application
Filed: September 24, 2010
Publication date: March 29, 2012
Applicant: Microsoft Corporation
Inventors: Meir Mendelovich, John Neystadt, Khaja E. Ahmed
-
Patent number: 8112477
Abstract: Described is a technology in which client content requests to a server over a wide area network (WAN) are responded to with hash information by which the client may locate the content among one or more peer sources coupled to the client via a local area network (LAN). The hash information may be in the form of a segment hash that identifies multiple blocks of content, whereby the server can reference multiple content blocks with a single hash value. Segment boundaries may be adaptive by determining them according to criteria, by dividing streamed content into segments, and/or by processing the content based on the content data (e.g., via RDC or content/application type) to determine split points. Also described is content validation using the hash information, including by generating and walking a Merkle tree to determine higher-level segment hashes in order to match a server-provided hash value.
Type: Grant
Filed: August 11, 2011
Date of Patent: February 7, 2012
Assignee: Microsoft Corporation
Inventors: Ravi T. Rao, Khaja E. Ahmed, R. Scott Briggs, Scott A. Plant
-
Publication number: 20110295948
Abstract: Described is a technology in which client content requests to a server over a wide area network (WAN) are responded to with hash information by which the client may locate the content among one or more peer sources coupled to the client via a local area network (LAN). The hash information may be in the form of a segment hash that identifies multiple blocks of content, whereby the server can reference multiple content blocks with a single hash value. Segment boundaries may be adaptive by determining them according to criteria, by dividing streamed content into segments, and/or by processing the content based on the content data (e.g., via RDC or content/application type) to determine split points. Also described is content validation using the hash information, including by generating and walking a Merkle tree to determine higher-level segment hashes in order to match a server-provided hash value.
Type: Application
Filed: August 11, 2011
Publication date: December 1, 2011
Applicant: MICROSOFT CORPORATION
Inventors: Ravi T. Rao, Khaja E. Ahmed, R. Scott Briggs, Scott A. Plant
-
Patent number: 8019882
Abstract: Described is a technology in which client content requests to a server over a wide area network (WAN) are responded to with hash information by which the client may locate the content among one or more peer sources coupled to the client via a local area network (LAN). The hash information may be in the form of a segment hash that identifies multiple blocks of content, whereby the server can reference multiple content blocks with a single hash value. Segment boundaries may be adaptive by determining them according to criteria, by dividing streamed content into segments, and/or by processing the content based on the content data (e.g., via RDC or content/application type) to determine split points. Also described is content validation using the hash information, including by generating and walking a Merkle tree to determine higher-level segment hashes in order to match a server-provided hash value.
Type: Grant
Filed: June 27, 2008
Date of Patent: September 13, 2011
Assignee: Microsoft Corporation
Inventors: Ravi T. Rao, Khaja E. Ahmed, R. Scott Briggs, Scott A. Plant
-
Publication number: 20110173699
Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
Type: Application
Filed: January 13, 2010
Publication date: July 14, 2011
Inventors: Igal Figlin, Arthur Zavalkovsky, Lior Arzi, Efim Hudis, Jennifer R. LeMond, Robert Eric Fitzgerald, Khaja E. Ahmed, Jeffrey S. Williams, Edward W. Hardy
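The multi-level detection scheme shared by patents 9560068 and 8516576 and publications 20130305371 and 20110173699 above has three distinct stages: a local agent turns raw data into possibilities, a host combines its possibilities with those shared by other hosts into concerns, and concerns from several hosts become a threat that warrants action. The example below is an added illustration of those three levels over constructed authentication-failure events; it is not the patent's code or any Microsoft product's. The event format, the thresholds at each level and the protective action are all assumptions chosen for the example.

```python
from collections import Counter

# Constructed raw data as each host's agent would sense it locally:
# (host, event type, source address)
RAW_EVENTS = [
    ("web01", "auth_failure", "203.0.113.7"),
    ("web01", "auth_failure", "203.0.113.7"),
    ("web01", "auth_failure", "203.0.113.7"),
    ("web02", "auth_failure", "203.0.113.7"),
    ("web02", "auth_failure", "203.0.113.7"),
    ("web02", "auth_failure", "203.0.113.7"),
    ("db01", "auth_failure", "203.0.113.7"),
    ("db01", "auth_failure", "192.0.2.5"),
    ("db01", "auth_failure", "192.0.2.5"),
    ("db01", "auth_failure", "192.0.2.5"),
    ("web01", "auth_failure", "198.51.100.2"),
]

# Assumed thresholds for each level of processing.
POSSIBILITY_THRESHOLD = 3   # failures from one source on one host
CONCERN_MIN_HOSTS = 2       # hosts whose possibilities must agree
THREAT_MIN_CONCERNS = 2     # hosts that must independently raise the concern


def local_analysis(host: str, events: list) -> set:
    """Level 1, on the host: reduce raw data to possibilities. A source that
    failed authentication often enough on this host is a possibility."""
    counts = Counter(src for h, kind, src in events if h == host and kind == "auth_failure")
    return {src for src, n in counts.items() if n >= POSSIBILITY_THRESHOLD}


def combine(host: str, own: set, shared: dict) -> set:
    """Level 2, on the host: combine local possibilities with those shared by
    other hosts. Agreement across hosts raises a possibility to a concern."""
    concerns = set()
    for src in own:
        agreeing = 1 + sum(1 for other, poss in shared.items() if other != host and src in poss)
        if agreeing >= CONCERN_MIN_HOSTS:
            concerns.add(src)
    return concerns


def detect(events: list) -> dict:
    """Level 3: a source that several hosts independently raised as a concern is a threat."""
    hosts = {h for h, _, _ in events}
    possibilities = {h: local_analysis(h, events) for h in hosts}
    concerns = {h: combine(h, possibilities[h], possibilities) for h in hosts}
    votes = Counter(src for c in concerns.values() for src in c)
    threats = {src for src, n in votes.items() if n >= THREAT_MIN_CONCERNS}
    return {"possibilities": possibilities, "concerns": concerns, "threats": threats}


def protective_actions(threats: set) -> list:
    """Actions are taken only at the threat level, never on an uncorroborated possibility."""
    return sorted(f"block-source {src}" for src in threats)
```

With the constructed events, 203.0.113.7 is flagged locally on two web hosts and so becomes a threat, whereas 192.0.2.5 is a possibility on db01 alone and stays there: the cross-host step is what buys the greater certainty the abstract refers to.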
-
Patent number: 7921173
Abstract: The present invention provides for generating inputs that can be provided to a message classification module to facilitate more reliable classification of electronic messages, such as, for example, as unwanted and/or unsolicited. In one embodiment, a sending messaging server provides an appropriate response to address verification data thereby indicating a reduced likelihood of the sending messaging server using a forged network address. In another embodiment, it is determined if a messaging server is authorized to send electronic messages for a domain. In yet another embodiment, electronic message transmission policies adhered to by a domain are identified. In yet a further embodiment, a sending computer system expends computational resources to solve a computational puzzle and includes an answer document in an electronic message. A receiving computer system receives the electronic message and verifies the answer document.
Type: Grant
Filed: April 7, 2009
Date of Patent: April 5, 2011
Assignee: Microsoft Corporation
Inventors: Robert George Atkinson, Joshua T. Goodman, James M. Lyon, Roy Williams, Khaja E. Ahmed, Harry Simon Katz, Robert L. Rounthwaite, Andrew V. Goldberg, Cynthia Dwork
-
Patent number: 7734924
Abstract: A system and method are disclosed for transparently providing certificate validation and other services without requiring a separate service request by either a relying customer or subscribing customer. In a preferred embodiment, after the subscribing customer digitally signs a document (e.g., a commercial document such as a purchase order), it forwards the document to a trusted messaging entity which validates the certificates of both the subscribing customer and relying customer and the respective system participants of which they are customers. If the certificates are valid, the trusted messaging entity appends a validation message to the digitally-signed document and forwards the document to the relying customer. A validation message is also preferably appended to a digitally-signed receipt from the relying customer and transmitted to the subscribing customer. In this way, both the relying customer and subscribing customer obtain certification of their respective counterparty to the transaction.
Type: Grant
Filed: January 26, 2006
Date of Patent: June 8, 2010
Assignee: IdenTrust, Inc.
Inventors: Lawrence R. Miller, Guy S. Tallent, Jr., Khaja E. Ahmed
-
Publication number: 20090327505
Abstract: Described is a technology in which client content requests to a server over a wide area network (WAN) are responded to with hash information by which the client may locate the content among one or more peer sources coupled to the client via a local area network (LAN). The hash information may be in the form of a segment hash that identifies multiple blocks of content, whereby the server can reference multiple content blocks with a single hash value. Segment boundaries may be adaptive by determining them according to criteria, by dividing streamed content into segments, and/or by processing the content based on the content data (e.g., via RDC or content/application type) to determine split points. Also described is content validation using the hash information, including by generating and walking a Merkle tree to determine higher-level segment hashes in order to match a server-provided hash value.
Type: Application
Filed: June 27, 2008
Publication date: December 31, 2009
Applicant: MICROSOFT CORPORATION
Inventors: Ravi T. Rao, Khaja E. Ahmed, R. Scott Briggs, Scott A. Plant
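Patents 8112477 and 8019882 and publications 20110295948 and 20090327505 above describe the same idea: the server answers a content request with per-block hashes and a single segment hash, and the client validates blocks fetched from LAN peers by walking a Merkle tree back up to the server-provided value. The example below is added here to make that validation concrete; it is not the patent's or Microsoft's code. It assumes fixed-size blocks (the adaptive, RDC-driven boundaries the abstract mentions are not modelled), SHA-256 for every node, and one tree convention, stated in the code, for pairing nodes and for an odd trailing node; the actual tree layout used in the patent is not given on this page.

```python
import hashlib

BLOCK_SIZE = 4  # constructed: tiny blocks so the tree is easy to follow by hand


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(content: bytes, block_size: int = BLOCK_SIZE) -> list:
    return [content[i:i + block_size] for i in range(0, len(content), block_size)]


def merkle_root(leaves: list) -> bytes:
    """Walk the tree from the block hashes up to one segment hash.
    Convention assumed here: pair adjacent nodes, hash the concatenation, and
    promote an unpaired trailing node unchanged to the next level."""
    if not leaves:
        return sha256(b"")
    level = list(leaves)
    while len(level) > 1:
        level = [sha256(level[i] + level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
    return level[0]


def server_response(content: bytes) -> dict:
    """Server side: instead of the bytes, send the per-block hash list and a single
    segment hash that references all of the blocks."""
    hashes = [sha256(b) for b in split_blocks(content)]
    return {"block_hashes": hashes, "segment_hash": merkle_root(hashes)}


def validate_blocks(response: dict, blocks: list) -> bool:
    """Client side: every block fetched from a LAN peer must hash to its listed
    value, and re-walking the tree must reproduce the server's segment hash."""
    if len(blocks) != len(response["block_hashes"]):
        return False
    got = [sha256(b) for b in blocks]
    return got == response["block_hashes"] and merkle_root(got) == response["segment_hash"]


def validate_segment_only(segment_hash: bytes, blocks: list) -> bool:
    """Client that was given only the segment hash: rebuild the whole tree and
    compare the root. A single altered block changes every hash above it."""
    return merkle_root([sha256(b) for b in blocks]) == segment_hash
```

The single-hash case is the one the abstract emphasises: the server can reference a whole segment with one value, and a client holding only that value can still reject a peer that substitutes any block, at the cost of recomputing the tree.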
-
Publication number: 20090320099
Abstract: Content retrieval techniques are described. In an implementation, a determination is made as to whether a client is permitted to receive content requested by the client. When the client is permitted to receive the content, a communication is formed to be communicated via a wide area network that includes a hash list having a hash of each of a plurality of blocks of the content, each hash being configured to enable the client to locate a corresponding one of the blocks of the content via a local area network.
Type: Application
Filed: June 23, 2008
Publication date: December 24, 2009
Applicant: MICROSOFT CORPORATION
Inventors: Ravi T. Rao, Khaja E. Ahmed, R. Scott Briggs, Sandeep K. Singhal
-
Patent number: 7617322
Abstract: A system, apparatus, method, and computer-readable medium are provided for secure P2P caching. In one method, a requesting peer obtains a hash of requested data from a server. The requesting peer then transmits a request for the data to other peers. The request proves that the requesting peer has the hash. If a caching peer has the data, it generates a reply to the request that proves that it has the requested data. If the requesting peer receives a reply from a caching peer, the requesting peer establishes a connection to the caching peer and retrieves the data from the caching peer. If the requesting peer does not receive a reply to the request from any other peer, the requesting peer establishes a connection to the server and retrieves the data from the server. The requesting peer stores the data for use in responding to requests from other peers.
Type: Grant
Filed: September 29, 2006
Date of Patent: November 10, 2009
Assignee: Microsoft Corporation
Inventors: Khaja E. Ahmed, Daniel R. Simon
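Patent 8769277 and publication 20090320099 (server authorizes the client, then hands it a hash list to locate blocks on the LAN) and patent 7617322 (request proves the requester has the hash, reply proves the peer has the data, fall back to the server, cache for others) together describe one retrieval loop. The example below is an added illustration of that loop and is not code from either patent or from Microsoft. The proof scheme is an assumption made for the example: the request carries a blinded block identifier and an HMAC keyed with the block hash, and the reply is an HMAC keyed with the same hash. That reply only proves the peer knows the hash, which is weaker than the abstract's "proves that it has the requested data", so the requester additionally hashes every block it receives and discards anything that does not match. The access-control list, catalog and peers are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Server:
    """Origin server: checks that the client may have the content, then returns the
    hash list instead of the bytes. Blocks are served on request as the fallback."""
    def __init__(self, catalog: dict, acl: dict):
        self.catalog = catalog   # content name -> list of block bytes (constructed)
        self.acl = acl           # content name -> set of permitted client ids (constructed)

    def hash_list(self, client_id: str, name: str) -> Optional[list]:
        if client_id not in self.acl.get(name, set()):
            return None
        return [sha256(b) for b in self.catalog[name]]

    def fetch(self, block_hash: bytes) -> Optional[bytes]:
        for blocks in self.catalog.values():
            for b in blocks:
                if sha256(b) == block_hash:
                    return b
        return None


class Peer:
    """A LAN peer that both requests blocks and serves blocks it has cached."""
    def __init__(self, name: str):
        self.name = name
        self.cache = {}  # block hash -> block bytes

    # Assumed proof scheme: the block hash H is known only to clients the server
    # authorized. A request carries sha256(b"id"+H) as a blinded identifier plus
    # HMAC(H, "request"||nonce); a caching peer holding the block knows H, checks
    # the proof, and answers with HMAC(H, "reply"||nonce).
    def handle_request(self, block_id: bytes, nonce: bytes, proof: bytes) -> Optional[bytes]:
        for h in self.cache:
            if sha256(b"id" + h) == block_id:
                want = hmac.new(h, b"request" + nonce, hashlib.sha256).digest()
                if hmac.compare_digest(proof, want):
                    return hmac.new(h, b"reply" + nonce, hashlib.sha256).digest()
        return None

    def fetch(self, block_hash: bytes) -> Optional[bytes]:
        return self.cache.get(block_hash)

    def retrieve(self, h: bytes, peers: list, server: Server) -> Tuple[Optional[bytes], str]:
        """Ask peers first, verify whatever comes back against H, fall back to the
        server, and cache the block so it can be served to others."""
        nonce = secrets.token_bytes(16)
        block_id = sha256(b"id" + h)
        proof = hmac.new(h, b"request" + nonce, hashlib.sha256).digest()
        expected_reply = hmac.new(h, b"reply" + nonce, hashlib.sha256).digest()
        for peer in peers:
            reply = peer.handle_request(block_id, nonce, proof)
            if reply is None or not hmac.compare_digest(reply, expected_reply):
                continue
            block = peer.fetch(h)
            if block is not None and sha256(block) == h:   # never trust a peer's bytes unverified
                self.cache[h] = block
                return block, peer.name
        block = server.fetch(h)
        if block is None or sha256(block) != h:
            return None, "server"
        self.cache[h] = block
        return block, "server"
```

Two properties matter here: a peer that never obtained the hash cannot even recognise the request, so the hash list doubles as the authorization token on the LAN, and a peer that knows the hash but serves corrupted bytes is caught by the final hash check and silently bypassed in favour of the server.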
-
Patent number: 7607008
Abstract: A user is authenticated for a relying computing entity (e.g., an enterprise) through an authentication broker service, wherein a trust relationship exists between the relying computing entity and the authentication broker service. The authentication broker service has a trust relationship with the relying computing entity and the authentication service that issued the identity of the user. The relying computing entity asks the authentication broker service to authenticate the identity of the user. The authentication broker service captures the user's credential (or directs the authentication service to do so) and sends an authentication response (e.g., a token) to the relying computing entity in order to authenticate the identity of the user to the relying computing entity. The relying computing entity verifies the authentication response based on the trust relationship between the relying computing entity and the authentication broker service.
Type: Grant
Filed: April 1, 2004
Date of Patent: October 20, 2009
Assignee: Microsoft Corporation
Inventors: John Hal Howard, Daniel Salvatore Schiappa, Khaja E. Ahmed, Kyle S. Young
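Patent 8881247 and publication 20120079569 (mobile client, application secure token service, operator security token server, operator authentication server) and patent 7607008 (relying entity, authentication broker, authentication service) describe the same brokered chain: the relying party trusts only the broker, the broker trusts the identity provider, and each hop hands the next a token it can verify under its own trust relationship. The example below walks that chain with all parties in one process; it is added for this listing and is not code from either patent or from Microsoft. Each trust relationship is modelled as a shared HMAC-SHA256 key and tokens are signed JSON; real deployments use SAML or JWT with public-key signatures, but the message flow and the checks at each hop are the same. Keys, subscriber credentials and party names are constructed.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys; each models one trust relationship from the abstracts.
FEDERATION_KEY = b"operator-sts<->app-sts federation key"   # operator STS <-> app STS
APP_KEY = b"app-sts<->application key"                      # app STS (broker) <-> application


def sign(key: bytes, claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, token: str) -> Optional[dict]:
    body, _, sig = token.rpartition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if sig and hmac.compare_digest(sig, good) else None


class OperatorAuthServer:
    """Network operator's authentication server backed by its identity service."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers          # subscriber id -> credential (constructed)

    def authenticate(self, subscriber: str, credential: str) -> bool:
        return self.subscribers.get(subscriber) == credential


class OperatorSTS:
    """Operator security token server: authenticates via the auth server and
    returns proof of authentication addressed to one federated application STS."""
    def __init__(self, auth: OperatorAuthServer, federated: dict):
        self.auth, self.federated = auth, federated   # app STS id -> federation key

    def issue_proof(self, app_sts_id: str, subscriber: str, credential: str) -> Optional[str]:
        key = self.federated.get(app_sts_id)
        if key is None or not self.auth.authenticate(subscriber, credential):
            return None
        return sign(key, {"iss": "operator-sts", "aud": app_sts_id, "sub": subscriber})


class AppSTS:
    """Application secure token service, i.e. the authentication broker: it trusts
    the operator STS and issues the application a token under the app trust."""
    def __init__(self, sts_id: str, federation_key: bytes, app_key: bytes):
        self.sts_id, self.federation_key, self.app_key = sts_id, federation_key, app_key

    def exchange(self, proof: str, app_name: str) -> Optional[str]:
        claims = verify(self.federation_key, proof)
        if claims is None or claims.get("iss") != "operator-sts" or claims.get("aud") != self.sts_id:
            return None
        return sign(self.app_key, {"iss": self.sts_id, "aud": app_name, "sub": claims["sub"]})


class Application:
    """Relying party: verifies the broker's response using only its trust in the broker."""
    def __init__(self, name: str, broker_id: str, app_key: bytes):
        self.name, self.broker_id, self.app_key = name, broker_id, app_key

    def user_of(self, token: str) -> Optional[str]:
        claims = verify(self.app_key, token)
        if claims is None or claims.get("iss") != self.broker_id or claims.get("aud") != self.name:
            return None
        return claims["sub"]


def login(app: Application, app_sts: AppSTS, op_sts: OperatorSTS,
          subscriber: str, credential: str) -> Optional[str]:
    """The redirect chain from the abstracts: client -> app STS -> operator STS ->
    auth server -> proof back to the app STS -> application token."""
    proof = op_sts.issue_proof(app_sts.sts_id, subscriber, credential)
    return None if proof is None else app_sts.exchange(proof, app.name)


def build_demo():
    """Constructed deployment: one operator, one app STS, one application."""
    op_sts = OperatorSTS(OperatorAuthServer({"+15550100": "sim-secret"}),
                         {"app-sts-1": FEDERATION_KEY})
    app_sts = AppSTS("app-sts-1", FEDERATION_KEY, APP_KEY)
    app = Application("mobile-app", "app-sts-1", APP_KEY)
    return app, app_sts, op_sts
```

Note what the application never holds: the operator's federation key or the subscriber's credential. It checks issuer and audience on the broker's token and nothing else, which is the "verifies the authentication response based on the trust relationship" step in patent 7607008; the audience check is what stops a proof issued for one STS from being replayed to another.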
-
Publication number: 20090193093
Abstract: The present invention provides for generating inputs that can be provided to a message classification module to facilitate more reliable classification of electronic messages, such as, for example, as unwanted and/or unsolicited. In one embodiment, a sending messaging server provides an appropriate response to address verification data thereby indicating a reduced likelihood of the sending messaging server using a forged network address. In another embodiment, it is determined if a messaging server is authorized to send electronic messages for a domain. In yet another embodiment, electronic message transmission policies adhered to by a domain are identified. In yet a further embodiment, a sending computer system expends computational resources to solve a computational puzzle and includes an answer document in an electronic message. A receiving computer system receives the electronic message and verifies the answer document.
Type: Application
Filed: April 7, 2009
Publication date: July 30, 2009
Applicant: Microsoft Corporation
Inventors: Robert George Atkinson, Joshua T. Goodman, James M. Lyon, Roy Williams, Khaja E. Ahmed, Harry Simon Katz, Robert L. Rounthwaite, Andrew V. Goldberg, Cynthia Dwork
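Patent 7921173 and publication 20090193093 above list several inputs a classifier can be given; two of them are concrete enough to show in code: checking whether the sending server is authorized to send for the claimed domain, and verifying a computational-puzzle answer document the sender attached. The example below is added here and is not the patent's or Microsoft's code. It assumes an SPF-like policy table keyed by domain (constructed), a hashcash-style puzzle in which the sender searches for a nonce whose SHA-256 has a number of leading zero bits, and a small difficulty so the search completes in milliseconds; the real puzzle construction and answer-document format are not given on this page. The address-verification and policy-identification embodiments need network round trips and are not modelled.

```python
import hashlib
import ipaddress
from typing import Optional

# Constructed stand-in for a domain's published sending policy (an SPF-like
# record): domain -> networks authorized to send mail for that domain.
SENDER_POLICY = {"example.com": ["192.0.2.0/24", "198.51.100.10/32"]}

DIFFICULTY_BITS = 12  # assumed puzzle difficulty; small so the example solves instantly


def sender_authorized(domain: str, sending_ip: str) -> Optional[bool]:
    """Is the connecting server authorized to send for the claimed domain?
    None when the domain publishes no policy, so the classifier gets no input."""
    nets = SENDER_POLICY.get(domain)
    if nets is None:
        return None
    ip = ipaddress.ip_address(sending_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def _leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def _puzzle_input(sender: str, recipient: str, date: str, nonce: int) -> bytes:
    return f"{sender}|{recipient}|{date}|{nonce}".encode()


def solve_puzzle(sender: str, recipient: str, date: str, bits: int = DIFFICULTY_BITS) -> dict:
    """Sender side: spend CPU searching for a nonce whose hash has `bits` leading
    zero bits. The dict returned is the answer document placed in the message."""
    nonce = 0
    while _leading_zero_bits(hashlib.sha256(_puzzle_input(sender, recipient, date, nonce)).digest()) < bits:
        nonce += 1
    return {"sender": sender, "recipient": recipient, "date": date, "nonce": nonce, "bits": bits}


def verify_answer(answer: dict, my_address: str, bits: int = DIFFICULTY_BITS) -> bool:
    """Receiver side: one hash to check the work, plus a check that the work was
    done for this recipient, so one solution cannot be replayed to a whole list."""
    if answer.get("recipient") != my_address or answer.get("bits", 0) < bits:
        return False
    digest = hashlib.sha256(_puzzle_input(answer["sender"], answer["recipient"],
                                          answer["date"], answer["nonce"])).digest()
    return _leading_zero_bits(digest) >= answer["bits"]


def classification_inputs(message: dict) -> dict:
    """Inputs handed to the message classifier (the classifier itself is not modelled)."""
    answer = message.get("answer")
    return {
        "sender_authorized": sender_authorized(message["from_domain"], message["sending_ip"]),
        "puzzle_solved": verify_answer(answer, message["to"]) if answer else False,
    }
```

The asymmetry is the point of the puzzle: solving costs on the order of 2^bits hashes per message, verifying costs one, and binding the recipient and date into the puzzle input keeps a bulk sender from amortising one solution across many deliveries.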