Patents by Inventor Simon Gilbert Canning
Simon Gilbert Canning has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 10834133
  Abstract: A technique to enforce mobile device security policy is based on a “risk profile” of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied.
  Type: Grant
  Filed: December 4, 2012
  Date of Patent: November 10, 2020
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, David Paul Moore, Shane Bradley Weeden, Stephen Viselli
- Patent number: 9722991
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Grant
  Filed: January 4, 2016
  Date of Patent: August 1, 2017
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Publication number: 20160119327
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Application
  Filed: January 4, 2016
  Publication date: April 28, 2016
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Patent number: 9264436
  Abstract: A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (e.g., a profile) based on the owner's previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides for policy-based consent grants.
  Type: Grant
  Filed: May 8, 2013
  Date of Patent: February 16, 2016
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Shane Bradley Weeden, Codur Sreedhar Pranam
- Patent number: 9246907
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Grant
  Filed: July 12, 2012
  Date of Patent: January 26, 2016
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Patent number: 9203922
  Abstract: An intermediary (such as a web reverse proxy), which is located between a web browser and one or more backend applications, manages cookies that are provided by the backend applications and returned to the web browser during a user session. When a session sign-off event is initiated in the reverse proxy, HTTP “Set-Cookie” headers are sent back to the web browser to destroy the cookies (in the browser) that represent sessions with the one or more backend application(s).
  Type: Grant
  Filed: May 25, 2010
  Date of Patent: December 1, 2015
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Scott Anthony Exton, Neil Ian Readshaw
- Patent number: 9172694
  Abstract: An approach is provided to access resources at legacy systems. In this approach, a resource request destined to a legacy system is received from a requestor, with the resource request including an access token and being on behalf of a resource owner. A validation process is performed on the access token. If the access token is valid, the approach identifies the resource owner and one or more legacy access tokens used to access the legacy system. Another request is formed, with the new request including the legacy access tokens. The new request is transmitted to the legacy system and a response is received back from the legacy system. The response received from the legacy system is transmitted back to the requestor.
  Type: Grant
  Filed: May 22, 2012
  Date of Patent: October 27, 2015
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Neil Ian Readshaw, Stephen Viselli, Shane Bradley Weeden
- Publication number: 20140337914
  Abstract: A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (e.g., a profile) based on the owner's previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides for policy-based consent grants.
  Type: Application
  Filed: May 8, 2013
  Publication date: November 13, 2014
  Applicant: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Shane Bradley Weeden, Codur Sreedhar Pranam
- Patent number: 8832857
  Abstract: A method, apparatus and computer program product for detecting that a computing device may not be secure based on inconsistent identity associations identified during Federated Single Sign-On (F-SSO). A detection proxy detects when a user with a particular session is accessing an identity provider (IdP) that is associated with an account that is not the current user's account. When a user performs a login to an F-SSO-enabled IdP, the proxy performs an F-SSO, and the results are compared with known aliases for that particular federation partner. If an anomaly is detected (e.g., the in-line device sees that a user logs into a web site as someone else), a workflow is initiated to perform a given action, such as blocking access, issuing an alert, or the like.
  Type: Grant
  Filed: July 12, 2012
  Date of Patent: September 9, 2014
  Assignee: International Business Machines Corporation
  Inventors: John William Court, Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Publication number: 20140157351
  Abstract: A technique to enforce mobile device security policy is based on a “risk profile” of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied.
  Type: Application
  Filed: December 4, 2012
  Publication date: June 5, 2014
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Simon Gilbert Canning, David Paul Moore, Shane Bradley Weeden, Stephen Viselli
- Patent number: 8738692
  Abstract: An intermediary (such as a web reverse proxy), which is located between a web browser and one or more backend applications, manages cookies that are provided by the backend applications and returned to the web browser during a user session. The intermediary decides which cookies should be sent to the browser and which cookies should be stored therein. Preferably, this determination is made in an automated manner by examining the response for any cookie-dependent code (e.g., scripting) included in the response.
  Type: Grant
  Filed: February 28, 2013
  Date of Patent: May 27, 2014
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Scott Anthony Exton, Neil Ian Readshaw
- Patent number: 8701163
  Abstract: An authorization method is implemented in an authorization engine external to an authorization server. The authorization server includes a cache. The external authorization engine comprises an authorization decision engine, and a policy analytics engine. The method begins when the authorization decision engine receives a request for an authorization decision. The request is generated (at the authorization server) following receipt of a client request for which an authorization decision is not then available at the server. The authorization decision engine determines an authorization policy to apply to the client request, applies the policy, and generates an authorization decision. The authorization decision is then provided to the policy analytics engine, which stores previously-generated potential cache directives that may be applied to the authorization decision. Preferably, the cache directives are generated in an off-line manner (e.g.
  Type: Grant
  Filed: June 3, 2011
  Date of Patent: April 15, 2014
  Assignee: International Business Machines Corporation
  Inventors: Christopher John Hockings, Simon Gilbert Canning, Scott Anthony Exton, Neil Ian Readshaw
- Patent number: 8650249
  Abstract: An intermediary (such as a web reverse proxy), which is located between a web browser and one or more backend applications, manages cookies that are provided by the backend applications and returned to the web browser during a user session. The intermediary decides which cookies should be sent to the browser and which cookies should be stored therein. Preferably, this determination is made in an automated manner by examining the response for any cookie-dependent code (e.g., scripting) included in the response.
  Type: Grant
  Filed: October 13, 2010
  Date of Patent: February 11, 2014
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Scott Anthony Exton, Neil Ian Readshaw
- Publication number: 20140020077
  Abstract: A method, apparatus and computer program product for detecting that a computing device may not be secure based on inconsistent identity associations identified during Federated Single Sign-On (F-SSO). A detection proxy detects when a user with a particular session is accessing an identity provider (IdP) that is associated with an account that is not the current user's account. When a user performs a login to an F-SSO-enabled IdP, the proxy performs an F-SSO, and the results are compared with known aliases for that particular federation partner. If an anomaly is detected (e.g., the in-line device sees that a user logs into a web site as someone else), a workflow is initiated to perform a given action, such as blocking access, issuing an alert, or the like.
  Type: Application
  Filed: July 12, 2012
  Publication date: January 16, 2014
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: John William Court, Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Publication number: 20140020078
  Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
  Type: Application
  Filed: July 12, 2012
  Publication date: January 16, 2014
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
- Publication number: 20130318569
  Abstract: An approach is provided to access resources at legacy systems. In this approach, a resource request destined to a legacy system is received from a requestor, with the resource request including an access token and being on behalf of a resource owner. A validation process is performed on the access token. If the access token is valid, the approach identifies the resource owner and one or more legacy access tokens used to access the legacy system. Another request is formed, with the new request including the legacy access tokens. The new request is transmitted to the legacy system and a response is received back from the legacy system. The response received from the legacy system is transmitted back to the requestor.
  Type: Application
  Filed: May 22, 2012
  Publication date: November 28, 2013
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Simon Gilbert Canning, Neil Ian Readshaw, Stephen Viselli, Shane Bradley Weeden
- Publication number: 20130066943
  Abstract: An approach is provided in which a number of requests are received from a variety of clients over a computer network. The system uses a processor to calculate request priority values pertaining to the received requests. The calculation of the request priority values is based on one or more attributes that correspond to the respective requests. For example, the attributes could include network level attributes, session attributes, and application specific attributes. Each of the requests is assigned a request priority value. A request may receive the same request priority value as other requests. The requests are queued in a memory based on the request priority values that were assigned to the requests. The queued requests are then serviced in order of request priority so that queued requests assigned higher request priority values are processed before queued requests with lower request priority values.
  Type: Application
  Filed: September 13, 2011
  Publication date: March 14, 2013
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Simon Gilbert Canning, Scott Anthony Exton, Neil Ian Readshaw
- Patent number: 8346866
  Abstract: Special interest subgroups are formed by a group of participants by establishing a profile for each participant. The profile defines contribution attributes dealing with contributions the profiled participant might make to a subgroup and attribution attributes dealing with benefits the profiled participant might receive from participating in the subgroup. For each possible pairing of participants in the group, an overall contribution score and an overall benefit score is calculated for each participant. A mutual benefit score is calculated by combining the benefit scores for both participants in the pair. Participants are assigned to subgroups as a function of participant contribution and mutual benefit scores.
  Type: Grant
  Filed: May 5, 2010
  Date of Patent: January 1, 2013
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Craig Robert William Forster, Neil Ian Readshaw
- Publication number: 20120311674
  Abstract: An authorization method is implemented in an authorization engine external to an authorization server. The authorization server includes a cache. The external authorization engine comprises an authorization decision engine, and a policy analytics engine. The method begins when the authorization decision engine receives a request for an authorization decision. The request is generated (at the authorization server) following receipt of a client request for which an authorization decision is not then available at the server. The authorization decision engine determines an authorization policy to apply to the client request, applies the policy, and generates an authorization decision. The authorization decision is then provided to the policy analytics engine, which stores previously-generated potential cache directives that may be applied to the authorization decision. Preferably, the cache directives are generated in an off-line manner (e.g.
  Type: Application
  Filed: June 3, 2011
  Publication date: December 6, 2012
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Christopher John Hockings, Simon Gilbert Canning, Scott Anthony Exton, Neil Ian Readshaw
- Publication number: 20120096068
  Abstract: An intermediary (such as a web reverse proxy), which is located between a web browser and one or more backend applications, manages cookies that are provided by the backend applications and returned to the web browser during a user session. The intermediary decides which cookies should be sent to the browser and which cookies should be stored therein. Preferably, this determination is made in an automated manner by examining the response for any cookie-dependent code (e.g., scripting) included in the response.
  Type: Application
  Filed: October 13, 2010
  Publication date: April 19, 2012
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Simon Gilbert Canning, Scott Anthony Exton, Neil Ian Readshaw