Patents Issued in April 20, 2017
-
Publication number: 20170111328Abstract: A plurality of system nodes coupled via a dedicated private network is described herein. The nodes offer an end-to-end solution for protecting against network-based attacks. For example, a single node can receive and store user data via a data flow that passes through various components of the node. The node can be designed such that communications internal to the node, such as the transmission of encryption keys, are partitioned or walled off from the components of the node that handle the publicly accessible data flow. The node also includes a key management subsystem to facilitate the use of encryption keys to encrypt user data.Type: ApplicationFiled: October 14, 2016Publication date: April 20, 2017Inventor: John Leon
-
Publication number: 20170111329Abstract: A service access method and an apparatus. A secure transmission proxy apparatus performs verification and management on service permission, which reduces networking costs of a service server side and workload of reconstruction and maintenance of the service server side, and enhances communication security. A solution includes: decrypting, by a secure transmission proxy apparatus, a service request message sent by a client, where the service request message includes a service type; performing verification on service permission of a decrypted service request message according to the service type; performing protocol conversion on the decrypted service request message if the service permission verification succeeds; and sending a service request message obtained after the protocol conversion to a service server side, so that the service server side executes a corresponding service according to the service request message obtained after the protocol conversion.Type: ApplicationFiled: December 27, 2016Publication date: April 20, 2017Inventor: Cheng Liu
-
Publication number: 20170111330Abstract: One embodiment provides a system that facilitates selective encryption of bit groups of a message. During operation, the system determines, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level. The system computes a plurality of cipher blocks for the message based on an authenticated encryption protocol. The system encrypts the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components. Subsequently, the system indicates the encrypted bit groups as encrypted.Type: ApplicationFiled: October 16, 2015Publication date: April 20, 2017Applicant: Palo Alto Research Center IncorporatedInventors: Marc E. Mosko, Christopher A. Wood
-
Publication number: 20170111331Abstract: A method may include, based on a set of capabilities, requesting access to data, metadata or both protected by a composite wrapper comprising a first wrapper and a second wrapper. The wrappers are each defined by different mathematical transformations performed by a component separate from the computing device. Based on an access privilege for the data, the metadata or both determined from the set of capabilities, visibility may be granted through at least one of the first or second wrapper based on independent evaluations of the first and second wrappers relative to the access privilege.Type: ApplicationFiled: December 29, 2016Publication date: April 20, 2017Applicant: Microsoft Technology Licensing, LLCInventors: Rahul V. Auradkar, Roy Peter D'Souza
-
Publication number: 20170111332Abstract: A method for asymmetrical key derivation by a signing entity for a terminal including introducing identical cryptographic material into the signing entity and into the terminal; deriving in each case a private key from the cryptographic material in the signing entity and in the terminal; calculating in each case a public key from the private key in the signing entity and in the terminal; generating a signature and/or a signed public key in the signing entity; transferring the signature and/or the signed public key from the signing entity into the terminal; and appending the signature of the signing entity to the public key in the terminal.Type: ApplicationFiled: October 11, 2016Publication date: April 20, 2017Inventors: Alexander TSCHACHE, Timo WINKELVOS
-
Publication number: 20170111333Abstract: In one embodiment, an apparatus comprises a processor to execute instructions and having at least a first logic to execute in a trusted execution environment, a secure storage to store a platform group credential, and a first logical device comprising at least one hardware logic. The platform group credential may be dynamically provisioned into the apparatus and corresponding to an enhanced privacy identifier associated with the apparatus. The first logical device may have a first platform group private key dynamically provisioned into the first logical device and corresponding to an enhanced privacy identifier associated with the first logical device, to bind the first logical device to the apparatus. Other embodiments are described and claimed.Type: ApplicationFiled: December 21, 2015Publication date: April 20, 2017Inventors: Ned M. Smith, Sven Schrecker
-
Publication number: 20170111334Abstract: An infrastructure delivery platform provides a RSA proxy service as an enhancement to the TLS/SSL protocol to off-load, from an edge server to an external cryptographic server, the decryption of an encrypted pre-master secret. The technique provides forward secrecy in the event that the edge server is compromised, preferably through the use of a cryptographically strong hash function that is implemented separately at both the edge server and the cryptographic server. To provide the forward secrecy for this particular leg, the edge server selects an ephemeral value, and applies a cryptographic hash the value to compute a server random value, which is then transmitted back to the requesting client. That server random value is later re-generated at the cryptographic server to enable the cryptographic server to compute a master secret. The forward secrecy is enabled by ensuring that the ephemeral value does not travel on the wire.Type: ApplicationFiled: December 26, 2016Publication date: April 20, 2017Inventors: Charles E. Gero, Philip A. Lisiecki
-
Publication number: 20170111335Abstract: A method comprising: storing a plurality of device records, at least one device record including a digital device identifier that identifies at least one digital device in non-persistent communication, a current password associated with the digital device identifier, and a policy identifier that identifies at least one policy indicating when an updated password will be generated for the at least one digital device identified by the digital device identifier. The example method further comprises determining whether at least one condition identified by the at least one policy is satisfied, generating an updated password only if the at least one condition is satisfied, receiving a password update request initiated from a security agent executing on the at least one digital device, and providing the updated password to replace at least one password on the at least one digital device only if the at least one condition is satisfied.Type: ApplicationFiled: December 26, 2016Publication date: April 20, 2017Inventors: Brad Hibbert, Gyle Iverson, Julie Lustig-Rusch, James Mitchell, Jeffery Nielsen
-
Publication number: 20170111336Abstract: A system for enabling an endpoint residing in an external network to perform resource operations on an internal resource, the system including a directory service managing authentication and authorization operations for the internal resource, a gatekeeper device residing in the external network, and a gateway device residing in an internal network. The gatekeeper device is configured to receive a resource operation request from the endpoint, the resource operation request is associated with a user and transmit the resource operation request to the gateway device. The gateway device is configured to receive the resource operation request from the gatekeeper device, authenticate with the directory service as the user, using credentials of the user, authorize the resource operation request with the directory service, and initiate the resource operation request with the internal resource.Type: ApplicationFiled: October 14, 2015Publication date: April 20, 2017Inventors: Charles A. Davis, Danny Kim, Michael Hilton Manlief, Matthew Randall Sousley
-
Publication number: 20170111337Abstract: A multi-factor user authentication framework using asymmetric key includes a host device, a user agent, a gesture system, and an authentication system. The multiple factors include a user credential as well as a user gesture that indicates that the user is present. The user interacts with the user agent via the host device in order to obtain access to something for which user authentication is needed. The authentication system maintains the user credentials, which are provided to authenticate the user in response to the authentication system determining that the user is present (which can be determined in different manners, such as using a personal identification number (PIN), biometric information regarding the user, geographic location of the gesture system, etc.). The user agent, gesture system, and authentication system can be implemented on the same device (e.g., the host device), or alternatively implemented across one or more different devices.Type: ApplicationFiled: October 14, 2015Publication date: April 20, 2017Applicant: Microsoft Technology Licensing, LLCInventors: Anooshiravan Saboori, Nelly Porter, Vijay G. Bharadwaj, Alexander Thomas Weinert, Octavian T. Ureche, Benjamin Richard Vincent, Tarek Bahaa El-Din Mahmoud Kamel
-
Publication number: 20170111338Abstract: A network access service operates as an intermediary between client applications and network services. The network access service is configured to perform one or more authentication processes required by the network services on behalf of the client applications. This includes the network access service obtaining and managing access tokens on behalf of the client applications. The network access service reuses access tokens and automatically acquires new access tokens upon expiration. The network access service is also configured to format data from a client application into a format required by a network service and to provide application program interface and language support required by a network service.Type: ApplicationFiled: October 19, 2015Publication date: April 20, 2017Applicant: RICOH COMPANY, LTD.Inventors: Rathnakara Malatesha, Lana Wong, Hiroshi Kitada
-
Publication number: 20170111339Abstract: A method is provided for facilitating service-specific security while avoiding a full authentication and key agreement exchange each time a service is activated on a device. Multiple services on a single device and sharing the same session link (e.g., radio link or radio bearer) and the same physical network may nonetheless obtain distinct service-specific network connectivity root keys from which service-specific security/session keys may be derived. In such case, instead of performing a full authentication and key agreement exchange with an operator or provider (e.g., home subscription server or HSS), the device may authenticate a network slice using a security credential established during a prior authentication with another network slice.Type: ApplicationFiled: April 7, 2016Publication date: April 20, 2017Inventors: Soo Bum Lee, Anand Palanigounder
-
Publication number: 20170111340Abstract: A determination apparatus according to an embodiment includes a receiving unit, an acquisition unit, and a determination unit. The receiving unit receives a request for authentication of identity of a user who uses a terminal device. The acquisition unit acquires context information that is information indicating a context of the terminal device. The determination unit performs determination related to authentication requested by the terminal device, on the basis of the context information acquired by the acquisition unit. For example, the determination unit determines whether an authentication procedure for an authentication request received by the receiving unit is needed on the basis of a change between context information that is acquired upon reception of an authentication request by the receiving unit and context information that has been acquired upon reception of a past authentication request.Type: ApplicationFiled: July 21, 2016Publication date: April 20, 2017Applicant: YAHOO JAPAN CORPORATIONInventors: Hidehito GOMI, Teruhiko TERAOKA
-
Publication number: 20170111341Abstract: Provided is a system and method for authenticating a user using history of the user. One or more example embodiments provide a system and method that enables a server to perform an authentication or an additional authentication of a user based on use history of the user associated with a service when the server provides the service to an electronic device over a network.Type: ApplicationFiled: August 30, 2016Publication date: April 20, 2017Applicant: LINE CorporationInventors: Seonggu HUH, lryoung JEONG, Ho Sung KANG
-
Publication number: 20170111342Abstract: The present invention relates to an application that is configured to provide secure access to confidential information. To protect the confidential information, the application may include functions that utilize a decoy application to disguise the functionality of the application. A unique sequence of inputs received through an interface associated with the decoy application may permit a user to access the confidential information. An authorized user that has been provided access to the confidential information may access configuration interfaces that permit the user to define the inputs that will serve as login credentials and to customize the appearance and functionality of the decoy application.Type: ApplicationFiled: December 29, 2016Publication date: April 20, 2017Inventor: Joseph Fitzgerald
-
Publication number: 20170111343Abstract: Methods and apparatus for authenticating a user equipment device (UE) requesting services through a session border controller (SBC) are described. In some embodiments the SBC stores the challenge and response for a successfully authenticated UE and uses this information to authenticate the UE when the UE seeks access to a service, e.g., establishing a new TCP connection. In some other embodiments, in response to receiving an Invite request from a UE requesting service the SBC generates and sends a Registration request to an authentication entity on behalf of the UE to trigger an authentication process. If the UE is authenticated the SBC allows service access, e.g., allows a call to proceed, otherwise denies service to the UE.Type: ApplicationFiled: December 30, 2016Publication date: April 20, 2017Inventor: Tolga Asveren
-
Publication number: 20170111344Abstract: A method and system for performing data processing. A request for agent software is acquired by an agent computer system from a user computer system and in response, the agent computer system retrieves the agent software from a repository of agents and migrates the retrieved agent software to the user computer system. The agent computer system acquires an itinerary and N sets of run time instructions from the user computer system. N is at least 2. The itinerary specifies a path along which the agent software is to migrate to perform a portion of the data processing on N computer systems using the N sets of run time instructions. The agent computer system provides the received itinerary and the N sets of run time instructions to the agent software at the user computer system.Type: ApplicationFiled: January 3, 2017Publication date: April 20, 2017Inventor: Ock K. Baek
-
Publication number: 20170111345Abstract: According to one embodiment, a system includes a memory comprising instructions, an interface, and a processor communicatively coupled to the memory and the interface. The interface is configured to receive, from a user device, a request to create a token associated with user identification information. The processor is configured, when executing the instructions, to generate, based on the request, a token associated with the user identification information and the user device. The interface is further configured to send the generated token to the user device for storage, and the processor is further configured to generate a token record associated with the generated token.Type: ApplicationFiled: October 16, 2015Publication date: April 20, 2017Inventors: Andrew S. Heiman, Phillip W. Mork, Zafer Mohamed, William J. Wied
-
Publication number: 20170111346Abstract: Disclosed are systems, methods, and computer-readable storage media for Bluetooth low energy (BLE) double authentication between a mobile device and server nodes. A system using BLE authentication can receive at a mobile device, an identifier of a dongle attached to a server that enables wireless communication and can establish a wireless low energy connection with the dongle without paring. The system can receive a server identifier and can determine whether the server has previously been authenticated to yield a determination. When the determination is that the server has not previously been authenticated, the system can receive a baseband management controller username and a password. When the determination is that the server has previously been authenticated, the system can determine whether to perform a double authentication to yield a second determination. The system can perform the double authentication when the second determination indicates that the double authentication should be performed.Type: ApplicationFiled: October 16, 2015Publication date: April 20, 2017Inventor: Yen-Ping TUNG
-
Publication number: 20170111347Abstract: A security method and apparatus for an electric vehicle (EV) power transfer system can prevent abuse of privacy information or financial information which is stored in an in-vehicle controller, and block fee charging and authentication. A security method for the EV power transfer system, performed by a charging controller installed in an EV, includes steps of: receiving an authentication request from a communication controller installed in the EV; authenticating second key information included in the authentication request based on first key information which is learned or stored beforehand; and when the authentication succeeds, starting a charging process.Type: ApplicationFiled: October 11, 2016Publication date: April 20, 2017Inventors: Do Hoon Kim, Kang Hoon Lee
-
Publication number: 20170111348Abstract: The present invention is directed toward an RFID device that includes a motion sensing mechanism. The motion sensing mechanism is adapted to sense motion of the RFID device and then selectively allow or restrict the RFID device's ability to transmit messages, which may include sensitive data, when the RFID device is placed in an RF field. Thus, the motion sensing mechanism is utilized to control access to data on the RFID device to only instances when the holder of the RFID device moves the RFID device in a predefined sequence of motion(s).Type: ApplicationFiled: December 15, 2016Publication date: April 20, 2017Inventor: Michael Lawrence Davis
-
Publication number: 20170111349Abstract: A portable electronic card system and a verifying method thereof are provided. The portable electronic card system includes: a portable personal electronic device, a rewritable card, and a writing device. The portable personal electronic device is used for obtaining a certificated code and a personal information from a remote controller. When a bidirectional verifying communication is performed between the remote controller and the portable electronic device to download the personal information, security code stored in the rewritable card be compared with security code stored in the portable electronic device for verifying and writing the personal information into the rewritable card, and another security code is generated to update or replace the original security code stored in the portable electronic device and the rewritable card.Type: ApplicationFiled: December 30, 2016Publication date: April 20, 2017Inventor: Pinsheng SUN
-
Publication number: 20170111350Abstract: Techniques are described for controlling data and resource access. For example, methods and systems can facilitate controlled token distribution across systems and token processing in a manner so as to limit access to and to protect data that includes access codes.Type: ApplicationFiled: December 23, 2016Publication date: April 20, 2017Inventors: Phillip Volini, John Raymond Werneke, Carl Schumaler, Michael Smith, Frank Giannantonio, Vito Iaia, Sean Moriarty
-
Publication number: 20170111351Abstract: Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.Type: ApplicationFiled: June 13, 2016Publication date: April 20, 2017Inventors: Garret Florian Grajek, Jeff Chiwai Lo, Robert Jason Phillips, Shu Jen Tung
-
Publication number: 20170111352Abstract: There is provided a method for automatically intercepting two or more data packets transported over a computer network, where the data packets originated from client terminal(s), and each data packet comprising transport layer security protocol message(s). The data packets are automatically analyzed to identify secure connection request(s) to an unsecure domain hosted on web server(s), where the secure connection request(s) was received from one or more of the client terminal(s). A digital security certificate is automatically retrieved for the unsecure domain from a trusted certification authority. The digital security certificate is automatically associated with the unsecure domain, thereby converting the unsecure domain to a secure domain. The digital security certificate is automatically sent to a second client terminal in response to a future secure connection request, thereby facilitating a secure connection between the second client terminal and the secure domain.Type: ApplicationFiled: January 6, 2016Publication date: April 20, 2017Applicant: TEWAMInventors: Robert Schmaholz, Mario Witte, Benjamin Schwenk
-
Publication number: 20170111353Abstract: A method for performing certification by a control device of a vehicle including generating a first signed certificate, which has at least one public key, and generating an associated private key; single-time introduction of the first signed certificate and of the associated private key into the control device; producing a second certificate; signing a further public key in the control device, using the private key and the second certificate; and making available the signed further public key together with the first signed certificate.Type: ApplicationFiled: October 11, 2016Publication date: April 20, 2017Inventors: Alexander TSCHACHE, Timo WINKELVOS
-
Publication number: 20170111354Abstract: A method for booting and dumping a confidential image on a trusted computer system. Embodiments of the present invention disclose deploying a secure boot image and encrypted client data from a client to a trusted computer system. Embodiments of the present invention disclose booting a confidential image on a trusted computer system. Embodiments of the present invention also disclose a process of dumping a confidential image on the trusted computer system.Type: ApplicationFiled: October 16, 2015Publication date: April 20, 2017Inventors: Reinhard T. Buendgen, James A. O'Connor, William J. Rooney
-
Publication number: 20170111355Abstract: A mechanism is described for facilitating remote access of device and user credentials for at computing devices according to one embodiment of the invention. A method of embodiments of the invention includes remotely accessing, by a first computing device, credentials of a second computing device. The credentials may facilitate the first computing device to perform one or more tasks. The method may further include performing, at the first computing device, the one or more tasks based on the accessed credentials and according to capabilities of the first computing device.Type: ApplicationFiled: December 30, 2016Publication date: April 20, 2017Inventor: John LIGHT
-
Publication number: 20170111356Abstract: A wearable device is used to authenticate a user into a user account at a user device of the user. In particular, the wearable device may include a sensor configured to detect a body chemistry of the user. The wearable device may send a signal, such as a short range wireless signal, Bluetooth Low Energy or the like, to the user device to communicate the detected body chemistry to the user device. The user device may authenticate the user based on the body chemistry condition detected at the wearable device. In an embodiment, the wearable device may include an olfactory sensor configured to detect certain smell or scent of the user.Type: ApplicationFiled: December 23, 2016Publication date: April 20, 2017Inventors: Kevin Keith Tijerina, Abraham Doris-Down, Matthew Alexander Wilczynski, Miguel Angel Escobedo
-
Publication number: 20170111357Abstract: A controller and a first device perform mutual authentication, create a group key, and share the group key, and the first device is set as a reference device. Thereafter, at a group key update timing when the controller and the reference device update the group key to an updated group key, the controller and a second device, which is not the reference device, perform mutual authentication, and the updated group key is also shared by the second device. Further, encrypted data is generated by encrypting transmission data by using the group key, a MAC (Message Authentication Code) is generated from the transmission data, a header, a transmission source address, and a transmission destination address, and a message that includes the encrypted data, the header, the transmission source address, the transmission destination address, and the MAC is broadcast.Type: ApplicationFiled: December 28, 2016Publication date: April 20, 2017Inventors: YUJI UNAGAMI, MANABU MAEDA, HIDEKI MATSUSHIMA
-
Publication number: 20170111358Abstract: Systems, methods, and non-transitory computer-readable medium are disclosed includes for secure online credential authentication. One method includes receiving, over an electronic network, identification information from an identity provider; accessing, from a database, previously stored hashed identification information stored in association with a previous identity provider; comparing the identification information to previously stored hashed identification information; and storing the identification information in association with the identity provider that provided the identification information in the database when the hashed identification information does not match previously stored hashed identification information.Type: ApplicationFiled: October 14, 2016Publication date: April 20, 2017Inventor: Blake HALL
-
Publication number: 20170111359Abstract: In accordance with one embodiment, a method for securing data is disclosed. The method includes sensing multi-dimensional motion of a body part of a user to generate a multi-dimensional signal; in response to the multi-dimensional signal and user calibration parameters, generating a neuro-mechanical fingerprint; and encrypting data with an encryption algorithm using the neuro-mechanical fingerprint as a key.Type: ApplicationFiled: December 29, 2016Publication date: April 20, 2017Applicant: Aerendir Mobile Inc.Inventors: Martin Zizi, Hugh Sharkey
-
Publication number: 20170111360Abstract: A computer-implemented method is provided for a management entity to detect where a rogue access point is connected to the network infrastructure. The management entity receives from a wireless network controller an indication of an unauthorized frame wirelessly intercepted by an authorized access point. The unauthorized frame carries data between a rogue access point and a wireless client device. The rogue access point is connected to a compromised network element in a managed network at a compromised port of the compromised network element. The management entity extracts a client network address and a gateway network address from the indication of the unauthorized frame. The management entity traces a path through the managed network from a gateway network element associated with the gateway network address to the compromised network element. The management entity determines the compromised port in the compromised network element at which the rogue access point is connected.Type: ApplicationFiled: October 14, 2015Publication date: April 20, 2017Inventors: Sanjay Kumar Hooda, Poon Kuen Leung, Liu Huang, Vishwas Vijendra Bhat, Shweta Arvind Saraf
-
Publication number: 20170111361Abstract: A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules.Type: ApplicationFiled: December 23, 2016Publication date: April 20, 2017Applicant: Numecent Holdings, Inc.Inventors: Arthur S. Hitomi, Robert Tran, Peter J. Kammer, Doug Pfiffner, Huy Nguyen
-
Publication number: 20170111362Abstract: The present invention discloses a file downloading method, a server, a download access node, and a distributed storage system, which pertains to the field of communications technologies, and is designed to resolve a problem in the prior art that load on the server increases, and an authentication speed and a response speed for downloading a file are reduced. The file downloading method includes: acquiring, by a server, download permission that is set, and generating an access control list parameter of the download permission; and releasing, by the server, a download link that includes the access control list parameter, so that a terminal acquires the download link and generates a download request that includes the access control list parameter.Type: ApplicationFiled: March 24, 2014Publication date: April 20, 2017Applicant: Huawei Technologies Co., Ltd.Inventors: Qingdong Xie, Kaifu Xu, Xiaoming Li
-
Publication number: 20170111363Abstract: Embodiments regard security descriptors for record access queries. An embodiment of a method includes: receiving a record access query, the query regarding records for a certain one or more users at a certain access level; searching one or more sharing tables of entities in a computing environment for security descriptors, each security descriptor being associated with a set of one or more users having access to one or more records of a set of records at an access level; identifying any security descriptors in the one or more sharing tables that relate to the certain one or more users with at least the certain access level; and searching the one or more records associated with each of the identified security descriptors according to the record access query.Type: ApplicationFiled: December 30, 2016Publication date: April 20, 2017Inventor: Venkat Chandrasekaran
-
Publication number: 20170111364Abstract: A system can receive sets of contact information from a plurality of devices. Each set of contact information can be associated with a user account of a plurality of user accounts. The system can determine connection information for the plurality of user accounts based on the received sets of contact information. The system can identify a first subset of user accounts is identified as being trusted and a second subset of user accounts is identified as being fraudulent, and subsequently, identify one or more user accounts that are not in the first subset and not in the second subset as being trusted or fraudulent based, at least in part, on the connection information for the plurality of user accounts, and the identified first subset and the identified second subset.Type: ApplicationFiled: October 14, 2015Publication date: April 20, 2017Inventor: Sachin Rawat
-
Publication number: 20170111365Abstract: Implementations of PDB Sandboxing in layers and mapping to different operating systems are described. In exemplary implementations, one or more pluggable databases (PDBs) are encapsulated on common container databases to form one or more PDB sandboxes. Encapsulating PDBs forms an isolation boundary layer configured to dynamically regulate security and isolation of the PDB sandboxes. Access by processes and resources to and from the PDBs inside respective PDB sandboxes through the isolation boundary layer, and access within PDB sandboxes, is regulated using dynamic access processes that dynamically vary access to resources and process disposed within and external to the PDB sandboxes.Type: ApplicationFiled: February 2, 2016Publication date: April 20, 2017Inventors: Nicolas Michael, Yixiao Shen, Glenn Faden
-
Publication number: 20170111366Abstract: Access to a user profile of a user device at a location may be provided to a destination device upon detecting that the location is within a proximity of a destination location. An expiring token may be generated, associated with the user profile, and communicated to the second device. Access to the user profile provided to the destination device may be terminated upon an expiration of the expiring token.Type: ApplicationFiled: January 9, 2017Publication date: April 20, 2017Inventors: Lisa Seacat DeLuca, Lydia M. Do, Geetika T. Lakshmanan
-
Publication number: 20170111367Abstract: Aspects extend to methods, systems, and computer program products for controlling performance of a requested user operation. It is determined if a requested user operation can access data on behalf of a user based on an obtained user context associated with the user. The user context identifies the location of an object representing a user relative to other objects within a hierarchical data structure. The context is used to derive a role for the user. A control expression is accessed. The control expression governs access of the requested user operation for the derived role. A set of permissions is formed for the user by evaluating the control expression using the user context and a data context for the data. The user's authorization to perform the requested user operation is determined from the set of permissions. The requested user operation is performed according to the determined user's authorization.Type: ApplicationFiled: December 20, 2016Publication date: April 20, 2017Inventors: Sergei Ivanov, John August Barrows
-
Publication number: 20170111368Abstract: A method comprising storing a privilege rule, detecting an instruction to execute an application, and determining whether execution of the application requires an elevated privilege. The example method further comprises identifying, responsive to a determination the execution of the application requires the elevated privilege, one or more attributes of the application, and generating a request for the elevated privilege based on the privilege rule and the one or more attributes of the application. The method further comprises receiving the elevated privilege responsive to an approval of the request for the elevated privilege, and causing the execution of the application with the elevated privilege.Type: ApplicationFiled: December 26, 2016Publication date: April 20, 2017Inventors: Brad Hibbert, Gyle Iverson, Julie Lustig-Rusch, James Mitchell, Jeffery Nielsen
-
Publication number: 20170111369Abstract: Electronic content, for example, a web page, is configured for display by a web browser application to include content that is not included in or referenced by the web page. The web page includes a first locator for first content. A second locator for second content is associated with the first locator in a database or other memory structure. In response to a request for the web page, the second locator is obtained. Access to the second locator may be secured. The second locator may be swapped with the first locator to cause the web browser application to obtain the second content instead of the first content. In the alternative, the second content may be obtained and provided to the web browser instead of, or in addition to, the first content.Type: ApplicationFiled: December 29, 2016Publication date: April 20, 2017Inventor: Gary Stephen SHUSTER
-
Publication number: 20170111370Abstract: Information stored in a Hypertext Transfer Protocol (HTTP) session is monitored. Based on the monitoring, authentication information in the information stored in the HTTP session is identified.Type: ApplicationFiled: March 24, 2014Publication date: April 20, 2017Inventors: Ming Sum Sam NG, Ronald Joseph SECHMAN, Matias MADOU
-
Publication number: 20170111371Abstract: To prevent legitimate message recipients from forging new messages and to encrypt messages for a specific set of recipients (channel), a root key is encrypted and combined with a base session management key to render a combined root key, which in turn is encrypted with a public key of at least one recipient device render a session management key. The public key of each āNā intended recipient device encrypts the combined root key to render āNā session management keys. The session management keys are then combined with the combined root key to render a multicast root key, which is signed with a private key of a sending device. The signed multicast root key is combined with the session management keys to render an encrypted, signed multicast root key that is used to encrypt digital information prior to transmitting the digital information.Type: ApplicationFiled: October 14, 2015Publication date: April 20, 2017Inventor: Bryan Cotta
-
Publication number: 20170111372Abstract: A server system for sharing data from a first device using a first MSISDN with a second device using a second MSISDN. The system is arranged to: receive a first media identifier from the first device, wherein the first media identifier identifies a media item; receive a first contact identifier from the first device, wherein the first contact identifier comprises the second MSISDN; identify that the media item identified by the first media identifier corresponds to a media item identified by second media identifier, wherein the second media identifier is stored by the system; and send sharing data to the second device, wherein the sharing data identifies the media item.Type: ApplicationFiled: November 13, 2015Publication date: April 20, 2017Inventor: Ayman Zakaria Jamaa
-
Publication number: 20170111373Abstract: Various embodiments of the invention increase security of a network of interoperable devices. In certain embodiments, this is accomplished by a security module that is uses a user-definable security policy that sets forth one or more tests for validating input data or commands received from an IoT device. A validator receives the command via a command controller and performs a security analysis of the command according to the security policy. Responsive to the security analysis, the validator generated a validation signal in order to authorize or reject further processing of the command.Type: ApplicationFiled: October 16, 2015Publication date: April 20, 2017Applicant: DELL PRODUCTS L.P.Inventors: Michael John Morton, Aaron Kenneth Blackwell, Richard A. Backhouse
-
Publication number: 20170111374Abstract: Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.Type: ApplicationFiled: November 2, 2015Publication date: April 20, 2017Inventors: Mark David Harris, Daniel Stutz, Vincent Kevin Lynch
-
Publication number: 20170111375Abstract: Intrusion features of a landing page associated with sponsored content are identified. A feature score for the landing page based on the identified intrusion features is generated, and if the feature score for the landing page exceeds a feature threshold, the landing page is classified as a candidate landing page. A sponsor account associated with the candidate landing page can be suspended, or sponsored content associated with the candidate landing page can be suspended.Type: ApplicationFiled: December 28, 2016Publication date: April 20, 2017Applicant: Google Inc.Inventors: Niels Provos, Yunkai Zhou, Clayton W. Bavor, JR., Eric L. Davis, Mark Palatucci, Kamal P. Nigam, Christopher K. Monson, Panayiotis Mavrommatis, Rachel Nakauchi
-
Publication number: 20170111376Abstract: Methods and systems for event detection include defining a plurality of conditions that represent one or more synthetic events. Data from a plurality of data sources is aggregated across a period of time, multiple attack surfaces, and geographically distinct locations. The aggregated data is matched to the conditions to determine whether a synthetic event has occurred. A response to the synthetic event is formed to resist an attack.Type: ApplicationFiled: October 20, 2015Publication date: April 20, 2017Inventors: Robert R. Friedlander, James R. Kraemer, Jeb Linton, Christopher M. Poulin
-
Publication number: 20170111377Abstract: A network capable of detecting a DoS attack and a method of controlling the same, a gateway and a managing server included in the network are disclosed. The network capable of detecting a DoS attack comprises gateways. Here, each of the gateways receives packets, generates a self organizing map SOM by learning the packets and detects using the SOM whether or not a packet to be received is a packet of the DoS attack.Type: ApplicationFiled: February 4, 2016Publication date: April 20, 2017Inventors: Min Ho Park, Min Hoe Kim