Protection At A Particular Protocol Layer Patents (Class 713/151)
  • Patent number: 10348701
    Abstract: Described embodiments protect clients from open redirect security vulnerabilities in Web applications. A primary application receives a request for an operation to be performed on behalf of a secondary application. The request includes a return location parameter containing i) a return location, and ii) an encrypted portion. After completing the requested operation, the primary application retrieves the return location parameter and a cryptographic key uniquely associated with the secondary application. The primary application decrypts the encrypted portion of the return location parameter to generate a decrypted value, and uses the decrypted value to validate the return location contained in the return location parameter. The primary application transmits a redirect message to the client that causes the client to be redirected to the return location contained in the return location parameter only in response to the return location being successfully validated based on the decrypted value.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: July 9, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Javier Alejandro Figueroa, Kenneth Scott Bowden
  • Patent number: 10348706
    Abstract: Methods and apparatuses for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.
    Type: Grant
    Filed: May 4, 2017
    Date of Patent: July 9, 2019
    Inventor: Ernest Brickell
  • Patent number: 10338898
    Abstract: A system includes a user interface presented to a developer. The developer selects a first function to supplement functionality of a first application with external functionality available from third party applications. A code generation module provides a software object to the developer for incorporation into a first state of the first application. The first state includes a user interface element associated with an entity. User selection of the user interface element initiates preparation of a query wrapper including a combination of the entity's name and a predefined text string corresponding to the first function. The query wrapper is transmitted to a search system and a result set is received and displayed. A first item of the result set includes an access mechanism for a specified state of a target application. User selection of the first item causes the access mechanism to open the target application to the specified state.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: July 2, 2019
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Taher Savliwala, Eric Chen, Jonathan Ben-Tzur
  • Patent number: 10341822
    Abstract: A broadcast delivery system designed for the purpose of providing a broadcast delivery system that reduces the load on a wireless network control device comprises: a femto cell base station that provides a wireless connection to a terminal and forms one cell; a gateway device that relays data which the femto cell base station transmits to and receives from a core network; a wireless network control device that is connected to the gateway device; and a broadcast delivery device that transmits, to the wireless network control device, a broadcast delivery message addressed to the terminal connected to the femto cell base station. The gateway device controls the operating state of the femto cell base station and broadcast delivery to the terminal using, as a unit, a service area comprising one or more cells formed by the femto cell base station.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: July 2, 2019
    Inventor: Masashi Inagaki
  • Patent number: 10341979
    Abstract: Techniques for exchanging secure FTM messages are disclosed. An example of a wireless transceiver system for providing a secure Fine Timing Measurement (FTM) exchange includes a memory and a processor configured to obtain an initial-secure-token value and a secure-token-response value via an out-of-band signal, generate an FTM Request message including the initial-secure-token value, a transmitter to send the FTM Request message to a responding station, and a receiver to receive an FTM Response message including the secure-token-response value from the responding station, such that the at least one processor is configured to determine a Round Trip Time (RTT) value based at least in part on the FTM Response message.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: July 2, 2019
    Assignee: QUALCOMM Incorporated
    Inventors: Santosh Vamaraju, Carlos Horacio Aldana
  • Patent number: 10318209
    Abstract: Discussed herein are methods, devices, and systems for moving a file to a process. A device can include a kernel, a memory, and processing circuitry to: issue one or more move and rename instructions to the memory to change a location and name of a file requested by the second process, issue one or more update access control instructions to update permissions, perform a UAC to determine whether any processes other than the second process currently have the file open and whether any MMaps have the file open, and allow the second process to access the renamed and moved file only if it is determined that no other processes other than the second process have the file open and no MMaps have the file open.
    Type: Grant
    Filed: January 30, 2017
    Date of Patent: June 11, 2019
    Assignee: Forcepoint LLC
    Inventor: Gregory Alan Hildstrom
  • Patent number: 10311248
    Abstract: A method for permission management may include creating a relationship between a client and a firm, receiving, in response to creating the relationship, an assignment of a first role to the firm, receiving, in response to receiving the assignment of the first role, an assignment of a second role to an agent of the firm, and generating, for the agent, a runtime token including token permissions based on the first role and the second role.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: June 4, 2019
    Assignee: Intuit Inc.
    Inventors: Nadeem Mohammed Yusuf Ilkal, Andrew Ernest Goldfinch, Yi Zhang, Almira Hortensia Niciu-Chiuaru
  • Patent number: 10296397
    Abstract: This disclosure sets forth systems and methods for recommending candidate computing platforms for migration of data and data-related workload from an original computing platform. The systems and methods further describe determining recommendations of candidate computing platforms based on a comparison of key performance and utilization statistics of the original computing platform under a user-generated workload with candidate computing platforms under a synthetic workload. Key performance and utilization statistics may relate to CPU, memory, file I/O, network I/O, and database I/O operations on the respective computing platforms. The synthetic workload may be defined by parameters that simulate the key performance and utilization statistics of the original computing platform under the user-generated workload. Further, the synthetic workloads may be executed on individual candidate computing platforms to determine service level capabilities that are ultimately used to form the recommendation.
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: May 21, 2019
    Assignee: Krystallize Technologies, Inc.
    Inventors: Roger Richter, Matthew Gueller, James Richard Nolan
  • Patent number: 10296739
    Abstract: According to an example, a confidence factor function may be applied to determine a confidence factor for a condition of a rule to correlate events. The confidence factor may be an approximation of whether an event or a set of events satisfies the condition in the rule. The confidence factor may be compared to a threshold to determine whether the condition is satisfied.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: May 21, 2019
    Inventors: Anurag Singla, Robert Block, Suranjan Pramanik
  • Patent number: 10298542
    Abstract: In one embodiment, a networking device in a local area network (LAN) establishes a virtual network overlay in the LAN to redirect traffic associated with a particular node in the LAN to a server for analysis. The networking device receives an indication from the server that at least a portion of the traffic associated with the particular node is trusted for local sending within the LAN and adjusts the virtual network overlay to locally send the trusted portion of the traffic associated with the particular node to one or more other nodes in the LAN without redirection to the server. The networking device collects characteristic information regarding the trusted portion of the traffic sent locally within the LAN via the adjusted virtual network overlay and sends the collected characteristic information to the server for analysis.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: May 21, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Jean-Philippe Vasseur, Patrick Wetterwald, Eric Levy-Abegnoli
  • Patent number: 10291475
    Abstract: A device designates a first set of computing resources, of a cloud computing environment, for management services. The management services include services that manage the cloud computing environment, and the first set of computing resources provides a particular quality of service for the management services. The device provisions the first set of computing resources with the management services, and designates a second set of computing resources for user services. The second set of computing resources is separate from the first set of computing resources, and the user services include services provided to users of the cloud computing environment. The device provisions the second set of computing resources with the user services, and designates a third set of computing resources for a pool of unused computing resources. The third set of computing resources is separate from the first set of computing resources and the second set of computing resources.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: May 14, 2019
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Michael J. Matczynski, Paul M. Curtis, Owen F. Kellett
  • Patent number: 10284535
    Abstract: Methods, systems, and apparatus, including a system that includes a secure hardware unit; and a database system including one or more processors; and a computer-readable medium having stored instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, where the first encrypted data has been encrypted by a database client using a first encryption key; providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and receiving, from the secure hardware unit, output data representing an output of the one or more data processing operations.
    Type: Grant
    Filed: December 13, 2016
    Date of Patent: May 7, 2019
    Assignee: Chronicle LLC
    Inventor: Carey Stover Nachenberg
  • Patent number: 10285200
    Abstract: An access point selects a channel access policy for an electronic device in a wireless local area network (WLAN). During operation, an interface circuit of the access point receives a channel access preference from the electronic device. The channel access preference includes: a multi-user trigger-based channel access technique, a single-user contention-based channel access technique, or both. The interface circuit selects the channel access policy for the electronic device based, at least in part, on the received channel access preference. The channel access policy can also be selected based at least in part on a communication performance metric associated with communication in the WLAN. The interface circuit communicates the selected channel access policy to the electronic device, which subsequently accesses a communication channel and communicates packets with the access point in accordance with the channel access policy.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: May 7, 2019
    Assignee: Apple Inc.
    Inventors: Guoqing Li, Christiaan A. Hartman, Ashok Ranganath, Joonsuk Kim, Matthew L. Semersky, Oren Shani, Su Khiong Yong, Yong Liu
  • Patent number: 10277624
    Abstract: The disclosed computer-implemented method for reducing infection risk of computing systems may include (i) determining a distance between a computing system that is connected to a local network and an additional computing system that is not connected to the local network but is connected to the computing system via a series of connected devices, (ii) detecting that the additional computing system is infected with malware, (iii) calculating an infection probability for the computing system that is based at least in part on the distance between the computing system and the additional computing system that is infected, and (iv) performing a security action on the computing system that reduces a risk of infection of the computing system in response to the infection probability for the computing system meeting a predetermined threshold for infection probability. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: April 30, 2019
    Assignee: Symantec Corporation
    Inventor: Sujit Magar
  • Patent number: 10275267
    Abstract: Methods and systems for provisioning computing resource instances among implementation resources based on trust to reduce interference between computing resource instances implemented by the same implementation resources. In an embodiment, a trust rating is determined for a computing resource instance based at least in part on one or more trust factors. The suitability of an implementation resource to implement the given computing resource instance may be evaluated based at least in part on the trust rating of the computing resource instance and a trust rating of the implementation resource. In some embodiments, the trust rating of the implementation resource may be predefined or based on trust ratings of computing resource instances that are currently implemented by the implementation resource. An implementation resource may be selected to implement the computing resource instance based at least in part on its suitability thus determined.
    Type: Grant
    Filed: October 22, 2012
    Date of Patent: April 30, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Christopher Richard Jacques de Kadt, James Alfred Gordon Greenfield, Gustav Karl Mauer
  • Patent number: 10277610
    Abstract: Some embodiments of reassembly-free deep packet inspection (DPI) on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.
    Type: Grant
    Filed: August 11, 2014
    Date of Patent: April 30, 2019
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, John E. Gmuender, Huy Minh Nguyen, Ilya Minkin, Justin M. Brady, Boris Yanovsky
  • Patent number: 10264010
    Abstract: A test apparatus (1) for testing a security of communication of a device under test, DUT, (4), wherein the test apparatus (1) comprises an RF unit (2) having an RF interface adapted to receive from the device under test, DUT, (4) an RF signal carrying Internet Protocol, IP, data including at least one IP address; and an IP unit (3) adapted to analyze IP data carried in the received RF signal to check communication security of the device under test, DUT, (4) using at least one security criterion, SC-CEP, related to a communication endpoint, CEP, addressed by the IP address.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: April 16, 2019
    Assignee: ROHDE & SCHWARZ GMBH & CO. KG
    Inventors: Stefan Diebenbusch, Christian Hof, Christoph Nufer
  • Patent number: 10255424
    Abstract: A method of verifying a challenge value may include receiving the challenge value from a client device; accessing an external data store to receive data rows that may be associated with a user of the client device; filtering data rows that are not sourced from computer systems associated with the challenge value; grouping the data rows into groups based on which of the computer systems each of the data rows was sourced from; determining an input velocity for each of the groups; determining an interval value for each of the groups based on the input velocity; calculating a group value for each of the groups based on the interval value and the input velocity; calculating an estimated total value based on the group values; and determining whether the challenge value can be verified by determining whether the estimated total value is within a threshold of the challenge value.
    Type: Grant
    Filed: January 17, 2018
    Date of Patent: April 9, 2019
    Inventors: Todd Lunsford, Rodney Golpe, Steve Ghidro
  • Patent number: 10255440
    Abstract: This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: April 9, 2019
    Assignee: Intertrust Technologies Corporation
    Inventors: Gilles Boccon-Gibod, Gary F. Ellison
  • Patent number: 10251061
    Abstract: The described computing system may have a first electronic device capable of being coupled to a first communications network, a second electronic device capable of being coupled to a second communications network, an out-of-band management device capable of communicating with the first electronic device and the second electronic device. The first electronic device may be capable of accessing a remote program via the out-of-band management device thereby providing access to a remotely located second electronic device. In a preferred embodiment, this is done utilizing mobile communications technology.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: April 2, 2019
    Inventor: Tadhg Kelly
  • Patent number: 10250620
    Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as a group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicating that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: April 2, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vladimir Lifliand, Evgeney Ryzhyk, Yifat Sagiv, Maxim Uritsky
  • Patent number: 10243995
    Abstract: An image processing apparatus which is capable of restraining operation that does not comply with security policies even in a case where security policies are changed through setting of user modes. The security policies are set in advance in the image processing apparatus. The image processing apparatus has a UI operation unit that enables operation on the image processing apparatus. When settings of the image processing apparatus are changed via the UI operation unit, it is verified whether or not the changed settings match the security policies. Operation of the image processing apparatus is restrained until it is verified that the changed settings match the security policies.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: March 26, 2019
    Inventor: Naoki Tsuchitoi
  • Patent number: 10218790
    Abstract: Disclosed are systems, methods, and machine readable storage media that cause a storage computer and a client computer to perform a method of providing access to one or more resources on the storage computer for the client computer. The storage computer is operable for initiation of a network connection between the client computer and the storage computer. Initiation of the network connection between the client computer and the storage computer by the storage computer is enabled, and initiation of the network connection between the client computer and the storage computer by the client computer is disabled. The client computer and the storage computer are operable for maintaining the network connection between the client computer and the storage computer.
    Type: Grant
    Filed: April 9, 2018
    Date of Patent: February 26, 2019
    Inventors: Jakub Barc, Filip Barczyk, Marek Grochowski, Grzegorz Sawina
  • Patent number: 10218698
    Abstract: Attributes of a session, between a source device and a verification device, for sending first verification data, such as a password and an account identifier, are determined. The verification device generates user device data based on an identifier, such as a mobile device number (MDN), for a user device associated with the account identifier. An identifier, such as an MDN, associated with the source device and an encryption key associated with the verification device are determined based on session attributes. Second verification data is generated based on the identifier associated with the source device. The second verification data is encrypted using the encryption key and forwarded to the verification device. The verification device decrypts the second verification data and compares the identifier for the user device to the identifier for the source device to determine whether the first verification data was sent from the user device.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: February 26, 2019
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Fenglin Yin, Jianxiu Hao, Zhong Chen
  • Patent number: 10218734
    Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include a device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: February 26, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Anoop Reddy, Kenneth Bell, Georgios Oikonomou, Kurt Roemer
  • Patent number: 10218682
    Abstract: The present document describes systems and methods that utilize a cryptographic service for establishing a cryptographically protected communication session, such as a TLS connection, between a client computer system and a TLS termination point. The cryptographic service retains cryptographic material associated with a server that is represented by the TLS termination point. The TLS termination point uses the cryptographic service to perform cryptographic operations associated with establishing and maintaining the cryptographically protected communication session. The cryptographic service may be provided by the server itself, a cryptographic server, or a cryptographic accelerator such as an HSM. In some embodiments, the cryptographic service tokenizes unencrypted data to be provided to the TLS termination point. If a cryptographic accelerator is used, the cryptographic accelerator may include facilities to accelerate asymmetric cryptographic operations as well as symmetric cryptographic operations.
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: February 26, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Rami Kawach, Jesper Mikael Johansson
  • Patent number: 10216928
    Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.
    Type: Grant
    Filed: July 28, 2017
    Date of Patent: February 26, 2019
    Assignee: Apple Inc.
    Inventors: Pierre-Olivier J. Martel, Kelly B. Yancey, Richard L. Hagy
  • Patent number: 10210511
    Abstract: A method is provided for completing an authenticated commercial transaction over an internet protocol (IP) network (40) for an account holder (60) engaged in the transaction via a non-IP based telecommunications platform (30).
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: February 19, 2019
    Assignee: CardinalCommerce Corporation
    Inventors: Chandra Balasubramanian, Francis Sherwin, Michael A. Keresman, III
  • Patent number: 10204211
    Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring computer (NMC). If one or more flows include healthcare traffic provided by one or more healthcare services, the NMC may perform further actions. Healthcare values from the one or more healthcare services may be provided from the network traffic. Values from one or more network traffic flows that are separate from the healthcare traffic may be provided. Other healthcare values from other flows may be provided that include healthcare traffic provided by the healthcare services. Accordingly, if a comparison of the healthcare values and the other healthcare values meets certain conditions, additional actions may be performed based on rules or policies. The healthcare traffic may be compliant with one or more of the Health Level Seven (HL7) standard, the Digital Imaging and Communications in Medicine (DICOM) standard, or the like.
    Type: Grant
    Filed: February 3, 2016
    Date of Patent: February 12, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Eric Joseph Hammerle, Samuel Kanen Clement, Terry William Shaver, Matthew Couper Cauthorn
  • Patent number: 10200352
    Abstract: A system and method are disclosed for transporting application data through a communications tunnel between a host device and a guest device that each include networked processors. The application data may be transported between the host device and the guest device through an allowed port of the host device, the communications tunnel, and a port of the guest device. Based on logon credentials, the guest device can be authenticated by a security server and a role may be determined. The role can include allowed ports and associated applications on the host that the guest is allowed to access. Remote access from the guest device to host devices or remote devices may be enabled without needing prior knowledge of their configurations. Secure access may be facilitated to remote host devices or remote devices, according to security policies that can vary on a per-session basis and take into account various factors.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: February 5, 2019
    Inventors: Peter Holmelin, Valentin Palade, Dragos Ivan
  • Patent number: 10187873
    Abstract: A method for determining information about access barring includes the steps of: receiving a message set transmitted via a radio interface to a user equipment, the message set including at least a starting message that is a paging message; obtaining at least a first bit of a bit set from the starting message, wherein the bit set includes at least two bits and is intended for access barring; determining information of the bit set; the information at least disclosing whether the access barring is on or off; and receiving a system information block transmitted via the radio interface to the user equipment, the system information block comprising a scheduling information list that lists a further system information block that contains access barring parameters.
    Type: Grant
    Filed: November 17, 2016
    Date of Patent: January 22, 2019
    Assignee: Xiaomi H.K. Ltd.
    Inventors: Jianke Fan, Brian Martin
  • Patent number: 10182347
    Abstract: A wireless communications device, that is constituted from a control station and a slave station that perform encryption communication using an encryption key, includes a controller that monitors communication quality of a state of a call to the slave station and, in a case where the communication quality degrades to below the same level as a state that is determined in advance, operates in such a manner that a procedure for changing the encryption key, which is determined in advance, is not activated.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: January 15, 2019
    Inventor: Toshiyuki Sugitani
  • Patent number: 10171440
    Abstract: Key management methods and systems are provided. One of the methods comprises encrypting a service key used by an instance of a first user of a cloud service by using a master key, generating two or more key pieces for reconstructing the master key, distributing and storing the key pieces in two or more host servers included in a host group for providing the cloud service, receiving a request for the service key from the instance of the first user, receiving the key pieces from the two or more host servers and reconstructing the master key based on the received key pieces, and decrypting the encrypted service key by using the reconstructed master key.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: January 1, 2019
    Assignee: SAMSUNG SDS CO., LTD.
    Inventor: In Seon Yoo
  • Patent number: 10165049
    Abstract: A TCP handshake is distributed by having an initiator device send to a server a SYN(m) with the IP address of a terminator device as source address. The initiator device can then forget any TCP state for the SYN(m). The server responds with a SYN-ACK(m+1, n) according to the normal TCP handshake, but the response goes to the terminator device, which receives the message, reconstructs the TCP handshake as if it had sent the initial SYN message, and sends an ACK(n+1) to the server. The TCP handshake method can be used to avoid allocation of resources in, for example, device monitoring.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: December 25, 2018
    Assignee: InterDigital CE Patent Holdings
    Inventors: Olivier Heen, Christoph Neumann
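The exchange described above, as an added simulation that is not the patent holders' code: the initiator puts the terminator's address in the SYN and keeps no state, the server answers as ordinary TCP would, and the terminator recovers the initiator's sequence number m from the acknowledgement field (ack = m+1) and completes the handshake. The addresses, the Segment class and the three device classes are assumptions made for the simulation.

```python
import random
from dataclasses import dataclass
from typing import Optional

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: Optional[int] = None


class Initiator:
    """Sends SYN(m) with the terminator's address as source, then forgets it."""

    def __init__(self, terminator_ip: str):
        self.terminator_ip = terminator_ip
        self.state = {}   # deliberately never populated: no per-connection state

    def open(self, server_ip: str) -> Segment:
        m = random.randrange(MOD)
        return Segment(self.terminator_ip, server_ip, "SYN", m)


class Server:
    """Plain TCP: reply SYN-ACK(m+1, n) to whatever source the SYN claims."""

    def __init__(self, ip: str):
        self.ip = ip
        self.half_open = {}
        self.established = set()

    def on_syn(self, seg: Segment) -> Segment:
        n = random.randrange(MOD)
        self.half_open[seg.src] = n
        return Segment(self.ip, seg.src, "SYN-ACK", n, (seg.seq + 1) % MOD)

    def on_ack(self, seg: Segment) -> bool:
        n = self.half_open.get(seg.src)
        if n is None or seg.ack != (n + 1) % MOD:
            return False            # ACK does not match any half-open connection
        del self.half_open[seg.src]
        self.established.add(seg.src)
        return True


class Terminator:
    """Holds nothing until the SYN-ACK arrives, then rebuilds the handshake state."""

    def __init__(self, ip: str):
        self.ip = ip
        self.sessions = {}

    def on_syn_ack(self, seg: Segment) -> Optional[Segment]:
        if seg.dst != self.ip or seg.flags != "SYN-ACK":
            return None
        m = (seg.ack - 1) % MOD   # the SYN's sequence number, recovered from ack = m+1
        self.sessions[seg.src] = {"snd_nxt": (m + 1) % MOD, "rcv_nxt": (seg.seq + 1) % MOD}
        return Segment(self.ip, seg.src, "ACK", (m + 1) % MOD, (seg.seq + 1) % MOD)


def run_handshake(seed=None):
    """One full exchange; returns (server accepted?, initiator state, terminator sessions)."""
    random.seed(seed)
    init = Initiator("10.0.0.2")       # constructed addresses
    srv = Server("10.0.0.1")
    term = Terminator("10.0.0.2")
    syn = init.open(srv.ip)            # SYN(m), source spoofed to the terminator
    syn_ack = srv.on_syn(syn)          # SYN-ACK(m+1, n), delivered to 10.0.0.2
    ack = term.on_syn_ack(syn_ack)     # ACK(n+1) from the terminator
    return srv.on_ack(ack), init.state, term.sessions


if __name__ == "__main__":
    print(run_handshake())
```

The point worth noticing for defenders is that, from the server's side, the connection is indistinguishable from one opened by the terminator itself; the spoofed source address on the SYN is exactly what ingress filtering (BCP 38) at the initiator's network edge would drop.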
  • Patent number: 10148697
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to receive security results, using an application and data protection layer (ADPL) operating on a first host, from an end point protection agent (EPPA) configured to protect the first host. The logic is also configured to cause the processing circuit to provide the security results to one or more local applications operating on the first host. According to another embodiment, a method includes receiving security results, using an ADPL operating on a first host, from an EPPA configured to protect the first host. The method also includes providing the security results to one or more local applications operating on the first host. Other systems, methods, and computer program products are described in accordance with more embodiments.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: December 4, 2018
    Inventor: Keshav Govind Kamble
  • Patent number: 10142290
    Abstract: Customers of a computing resource service provider may utilize computing resources of the computing resource service provider to implement one or more computer systems. Furthermore, the customer may cause a host-based firewall to be executed by the one or more computer systems. The host-based firewall may collect network traffic information. The customer may then be provided with the network traffic information and be prompted to provide decisions associated with the network traffic information. The decisions may be used to generate a set of rules which may be enforced by the host-based firewall.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: November 27, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, Robert Eric Fitzgerald, Alexander Robin Gordon Lucas
  • Patent number: 10129838
    Abstract: Methods, systems, and devices are described that provide for D2D synchronization. The methods, systems, and/or devices may include tools and techniques that provide for synchronizing a mobile device based on detection of a reliability alarm. A reliability alarm may be used between mobile devices, which is transmitted and/or received on specific D2D resources. Since the resources are reserved for the reliability alarm, a mobile device which was previously isolated from network synchronization will be able to receive the reliability alarm that a reliable synchronization signal is close when it moves within range of a reliable device. Once a reliability alarm is received the mobile device may free other resources to allow it to receive synchronization signals from the reliable devices. The mobile device may then synchronize with the network based on the received synchronization signals and transmit its own reliability alarm for subsequent isolated devices to use.
    Type: Grant
    Filed: May 23, 2014
    Date of Patent: November 13, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Navid Abedini, Nilesh Nilkanth Khude, Saurabha Rangrao Tavildar, Sébastien Henri, Junyi Li, Vincent Douglas Park
  • Patent number: 10111268
    Abstract: A reader device may generate a first identifier. The reader device may transmit the first identifier to a mobile device. The reader device may receive encrypted data and unencrypted data from the mobile device in which the encrypted data includes a second identifier. The reader device may evaluate whether the first identifier and the second identifier correspond to one another.
    Type: Grant
    Filed: April 12, 2016
    Date of Patent: October 23, 2018
    Assignee: Schlage Lock Company LLC
    Inventors: Jeffrey S. Neafsey, Michael W. Malone, Hamid Abouhashem
  • Patent number: 10110562
    Abstract: The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the Open Flow standard communication protocol.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: October 23, 2018
    Assignee: SonicWALL Inc.
    Inventors: Hui Ling, Zhong Chen
  • Patent number: 10104108
    Abstract: A log analysis system for analyzing a detection log detected in a monitoring target system includes an acquisition device for detecting detection target processes performed in the monitoring target system, and acquiring a detection log of the detection target processes; and a processor device for processing the detection log acquired by the acquisition device. The processor device includes a plurality of processing blocks that perform processing on the detection log sequentially. The processor device performs processing while sending the detection log in order from a most-upstream processing block to downstream processing blocks. A most-downstream processing block of the processor device notifies the most-upstream processing block of the processor device that the detection log has been received.
    Type: Grant
    Filed: March 17, 2016
    Date of Patent: October 16, 2018
    Assignee: LAC CO., LTD.
    Inventors: Hiroshi Fujimoto, Toshihide Nakama
  • Patent number: 10097481
    Abstract: In some embodiments, a non-transitory processor-readable medium stores code representing instructions to be executed by a processor. The code causes the processor to receive, from a source peripheral processing device, a portion of a data packet having a destination address associated with a destination peripheral processing device. The code causes the processor to identify, based on the destination address, a service to be performed on the portion of the data packet. The code causes the processor to select, based on the service, an identifier of a service module associated with the service. The code further causes the processor to send the portion of the data packet to the service module via a distributed switch fabric such that the service module performs the service on the portion of the data packet and sends the portion of the data packet to the destination peripheral processing device via the distributed switch fabric.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: October 9, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Krishna Narayanaswamy, Jean-Marc Frailong, Anjan Venkatramani, Srinivasan Jagannadhan
  • Patent number: 10097485
    Abstract: A computer-implemented system and method for reformatting and delivering emails as conversations. The computer-implemented method includes: synchronizing with an email service and receiving an email message via a data network; parsing content of the received email message to identify and suppress email content not related to conversational content and retaining the conversational content; reformatting the received email message to include the conversational content in a chat style format as an expressive conversation; making the expressive conversation available to a client email application; and presenting the expressive conversation to a user via the client email application.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: October 9, 2018
    Inventors: He Huang, Chun Kit Lau
  • Patent number: 10084761
    Abstract: A variety of techniques for performing identity verification are disclosed. As one example, a verification request is received from a remote user. The verification request pertains to a cryptographic key. In response to receiving a confirmation from a local user of the local device, a verification process is initiated. A result of the verification process is transmitted to the remote user. As a second example, a verification request can be received at the local device, from a local user of the device. A verification process with respect to the local user is initiated, and a result of the verification process is transmitted to a remote user that is different from the local user.
    Type: Grant
    Filed: January 18, 2018
    Date of Patent: September 25, 2018
    Assignee: Wickr Inc
    Inventors: Christopher Howell, Robert Statica, Kara Lynn Coppa
  • Patent number: 10051019
    Abstract: A client device generates a plurality of application windows. For example, a first application window may be provided by a first application that has a first session established with a server system, and a second application window may be provided by a second application that has a second session established with the server system. The client device detects user activity in the first window. Based on the user activity in the first window, the client device sends a message to the server system. The message provides an indication of user activity in one or more of the plurality of windows. The message causes the server system to maintain the second session as active despite inactivity in the second application window.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: August 14, 2018
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Manuel Jasso, Arnaud Versini, Ryan Van Oss
  • Patent number: 10044745
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for computer network security risk assessment. One of the methods includes obtaining compromise likelihoods for user accounts. Information describing a network topology of a network is obtained, with the network topology being nodes each connected by an edge to other nodes, each node being associated with a compromise likelihood, and one or more nodes are high value nodes associated with a compromise value. Unique paths to each of the high value nodes are determined for a particular user account. An expected value for each path is determined based on the compromise likelihood of the particular user account, the compromise likelihood of each node included in the path, the communication weight of each edge included in the path, and the compromise value associated with the high value node. User interface data is generated describing at least one path.
    Type: Grant
    Filed: July 11, 2016
    Date of Patent: August 7, 2018
    Assignee: Palantir Technologies, Inc.
    Inventors: Samuel Jones, Joseph Staehle, Lucy Cheng
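A worked version of the path scoring summarised in the abstract above, added here and not Palantir's code. The topology, likelihoods, edge weights and the exact scoring rule are assumptions chosen to make the abstract's quantities concrete: the expected value of a path is taken as the account's compromise likelihood, times the compromise likelihood of every node on the path, times the communication weight of every edge on it, times the compromise value of the high-value node it ends at. Paths are enumerated as loop-free (simple) paths so each is counted once.

```python
from math import prod

# Constructed sample topology: node -> compromise likelihood
NODE_LIKELIHOOD = {"laptop": 0.6, "jump": 0.3, "fileshare": 0.5, "vault": 0.1}

# Constructed directed edges with communication weights
EDGES = {
    ("laptop", "jump"): 0.9,
    ("laptop", "fileshare"): 0.7,
    ("jump", "vault"): 0.8,
    ("fileshare", "vault"): 0.4,
    ("fileshare", "jump"): 0.5,
}

# Constructed high-value nodes: node -> compromise value (arbitrary units)
HIGH_VALUE = {"vault": 1_000_000}


def simple_paths(edges, start, goal):
    """Every loop-free path from start to goal, found by depth-first search."""
    adj = {}
    for (u, v) in edges:
        adj.setdefault(u, []).append(v)
    found = []

    def dfs(node, path):
        if node == goal:
            found.append(list(path))
            return
        for nxt in adj.get(node, []):
            if nxt not in path:          # skip anything already on this path
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return found


def path_expected_value(path, account_likelihood, node_lik, edges, values):
    """Assumed scoring rule: multiply every likelihood and weight along the path."""
    node_term = prod(node_lik[n] for n in path)
    edge_term = prod(edges[(a, b)] for a, b in zip(path, path[1:]))
    return account_likelihood * node_term * edge_term * values[path[-1]]


def rank_paths(account_likelihood, entry_node,
               node_lik=NODE_LIKELIHOOD, edges=EDGES, values=HIGH_VALUE):
    """All unique paths from the account's entry node to each high-value node, riskiest first."""
    rows = []
    for target in values:
        for path in simple_paths(edges, entry_node, target):
            ev = path_expected_value(path, account_likelihood, node_lik, edges, values)
            rows.append((round(ev, 2), path))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    # A user account with a 50% compromise likelihood whose first hop is "laptop".
    for ev, path in rank_paths(0.5, "laptop"):
        print(f"{ev:>10.2f}  {' -> '.join(path)}")
```

With the constructed numbers the ranking comes out laptop -> jump -> vault (6480), laptop -> fileshare -> vault (4200), laptop -> fileshare -> jump -> vault (1260), which is the kind of ordering the abstract's user interface would surface. Multiplying independent likelihoods is the simplest rule that fits the abstract; on a real network the node likelihoods are not independent (shared credentials, shared patch level), so treat the ranking as relative rather than as a probability.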
  • Patent number: 10028296
    Abstract: A node for determining a communication resource management algorithm is provided. The node includes a communication interface configured to obtain a measurement characteristic from a network device, and a circuitry containing instructions. When executed, the instructions cause the node to search a container repository to determine the existence of a measurement category for the measurement characteristic obtained from the network device, and when the container repository includes the measurement category for the network device, determine the communication resource management algorithm based at least on the measurement category.
    Type: Grant
    Filed: June 8, 2015
    Date of Patent: July 17, 2018
    Inventors: Alex Stephenne, Leonard Lightstone, DongSheng Yu
  • Patent number: 10021070
    Abstract: In one embodiment, a method includes receiving capability information from an end host at a centralized security matrix in communication with a firewall and a plurality of end hosts, verifying at the centralized security matrix, a trust level of the end host, assigning at the centralized security matrix, a firewall function to the end host based on the trust level and capability information, and notifying the firewall of the firewall function assigned to the end host. Firewall functions are offloaded from the firewall to the end hosts by the centralized security matrix. An apparatus and logic are also disclosed herein.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: July 10, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jin Teng, Subharthi Paul, Thilan Niroshaka Ganegedara, Xun Wang, Saman Taghavi Zargar, Jayaraman Iyer
  • Patent number: 10015018
    Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: July 3, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Alan Rubin, Gregory Branchek Roth
  • Patent number: 10009183
    Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
    Type: Grant
    Filed: September 20, 2016
    Date of Patent: June 26, 2018
    Assignee: CLOUDFLARE, INC.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
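The split handshake described above, as an added sketch that is not Cloudflare's code. The front-end server never holds the private key: it forwards the encrypted premaster secret together with the client and server randoms to the key server, which decrypts, derives the master secret with the TLS 1.2 PRF (RFC 5246, section 5) and returns only the master secret; the front end then expands the session keys itself. Assumptions: textbook RSA on a small hard-coded modulus (the Mersenne primes 2^61-1 and 2^89-1) stands in for the certificate's key, the premaster is 16 bytes instead of TLS's 48 so that it fits that modulus, and the request format between the two servers is invented for the example.

```python
import hashlib
import hmac
import os


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to length."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def expand_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5246 6.3 key block; only the write keys and IVs are carved out here (no MAC keys)."""
    block = prf(master_secret, b"key expansion", server_random + client_random, 64)
    return {
        "client_write_key": block[0:16], "server_write_key": block[16:32],
        "client_write_iv": block[32:48], "server_write_iv": block[48:64],
    }


class KeyServer:
    """The 'different server': holds the private key, answers decrypt-and-derive requests only."""
    P = (1 << 61) - 1      # toy primes (assumption); a real key is 2048 bits or more
    Q = (1 << 89) - 1
    E = 65537

    def __init__(self):
        self.n = self.P * self.Q
        self._d = pow(self.E, -1, (self.P - 1) * (self.Q - 1))   # private exponent

    def public_key(self):
        return self.n, self.E

    def derive_master_secret(self, enc_premaster: int, client_random: bytes,
                             server_random: bytes) -> bytes:
        # The premaster never leaves this process; only the master secret is returned.
        premaster = pow(enc_premaster, self._d, self.n).to_bytes(16, "big")
        return prf(premaster, b"master secret", client_random + server_random, 48)


class FrontEnd:
    """Terminates TLS for the domain but only ever learns the master secret."""

    def __init__(self, key_server: KeyServer):
        self.key_server = key_server
        self.server_random = os.urandom(32)

    def finish_handshake(self, client_random: bytes, enc_premaster: int) -> dict:
        ms = self.key_server.derive_master_secret(enc_premaster, client_random, self.server_random)
        return expand_keys(ms, client_random, self.server_random)


def simulate():
    """Run one handshake; returns (keys the client derived, keys the front end derived)."""
    ks = KeyServer()
    fe = FrontEnd(ks)
    n, e = ks.public_key()
    client_random = os.urandom(32)
    premaster = os.urandom(16)                                 # 128 bits < n, so RSA round-trips
    enc_premaster = pow(int.from_bytes(premaster, "big"), e, n)   # ClientKeyExchange payload
    server_keys = fe.finish_handshake(client_random, enc_premaster)
    # The client holds the premaster itself and derives the same keys locally.
    client_ms = prf(premaster, b"master secret", client_random + fe.server_random, 48)
    client_keys = expand_keys(client_ms, client_random, fe.server_random)
    return client_keys, server_keys


if __name__ == "__main__":
    c, s = simulate()
    print("session keys agree:", c == s)
```

The security property the arrangement buys is visible in the code: compromising FrontEnd yields master secrets for sessions it served, not the private key, so the attacker cannot impersonate the domain after the fact. Two caveats the toy glosses over: the key server is a decryption oracle, so the front end's channel to it must be authenticated and rate-limited, and real RSA key exchange uses PKCS#1 v1.5 padding, whose error handling must be constant-time to avoid Bleichenbacher-style attacks; TLS 1.3 removed RSA key exchange altogether, and a keyless design there instead remotely signs the handshake.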
  • Patent number: 10003678
    Abstract: The present invention provides an apparatus for processing at least one PDU (protocol data unit) in an N layer in a transmitting side of a broadcast system, the apparatus comprising a PDU processor for receiving at least one higher (N+1) layer PDU and generating a PDU including the received at least one higher (N+1) layer PDU and a PDU post-processor for post processing the generated PDU and transmitting the post-processed PDU to a lower (N-1) layer.
    Type: Grant
    Filed: December 3, 2014
    Date of Patent: June 19, 2018
    Assignee: LG Electronics Inc.
    Inventors: Woosuk Kwon, Sejin Oh, Woosuk Ko, Sungryong Hong, Kyoungsoo Moon