Protection At A Particular Protocol Layer Patents (Class 713/151)
  • Patent number: 8949591
    Abstract: The present invention is directed towards systems and methods for split proxying Secure Socket Layer (SSL) communications via intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, a SSL session with a server. A client-side intermediary may establish a second SSL session with a client using SSL configuration information received from the server-side intermediary. Both intermediaries may communicate via a third SSL session. The server-side intermediary may decrypt data received from the server using the first SSL session's session key. The server-side intermediary may transmit to the client-side intermediary, via the third SSL session, data encrypted using the third SSL session's session key. The client-side intermediary may decrypt the encrypted data using the third SSL session's session key. The client-side intermediary may transmit to the client the data encrypted using the second SSL session's session key.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: February 3, 2015
    Assignee: Citrix Systems, Inc.
    Inventor: Michael Ovsiannikov
  • Patent number: 8943306
    Abstract: A content issuer entity designates a transport security level for each of a plurality of electronic certificates and provides the electronic certificates to a first wireless device. A second wireless device establishes a communications link to transfer electronic certificate data associated with one or more electronic certificates stored on the first wireless device to the second wireless device via a wireless transaction and determines, for each stored electronic certificate, a transport security level previously designated at the content issuer entity. At the first wireless device, a highest transport security level is determined from among the respective transport security levels associated with the stored electronic certificates. The electronic certificate data is transferred from the first wireless device to the second wireless device via the communications link in accordance with a security measure that corresponds to the highest determined transport security level.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: January 27, 2015
    Assignee: Mastercard International Incorporated
    Inventors: Philippe Martin, Mohammad Khan, Jean-Christophe Raynon
  • Patent number: 8943304
    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: January 27, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Junxiao He, Charu Venkatraman, Ajay Soni
  • Patent number: 8943305
    Abstract: A system and method for providing a variety of medium access and power management methods are disclosed. A defined frame structure allows a hub and a node to use said methods for secured or unsecured communications with each other. Contended access is available during a random access phase. The node uses an alternate doubling of a backoff counter to reduce interference and resolve collisions with other nodes attempting to communicate with the hub in the random access phase. Non-contended access is also available, and the hub may schedule reoccurring or one-time allocation intervals for the node. The hub and the node may also establish polled and posted allocation intervals on an as needed basis. The node manages power usage by being in active mode at times during the beacon period when the node is expected to transmit or receive frames.
    Type: Grant
    Filed: January 29, 2010
    Date of Patent: January 27, 2015
    Assignee: Texas Instruments Incorporated
    Inventor: Jin-Meng Ho
  • Publication number: 20150026453
    Abstract: A Network device including a security module to establish, in response to the network device being capable of operating in multiple frequency bands, and in response to the network device operating in a first frequency band, security for the frequency band and a second frequency band by performing a single authentication in the first frequency band prior to the network device switching operation from the first frequency band to the second frequency band. A session transfer module to transfer, subsequent to the network device switching operation from the first frequency band to the second frequency band, a communication session of the network device from the first frequency band to the second frequency band. The communication session resumes in the second frequency band using the security established for the second frequency band during the operation of the network device in the first frequency band.
    Type: Application
    Filed: August 14, 2014
    Publication date: January 22, 2015
    Inventors: Yong Liu, Paul A. Lambert
  • Patent number: 8938773
    Abstract: Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Data is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information.
    Type: Grant
    Filed: January 30, 2008
    Date of Patent: January 20, 2015
    Assignee: Websense, Inc.
    Inventor: Daniel Lyle Hubbard
  • Patent number: 8934633
    Abstract: High-security communications against information leakage as well as high-speed communications are realized using present optical fiber networks. The methods are as follows: (1) A seed key is shared between a transmitter and a receiver in advance. Random numbers are transmitted using carrier light accompanied by fluctuations and bases that are decided by random numbers. The transmitter and receiver compare a shared basis that is determined by the seed key with the random basis, and decompose the random numbers superimposed on each bit into two sequences, based on whether the shared basis coincides with the random basis or not. Error correction is processed for each sequence in the receiver, and then the random numbers are shared between the transmitter and the receiver. (2) The amount of the random numbers shared between the transmitter and the receiver is reduced to secret capacity through privacy amplification, and the resultant random numbers are used as a secret key.
    Type: Grant
    Filed: January 17, 2011
    Date of Patent: January 13, 2015
    Assignee: Hitachi, Ltd.
    Inventor: Tatsuya Tomaru
  • Patent number: 8931047
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: June 6, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8931105
    Abstract: The present invention relates to a method for transferring content to a device, the method including the steps of: receiving a request for content from the device; delivering a uniquely identifiable, ephemeral player to the device; and transferring content to the device, for presentation on the device by the player. The invention has particular application to digital rights management in respect of the distribution of audiovisual content such as film and television programs, advertisements and live event broadcasts over communication networks such as the Internet.
    Type: Grant
    Filed: March 3, 2008
    Date of Patent: January 6, 2015
    Assignee: Vividas Technologies Pty. Ltd.
    Inventors: Martin Lipka, Alexander Dubov
  • Patent number: 8931046
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8929548
    Abstract: An apparatus and method for establishing a communication connection between a first party and a second party using a secured communication connection object are provided. With the apparatus and method, a first party generates the secured communication connection object by setting parameters identifying and limiting the use of the secured communication connection object for establishing communication connections with the first party. These parameters are encapsulated with contact information for the first party such that the contact information is encrypted. The resulting secured communication connection object is then transmitted to a second party's communication device.
    Type: Grant
    Filed: October 3, 2008
    Date of Patent: January 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Herman Rodriguez, Newton James Smith, Jr., Clifford Jay Spinac
  • Patent number: 8924732
    Abstract: A method of cipher communication for management frame performed by station in wireless local area network system is provided. The method includes obtaining a first pseudonoise code sequence (PN) for a plaintext Medium Access Control (MAC) protocol data unit (MPDU), constructing an additional authentication data (AAD) by using fields in a header of the plaintext MPDU, constructing a Nonce value from the PN, an Address 2 and a Priority field in the header of the plaintext MPDU, generating an encrypted MPDU from the plaintext MPDU by using a temporal key, the AAD, and the Nonce value, and transmitting the encrypted MPDU to a peer station, wherein the plaintext MPDU is a management frame including a sequence number field, the sequence number field including access category field indicating category of data included in the plaintext MPDU, and the Nonce value includes a priority field matched with the access category field.
    Type: Grant
    Filed: September 9, 2011
    Date of Patent: December 30, 2014
    Assignee: LG Electronics Inc.
    Inventors: Eun Sun Kim, Yong Ho Seok
  • Patent number: 8924709
    Abstract: A method for encrypting print jobs that includes receiving output data, encrypting the output data with a randomly-generated symmetric session key, generating a session key header by encrypting the randomly-generated symmetric session key using an asymmetric user public key, and encrypting the session key header using a server public key.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: December 30, 2014
    Assignee: Lexmark International, Inc.
    Inventors: Forrest Steely, Albert Tyler Barnett
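The four steps of the Lexmark abstract above, as an added example that is not code from the patent or from Lexmark: a Go program that encrypts the output data under a random session key, wraps that key with RSA-OAEP to the user's public key to form the session key header, and wraps the header again to the server's public key. The AES-256-GCM body encryption, the SHA-256 OAEP label, the key sizes and the sample payload are assumptions of this example; the abstract fixes none of them. One point the abstract leaves implicit is checked explicitly: encrypting a whole RSA ciphertext under a second RSA key only works when the server modulus is enough larger than the user modulus to hold it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedJob holds the abstract's layers: output data under a random AES-256-GCM
// session key, and that key wrapped to the user's key, then again to the server's.
type EncryptedJob struct {
	Header []byte // RSA-OAEP(serverPub, RSA-OAEP(userPub, sessionKey))
	Nonce  []byte // 96-bit GCM nonce, fresh per job
	Body   []byte // AES-GCM ciphertext followed by the 16-byte tag
}

var oaepLabel = []byte("print-job-session-key") // assumed label; the abstract names none

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptJob performs the abstract's four steps. The outer wrap only works when the
// server modulus can hold the whole inner RSA block, so that is checked first.
func EncryptJob(output []byte, userPub, serverPub *rsa.PublicKey) (*EncryptedJob, error) {
	limit := serverPub.Size() - 2*sha256.Size - 2 // RSA-OAEP/SHA-256 message limit
	if userPub.Size() > limit {
		return nil, fmt.Errorf("server key too small: inner header is %d bytes, limit %d", userPub.Size(), limit)
	}
	sessionKey := randomBytes(32)
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	body := gcm.Seal(nil, nonce, output, nil)
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	header, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, inner, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedJob{Header: header, Nonce: nonce, Body: body}, nil
}

// ServerUnwrap is all the print server can do: strip the outer layer without learning the key.
func ServerUnwrap(job *EncryptedJob, serverPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, serverPriv, job.Header, oaepLabel)
}

// UserDecrypt runs at release time: unwrap the session key, then authenticate and decrypt.
func UserDecrypt(job *EncryptedJob, inner []byte, userPriv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, userPriv, inner, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, job.Nonce, job.Body, nil)
}

// GenerateParties: 2048-bit user key, 3072-bit server key, so the 256-byte inner
// block fits the server's 318-byte OAEP limit.
func GenerateParties() (userPriv, serverPriv *rsa.PrivateKey, err error) {
	if userPriv, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	if serverPriv, err = rsa.GenerateKey(rand.Reader, 3072); err != nil {
		return nil, nil, err
	}
	return userPriv, serverPriv, nil
}

func main() {
	userPriv, serverPriv, _ := GenerateParties()
	job, _ := EncryptJob([]byte("constructed sample: payroll.pdf"), &userPriv.PublicKey, &serverPriv.PublicKey)
	inner, _ := ServerUnwrap(job, serverPriv)
	plain, err := UserDecrypt(job, inner, userPriv)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
}
```

The server can strip only the outer layer, so a compromised print server holds nothing that decrypts the body; the user's private key is still required at release time. Nesting one RSA ciphertext inside another, which is what the abstract literally describes, forces the server key to be larger than the user key; a design that wraps the session key separately to each party avoids that coupling.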
  • Patent number: 8925042
    Abstract: An intermediary device may be used to connect a telecommunications device to an existing secure network that is accessed by a computing device. The intermediary device may simplify connections to the secure network by connecting to the secure network without setting up a new connection to the secure network. The telecommunications device may connect to the computing device, via the intermediary device, using a secondary network, which enables the telecommunications device to access the secure network through the computing device. In some instances, the computing device may operate to bridge a connection with the telecommunications device and perform some or all of the functions of the intermediary device.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: December 30, 2014
    Assignee: T-Mobile USA, Inc.
    Inventors: Mark Drovdahl, Paulo Chow, Sinclair M. Temple
  • Publication number: 20140380038
    Abstract: An IPSec front-end may be configured to encrypt, decrypt and authenticate packets on behalf of a host on an insecure network and a peer on a secure network. For example, the IPSec front-end may receive internet protocol (IP) packets from the host and encrypt the data and format the data as an internet protocol security (IPsec) packet for transmission to the peer. When the peer responds with an IPSec packet, the IPSec front-end may decrypt the data and format the data as an IP packet. The IPSec front-end may be software executing on a Linux server.
    Type: Application
    Filed: June 19, 2013
    Publication date: December 25, 2014
    Applicant: Unisys Corporation
    Inventors: William O. Wilson, Barry C. Andersen, John A. Christensen
  • Patent number: 8918631
    Abstract: In one embodiment, a method includes receiving a first identifier and a private key after a network device has been included in a data center switch fabric control plane, authenticating the network device based on the private key, sending a second identifier to the network device, and sending a control signal to the network device based on the second identifier. The first identifier is associated with the network device and unique within a segment of the data center switch fabric control plane. The second identifier is unique within the segment of the data center switch fabric control plane.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: December 23, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Jainendra Kumar, Vineet Dixit, Prabhu Seshachellum
  • Publication number: 20140372747
    Abstract: An approach for reutilizing transport layer security (TLS) connections among separate applications is provided. In one aspect, a computing system establishes a transmission control program/Internet protocol (TCP/IP) connection between a first application of a first endpoint and a second application on a second endpoint. The computing system further performs a TLS handshake over the established TCP/IP connection. The computing system also transmits a request from a third application of the second endpoint to transfer a TLS context from the second application on the second endpoint. In response to the second application on the second endpoint accepting the transfer request, the second application utilizes, via the one or more computer processors, a predetermined method of providing a TLS context to the third application, wherein the third application of the second endpoint and the first application of the first endpoint communicate securely.
    Type: Application
    Filed: June 12, 2013
    Publication date: December 18, 2014
    Inventors: Caspar G.J. Krieger, Billy Joe Soper, Kenichi Yoshimura
  • Patent number: 8913748
    Abstract: An expanded sequence number is added to PDUs in a Bluetooth® low energy system. The expanded sequence number provides more accurate identification of the PDUs and allows the system to avoid delaying transmission of PDUs while retransmitting other PDUs. A PDU security sequence number may also be added to the PDUs. The security sequence number is used to create a unique nonce for use in encrypting or decrypting and authenticating the PDU. Using the security sequence number, a failed connection can be reestablished between two devices without the need of generating an encryption key. The security sequence number allows the devices to perform encryption or decryption and authentication using an existing key and a nonce generated from the security sequence number.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: December 16, 2014
    Assignee: Texas Instruments Incorporated
    Inventors: Jin-Meng Ho, Ariton E. Xhafa, Gangadhar Burra
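Both the LG abstract (8924732) and the Texas Instruments abstract directly above (8913748) build a per-packet nonce from a counter plus header fields and authenticate the cleartext header as additional data, so that an existing key can keep being used as long as the counter never repeats. The following Go program is an added example, not code from either patent or assignee: it assembles a CCMP-layout nonce (priority byte taken from the access category in the sequence number field, then Address 2, then a 48-bit packet number), uses the cleartext header as AAD, and on receive rejects any packet number that does not exceed the last authenticated one for that sender and priority. Assumptions: Go's standard library has no AES-CCM, so AES-GCM with a 13-byte nonce stands in for the AEAD; the header is reduced to frame control, Address 2 and the sequence number field; the temporal key and the frame contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is a cut-down management MPDU: just the header fields that feed the AAD and
// the nonce here (a real CCMP AAD also covers Address 1, Address 3 and QoS bits).
type Frame struct {
	FrameControl uint16
	Addr2        [6]byte
	SeqCtrl      uint16 // sequence number field; its low nibble models the access category
	Payload      []byte
}

const (
	hdrLen    = 10 // FC(2) || A2(6) || SeqCtrl(2), sent in the clear and authenticated
	nonceSize = 13 // CCMP layout: priority(1) || A2(6) || PN(6)
)

// AAD serialises the header exactly as it goes on the wire, so any in-transit change is caught by the tag.
func AAD(f *Frame) []byte {
	b := make([]byte, hdrLen)
	binary.LittleEndian.PutUint16(b[0:2], f.FrameControl)
	copy(b[2:8], f.Addr2[:])
	binary.LittleEndian.PutUint16(b[8:10], f.SeqCtrl)
	return b
}

// Nonce is priority || A2 || PN, the priority byte coming from the access category in the sequence number field.
func Nonce(f *Frame, pn uint64) []byte {
	var pnb [8]byte
	binary.BigEndian.PutUint64(pnb[:], pn)
	n := append([]byte{byte(f.SeqCtrl & 0x0f)}, f.Addr2[:]...)
	return append(n, pnb[2:]...) // low 48 bits of the packet number
}

// Peer is one side's temporal-key state. Go's standard library has no AES-CCM, so
// AES-GCM with a 13-byte nonce stands in; the nonce/AAD/replay handling is the point.
type Peer struct {
	aead   cipher.AEAD
	txPN   uint64
	lastPN map[string]uint64 // highest authenticated PN per (A2, priority)
}

func NewPeer(temporalKey []byte) (*Peer, error) {
	block, err := aes.NewCipher(temporalKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCMWithNonceSize(block, nonceSize) // cannot fail for AES with a fixed size
	return &Peer{aead: aead, lastPN: map[string]uint64{}}, nil
}

func replayKey(f *Frame) string { return fmt.Sprintf("%x/%d", f.Addr2, f.SeqCtrl&0x0f) }

// Seal encrypts f.Payload under the next PN; wire = header || PN || ciphertext || tag.
func (p *Peer) Seal(f *Frame) ([]byte, error) {
	if p.txPN+1 >= 1<<48 {
		return nil, errors.New("packet number space exhausted: rekey before any PN repeats")
	}
	p.txPN++
	n := Nonce(f, p.txPN)
	wire := append(AAD(f), n[7:]...)
	return append(wire, p.aead.Seal(nil, n, f.Payload, wire[:hdrLen])...), nil
}

// Open parses the wire MPDU, rejects replayed or reordered PNs, and verifies the tag before any state changes.
func (p *Peer) Open(wire []byte) (*Frame, error) {
	if len(wire) < hdrLen+6+p.aead.Overhead() {
		return nil, errors.New("short MPDU")
	}
	f := &Frame{FrameControl: binary.LittleEndian.Uint16(wire[0:2]), SeqCtrl: binary.LittleEndian.Uint16(wire[8:10])}
	copy(f.Addr2[:], wire[2:8])
	pn := binary.BigEndian.Uint64(append(make([]byte, 2), wire[hdrLen:hdrLen+6]...))
	if last := p.lastPN[replayKey(f)]; pn <= last {
		return nil, fmt.Errorf("replay: PN %d is not above the last accepted PN %d", pn, last)
	}
	pt, err := p.aead.Open(nil, Nonce(f, pn), wire[hdrLen+6:], wire[:hdrLen])
	if err != nil {
		return nil, errors.New("MIC failure: header or body modified, or wrong key")
	}
	p.lastPN[replayKey(f)], f.Payload = pn, pt // advance only after the tag has verified
	return f, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit temporal key
	tx, _ := NewPeer(key)
	rx, _ := NewPeer(key)
	wire, _ := tx.Seal(&Frame{FrameControl: 0x00d0, SeqCtrl: 0x0016, Payload: []byte("deauth reason=7")})
	_, err1 := rx.Open(wire)
	_, err2 := rx.Open(wire)
	fmt.Printf("first delivery err=%v; replay err=%v\n", err1, err2)
}
```

Because the nonce is a deterministic function of the key, Address 2, the priority and the packet number, reusing a packet number under the same key would repeat a nonce and break both confidentiality and integrity; that is why Seal refuses to run past 2^48 packets and why Open never advances the receive counter until the tag has verified. A 13-byte GCM nonce is hashed through GHASH before use, which preserves uniqueness but does not make this interoperable with real CCMP.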
  • Patent number: 8914631
    Abstract: A packet processing type determiner includes a non-secure packet processing module configured to process packets received over a single socket using a non-secure protocol. The packet processing type determiner also includes a data indicator checking module configured to check the packets for a first indicator denoting a beginning of a secure data record. The packet processing type determiner further includes a secure packet processing module configured to use a secure protocol to process the packets when a packet with the first indicator is detected until a packet with a second indicator denoting an end of the secure data record is detected.
    Type: Grant
    Filed: July 1, 2009
    Date of Patent: December 16, 2014
    Assignee: Oracle International Corporation
    Inventor: Amitabh Shukla
  • Publication number: 20140365759
    Abstract: A Dynamic Adaptive Streaming over Hypertext Transport Protocol (DASH) server component is disclosed. The DASH server component may comprise a memory, a processor coupled to the memory, and a transmitter coupled to the processor. The processor may be configured to generate one or more keys containing content protection information for media content, associate the keys with one or more segments of media content, store the keys in a DASH metadata track in the memory, and generate a media presentation description (MPD) specifying an association between the keys and the segments of media content. The transmitter may be configured to transmit the keys to at least one client independently of transmitting the media content and transmit the MPD to the at least one client.
    Type: Application
    Filed: June 6, 2014
    Publication date: December 11, 2014
    Inventors: Xin Wang, Yongliang Liu, Shaobo Zhang
  • Publication number: 20140365760
    Abstract: Communication equipment includes a communication device (112) and a user interface device (101), e.g. a remote speaker-microphone, interconnected via a short-range data link. The user interface device includes a user interface (102) for receiving commands from a user. The user interface device includes a processor (104) for generating event data in accordance with the commands and for combining the event data with a digital data stream whose information is to be transmitted. The processor encrypts the result in accordance with cryptographic control data accessible to the processor. The encrypted digital data stream is delivered to a transceiver of the user interface device in order to transmit it to the communication device. As the encryption is carried out by the processor in accordance with the cryptographic control data, the transceiver does not need to provide cryptographic functionality and the communication equipment can flexibly support different cryptographic algorithms.
    Type: Application
    Filed: November 1, 2011
    Publication date: December 11, 2014
    Inventor: Pasi Auranen
  • Patent number: 8909967
    Abstract: A technique for secure computation obfuscates program execution such that observers cannot detect what instructions are being run at any given time. Rather, program execution and memory access patterns are made to appear uniform. A processor operates based on encrypted inputs and produces encrypted outputs. In various examples, obfuscation is achieved by exercising computational circuits in a similar way for a wide range of instructions, such that all such instructions, regardless of their operational differences, affect the processor's power dissipation and processing time substantially uniformly. Obfuscation is further achieved by limiting memory accesses to predetermined time intervals, with memory interface circuits exercised regardless of whether a running program requires a memory access or not. The resulting processor thus reduces leakage of any meaningful information relating to the program or its inputs, which could otherwise be detectable to observers.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: December 9, 2014
    Assignee: EMC Corporation
    Inventor: Marten van Dijk
  • Patent number: 8909260
    Abstract: A method includes transmitting a paging indicator indicating to user equipment assigned to one or more groups that the user equipment are to attempt to receive paging messages including paging information targeted to at least one of the one or more groups; and transmitting in a channel the paging information in the paging messages. Another method includes receiving a paging indicator indicating a user equipment is to attempt to receive paging messages including paging information targeted to at least one of one or more groups; and receiving from a channel the paging information in the paging messages. A method includes sending a request message to user equipment assigned to one or more groups, the request message comprising an indication to cause the user equipment to read device trigger information in a system broadcast message; and sending the device trigger information in the system broadcast message.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: December 9, 2014
    Assignee: Nokia Siemens Networks Oy
    Inventors: Devaki Chandramouli, Guillaume Decarreau, Henri M. Koskinen, Lei Du, Woonhee Hwang, Xiao Tang Xie
  • Patent number: 8898451
    Abstract: A method for efficiently decrypting asymmetric SSL pre-master keys is divided into a key agent component that runs in user mode, and an SSL driver running in kernel mode. The key agent can take advantage of multiple threads for decoding keys in a multi-processor environment, while the SSL driver handles the task of symmetric decryption of the SSL encrypted data stream. The method is of advantage in applications such as firewalls with deep packet inspection in which all encrypted data traffic passing through the firewall must be decrypted for inspection.
    Type: Grant
    Filed: August 21, 2013
    Date of Patent: November 25, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Dale Sabo, Gerrard Eric Rosenquist
  • Patent number: 8897448
    Abstract: The present invention employs in-band signaling between PTEs to provision and control session keys, which are used by the PTEs for encrypting and decrypting traffic that is carried from one PTE to another over a transport network. In operation, a first PTE will receive incoming traffic from a first edge network, map the traffic to frames, encrypt the traffic with a session key, and send the frames with the encrypted traffic over the transport network to a second PTE. The second PTE will extract the encrypted traffic from the frames, decrypt the encrypted traffic with a session key, and send the recovered traffic over a second edge network toward an intended destination. If symmetric encryption is employed, the session key used by the first PTE to encrypt the traffic will be identical to the session key used by the second PTE to decrypt the traffic.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: November 25, 2014
    Assignee: Ciena Corporation
    Inventors: Xiaoqing Hu, Frederic F. Simard
  • Patent number: 8898734
    Abstract: A security policy database identifies the intended security policies within a network, a traffic generator provides test traffic that is configured to test each defined security policy, and a simulator simulates the propagation of this traffic on a model of the network. The model of the network includes the configuration data associated with each device, and thus, if devices are properly configured to enforce the intended security policies, the success/failure of the simulated test traffic will conform to the intended permit/deny policy of each connection. Differences between the simulated message propagation and the intended security policies are reported to the user, and diagnostic tools are provided to facilitate identification of the device configuration data that accounts for the observed difference. Additionally, if a network's current security policy is unknown, test traffic is generated to reveal the actual policy in effect, to construct a baseline intended security policy.
    Type: Grant
    Filed: August 16, 2006
    Date of Patent: November 25, 2014
    Assignee: Riverbed Technology, Inc.
    Inventors: Pradeep K. Singh, Ankit Agarwal, Alain J. Cohen, Venuprakash Barathan, Vinod Jeyachandran
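The simulation loop the Riverbed abstract describes, as an added example that is not Riverbed's code: a Go model in which each device's configuration data is a first-match ACL with an implicit deny, test traffic is generated from the intended policy database and propagated along a device path, and every divergence is reported together with the per-device decision trace that points at the rule responsible. The Discover function covers the abstract's last sentence, probing every host pair and port to recover the policy actually in effect when none is documented. The sample network, its rules and the intended policies are constructed for this example; real device models would be parsed from vendor configurations and would carry routing and NAT, which this model omits.

```go
package main

import "fmt"

// Action is a device or policy decision.
type Action string

const Permit, Deny Action = "permit", "deny"

type Flow struct{ Src, Dst string; Port int }                // one unit of test traffic
type Rule struct{ Src, Dst string; Port int; Action Action } // ACL entry; "*" and 0 are wildcards
type Device struct{ Name string; Rules []Rule }              // first match wins, implicit deny at the end
type Policy struct{ Flow Flow; Intent Action }               // intended end-to-end decision from the policy DB

// Finding is a divergence between simulated and intended behaviour, with the
// per-device trace needed to locate the responsible configuration data.
type Finding struct {
	Policy  Policy
	Actual  Action
	Trace   []string // "device:ruleN-permit", "device:implicit-deny", ...
	Blocker string   // device that denied the flow; empty if nothing did
}

// evaluate returns the device's decision and the index of the rule that made it (-1 = implicit deny).
func (d Device) evaluate(f Flow) (Action, int) {
	for i, r := range d.Rules {
		if (r.Src == "*" || r.Src == f.Src) && (r.Dst == "*" || r.Dst == f.Dst) && (r.Port == 0 || r.Port == f.Port) {
			return r.Action, i
		}
	}
	return Deny, -1
}

// walk propagates one test flow along the path; the first Deny stops it, as on the real network.
func walk(path []Device, f Flow) (Action, []string, string) {
	var trace []string
	for _, d := range path {
		a, i := d.evaluate(f)
		label := "implicit-deny"
		if i >= 0 {
			label = fmt.Sprintf("rule%d-%s", i, a)
		}
		trace = append(trace, d.Name+":"+label)
		if a == Deny {
			return Deny, trace, d.Name
		}
	}
	return Permit, trace, ""
}

// Simulate sends one test flow per policy and reports every policy whose outcome differs from the intent.
func Simulate(path []Device, policies []Policy) []Finding {
	var findings []Finding
	for _, p := range policies {
		actual, trace, blocker := walk(path, p.Flow)
		if actual != p.Intent {
			findings = append(findings, Finding{p, actual, trace, blocker})
		}
	}
	return findings
}

// Discover covers the unknown-policy case: probe every host pair and port and record
// what the configured devices actually do, as a baseline for a reviewer to confirm.
func Discover(path []Device, hosts []string, ports []int) []Policy {
	var baseline []Policy
	for _, s := range hosts {
		for _, d := range hosts {
			for _, port := range ports {
				if s == d {
					continue
				}
				actual, _, _ := walk(path, Flow{s, d, port})
				baseline = append(baseline, Policy{Flow{s, d, port}, actual})
			}
		}
	}
	return baseline
}

// SampleNetwork is a constructed two-firewall path: the edge device's rule 1 permits
// port 3306 from anywhere (too broad), and nothing on the edge permits web->db:22.
func SampleNetwork() ([]Device, []Policy) {
	edge := Device{"edge-fw", []Rule{{"internet", "web", 443, Permit}, {"*", "*", 3306, Permit}}}
	dc := Device{"dc-fw", []Rule{{"*", "db", 3306, Permit}, {"web", "db", 22, Permit}, {"*", "web", 443, Permit}}}
	policies := []Policy{
		{Flow{"web", "db", 3306}, Permit},
		{Flow{"internet", "db", 3306}, Deny},
		{Flow{"internet", "web", 443}, Permit},
		{Flow{"web", "db", 22}, Permit},
		{Flow{"internet", "db", 22}, Deny},
	}
	return []Device{edge, dc}, policies
}

func main() {
	for _, f := range Simulate(SampleNetwork()) {
		fmt.Printf("%v: intended %s, simulated %s, via %v\n", f.Policy.Flow, f.Policy.Intent, f.Actual, f.Trace)
	}
}
```

On the sample network the run yields two findings: the intended deny of internet to db:3306 is permitted by edge-fw rule 1 and then dc-fw rule 0, and the intended permit of web to db:22 dies at edge-fw's implicit deny. The trace is what turns a failed policy into a specific line of configuration to change, and a baseline produced by Discover simulates cleanly by construction, which is exactly why it must be reviewed rather than adopted as the intent.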
  • Patent number: 8898471
    Abstract: A method for generating and delivering a message via a web service is provided. A message for a recipient is converted to a URL and sent. A request is received from a sender to send a message to a recipient. A URL message is created in response to receiving the request to send the message to the recipient and the URL message is sent to the recipient. A URL message response is received from the recipient and a landing message is sent to the recipient in response to receiving the URL message response. The landing message includes a hint requesting an answer from the recipient. An answer is received from the recipient and the message is displayed to the recipient in response to receiving the answer.
    Type: Grant
    Filed: November 13, 2012
    Date of Patent: November 25, 2014
    Assignee: Unsene, Inc.
    Inventors: Christopher A. Kitze, Vinh H. Vo
  • Patent number: 8893222
    Abstract: A method of linking a security policy stored in a policy database that is specific to an application in the application layer with a new corresponding process launched in the LINUX layer in a security system for an operating system running on a device that comprises a LINUX-based kernel. The system architecture is defined by a middleware layer between the LINUX layer associated with the kernel and the higher application layer comprising the applications.
    Type: Grant
    Filed: October 4, 2013
    Date of Patent: November 18, 2014
    Assignee: Auckland Uniservices Ltd.
    Inventors: Giovanni Russello, Arturo Blas Jimenez, Habib Naderi, Wannes Van Der Mark
  • Patent number: 8892695
    Abstract: In a first embodiment of the present invention, a method for operating a user agent on a first device is provided, comprising: discovering, using a home networking protocol, a second device, wherein the second device includes a user input mechanism; retrieving information regarding the user input mechanism from the second device using the home networking protocol; determining whether to accept the connection based on the information regarding the user input mechanism; when it is determined to accept the connection, negotiating an out-of-band connection in a protocol other than the home networking protocol with the second device; receiving input command events from the second device via the out-of-band connection; and executing the input command events at the user agent to control an aspect of the first device.
    Type: Grant
    Filed: September 26, 2011
    Date of Patent: November 18, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Russell A. Berkoff
  • Patent number: 8892885
    Abstract: A system and method for authenticating a user that includes receiving an access-request of a network protocol at a challenge-response server; determining if an access-challenge message is required; delivering an active script component through a parameter of an access-challenge message of the network protocol when an access-challenge is required; receiving a challenge-response of a user; validating the challenge-response; and selectively sending an access-accept response for a valid challenge-response and sending an access-denied response for an invalid challenge-response.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: November 18, 2014
    Assignee: Duo Security, Inc.
    Inventors: Jon Oberheide, Douglas Song, Adam Goodman
  • Patent number: 8892877
    Abstract: A method and a device are provided for accessing data files of a secure file server, wherein a user or a process is authenticated; wherein access to the data files of the secure file server takes place by way of an encryption module of the secure file server; wherein the encryption module comprises an encryption agreement of a centralized security application; and wherein the access of the authenticated user or process to the secure file server takes place by way of an encrypted protocol taking into consideration the encryption agreement. Such a device may be included in a corresponding computer network.
    Type: Grant
    Filed: May 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventor: Sirko Molau
  • Publication number: 20140337613
    Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
    Type: Application
    Filed: May 8, 2013
    Publication date: November 13, 2014
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8886927
    Abstract: A method, an apparatus and a system for preventing DDoS (Distributed Denial of Service) attacks in a cloud system. The method for preventing DDoS attacks in a cloud system includes: monitoring, by a protection node in a cloud system, data traffic input into virtual machines, where the cloud system includes the protection node and multiple virtual machines, and data streams communicated between the virtual machines pass through the protection node; extracting data streams to be input into virtual machines if it is detected that the data traffic input into the virtual machines is abnormal; sending the extracted data streams to a traffic cleaning apparatus for cleaning; receiving the data streams cleaned by the traffic cleaning apparatus; and inputting the cleaned data streams into the virtual machines. The technical solutions provided in the embodiments of the present disclosure can effectively prevent DDoS attacks between virtual machines in the cloud system.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: November 11, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Wu Jiang
  • Patent number: 8886960
    Abstract: A microprocessor includes an architected register having a bit. The microprocessor sets the bit. The microprocessor also includes a fetch unit that fetches encrypted instructions from an instruction cache and decrypts them prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the value of the bit to a stack in memory and then clears the bit, in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them, after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register, in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions, in response to determining that the restored value of the bit is set.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: November 11, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8887265
    Abstract: A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: November 11, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael Green, David F. Diehl, Michael J. Karels
  • Patent number: 8886938
    Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the page form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and a secondary token from a client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: November 11, 2014
    Assignee: Intuit Inc.
    Inventor: Matthew Greenwood
  • Patent number: 8886941
    Abstract: A method for generating and delivering a message via a web service is provided. A message for a recipient is converted to a URL and sent. A request is received from a sender to send a message to a recipient. A URL message is created in response to receiving the request to send the message to the recipient and the URL message is sent to the recipient. A URL message response is received from the recipient and a landing message is sent to the recipient in response to receiving the URL message response. The landing message includes a hint requesting an answer from the recipient. An answer is received from the recipient and the message is sent to the recipient in response to receiving the answer.
    Type: Grant
    Filed: November 13, 2012
    Date of Patent: November 11, 2014
    Assignee: Unsene, Inc.
    Inventors: Christopher A. Kitze, Vinh H. Vo
  • Patent number: 8881295
    Abstract: Methods and apparatus are provided for generating a garbled circuit for a client in a leakage-resilient manner, for use in secure function evaluation between the client and a server. The garbled circuit is generated by obtaining a token from the server, wherein said token comprises a leakage-protected area; querying the token gate-by-gate, wherein for each gate of said garbled circuit, the token interacts with the leakage-protected area to generate a garbled table for the gate; and receiving the garbled circuit from the token. The client can interact with the server to obtain garbled inputs; and then evaluate the garbled circuit on the garbled inputs to obtain a garbled output. A final output can be obtained by matching the garbled output with an output table in the garbled circuit.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: November 4, 2014
    Assignee: Alcatel Lucent
    Inventors: Vladimir Kolesnikov, Virendra Kumar
  • Patent number: 8881276
    Abstract: In one embodiment, detecting network data, retrieving a whitelist associated with the detected network data, and selectively applying an intrusion prevention policy based on the retrieved whitelist are provided.
    Type: Grant
    Filed: January 9, 2007
    Date of Patent: November 4, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Dean Kratzer, Anthony Hall
  • Patent number: 8881286
    Abstract: A method and device for clustering virus files is provided. The method involves statically analyzing binary data of virus files to be clustered, so as to obtain PE structure data of the virus files. Further, based on a comparison of the PE structure data, those virus files with PE structure data meeting a specific similarity may be categorized into the same category. The device may include a first data analyzing module configured to extract PE structure data of virus files to be clustered by static analysis of binary data of the virus files. A first clustering module of the device may compare the PE structure data and cluster the virus files having the PE structure data meeting a specific similarity into the same category. The solution may improve efficiency of clustering computer virus files, reduce resource consumption, and avoid the risk of virus infection caused by dynamically running the virus files.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: November 4, 2014
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventor: Tao Yu
  • Patent number: 8880868
    Abstract: A secure deterministic fabric includes switches that segregate data traffic requiring disparate levels of authentication or having different safety levels. Data may be segregated physically, utilizing different hardware; or virtually, by allocating certain assets such as memory blocks exclusively for certain levels of authentication. The secure deterministic fabric may include elements for safety monitoring and multi-level security monitoring.
    Type: Grant
    Filed: June 15, 2012
    Date of Patent: November 4, 2014
    Assignee: Rockwell Collins, Inc.
    Inventors: Roger K. Shultz, Joshua Bertram, Raymond Knoff, James Marek, Max G. Taylor
  • Patent number: 8880869
    Abstract: A device receives capability information associated with a next hop device of a wireless local area network (WLAN). The device also determines, based on the capability information, whether the next hop device is capable of implementing security for traffic, where the security includes a media access control (MAC) security standard and a layer 2 link security standard. The device further creates, via the MAC security standard, a secure channel with the next hop device when the next hop device is capable of providing security for traffic.
    Type: Grant
    Filed: November 22, 2010
    Date of Patent: November 4, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Sandip Shah, Jeffrey L Pochop, Jr.
  • Patent number: 8880902
    Abstract: A microprocessor is provided with a method for decrypting encrypted instruction data into plain text instruction data and securely executing the same. The microprocessor includes a master key register file comprising a plurality of master keys. Selection logic circuitry in the microprocessor selects a combination of at least two of the plurality of master keys. Key expansion circuitry in the microprocessor performs mathematical operations on the selected master keys to generate a decryption key having a long effective key length. Instruction decryption circuitry performs an efficient mathematical operation on the encrypted instruction data and the decryption key to decrypt the encrypted instruction data into plain text instruction data.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: November 4, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8880881
    Abstract: A method of establishing secure communication between a first mobile computing device and a second mobile computing device includes generating a first self-signed key at the first mobile computing device, pairing the first device with a second device, the pairing including receiving user input of a passcode and, after receiving the user input, sending the first public key to the second mobile computing device and receiving a second public key from the second mobile computing device, storing the second public key in a database of trusted devices, the database of trusted devices being stored in the first mobile computing device, receiving in the first mobile computing device a list of mobile computing devices connected to a mobile network, matching the list of mobile computing devices against the database of trusted devices, and establishing secure communication between the first mobile computing device and the second mobile computing device.
    Type: Grant
    Filed: January 18, 2012
    Date of Patent: November 4, 2014
    Assignee: Square, Inc.
    Inventors: Shawn Morel, Diogo Monica, Eric Monti, Sam Wen, Nathan McCauley
  • Patent number: 8874896
    Abstract: This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: October 28, 2014
    Assignee: Intertrust Technologies Corporation
    Inventors: Gilles Boccon-Gibod, Gary Ellison
  • Patent number: 8875231
    Abstract: A communications system comprising a service processing system configured to receive a privacy request indicating a communication comprising a first user associated with a first communication device and a second user associated with a second communication device, send a query indicating the communication to a privacy system, receive a privacy message indicating whether the second user is private, and send a privacy instruction to the first communication device; the privacy system configured to receive the query, determine a privacy list for the first user, process the query with the privacy list to determine whether the second user is on the privacy list, and send the privacy message to the service processing system indicating that the second user is private; and the first communication device configured to receive the privacy instruction, and update a log, wherein, according to the privacy instruction, the second user is not indicated.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: October 28, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Larry H. Piercy, Trey A. Hilyard
  • Patent number: 8875222
    Abstract: A highly efficient access control system and method employing XACML standard based policies and rules provides high performance resource access control of information systems of large enterprises. The system and method extracts plain rules from the XACML policies, transforms the plain rules into atomic rules, and compresses and indexes the atomic rules for fast lookup and retrieval. Access requests are decomposed into atomic requests which are compressed using the same value mapping as the rules. Index keys derived from compressed atomic request triplets are used to look up applicable rules which are used to evaluate requests for access to information system resources.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: October 28, 2014
    Assignee: EMC Corporation
    Inventors: Lei Chang, Jeroen Van Rotterdam, David Choy
  • Patent number: 8874754
    Abstract: Described systems and methods allow a biometric authentication system to process authentication requests, such as requests to authenticate handwritten signatures, received from a plurality of client systems, each covered by a service level agreement (SLA). The biometric authentication system includes a load balancer configured to distribute authentication tasks to a plurality of worker machines. In some embodiments, task distribution is performed according to an ability of each worker to process urgent tasks, to an ability of each worker to process non-urgent tasks, and further according to a relationship between a count of urgent requests and a count of non-urgent requests received by the biometric authentication system.
    Type: Grant
    Filed: October 16, 2012
    Date of Patent: October 28, 2014
    Assignee: Softwin SRL Romania
    Inventors: Andreea Salinca, Ana M. Pricochi, Bogdan N. Ivascu, Mircea S. Rusu
  • Patent number: 8868998
    Abstract: Packet communication apparatus connects plural LANs to each other at the termination of a WAN that conducts data communication using a handshake communication protocol. The apparatus buffers data packets between the LANs, and transfers, as a proxy, response packets and data packets to a terminal device. The apparatus stops transmission of data packets belonging to an arbitrary packet flow when reception of the response packets belonging to that packet flow from the WAN has ceased for at least a set network outage detection time while data packets belonging to the arbitrary packet flow are being transmitted. The apparatus retransmits the first data packet whose corresponding response packet has not been received, belonging to the packet flow, immediately after the data packet transmission stops, and retransmits all data packets whose corresponding response packets have not been received, belonging to the packet flow, when it receives the response packets from the WAN.
    Type: Grant
    Filed: December 10, 2012
    Date of Patent: October 21, 2014
    Assignee: Hitachi, Ltd.
    Inventors: Michitaka Okuno, Takeki Yazaki
  • Patent number: 8869290
    Abstract: A broadband gateway, which enables communication with a plurality of devices, handles at least one physical layer connection to at least one corresponding network access service provider. Security boundaries such as conditional access (CA) and/or digital right management (DRM) boundaries associated with the broadband gateway are identified based on security profiles associated with the plurality of devices and/or a service from networks. The identified security boundaries are utilized to determine or negotiate CA information for content access for the service. The received content may be distributed according to the determined CA information and the security profiles of the corresponding devices. The broadband gateway may be automatically and dynamically configured based on the identified security boundaries to secure content distribution to the devices.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: October 21, 2014
    Assignee: Broadcom Corporation
    Inventors: Xuemin Chen, Jeyhan Karaoguz, Wael Diab, David Garrett, David Albert Lundgren, Rich Prodan