Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 10028001
    Abstract: There is provided a system comprising a non-transitory memory storing a rights database and a hardware processor configured to receive a user input from a user device requesting playback of a media content, the media content being provided by a first type of content provider, perform a first search of the rights database for a first media content entitlement associated with the media content corresponding to the first type of content provider, if the first search does not find the first media content entitlement, perform a second search of the rights database for a second media content entitlement associated with the media content corresponding to a second type of content provider, and, when the second search finds the second media content entitlement, enable playback of the media content from a content provider that is the first type of content provider based on the second media content entitlement corresponding to the second type of content provider.
    Type: Grant
    Filed: October 11, 2016
    Date of Patent: July 17, 2018
    Assignee: Disney Enterprises, Inc.
    Inventors: Edward C. Drake, Mark Arana
  • Patent number: 10020938
    Abstract: Methods, apparatus, and systems are disclosed for, among other things, secure passphrase handling for computing devices. In one respect, a method is provided. The method includes receiving a plurality of passphrase elements from an input device. The method also includes performing a sequence of secure delay processing operations, each operation generating a delayed output value from an initial value. The passphrase is verified upon completion of the sequence of secure delay processing operations. Further, initial values of respective secure delay processing operations are based on respective passphrase elements and, for each secure delay processing operation after a first secure delay processing operation, a delayed output value from at least one other secure delay processing operations.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: July 10, 2018
    Assignee: Callahan Cellular L.L.C.
    Inventor: Edwin A. Suominen
  • Patent number: 10019400
    Abstract: An apparatus is described herein. The apparatus includes a Universal Serial Bus (USB) component and a controller interface. The controller interface is to allocate register space for interfacing with the USB component and the USB component is virtualized into multiple instantiations. The apparatus also includes a secure environment, and the secure environment further virtualizes the multiple instantiations such that the multiple instantiations are owned by the secure environment.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: July 10, 2018
    Assignee: Intel Corporation
    Inventors: Nitin V. Sarangdhar, Steven B. McGowan, Raul Gutierrez, Karthi R. Vadivelu
  • Patent number: 10019343
    Abstract: Methods, systems, and computer program products are included for performing tracing in a protected kernel environment. A method includes scanning at least a portion of a kernel to locate one or more instructions. The locations of the one or more instructions are provided to a hypervisor. The one or more instructions are replaced with one or more other instructions. After replacing the one or more instructions, a kernel protection feature is activated. After activating the kernel protection feature, they hypervisor detects an attempted modification of the kernel. The hypervisor determines that the attempted modification corresponds to the at least one location provided to the hypervisor and that the attempted modification corresponds to an authorized code variant. The hypervisor modifies the kernel to include the authorized code variant at the at least one location.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: July 10, 2018
    Assignee: Red Hat Israel, LTD.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 10021122
    Abstract: A method and an apparatus to perform multiple packet payload analysis have been disclosed. In one embodiment, the method includes receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern, determining whether each of the plurality of data packets is out of order, and making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order. Other embodiments have been claimed and described.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: July 10, 2018
    Assignee: SonicWALL Inc.
    Inventors: Aleksandr Dubrovsky, Roman Yanovsky, Scott Aaron More, Boris Yanovsky
  • Patent number: 10021125
    Abstract: This disclosure provides an infrastructure monitoring tool, and related systems and methods, for collecting industrial process control and automation system risk data, and other data. A method includes discovering multiple devices in a computing system by a risk manager system. The method includes grouping the multiple devices into multiple security zones by the risk manager system. The method includes, for each security zone, causing one or more devices in that security zone to provide information to the risk manager system identifying alerts and events associated with the one or more devices. The method includes storing the information, by the risk manager system, in association with unique identifier values, the unique identifier values identifying different types of information.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: July 10, 2018
    Assignee: Honeywell International Inc.
    Inventors: Venkata Srinivasulu Reddy Talamanchi, Kenneth W. Dietrich, Eric T. Boice, Andrew W. Kowalczyk, Ganesh P. Gadhe
  • Patent number: 10007806
    Abstract: Disabling communication in a multiprocessor fabric. The multiprocessor fabric may include a plurality of processors and a plurality of communication elements and each of the plurality of communication elements may include a memory. A configuration may be received for the multiprocessor fabric, which specifies disabling of communication paths between one or more of: one or more processors and one or more communication elements; one or more processors and one or more other processors; or one or more communication elements and one or more other communication elements. Accordingly, the multiprocessor fabric may be automatically configured in hardware to disable the communication paths specified by the configuration. The multiprocessor fabric may be operated to execute a software application according to the configuration.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: June 26, 2018
    Assignee: Coherent Logix, Incorporated
    Inventors: Michael B. Doerr, Carl S. Dobbs, Michael B. Solka, Michael R. Trocino, David A. Gibson
  • Patent number: 9990494
    Abstract: Various embodiments are directed enabling anti-malware software to co-exist with protective features of an operating system. An apparatus may include a processor component including an IDT register storing an indication of size of an IDT; a monitoring component to retrieve the indication and compare the indication to a size of a guard IDT in response to modification of the IDT register to determine whether the guard routine is to inspect the IDT and a set of ISRs; and a cache component to overwrite the IDT and set of ISRs with a cached IDT and cached set of ISRs, respectively, based on the determination and prior to the inspection to prevent the guard routine from detecting a modification by an anti-malware routine, the cached IDT and cached set of ISRs generated from the IDT and set of ISRs, respectively, prior to the modification. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: June 5, 2018
    Assignee: INTEL CORPORATION
    Inventors: Ramesh Thomas, Manohar R. Castelino, Kuo-Lang Tseng
  • Patent number: 9984229
    Abstract: Disclosed are examples of authorizing an application access attempt. One example method may include connecting via a computing device to at least one remote computing device at a remote site and attempting to download an application from the remote site. The method may also include determining via a processor a trust level of the application based on trust metrics and comparing the trust level to a predetermined threshold. The method may also include determining whether to allow the application to be downloaded to the computing device based on results of the comparing operation.
    Type: Grant
    Filed: August 31, 2011
    Date of Patent: May 29, 2018
    Assignee: Open Invention Network LLC
    Inventor: William Charles Easttom, II
  • Patent number: 9984248
    Abstract: Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: May 29, 2018
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Anthony John Merry, Harald Sch├╝tz, Andreas Berger, John Edward Tyrone Shaw
  • Patent number: 9977898
    Abstract: The present embodiments relate to security in a virtualized operating system environment with an active host based Intrusion Detection System (IDS). More specifically, the IDS identifies any infected container operating on the shared kernel and remedies the infected container. In an operating system virtualization, one or more containers are started in virtual memory utilizing the same operating system kernel. When a container starts any resource not specified in the container configuration is shared with the host operating system. The shared IDS provides security of the namespaces of all containers operating on the shared kernel.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: May 22, 2018
    Assignee: International Business Machines Corporation
    Inventors: Rafael Camarda Silva Folco, Breno H. Leitao, Desnes A. Nunes do Rosario
  • Patent number: 9971909
    Abstract: A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 15, 2018
    Assignee: Intel Corporation
    Inventor: Millind Mittal
  • Patent number: 9973579
    Abstract: Embodiments described herein include methods and systems for remotely managing appliances associated with a user. A mobile phone is but one example of a controlled appliance. A third party operating system (OS) resident on the appliance and is in communication with a third party infrastructure. The appliance receives communications from the third party infrastructure related to management of the appliance, wherein management comprises controlling when the appliance is operable, and which functions the appliance can perform.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: May 15, 2018
    Assignee: Payjoy, Inc.
    Inventor: Douglas James Ricket
  • Patent number: 9971906
    Abstract: A system for secure data storage and transmission is provided. The system comprises a first security module for protecting data in a first data at rest system and a second security module for protecting data in a second data at rest system. At least one encryption parameter for the second data at rest system differs from at least one encryption parameter for the first data at rest system so that a datum is reencrypted when the datum is transferred from the first data at rest system to the second data at rest system.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: May 15, 2018
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 9952914
    Abstract: Aspects of the present invention disclose a method for customizing a parameter value in a software program. The method includes one or more processors receiving one integrated input requesting a change to the original value of a parameter in a software program to a new value of the parameter and defining a persistence level of the new value of the parameter. The method further includes one or more processors changing the original value of the parameter to the new value of the parameter based on the one integrated input and setting the persistence level of the new value based on the one integrated input.
    Type: Grant
    Filed: October 28, 2015
    Date of Patent: April 24, 2018
    Assignee: International Business Machines Corporation
    Inventors: James L. Lentz, David R. Schwartz
  • Patent number: 9928499
    Abstract: Processing payment through a mobile device includes: receiving a command; generating a payment request based on the command and send the payment request to be processed by a lower layer payment program; and monitoring the payment request sent from the localhost address of the mobile device via the predetermined port; in response to the payment request, providing an input interface for payment information in and receive the input payment information; using the lower layer payment program to connect with a payment server and pass the payment information over a network to the payment server; using the lower layer payment program to transfer a payment processing result received from the payment server, to the upper layer application program; and after the upper layer application program has been unblocked, presenting to a user an indication of whether the payment has been successfully processed.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: March 27, 2018
    Assignee: Alibaba Group Holding Limited
    Inventor: Gang Li
  • Patent number: 9916391
    Abstract: A method for webpage content browsing is provided. The method includes a terminal receiving a browsing request inputted by a user through performing an operation on a webpage link in a task window of an application, where the browsing request contains the webpage link. The method also includes the terminal parsing the browsing request to obtain the webpage link included in the browsing request. Further, the method includes the terminal generating a browsing window process, creating a browsing window using the browsing window process and attaching the browsing window to the task window. In addition, the method includes the terminal obtaining the webpage contents corresponding to the webpage link and outputting the webpage contents to the browsing window.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: March 13, 2018
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Yang Gao, Huijiao Yang, Yi Chen, Hao Tang, Bo Hu, Lei Guan
  • Patent number: 9898603
    Abstract: A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on other operations that access the configuration database, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests antimalware programs using cached information without impacting other programs using the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access the configuration database.
    Type: Grant
    Filed: January 8, 2013
    Date of Patent: February 20, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hui Dai, Anil F. Thomas, Catalin D. Sandu
  • Patent number: 9900082
    Abstract: In some implementations, a satellite communication system is a capable of utilizing converged data transmissions over a satellite network to improve various aspects of services provisioned through the satellite network. For example, the system includes multiple electronic components that operate within a common software application framework to enable the ability to perform monitored operations in real-time. The system uses the monitored data to dynamically and intelligently adjust network configurations of the satellite network configuration to dynamically and intelligently improve to the provisioning of network-based services under varying network conditions.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: February 20, 2018
    Assignee: Stitel Networks, LLC
    Inventors: Noor A. Chowdhury, Nahid Hossain
  • Patent number: 9870311
    Abstract: The disclosure is generally directed towards automatically generating a mock object from a description of a real object, such as for use in testing. Mock object generation logic parses the description to determine interface(s) of the real object, which are replicated in the mock object, and to determine method(s) of the real object, which are simulated in the mock object. The mock object generation logic may generate a description of the mock object that is then compiled into the mock object for execution. Data types may be validated so that the arguments and/or return values from the mock object meet the expectations of a calling object.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: January 16, 2018
    Assignee: HOME BOX OFFICE, INC.
    Inventor: Brendan Joseph Clark
  • Patent number: 9871800
    Abstract: In accordance with an embodiment, described herein is a system and method for providing application security in a cloud computing or other environment. A plurality of hot-spot configurations define API usages which, for security reasons, are of interest to be monitored at runtime, such as invocations of particular methods that are likely to be used to attempt unauthorized access. Upon a user application being received for deployment to the cloud environment, an application compiler determines, for API usages expressed as method invocations within the source code of the application, one or more hot-spot configurations and associated policies or actions. The application compiler can then inject the user application to provide a security manager that, during runtime, monitors the methods and values invoked, and communicates with one or more security extensions to grant or deny access.
    Type: Grant
    Filed: January 30, 2015
    Date of Patent: January 16, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Velmurugan Subramanian, Nilesh Junnarkar
  • Patent number: 9866548
    Abstract: Embodiments generally relate to out-of-band management of a computing system. The present technology discloses enable a primary service controller to provide a centralized configuration of multiple secondary service controllers so that they can share a same configuration. It can utilize an authentication-free protocol to modify and manage credentials for a large number of service controllers.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: January 9, 2018
    Assignee: QUANTA COMPUTER INC.
    Inventor: Ching-Chih Shih
  • Patent number: 9864878
    Abstract: A computer implemented method includes generating, by a processor, a first event record in response to an event being performed by a computer; and generating, by the processor, a second event record in response to the first event record being generated, wherein the second event record comprises a signature corresponding to the first event record.
    Type: Grant
    Filed: July 27, 2015
    Date of Patent: January 9, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony T. Sofia, Peter G. Sutton
  • Patent number: 9852001
    Abstract: Techniques are disclosed for controlling and managing virtual machines and other such virtual systems. VM execution approval is based on compliance with policies controlling various aspects of VM. The techniques can be employed to benefit all virtual environments, such as virtual machines, virtual appliances, and virtual applications. For ease of discussion herein, assume that a virtual machine (VM) represents each of these environments. In one particular embodiment, a systems management partition (SMP) is created inside the VM to provide a persistent and resilient storage for management information (e.g., logical and physical VM metadata). The SMP can also be used as a staging area for installing additional content or agentry on the VM when the VM is executed. Remote storage of management information can also be used. The VM management information can then be made available for pre-execution processing, including policy-based compliance testing.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: December 26, 2017
    Assignee: ManageIQ, Inc.
    Inventors: Joseph Fitzgerald, Oleg Barenboim
  • Patent number: 9853996
    Abstract: A system and method for identifying and preventing malicious application programming interface attacks is configured to, during a learning stage: monitor all requests sent to and from the server API; identify one or more first characteristic data points of each request and response sent during the learning stage; and determine, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and during a protection stage: monitor all requests sent to and from the server API; identify one or more second characteristic data points of each request and response sent during the protection stage; and one of validate and invalidate the identified one or more second characteristic data points against the one or more characteristic data models.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: December 26, 2017
    Assignee: SECFUL, INC.
    Inventors: Roey Eliyahu, Omer Sadika
  • Patent number: 9846781
    Abstract: Example embodiments disclosed herein relate to unused parameters. A request to a web page of an application under test is made. It is determined whether the web page includes one or more unused parameter fields. Another request to the web page of the application under test is made using one or more parameters corresponding to the unused parameter fields.
    Type: Grant
    Filed: April 19, 2013
    Date of Patent: December 19, 2017
    Assignee: EntIT Software LLC
    Inventors: Nidhi GovindRam Kejriwal, Ronald Joseph Sechman, Sasi Siddharth Muthurajan
  • Patent number: 9843451
    Abstract: An electronic device includes a memory configured to store a lab certificate, a code authentication certificate and the executable code. The electronic device also includes a processor associated with a unique device identifier. For a first operational condition of the plurality of operational conditions, the processor is configured to: retrieve the code authentication certificate associated with the executable code; determine that a valid lab certificate is present in the memory; authenticate the code authentication certificate by determining that the code authentication certificate is signed with a private developer key and that the signature is valid; and execute the executable code on the electronic device responsive to determining that the lab certificate is valid and authenticating the code authentication certificate.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: December 12, 2017
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Ellis A. Pinder, Thomas S. Messerges
  • Patent number: 9843453
    Abstract: A method for authorizing I/O (input/output) commands in a storage cluster is provided. The method includes generating a token responsive to an authority initiating an I/O command, wherein the token is specific to assignment of the authority and a storage node of the storage cluster. The method includes verifying the I/O command using the token, wherein the token includes a signature confirming validity of the token and wherein the token is revocable.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: December 12, 2017
    Assignee: Pure Storage, Inc.
    Inventors: John Hayes, Robert Lee
  • Patent number: 9836286
    Abstract: A computer program product according to some embodiments causes a processor to perform operations including disassembling executable code of an application program to provide disassembled code, identifying first wrapping code in the disassembled code, receiving second wrapping code, generating a consolidated application wrapper that manages operation of both the first wrapping code and the second wrapping code, inserting the second wrapping code and the consolidated application wrapper into the disassembled code to form modified disassembled code, and assembling the modified disassembled code to form modified executable code.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: December 5, 2017
    Assignee: CA, INC.
    Inventor: Vikrant Nandakumar
  • Patent number: 9838424
    Abstract: Techniques to contain lateral movement of attackers through just-in-time (JIT) provisioned accounts comprising an account management component to receive a request from a first account via a client device for a second account to access a server device in a set of server devices, an account authorization component to authorize the request for the second account based at least partially on account information associated with the first account, an account provisioning component to provision the second account to enable a client to access the server device, and an account notification component to provide account information associated with the second account to a client via the client device. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: December 5, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Shane Brady, Siddhartha Mathur, Rajalakshmi Dani, Santosh Kumar, Luke Schoen, David Hetherington
  • Patent number: 9832015
    Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key_MSB=AES128(base_key_1, client_ID),??(1) client_key_LSB=AES128(base_key_2, client_ID+pad), and??(2) client_key=client_key_MSB?client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.
    Type: Grant
    Filed: December 1, 2014
    Date of Patent: November 28, 2017
    Assignee: Intel Corporation
    Inventors: Men Long, Jesse Walker, Karanvir S Grewal
  • Patent number: 9819650
    Abstract: A system and method for homomorphic encryption in a healthcare network environment is provided and includes receiving digital data over the healthcare network at a data custodian server in a plurality of formats from various data sources, encrypting the data according to a homomorphic encryption scheme, receiving a query at the data custodian server from a data consumer device concerning a portion of the encrypted data, initiating a secure homomorphic work session between the data custodian server and the data consumer device, generating a homomorphic work space associated with the homomorphic work session, compiling, by the data custodian server, a results set satisfying the query, loading the results set into the homomorphic work space, and building an application programming interface (API) compatible with the results set, the API facilitating encrypted analysis on the results set in the homomorphic work space.
    Type: Grant
    Filed: July 21, 2015
    Date of Patent: November 14, 2017
    Assignee: NANTHEALTH, INC.
    Inventors: Patrick Soon-Shiong, Harsh Kupwade-Patil, Ravi Seshadri, Nicholas J. Witchey
  • Patent number: 9807129
    Abstract: A logical communication path is provided between a target virtual machine (VM) and a host or application communicating with the VM. The target VM runs on a hypervisor host that has a hypervisor and a proxy agent. The hypervisor manages execution of the VM. A mapping is maintained indicating which VMs execute on which hosts. When the host or application is to send a message or packet to the target VM, the mapping is consulted and the hypervisor host hosting the target VM is identified. The message or packet, which may identify the target VM, is transmitted to the hypervisor host. A proxy agent at the hypervisor host selects a communication channel between the hypervisor and the target VM. The hypervisor then passes the message or packet through the selected channel to the target VM.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: October 31, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Robert Fries, Srivatsan Parthasarathy, Ashvinkumar Sanghvi, Aravind Ramarathinam, Michael Grier
  • Patent number: 9798678
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.
    Type: Grant
    Filed: April 2, 2015
    Date of Patent: October 24, 2017
    Assignee: International Business Machines Corporation
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9800688
    Abstract: Embodiments include processes, systems, and devices for initiating proximity actions upon the activation of a proximity connection. A proximity service receives an indication from a proximity provider that a proximity connection is established, and then determines a joint proximity context of the proximity connection. The proximity service then initiates a proximity action to facilitate a proximity function indicated by the joint proximity context. Joint proximity contexts include indications that an application has queued content to be shared with a proximity device, that an application has registered to publish messages on a namespace, that an application has subscribed to messages on a namespace, that an application has registered to find a peer application on a proximity device to enable multi-user collaboration, and that a device seeks to pair with another device.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: October 24, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Marc Christopher Pottier, Max Glenn Morris, Travis J. Martin, Michael N. Loholt, Darren R. Davis, Priya Bhushan Dandawate, Kenton A. Shipley, Khurram M. Zia
  • Patent number: 9800618
    Abstract: A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: October 24, 2017
    Assignee: Open Invention Network LLC
    Inventor: Gail-Joon Ahn
  • Patent number: 9787714
    Abstract: A threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: October 10, 2017
    Assignee: SALESFORCE.COM, INC.
    Inventor: Timothy Bach
  • Patent number: 9785784
    Abstract: A method of operating a host controller interface includes receiving a buffer descriptor including sector information from a main memory, fetching data by using a source address included in the buffer descriptor, selecting one of a plurality of entries included in a security policy table by using the sector information, and determining whether to encrypt the fetched data by using a security policy included in the selected entry.
    Type: Grant
    Filed: August 19, 2015
    Date of Patent: October 10, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kwan Ho Kim, Seok Min Kim, Heon Soo Lee
  • Patent number: 9779032
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.
    Type: Grant
    Filed: November 14, 2015
    Date of Patent: October 3, 2017
    Assignee: International Business Machines Corporation
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9779248
    Abstract: Protecting secured boot secrets while starting an operating system. Embodiments include starting a first operating system using a trusted computing base, protecting a portion of the system memory to prevent access to the portion of the system memory by the first operating system, and storing secured boot secrets in the protected portion of the system memory. Based at least on identifying that a second operating system is to be started to replace the first operating system, embodiments include configuring one or more memory data structures, including code of the second operating system, in the protected portion of the system memory. The protected portion of the system memory is unprotected, while mitigating attacks on the portion of system memory, and processor state is set to execute the code of the second operating system. The second operating system starts using the secured boot secrets stored in the portion of the system memory.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: October 3, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alain Gefflaut, Andrey Shedel
  • Patent number: 9773117
    Abstract: Reducing risk of data loss by automatically background scanning data to detect a plurality of candidate sensitive data items. For at least some of those candidate sensitive data items that are deemed not to concretely classified as sensitive, a dissolvable encryption is applied to the data item to at least temporarily protect the data item. When the user requests access to the data item, the system determines that the data item has been dissolvably encrypted and that the user is authorized to define the sensitivity of the data item. In response, the user is allowed to direct the system as to whether the data item is to be concretely encrypted (such as if the user was to confirm the data item as sensitive), or whether the dissolvable encryption of the data item is to be dissolved (such as if the user was to confirm the data item as not sensitive).
    Type: Grant
    Filed: June 4, 2014
    Date of Patent: September 26, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Daniel Plastina
  • Patent number: 9772954
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.
    Type: Grant
    Filed: November 14, 2015
    Date of Patent: September 26, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9774568
    Abstract: A computer security architecture applies selected rules from among a set of rules defining one or more security policies to a given set of security context parameters to produce security verdicts, each representing whether a certain action requested by a subject entity is permissible. Each security policy is associated with a corresponding communication interface. A plurality of gateway engines are each associated with at least one of the subject entities and dedicated to interfacing with the security server. Each of the gateway engines carries out monitoring of requested actions by the associated subject entity and, for each requested action, identifies a security context. A security policy is determined for the requested action based on a corresponding security context, and a security verdict is obtained via a communication interface corresponding to the applicable security policy.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: September 26, 2017
    Assignee: AO KASPERSKY LAB
    Inventors: Andrey P. Doukhvalov, Pavel V. Dyakin, Dmitry A. Kulagin, Sergey B. Lungu, Stanislav V. Moiseev
  • Patent number: 9767301
    Abstract: A method, system, and computer usable program product-for context aware data protection are provided. Information about an access context is received in a data processing system. A resource affected by the access context is identified. The identification of the resource may include deriving knowledge about resource by making an inference from a portion of contents of the resource that the access context affects the resource, making an inference that the access context affects a second resource thereby inferring that the resource has to be modified, determining that the access context is relevant to the resource, or a combination thereof. The resource is received. A policy that is applicable to the access context is identified. A part of the resource to modify according to the policy is determined. The part is modified according to the policy and the access context to form a modified resource. The modified resource is transmitted.
    Type: Grant
    Filed: March 6, 2012
    Date of Patent: September 19, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Srinivas Jandhyala, Albee Jhoney, Sridhar R Muppidi, Nataraj Nagaratnam, Atul Saxena
  • Patent number: 9762609
    Abstract: Provided herein are systems and methods for targeted attack protection using predictive sandboxing. In exemplary embodiments, a method includes retrieving a URL from a message of a user and performing a preliminary determination to see if the URL can be discarded if it is not a candidate for sandboxing. The exemplary method includes computing a plurality of selection criteria factors for the URL if the URL passes the preliminary determination, each selection criteria factor having a respective factor threshold. The method can further include determining if any of the selection criteria factors for the URL exceeds the respective factor threshold for the respective selection criteria factor. Based on the determining, if any of the selection criteria factors exceeds the factor threshold for the selection criteria factor, the exemplary method includes automatically placing the URL in a sandbox for analysis.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: September 12, 2017
    Assignee: Proofpoint, Inc.
    Inventors: Steven Robert Sandke, Bryan Burns
  • Patent number: 9760395
    Abstract: A method for configuring and maintaining external monitoring of one or more instances of a virtual machine within a virtualized computing environment. The method includes a computer processor monitoring a hypervisor. The method further includes a computer processor identifying a first list, wherein the first list is comprised of one or more monitoring templates respectively associated with one or more virtual machine types, and maintaining a second list comprised plurality of provisioned instances of virtual machines, wherein the second list also includes a first information respectively associated with the plurality of provisioned instances of virtual machines. The method further includes a computer processor compiling a third list and transmitting the third list to the monitoring system. The method further includes a computer processor receiving the third list and in response, a computer processor executing one or more monitoring functions based, at least in part, on the third list.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: September 12, 2017
    Assignee: International Business Machines Corporation
    Inventors: Liam M. Doherty, King-Yan Kwan, Mark A. Shewell, Peter G. Woodward
  • Patent number: 9756069
    Abstract: A virtual machine is used to perform a raw scan for evasive malware on a host computer without requiring an interrupt or restart of a host operating system. An antivirus program installs a raw scanner virtual machine. The raw scanner virtual machine is triggered to scan files and memory for malware. The raw scan results are collected by the antivirus program for analysis, such as for use in generating a report or for removal of malware. The memory and files of the host are mapped to a guest space of the virtual machine.
    Type: Grant
    Filed: January 10, 2014
    Date of Patent: September 5, 2017
    Assignee: TREND MICRO INC.
    Inventors: Yuefeng Li, Qiang Huang, Hu Cao
  • Patent number: 9747381
    Abstract: A processor-executed access manager with an identity management framework receives a first query from a user of a client device connected to a network for a system. The query seeks information as to identity types supported by the system. The access manager responds to the first query with a list of supported identity types. The supported identity types include at least a hardware device, a role, and a user. The list is retrieved from a global configuration data structure in a global data store. The access manager receives a second query from the user for identities of the hardware devices associated with one of the supported identity types. And the access manager responds to the second query with the identity of a specific hardware device, if the user is permitted to access the specific hardware device according to permissions obtained through the global configuration data structure.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: August 29, 2017
    Assignee: Oracle America, Inc.
    Inventors: Deepa Mahendraker, Aravindan Ranganathan
  • Patent number: 9749498
    Abstract: Content files are isolated in a sandbox as a content isolation environment formed by a secondary user account. Printing is controlled by an agent via a staging file of a secure file type. The agent intercepts print requests (e.g. print start requests and print end requests) in a printing sub-system of an operating system in order to coordinate and securely control printing of the untrusted content file via the intermediate staging file.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: August 29, 2017
    Assignee: AVECTO LIMITED
    Inventors: Mark James Austin, John Goodridge
  • Patent number: 9729332
    Abstract: An authentication system according to the present disclosure includes a first controller connected to a first server via a first network, a second controller connected to a second server via a second network, and a device. The device compares a next issue date described in a first certificate revocation list acquired from the first controller and an issue date described in a second certificate revocation list acquired from the second controller thereby determining whether the first controller is invalid or not.
    Type: Grant
    Filed: June 1, 2015
    Date of Patent: August 8, 2017
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Yuji Unagami, Motoji Ohmori, Natsume Matsuzaki, Hideki Matsushima, Tomoyuki Haga, Manabu Maeda, Yoshihiro Ujiie