Policy Patents (Class 726/1)
  • Patent number: 11068615
    Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: July 20, 2021
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11070593
    Abstract: In particular embodiments, a Cross-Border Visualization Generation System is configured to: (1) identify one or more data assets associated with a particular entity; (2) analyze the one or more data assets to identify one or more data elements stored in the identified one or more data assets; (3) define a plurality of physical locations and identify, for each of the identified one or more data assets, a respective particular physical location of the plurality of physical locations; (4) analyze the identified one or more data elements to determine one or more data transfers between the one or more data systems in different particular physical locations; (5) determine one or more regulations that relate to the one or more data transfers; and (6) generate a visual representation of the one or more data transfers based at least in part on the one or more regulations.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: July 20, 2021
    Assignee: OneTrust, LLC
    Inventors: Jonathan Blake Brannon, Bryan Patrick Kveen, Dylan D. Patton-Kuhl
  • Patent number: 11061710
    Abstract: Systems, methods, and techniques for securing a state of a guest are provided. An example method includes determining, by a virtual machine function within a guest, a guest central processing unit (CPU) state that is stored in one or more registers of a CPU and associated with the guest. The method also includes encrypting, by the virtual machine function, a first portion of the guest CPU state that is not used to execute a privileged instruction being attempted by the guest. The method further includes sending, by the virtual machine function, one or more requests based on the privileged instruction to a hypervisor. The method also includes, after execution of the privileged instruction is completed, decrypting, by the virtual machine function, the first portion of the guest CPU state.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: July 13, 2021
    Assignee: RED HAT, INC.
    Inventor: Michael Tsirkin
  • Patent number: 11062016
    Abstract: Provided are systems and methods for verifying user credentials for performing a search. In one embodiment, a method can be provided that includes receiving a request to perform a search of machine generated data comprising time stamped events that is associated with a user, determining whether a set of cached user credentials has been updated within a period of time, querying, in response to determining that the credentials for the user have not been updated within the period of time, an identity provider server for a current set of user credentials associated with the user, receiving the current set of user credentials, determining whether the user has privileges to perform the search based at least in part on the set of user credentials, and causing, in response to determining that the user has privileges to perform the search, the search to be performed to identify one or more of the events that are responsive to the search.
    Type: Grant
    Filed: April 24, 2015
    Date of Patent: July 13, 2021
    Assignee: Splunk Inc.
    Inventors: Jagannath Kerai, Rama Gopalan
  • Patent number: 11062044
    Abstract: An access control system for managing and enforcing an attribute based access control (ABAC) policy includes: a minimum ABAC implementation that produces a representation access control list in an ABAC policy system; and a local host system that produces a resource repository access control list in the local host system such that the resource repository access control list is based on the representation access control list.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: July 13, 2021
    Assignee: GOVERNMENT OF THE UNITED STATES OF AMERICA, AS REPRESENTED BY THE SECRETARY OF COMMERCE
    Inventors: David F. Ferraiolo, Gopi Katwala, Serban Gavrila
  • Patent number: 11063954
    Abstract: Methods and systems for a transportation vehicle are provided. One method includes generating a packet by an application executed by a processor of a first seat device of an in-flight entertainment system having a plurality of seat devices on an aircraft; dropping the packet by the seat device when the application is not authorized for Internet communication; dropping the packet by the seat device when the packet is one of a broadcast packet, multicast packet or destined to a second seat device of the in-flight entertainment system; determining that the seat device Internet traffic is below a threshold value; and transmitting the packet to a network device when the application is authorized, and the packet is not a broadcast packet, multicast packet or destined for a second seat device.
    Type: Grant
    Filed: January 11, 2019
    Date of Patent: July 13, 2021
    Assignee: Panasonic Avionics Corporation
    Inventor: Philip Watson
  • Patent number: 11063951
    Abstract: A method is described. The method includes generating an access model that simulates a transformation of existing new technology file system (NTFS) permissions for a plurality of shared folders. The method also includes creating permission groups for the plurality of shared folders based on the access model. The method further includes updating the NTFS permissions of the shared folders based on the access model and permission groups.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: July 13, 2021
    Assignee: Stealthbits Technologies LLC
    Inventors: Sean Bergman, Kyle Michael Enman, Jeffrey Adam Warren
  • Patent number: 11063906
    Abstract: The present invention relates to a method for managing IoT devices by a security fabric. A method for managing IoT devices includes collecting, by an analyzing tier, data of Internet of Things (IoT) devices from a plurality of data sources; abstracting, by the analyzing tier, profiled element baselines (PEBs) of IoT devices from the data, wherein each PEB includes characteristics of IoT devices; retrieving, by an executing tier, the PEBs from the analyzing tier, wherein the executing tier is configured to control network traffic of IoT devices of a private network; generating, by the executing tier, security policies for IoT devices from PEBs of the IoT devices; and controlling, by the executing tier, network traffic of the IoT devices of the private network to comply with the security policies.
    Type: Grant
    Filed: December 31, 2016
    Date of Patent: July 13, 2021
    Assignee: Fortinet, Inc.
    Inventors: John Lunsford Gregory Whittle, Jonathan Q. Nguyen-Duy, Michael Craig Woolfe
  • Patent number: 11063968
    Abstract: Provided are a communication system and method that can block transmission of an abnormal message while allowing transmission and reception of an authorized message. The communication device includes a communication processing unit that sequentially outputs a binary transmission message, a first switch connects a first wire of a bus to a first potential and a second wire to a second potential, an abnormality detection unit detects an abnormality in a message transmitted on the bus, a switching control unit switches, if an abnormality has been detected, the first switch so that the first wire is connected to the first potential and the second wire is connected to the second potential, and a second switch connects the first wire and the second wire via a second resistor. The communication device transmits a message if no abnormality has been detected, and transmits a message if an abnormality has been detected.
    Type: Grant
    Filed: August 24, 2017
    Date of Patent: July 13, 2021
    Assignees: AutoNetworks Technologies, Ltd., Sumitomo Wiring Systems, Ltd., Sumitomo Electric Industries, Ltd.
    Inventor: Masayuki Inoue
  • Patent number: 11063973
    Abstract: Methods and systems for generating a security policy at a gateway are disclosed. A server computer and a gateway can perform a protocol in order to train a security model at a gateway, such that it can detect attack packets and prevent those attack packets from reaching the server computer via the gateway. In a learning phase, the server computer can provide training packets and test packets to the gateway. The gateway can use the training packets to train a security model, and the gateway can classify the test packets using the security model in order to test its accuracy. When the server computer is satisfied with the accuracy of the security policy, the server computer can transmit an acceptance of the security policy to the gateway, which can subsequently deploy the model in order to detect and filter attack packets.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: July 13, 2021
    Assignee: Visa International Service Association
    Inventors: Abhinav Aggarwal, Mahdi Zamani, Mihai Christodorescu
  • Patent number: 11064026
    Abstract: A method for sharing security threat information, performed by an apparatus for sharing security threat information, includes downloading a detection rule from a TAXII server and storing the same in a detection rule and result storage unit; performing detection for a detection target, which includes at least one of an Observed Data object, a file that is not in a STIX format, and a PCAP file, using the detection rule; generating a detection result, which is a result of the detection, using at least one of a Sighting object, a File object, and an Artifact object; and uploading the generated detection result to the TAXII server in order to share security threat information including the detection result.
    Type: Grant
    Filed: March 12, 2019
    Date of Patent: July 13, 2021
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Byeongho Kang, Cheolho Lee
  • Patent number: 11064357
    Abstract: Embodiments of the present invention relate to a method and an apparatus for managing an embedded universal integrated circuit card eUICC. The eUICC is installed in a terminal, a profile is installed in the eUICC, the profile is locked according to a policy rule, and the method includes: determining, by the terminal, identifier information and verification information of the profile that needs to be unlocked, where the identifier information of the profile is used to identify the profile installed in the terminal; and sending, by the terminal, a first unlock message to the eUICC, where the first unlock message carries the identifier information and the verification information of the profile, and the first unlock message is used to instruct the eUICC to determine the profile, and unlock the profile according to the policy rule after verification performed according to the verification information succeeds.
    Type: Grant
    Filed: October 20, 2016
    Date of Patent: July 13, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Shunan Fan, Shuiping Long
  • Patent number: 11063944
    Abstract: Provided is a process that affords out-of-band authentication based on a secure channel to a trusted execution environment on a client device. The authentication process includes one or more authentication steps in addition to verifying any credentials provided by a client device. A notification may be transmitted by a server to a device other than the client device attempting to access the asset. That device may be a mobile device with a trusted execution environment storing user credential information, and the server may store representations of those credentials. The mobile device collects user input credentials and transmits representations for matching the previously stored representations and signed data for verification by the server that received data originated from the mobile device. The access attempt by the client is granted based in part on the result of authenticating the data received from the mobile device in a response to the notification.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: July 13, 2021
    Assignee: HYPR CORP.
    Inventors: George Avetisov, Bojan Simic, Roman Kadinsky
  • Patent number: 11057346
    Abstract: The present invention relates to a method for managing IoT devices by a security fabric. According to one embodiment, an analyzing tier collects data of Internet of Things (IoT) devices from a plurality of data sources and abstracts profiled element baselines (PEBs) of IoT devices of the same type from the data. An executing tier retrieves the PEBs from the analyzing tier and generates security policies for IoT devices of the same type from PEBs. The executing tier controls network traffic of the IoT devices of the private network to comply with the security policies.
    Type: Grant
    Filed: December 31, 2016
    Date of Patent: July 6, 2021
    Assignee: Fortinet, Inc.
    Inventors: Michael Craig Woolfe, Jonathan Q. Nguyen-Duy, John Lunsford Gregory Whittle
  • Patent number: 11057775
    Abstract: This application provides a key configuration method. A session management network element receives a request for end-to-end communication and obtains a security policy, where the security policy is determined based on at least one of: a user security requirement that is of the user equipment and that is preconfigured on a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from a carrier network, and a security requirement of a device on the other end of the end-to-end communication. The session management network element obtains a protection key used for protecting the end-to-end communication. The session management network element sends the security policy to the devices on two ends of the end-to-end communication.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: July 6, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Bo Zhang, Rong Wu, Lu Gan
  • Patent number: 11057344
    Abstract: The present invention relates to methods, systems and a non-transitory computer-readable storage medium for managing IoT devices by a security fabric. According to one embodiment, an analyzing tier collects data of Internet of Things (IoT) devices from a plurality of data sources and abstracts profiled element baselines (PEBs) of IoT devices of the same type from the data. An executing tier retrieves the PEBs from the analyzing tier and generates security policies for IoT devices of the same type from PEBs. The executing tier controls network traffic of the IoT devices of the private network to comply with the security policies.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: July 6, 2021
    Assignee: Fortinet, Inc.
    Inventors: John Lunsford Gregory Whittle, Jonathan Q. Nguyen-Duy, Michael Craig Woolfe
  • Patent number: 11057393
    Abstract: Systems and methods for identity and access management are provided in a service mesh that includes a plurality of interconnected microservices. Each microservice is associated with a microgateway sidecar. The associated microgateway sidecar may intercept a request for the associated microservice sent over a communication network from a user device. Such request may include data regarding a context of the request. A token associated with the request may be enriched based on the context data and sent to at least one other microservice. A database of security policies for each of the microservices may be maintained. An authentication engine may generate a risk profile for the request based on the context data of the request and one or more of the security policies in the database. One or more of a plurality of available security workflows may be selected based on the risk profile.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: July 6, 2021
    Assignee: Cloudentity, Inc.
    Inventor: Nathanael Coffing
  • Patent number: 11057349
    Abstract: Method and system embodiments for providing a cloud-based multi-function firewall are described. A method includes retrieving device information associated with a network-enabled device. The device information is transmitted to a secure cloud for configuring a virtual private network (VPN) connection between the secure cloud and the network-enabled device. Cloud information specifying a cloud server in the secure cloud is received from the secure cloud. The secure cloud generates the cloud information based on the device information. Domain name service and routing functions are updated to forward network requests to the cloud server specified in the cloud information. The VPN connection to the secure cloud is established based on the cloud information such that network traffic to and from the network-enabled device is routed through the VPN connection to the cloud-based multi-function firewall implemented on the cloud server.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: July 6, 2021
    Assignee: Todyl, Inc.
    Inventor: John Nellen
  • Patent number: 11055690
    Abstract: A system, including: a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations including: receiving a transaction request from an endpoint device on a network, wherein the endpoint device is registered with a transaction service provider; locating, based on the transaction request, an authorization token corresponding to a payment mechanism, wherein the authorization token is stored to a memory device of the router; in response to receiving the transaction request, transmitting the authorization token to the transaction service provider to retrieve transaction information from the transaction service provider, wherein the transaction information includes payment data for a user of the endpoint device; and transmitting the transaction information to the upstream network location, wherein the upstream network location includes a merchant server.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: July 6, 2021
    Assignee: PAYPAL, INC.
    Inventor: Frank Anthony Nuzzi
  • Patent number: 11057407
    Abstract: Detecting malware attacks is described herein. A computer-implemented method may include receiving, via a processor, events from a plurality of activity monitors. The method also includes extracting, via the processor, a plurality of behavioral features from the received events. The method may further include detecting, via the processor, a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data using a machine learning technique, wherein the private data includes private enterprise attack findings. The method may also include executing, via the processor, an ad hoc protection improvement based on the detected malware attack.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: July 6, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Shlomit Avrahami, Tali Finelt, Itai Gordon, Yakir Keisar, Ilan Prager, Alexander Pyasik, Oded Sofer, Or Bar-Yaacov, Yifat Yulevich
  • Patent number: 11057414
    Abstract: Implementations described and claimed herein provide systems, methods and computer-readable media with instructions for detecting anomalies in computer network traffic online, real-time, historical, forensic, and/or playback mode. The implementations can include monitoring network traffic metadata, parsing the metadata, constructing a multi-partite graph of nodes and edges based on a long-term incremental signal transformation or a short-term concurrent snapshot, and generating streaming analytics based on the multi-partite graph representing a likelihood that network traffic associated with a specified network component is infected with malware.
    Type: Grant
    Filed: August 5, 2020
    Date of Patent: July 6, 2021
    Assignee: Bridgery Technologies, LLC
    Inventors: Edward J Giorgio, Clifford C Cocks, O Patrick Kreidl, Jeffrey S Prisner, Alan G Richter, Richard A Wisniewski
  • Patent number: 11057453
    Abstract: In one implementation, a non-transitory machine-readable storage medium may store instructions that upon execution cause a processor to: receive a request for a webpage from a client device; in response to the received request, provide the webpage to a browser of the client device, the provided webpage including at least one event listener to detect a user change in the browser; receive a lock request from the at least one event listener on the client device; and in response to the received lock request, lock a session of the webpage on the client device.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: July 6, 2021
    Assignee: NETIQ CORPORATION
    Inventor: Umar Ashraf
  • Patent number: 11050715
    Abstract: A content filtering system and method includes receiving in a network device in a network from a user device, a user selected set of rules identifying a set of URLs to be blocked. The set of rules are loaded into the network device. The network device receives from the user device a request to access a specified URL. A determination is made at the network device whether the specified URL is in the user selected set of rules. If the specified URL is in the user selected set of rules, then the specified URL is blocked.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: June 29, 2021
    Assignees: AT&T Intellectual Property I, L.P., AT&T Mobility II LLC
    Inventors: Mark Austin, Shahab Azmoudeh, Joseph Dorsey, Victor Nilson, Christopher Sambar, Jerald Weber
  • Patent number: 11050613
    Abstract: A method for generating a configuration file for configuring an information technology infrastructure is provided. The method may include receiving, from a first user at a first client, a first indication to publish an infrastructure module comprising a set of configurations to apply to an information technology infrastructure. The infrastructure module may be stored in a module registry in response to the first indication. A second indication selecting the infrastructure module may be received from a second user at a second client. In response to the second indication, the infrastructure module may be sent from the module registry to the second client for insertion into a configuration file being created at the second client. The insertion of the infrastructure module may incorporate, into the configuration file, the set of configurations to apply to the information technology infrastructure. Related systems and articles of manufacture, including computer program products, are also provided.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: June 29, 2021
    Assignee: HASHICORP
    Inventors: Mitchell Hashimoto, Armon Dadgar, Paul Hinze
  • Patent number: 11048611
    Abstract: A method, system and computer-usable medium for collecting and scanning data (i.e., web POST data) before the data is sent. A POST request is sent from a client device to a server. The request is made through a web browser running a script language listing. The script language listing is paused while the data is held and scanned. A determination is made to allow or block the data before the data is sent through the POST request.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: June 29, 2021
    Assignee: Forcepoint, LLC
    Inventor: Peidong Chen
  • Patent number: 11048754
    Abstract: Provided are a computer program product, system, and method to determine whether to perform entity resolution on vertices in an entity graph. A determination is made of pairs of records in a database having a relationship value satisfying a threshold. An entity relationship graph has a vertex for each of the records of the pairs and an edge between two vertices. Each vertex has a self-information score based on content in the record, an initial unique entity identifier, and an entity information score. For each subject vertex of the vertices, a determination is made of a target vertex directly connected to the subject vertex that has a highest entity information score and whether to set the subject vertex entity identifier and entity information score to the entity identifier and entity information score of the target vertex based on the target vertex self-information score.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: June 29, 2021
    Assignee: International Business Machines Corporation
    Inventors: Craig W. Muchinsky, Scott Schumacher, Edward B. Thorne
  • Patent number: 11050829
    Abstract: The disclosure relates to sharing of information regarding a conditional action in an electronic device. The device includes a communication module for processing a signal for communication with other devices, and a processor. Herein, the at least one processor receives a ruleset including information regarding at least one conditional action from another electronic device via the communication module, and executes the ruleset. The ruleset may include at least one ruleset of which a permission for at least one of reading, modification, and deletion is limited.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: June 29, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Gun Park, Wonsuck Lee, Aeyoung Lee, Jungki Hong
  • Patent number: 11050749
    Abstract: There are provided systems and methods for a credential storage manager for protecting credential security during delegated account use. A first user that controls the account may delegate usage of the account to a second user through a credential manager of a transaction process that manages sensitive authentication information and delegates account usage. The credential manager may automatically fill authentication information for use of the account by the second user. A device fingerprint of a device of the second user may be used to provide risk prevention and access the account. The credential manager may prevent revealing of the credentials and navigation to sensitive data or processes with the account. Two-factor authentication may be performed by receiving a code in a message received by a device of the first user, scraping the code from the message, and entering the code to a device of the second user.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: June 29, 2021
    Assignee: PAYPAL, INC.
    Inventors: Yona Ju, Fun-Chen Jou
  • Patent number: 11050625
    Abstract: A method for generating a configuration file for configuring an information technology infrastructure is provided. The method may include receiving, from a first user at a first client, a first indication to publish an infrastructure module comprising a set of configurations to apply to an information technology infrastructure. The infrastructure module may be stored in a module registry in response to the first indication. A second indication selecting the infrastructure module may be received from a second user at a second client. In response to the second indication, the infrastructure module may be sent from the module registry to the second client for insertion into a configuration file being created at the second client. The insertion of the infrastructure module may incorporate, into the configuration file, the set of configurations to apply to the information technology infrastructure. Related systems and articles of manufacture, including computer program products, are also provided.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: June 29, 2021
    Assignee: HASHICORP
    Inventors: Mitchell Hashimoto, Armon Dadgar, Paul Hinze
  • Patent number: 11044273
    Abstract: Systems, methods, and computer-readable media for configuring and verifying compliance requirements in a network.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: June 22, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Advait Dixit, Navneet Yadav, Navjyoti Sharma, Ramana Rao Kompella, Kartik Mohanram
  • Patent number: 11042397
    Abstract: Some embodiments of the invention provide a method for migrating a machine on a first host computer to a second host computer. At the first host computer, the method gathers a set of service insertion data used by a first service insertion module executing on the first host computer to identify a particular chain of multiple services that a set of multiple service nodes have to perform on a particular data message flow associated with the machine. To the second host computer, the method sends a set of machine configuration data and the set of service insertion data. The second host computer (1) uses the machine configuration data to deploy the machine on the second host computer and (2) uses the gathered set of service insertion data to configure a second service insertion module executing on the second host computer to identify the particular chain of two or more services.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: June 22, 2021
    Assignee: VMWARE, INC.
    Inventors: Rahul Mishra, Camille Lecuyer, Saahil Gokhale, Rajeev Nair, Anuprem Chalvadi, Yang Ping, Kantesh Mundaragi, Pierluigi Rolando, Jayant Jain, Raju Koganty
  • Patent number: 11038892
    Abstract: Disclosed are various examples for dynamically generating restriction profiles for updated software platforms. A management system can determine that updated restrictions and/or settings are included in an updated or new version of a definition file. The updated settings are identified and categorized according to risk for a given enterprise group without administrator input. An updated restriction profile can be generated according to the updated settings and distributed to managed devices.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: June 15, 2021
    Assignee: VMware, Inc.
    Inventor: Bahram Ali Zadeh
  • Patent number: 11039005
    Abstract: Disclosed are a location-based operation method, an electronic device, and a recording medium. The electronic device may include a memory storing instructions; and a processor configured to execute the instructions to: identify a first location of the electronic device based on first communication information; obtain, based on the identified first location being identified as being included in a second location area that is adjacent to and includes a first location area, second communication information; identify a second location of the electronic device based on at least a part of the obtained second communication information; and change a locked state of the electronic device to an unlocked state, based on the second location of the electronic device being identified as being included in the first location area.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: June 15, 2021
    Assignees: SAMSUNG ELECTRONICS CO., LTD., RESEARCH & BUSINESS FOUNDATION SUNGKYUNKWAN UNIVERSITY
    Inventors: Junho Huh, Ilyoup Kwak, Hyoungshick Kim, Woojin Park
  • Patent number: 11038908
    Abstract: The invention relates to digital cloud forensics. An embodiment of the present invention applies collection processes and tools to cloud infrastructure as a service to provide a more efficient and faithful representation of evidence. An embodiment of the present invention applies innovative concepts to retrospectively investigate ephemeral instances which may have long since terminated. This innovative process provides organizations a strategy to provide forensic investigations within either a public or private cloud environment.
    Type: Grant
    Filed: August 3, 2018
    Date of Patent: June 15, 2021
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Michael P. Vega, James Regan, Matteo Michelini, Jean-Francois Legault
  • Patent number: 11036538
    Abstract: Some embodiments provide a method for migrating a service machine between two hosts. The method configures a first host (1) to gather service machine data associated with the service machine executing on the first host and (2) to send the gathered service machine data to the second host. Each host executes a software forwarding element to implement a distributed forwarding element (DFE) that implements a dedicated service forwarding plane that forwards data messages associated with guest machines to the service machines. The method configures the second host to use the received service machine data to deploy the service machine on the second host and to connect the deployed service machine to the DFE. The method configures the DFE to forward data messages associated with a guest machine executing on a third host, and addressed to the service machine, to the second host instead of the first host.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: June 15, 2021
    Assignee: VMWARE, INC.
    Inventors: Camille Lecuyer, Saahil Gokhale, Rajeev Nair, Anuprem Chalvadi, Yang Ping, Kantesh Mundaragi, Rahul Mishra, Pierluigi Rolando, Jayant Jain, Raju Koganty
  • Patent number: 11036864
    Abstract: Methods, systems, and computer program products are included for authenticating computing devices. An exemplary method includes associating a security key with an operating system of a first computing device, wherein the security key is generated from a serial number corresponding to the first computing device. A token corresponding to the security key is sent to a second computing device. The token is accessed by the second computing device to authenticate the first computing device. An authenticated session is established between the first computing device and the second computing device. Within the authenticated session, a connection is provided between the first computing device and the second computing device.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: June 15, 2021
    Assignee: PAYPAL, INC.
    Inventor: Srini Rangaraj
  • Patent number: 11032246
    Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. One of these service engines is a firewall engine. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines.
    Type: Grant
    Filed: December 10, 2017
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventors: Laxmikant Vithal Gunda, Arnold Poon, Jayant Jain, Aditi Vutukuri
  • Patent number: 11030578
    Abstract: Methods and systems may provide for identifying a first set of recipients associated with an away status. Additionally, the first set of recipients may be removed from a second set of recipients associated with a bulk communications campaign to obtain a third set of recipients, wherein a first message may be sent to the third set of recipients. It may be determined that the away status has ceased for one or more of the first set of recipients, wherein a second message may be sent to the one or more of the first set of recipients for which the away status has ceased. The second message may reference the away status. Methods and systems may also provide for a brokering system to enable the transfer of away status information between different collectors of away status information and senders of messages.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: June 8, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Kenneth L. Robbins
  • Patent number: 11030295
    Abstract: Methods, systems, and computer-readable storage media for receiving, by an intermediate system from a web browser, a request to access a target system, in response to the request, transmitting, by the intermediate system, a request for a reentrance ticket to a target system, the request for a reentrance ticket including user credentials, and transmitting, by the intermediate system, the reentrance ticket to the web browser, the web browser transmitting a request for a security session to the target system, and executing one or more calls to the target system during the security session.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: June 8, 2021
    Assignee: SAP SE
    Inventors: Joshu Madina, Appalaswamy Yalamanchily, Wolfgang Janzen, Ralf Scheurer, Badari Nath J, Sarma Adithe
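    The three-party exchange in the abstract above (browser asks the intermediate system for access, the intermediate obtains a reentrance ticket from the target with the user's credentials, the browser redeems that ticket for a security session and then calls the target), as an added example in Python. This is not SAP code: the ticket being an HMAC-signed, short-lived, single-use claim set, the 60-second TTL, the class names and the browser handing its credentials to the intermediate are all illustrative assumptions, not details taken from the patent.

```python
"""Reentrance-ticket flow between browser, intermediate and target system.

Added example, not SAP code. Assumptions: the browser hands its user
credentials to the intermediate system; the target issues a ticket that
is an HMAC-signed, short-lived, single-use claim set; the browser then
redeems the ticket directly with the target for a security session and
makes calls under that session. Ticket format, TTL and the use of HMAC
are illustrative choices, not taken from the patent.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict


class TargetSystem:
    TICKET_TTL_S = 60

    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self._users = users                  # username -> password (constructed demo store;
                                             # a real system stores a password hash)
        self._key = secrets.token_bytes(32)  # ticket-signing key, never leaves the target
        self._redeemed: set = set()          # ticket ids already turned into sessions
        self._sessions: Dict[str, str] = {}  # session id -> username
        self._now = now

    def _mac(self, body: bytes) -> str:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue_reentrance_ticket(self, username: str, password: str) -> str:
        """Called by the intermediate system with the user's credentials."""
        expected = self._users.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("invalid credentials")
        body = json.dumps({"sub": username, "iat": self._now(),
                           "jti": secrets.token_hex(8)}).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._mac(body)

    def open_security_session(self, ticket: str) -> str:
        """Called by the browser; validates the ticket and returns a session id."""
        try:
            b64, mac = ticket.split(".", 1)
            body = base64.urlsafe_b64decode(b64)
        except ValueError as exc:                   # includes binascii.Error
            raise PermissionError("malformed ticket") from exc
        if not hmac.compare_digest(mac.encode(), self._mac(body).encode()):
            raise PermissionError("ticket signature mismatch")
        claims = json.loads(body)
        if self._now() - claims["iat"] > self.TICKET_TTL_S:
            raise PermissionError("ticket expired")
        if claims["jti"] in self._redeemed:
            raise PermissionError("ticket already redeemed")
        self._redeemed.add(claims["jti"])           # single use
        sid = secrets.token_hex(16)
        self._sessions[sid] = claims["sub"]
        return sid

    def call(self, session_id: str, operation: str) -> str:
        """A call executed during the security session."""
        user = self._sessions.get(session_id)
        if user is None:
            raise PermissionError("no security session")
        return f"{operation} executed as {user}"


class IntermediateSystem:
    def __init__(self, target: TargetSystem):
        self._target = target

    def request_access(self, username: str, password: str) -> str:
        # Forward the credentials to the target and relay the ticket back unchanged.
        return self._target.issue_reentrance_ticket(username, password)


class Browser:
    def __init__(self, intermediate: IntermediateSystem, target: TargetSystem):
        self._intermediate = intermediate
        self._target = target

    def access(self, username: str, password: str) -> str:
        ticket = self._intermediate.request_access(username, password)  # via intermediate
        return self._target.open_security_session(ticket)                 # direct to target
```

The checks a practitioner would want on the ticket are all on the target side: signature before anything else, then expiry, then replay; the intermediate never learns the signing key and cannot mint tickets itself.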
  • Patent number: 11030320
    Abstract: The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: June 8, 2021
    Assignee: WEBROOT INC.
    Inventors: John R. Shaw, II, Andrew L. Sandoval
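    The decision logic sketched in the abstract above (module sensitivity high/medium/low, a trust level for the accessing application and user, a carve-out for legitimate loads, an action chosen from the resulting suspicion), as an added example in Python run over a few constructed module-load events. This is not Webroot's code: the module and process names, the numeric weights, the choice to use the weaker of application and user trust, and the block/alert/log/allow action ladder are assumptions.

```python
"""Sensitive-module access policy (added example, not Webroot code).

Each module carries a sensitivity (how likely it is to be used in an
exploit: high/medium/low); each loading application and each user carries
a trust level. The weaker of the two trust levels is used, because the
least-trusted party controls the load. A short list of known-legitimate
(process, module) pairs covers modules that have benign reasons to load.
All names, tables and weights below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SENSITIVITY = {"high": 3, "medium": 2, "low": 1}
TRUST = {"high": 2, "medium": 1, "low": 0}

MODULE_SENSITIVITY: Dict[str, str] = {      # constructed names
    "exploit_prone.dll": "high",
    "script_host.dll": "medium",
    "ui_widgets.dll": "low",
}
APP_TRUST: Dict[str, str] = {
    "vendor_signed.exe": "high",
    "office_suite.exe": "medium",
    "unknown_tool.exe": "low",
}
USER_TRUST: Dict[str, str] = {"svc_admin": "high", "alice": "medium", "guest": "low"}
LEGITIMATE_LOADS: Set[Tuple[str, str]] = {("office_suite.exe", "script_host.dll")}


@dataclass(frozen=True)
class LoadEvent:
    process: str
    user: str
    module: str


def suspicion(event: LoadEvent) -> int:
    """0 = benign ... 3 = highly suspicious.

    Unknown modules default to low sensitivity; unknown applications and
    users default to low trust (the conservative side for trust).
    """
    sens = SENSITIVITY[MODULE_SENSITIVITY.get(event.module, "low")]
    trust = min(TRUST[APP_TRUST.get(event.process, "low")],
                TRUST[USER_TRUST.get(event.user, "low")])
    return max(sens - trust, 0)


def decide(event: LoadEvent) -> str:
    """Map an event to a remediation or preventive action."""
    if (event.process, event.module) in LEGITIMATE_LOADS:
        return "allow"                      # known benign reason to load
    score = suspicion(event)
    return {3: "block", 2: "alert", 1: "log"}.get(score, "allow")


def triage(events: List[LoadEvent]) -> Dict[str, List[LoadEvent]]:
    """Group a batch of load events by the decided action."""
    out: Dict[str, List[LoadEvent]] = {}
    for e in events:
        out.setdefault(decide(e), []).append(e)
    return out


if __name__ == "__main__":
    batch = [LoadEvent("unknown_tool.exe", "guest", "exploit_prone.dll"),
             LoadEvent("vendor_signed.exe", "svc_admin", "exploit_prone.dll"),
             LoadEvent("office_suite.exe", "alice", "script_host.dll")]
    for action, evs in triage(batch).items():
        print(action, [e.process for e in evs])
```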
  • Patent number: 11025414
    Abstract: Embodiments of the present invention disclose a key exchange method and apparatus. A network device acquires a first key, and sends a message including the first key to a second user equipment, so that the second user equipment uses, when communicating with a first user equipment by using a D2D link, the first key to protect transmitted information.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: June 1, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Dongmei Zhang, Jing Chen
  • Patent number: 11023611
    Abstract: Systems, methods, and non-transitory computer-readable media can identify a post to be published via a social networking system. A privacy schedule for modifying a privacy setting associated with the post can be determined. A trigger to modify the privacy setting associated with the post can be detected. The privacy setting can be modified based on the privacy schedule when the trigger is detected.
    Type: Grant
    Filed: September 21, 2017
    Date of Patent: June 1, 2021
    Assignee: Facebook, Inc.
    Inventor: Yen-Ting Tung
  • Patent number: 11023574
    Abstract: In one implementation, a method for providing security on controllers includes detecting computer-readable code running on a controller, the computer-readable code including code portions that each include instructions to be performed by the controller; identifying a current code portion of the computer-readable code; accessing an in-memory graph that models an operational flow of the computer-readable code, wherein the in-memory graph includes a plurality of nodes, each of the nodes corresponding to one of the code portions and each of the nodes having a risk value for the associated code portion that is a measure of security risk for the associated code portion; identifying the risk value for the current code portion; selecting, from a plurality of available flow control integrity (IMV) schemes, an IMV scheme based on the identified risk value; and applying, to the code portion as the code portion is running on the controller, the selected IMV scheme.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: June 1, 2021
    Assignee: Karamba Security Ltd.
    Inventors: Assaf Harel, Amiram Dotan, Tal Efraim Ben David, David Barzilai
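    The mechanism in the abstract above (an in-memory graph with one node per code portion, each node carrying a risk value; the control-flow check applied to a portion chosen from several schemes by that risk), as an added example in Python that replays constructed call/return traces over a tiny graph. This is not Karamba's code: the three scheme names, the risk thresholds, the sample firmware graph and the shadow-stack implementation of the return check are assumptions.

```python
"""Risk-driven selection of control-flow checks (added example, not
Karamba's code). An in-memory graph holds one node per code portion with
its risk value and its allowed call targets. The scheme applied while a
portion runs depends on its risk:
  none : no check (cheap, for low-risk portions)
  edge : forward-edge check, the call target must be an allowed successor
  full : forward-edge check plus a shadow-stack check on return
Thresholds, scheme names and the sample graph are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SCHEME_THRESHOLDS: List[Tuple[float, str]] = [(0.7, "full"), (0.3, "edge"), (0.0, "none")]


def select_scheme(risk: float) -> str:
    for threshold, name in SCHEME_THRESHOLDS:   # ordered, highest threshold first
        if risk >= threshold:
            return name
    return "none"


@dataclass
class Node:
    risk: float
    calls: Set[str] = field(default_factory=set)   # allowed forward edges


@dataclass
class FlowMonitor:
    graph: Dict[str, Node]
    shadow: List[str] = field(default_factory=list)     # expected return targets
    violations: List[str] = field(default_factory=list)

    def call(self, src: str, dst: str) -> None:
        scheme = select_scheme(self.graph[src].risk)     # scheme of the running portion
        if scheme in ("edge", "full") and dst not in self.graph[src].calls:
            self.violations.append(f"{scheme}: {src} -> {dst} not an allowed edge")
        self.shadow.append(src)   # bookkeeping is always done; enforcement is not

    def ret(self, frm: str, to: str) -> None:
        expected = self.shadow.pop() if self.shadow else None
        if select_scheme(self.graph[frm].risk) == "full" and to != expected:
            self.violations.append(f"full: return from {frm} to {to}, expected {expected}")


SAMPLE_GRAPH: Dict[str, Node] = {   # constructed: a tiny controller firmware
    "main":        Node(0.1, {"parse_input", "log"}),
    "parse_input": Node(0.9, {"decode"}),   # handles untrusted bus data: high risk
    "decode":      Node(0.5, set()),
    "log":         Node(0.1, set()),
}


def run_trace(trace: List[Tuple[str, str, str]]) -> List[str]:
    """Replay (op, a, b) events over the sample graph; returns the violations."""
    mon = FlowMonitor(SAMPLE_GRAPH)
    for op, a, b in trace:
        if op == "call":
            mon.call(a, b)
        else:
            mon.ret(a, b)
    return mon.violations


if __name__ == "__main__":
    print(run_trace([("call", "main", "parse_input"), ("call", "parse_input", "log")]))
```

The trade-off the risk value buys is visible in the last test below: a call out of the low-risk "main" portion to a target that is not an allowed edge is not checked at all, because "main" runs under the "none" scheme; the same edge out of "parse_input" would be caught.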
  • Patent number: 11025661
    Abstract: One embodiment provides a method for facilitating security in a system of networked components. During operation, the system constructs a configuration graph that stores a first set of relationships between configuration parameters within a component and a second set of relationships between configuration parameters across different components. A relationship corresponds to a constraint and is indicated by one or more of: a range for a configuration parameter; and a conjunction or a disjunction of logical relationships between two or more configuration parameters. The system generates a set of candidate configuration parameter values that satisfy the constraints of the relationships in the configuration graph. The system selects, from the set of candidate configuration parameter values, a first set of configuration parameter values that optimizes a security objective function.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: June 1, 2021
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Hamed Soroush, Shantanu Rane
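    The procedure in the abstract above (a configuration graph of parameters with range constraints and conjunctive/disjunctive relations within and across components; candidate values that satisfy all constraints; the candidate that maximizes a security objective), as an added example in Python. This is not PARC's code: the components, parameters, constraints, the brute-force enumeration (a real system would use a solver) and the scoring weights are constructed for illustration.

```python
"""Constraint-guided selection of secure configuration values (added
example, not PARC's code). Parameters of several components are nodes;
a constraint is either a range on one parameter or a logical relation
(conjunction/disjunction) over several, which may span components.
Candidates are enumerated by brute force over the small domains here;
a real system would hand the same graph to a SAT/SMT solver. The
components, parameters, constraints and scoring are constructed.
"""
import itertools
from typing import Any, Callable, Dict, Iterator, List, Sequence, Tuple

Assignment = Dict[str, Any]


class ConfigGraph:
    def __init__(self) -> None:
        self.domains: Dict[str, Sequence[Any]] = {}
        self.constraints: List[Tuple[Tuple[str, ...], Callable[..., bool]]] = []

    def parameter(self, name: str, domain: Sequence[Any]) -> None:
        self.domains[name] = list(domain)

    def constrain(self, params: Sequence[str], predicate: Callable[..., bool]) -> None:
        """Relationship edge over `params`: intra-component when they share a
        component prefix, cross-component otherwise."""
        self.constraints.append((tuple(params), predicate))

    def candidates(self) -> Iterator[Assignment]:
        """Every assignment satisfying all constraints (brute force)."""
        names = list(self.domains)
        for values in itertools.product(*(self.domains[n] for n in names)):
            a = dict(zip(names, values))
            if all(pred(*(a[p] for p in ps)) for ps, pred in self.constraints):
                yield a

    def best(self, objective: Callable[[Assignment], float]) -> Assignment:
        return max(self.candidates(), key=objective)


def build_sample_graph() -> ConfigGraph:
    g = ConfigGraph()
    tls = [10, 11, 12, 13]                      # TLS 1.0 .. 1.3 as integers
    g.parameter("web.tls_min", tls)
    g.parameter("web.hsts", [0, 1])
    g.parameter("lb.tls_min", tls)
    g.parameter("db.auth", ["password", "mtls"])
    g.parameter("db.tls", [0, 1])
    # intra-component, disjunction: HSTS only together with TLS >= 1.2
    g.constrain(["web.hsts", "web.tls_min"], lambda h, t: h == 0 or t >= 12)
    # cross-component: the load balancer must not demand more than the web tier offers
    g.constrain(["lb.tls_min", "web.tls_min"], lambda lb, web: lb <= web)
    # range: legacy clients behind the LB cannot speak TLS 1.3
    g.constrain(["lb.tls_min"], lambda lb: lb <= 12)
    # intra-component: mutual-TLS auth requires the DB listener to use TLS
    g.constrain(["db.auth", "db.tls"], lambda auth, t: auth != "mtls" or t == 1)
    return g


def security_score(a: Assignment) -> float:
    """Objective: higher is more secure (weights are illustrative)."""
    return (a["web.tls_min"] + a["lb.tls_min"] + 3 * a["web.hsts"]
            + (5 if a["db.auth"] == "mtls" else 0) + 4 * a["db.tls"])


if __name__ == "__main__":
    graph = build_sample_graph()
    print(len(list(graph.candidates())), "feasible configurations")
    print(graph.best(security_score))
```

Note how the range constraint on the load balancer caps its TLS floor at 1.2 even though 1.3 would score higher: the objective is only ever evaluated on candidates that already satisfy every edge of the graph.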
  • Patent number: 11025657
    Abstract: A method by a security analysis server to generate a traffic monitoring rule. The method includes receiving, from a database agent because of a current configuration of the database agent, counts of an amount of traffic sent over a first set of one or more of the database connections being monitored by the database agent and generating a traffic monitoring rule that indicates database connections for which the database agent is to send counts of an amount of traffic, rather than all the traffic, sent over those database connections to the security analysis server because those database connections have been determined by the security analysis server to be of an application database connection type based on an analysis by the security analysis server of the counts. The method further includes applying the traffic monitoring rule by sending instructions to the database agent to alter the current configuration.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: June 1, 2021
    Assignee: Imperva, Inc.
    Inventors: Ehud Eshet, Ophir Bleiberg
  • Patent number: 11022949
    Abstract: A system for virtual patching of security vulnerabilities in an industrial production environment includes an industrial automation device (e.g., a PLC). The industrial automation device comprises an instance of a distributed database spanning a plurality of industrial automation devices and storing one or more virtual patches and an app container comprising a virtual patching engine security application. The app container is configured to collect system information generated by the industrial automation device during operation, and apply the one or more virtual patches to the system information to identify one or more security attacks.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: June 1, 2021
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Dong Wei, Leandro Pfleger de Aguiar
  • Patent number: 11023942
    Abstract: A computer implemented method includes receiving anonymous entity information from a client device via a network. The anonymous entity information is used to register a user associated with the client device. User supplied anonymous information about the user is received from the network. Sensor signals from the client device are collected from the network. The user supplied anonymous information is combined with the sensor signals to produce an anonymized data package for the user. The anonymized data package is made accessible to vendor machines via the network. Transaction offers from the vendor machines are collected from the network. The transaction offers are supplied to the user device via the network. A selected transaction offer is received from the user device via the network. Network communication between the user device and a vendor machine associated with the selected transaction offer is coordinated.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: June 1, 2021
    Assignee: LaVid Technologies Inc.
    Inventors: Jesse D. Johnson, John Michael Brannigan
  • Patent number: 11019077
    Abstract: Techniques for providing multi-access distributed edge security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) are disclosed. In some embodiments, a system/process/computer program product for multi-access distributed edge security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting subscription and/or equipment identifier information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information.
    Type: Grant
    Filed: December 22, 2019
    Date of Patent: May 25, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11017086
    Abstract: A security agent for a host computing device may be implemented with multiple levels of indirection from an operating system (OS) kernel of the computing device in order to facilitate software upgrades for the security agent. An unserviceable kernel-mode component of the security agent may directly interface with the OS kernel and hook into a function (e.g., a security callback function) of the OS kernel in a first level of indirection, while a serviceable kernel-mode component of the security agent, which is upgradable, may indirectly interface with the OS kernel via the unserviceable kernel-mode component in a second level of indirection. The serviceable kernel-mode component may be configured to process events, and/or data related thereto, received from the OS kernel via the unserviceable kernel-mode component in order to monitor activity on the computing device for malware attacks.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: May 25, 2021
    Assignee: CrowdStrike, Inc.
    Inventors: Cat S. Zimmermann, Steven King
  • Patent number: 11017107
    Abstract: A security assessment system of a computing resource service provider performs security analyses of virtual resource instances, such as virtual machine instances and virtual data store instances, to verify that certain invariable security requirements are satisfied by the instances' corresponding configurations; these analyses are performed before the instances are provisioned and deployed. If the security checks, which can be selected by the administrator of the resources, fail, the requested resources are denied deployment. Notifications identifying the faulty configuration(s) may be sent to the administrative user. A template for launching virtual resource instances may be transformed into an optimized template for performing the pre-deployment security checks, such as by storing information needed to perform the checks within the optimized template itself.
    Type: Grant
    Filed: March 6, 2018
    Date of Patent: May 25, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Neha Rungta, Pauline Virginie Bolignano, Catherine Dodge, Carsten Varming, John Cook, Rajesh Viswanathan, Daryl Stephen Cooke, Santosh Kalyankrishnan
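    The pre-deployment gate in the abstract above (administrator-selected invariants checked against a launch template before anything is provisioned, with the list of checks carried in the template itself), as an added example in Python over two constructed CloudFormation-style templates. This is not Amazon's code and not how the AWS service does it: the resource types and property names follow CloudFormation, but the Metadata/SecurityChecks key, the three check names and the templates are assumptions for illustration.

```python
"""Pre-deployment security checks on a launch template (added example,
not Amazon's code). A CloudFormation-style template is parsed, the checks
the administrator enabled are read from the template's own Metadata
section (the "information needed to perform the checks stored in the
template" idea), each check runs over the resources, and deployment is
denied if any finding remains. The templates are constructed; the
resource/property names follow CloudFormation, the Metadata key and the
check names are assumptions."""
import json
from typing import Any, Callable, Dict, Iterator, List, Tuple

Template = Dict[str, Any]
Finding = str
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _resources(tpl: Template, rtype: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    for logical_id, res in tpl.get("Resources", {}).items():
        if res.get("Type") == rtype:
            yield logical_id, res.get("Properties", {})


def no_public_ssh(tpl: Template) -> List[Finding]:
    """Invariant: no security group admits port 22 (or all ports) from the Internet."""
    out = []
    for lid, props in _resources(tpl, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in PUBLIC_CIDRS:
                continue
            all_ports = str(rule.get("IpProtocol")) == "-1"   # "-1" means every protocol/port
            frm, to = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if all_ports or frm <= 22 <= to:
                out.append(f"{lid}: ingress from {cidr} reaches port 22")
    return out


def buckets_block_public(tpl: Template) -> List[Finding]:
    """Invariant: every S3 bucket sets all four public-access block flags."""
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    out = []
    for lid, props in _resources(tpl, "AWS::S3::Bucket"):
        cfg = props.get("PublicAccessBlockConfiguration", {})
        if not all(cfg.get(f) is True for f in flags):
            out.append(f"{lid}: PublicAccessBlockConfiguration incomplete")
    return out


def rds_not_public(tpl: Template) -> List[Finding]:
    """Invariant: no RDS instance is publicly accessible."""
    return [f"{lid}: PubliclyAccessible is true"
            for lid, props in _resources(tpl, "AWS::RDS::DBInstance")
            if props.get("PubliclyAccessible") is True]


CHECKS: Dict[str, Callable[[Template], List[Finding]]] = {
    "no-public-ssh": no_public_ssh,
    "s3-block-public": buckets_block_public,
    "rds-not-public": rds_not_public,
}


def assess(template_text: str) -> List[Finding]:
    """Run the checks named in Metadata.SecurityChecks (assumed key; default: all)."""
    tpl = json.loads(template_text)
    enabled = tpl.get("Metadata", {}).get("SecurityChecks", list(CHECKS))
    findings = [f"unknown check requested: {n}" for n in enabled if n not in CHECKS]  # fail closed
    for name in enabled:
        if name in CHECKS:
            findings += CHECKS[name](tpl)
    return findings


def may_deploy(template_text: str) -> bool:
    return not assess(template_text)


def _template(ssh_cidr: str, bucket_cfg: Dict[str, bool]) -> str:   # constructed templates
    return json.dumps({
        "Metadata": {"SecurityChecks": ["no-public-ssh", "s3-block-public", "rds-not-public"]},
        "Resources": {
            "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": ssh_cidr}]}},
            "Logs": {"Type": "AWS::S3::Bucket",
                     "Properties": {"PublicAccessBlockConfiguration": bucket_cfg}},
            "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"PubliclyAccessible": False}},
        }})


BAD_TEMPLATE = _template("0.0.0.0/0", {"BlockPublicAcls": True})
GOOD_TEMPLATE = _template("10.0.0.0/8", {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                         "IgnorePublicAcls": True, "RestrictPublicBuckets": True})
```

Two details worth keeping when adapting this: a requested check that the engine does not know is itself a finding (fail closed rather than silently skipping), and the HTTPS rule from 0.0.0.0/0 in the same security group produces no finding, so the gate flags the actual violation rather than every Internet-facing rule.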