46th week of 2015 patent application highlights part 67

| Patent application number | Title | Published |
|---|---|---|
20150326524 | ADDRESS RESOLUTION IN SOFTWARE-DEFINED NETWORKS - Provided is a method of address resolution in a software-defined network. An Address Resolution Protocol (ARP) request message is received on a network device. The Address Resolution Protocol (ARP) request message from the network device is forwarded to an OpenFlow controller. A determination is made whether the OpenFlow controller includes information to identify a Media Access Control (MAC) address corresponding to an IP address of a receiving device from the Address Resolution Protocol (ARP) request message. A response is generated depending on whether the OpenFlow controller includes said information. | 2015-11-12 |
20150326525 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR MANAGING MULTIPLE PERSONAS WITHIN END USER APPLICATIONS - Methods, systems, and computer readable media for managing multiple personas within end user applications are disclosed. According to one method, a first profile definition defining a first persona through which a user accesses at least one social networking, OTT, or other hosted service and at least one trigger condition associated with the activation of the first persona is accessed. The method further includes determining a context for the user. The method further includes determining whether the context for the user satisfies the at least one trigger condition. In response to determining that the context satisfies the at least one trigger condition, the first persona is activated. | 2015-11-12 |
20150326526 | KEEPING A TERMINAL ACCESS LOCATION RECORD ALIVE - A SDN controller may receive a packet from a terminal device and may update an IP/MAC address mapping record and a terminal access location record of the terminal device. The SDN controller may periodically send an ARP request packet and may keep the IP/MAC address mapping record and the terminal access location record of the terminal device alive. The SDN controller may also periodically age the IP/MAC address mapping record and the terminal access location record of the terminal device. | 2015-11-12 |
20150326527 | METHODS OF USING BEACON MESSAGES TO DISCOVER DEVICES ACROSS SUBNETS - A method of discovering a device to be discovered in a communication network having multiple interconnected nodes includes transmitting, by a discoverer, at least one beacon signal including an IP address to the network. The device to be discovered receives the at least one beacon signal. The device to be discovered configures the IP address located in the at least one beacon signal. Additionally, the device to be discovered transmits an advertisement to a server specified by the discoverer. | 2015-11-12 |
20150326528 | Enforcement of Network-Wide Context Aware Policies - A method implemented in an edge router, the method comprising receiving an authentication request from a device, forwarding the authentication request to an authentication and policy server, receiving an authentication response and an indication of a device tag from the authentication and policy server, wherein the device tag is based on a characteristic of the device, a location, a destination, or a user of the device, forwarding the authentication response to the device, receiving a policy associated with the device tag from the authentication and policy server, receiving a packet from the device, embedding the device tag in the packet to form a tagged packet, and executing the policy. | 2015-11-12 |
20150326529 | GATEWAY DEVICE, AND SERVICE PROVIDING SYSTEM - Provided are a control device, system, and method capable of controlling an accessible range of information on an individual external device basis even in the case of a valid access for the information from an external device. An ACL management server is installed to introduce an ACL associating a service provider ID identifying a service provider accessing an ECU mounted on an automobile with an attribute of an ECU that the service provider can access or with an ASIL determined for the ECU, and to manage the ACL safely and in the latest state. Also, a service providing server is installed for providing services for reading and rewriting ECU control information in accordance with a request from a user. A gateway is installed for determining, using the ACL, whether access to the ECU should be granted with respect to access instruction execution information received from the service providing server. | 2015-11-12 |
20150326530 | Firewall Security for Computers with Internet Access and Method - A firewall security platform is provided for enhancing security of a network. The firewall security platform includes at least one interface to communicate the identity and current status of one or more traffic requesters and at least one device for receiving instructions from a user. Communication data packets associated with the one or more traffic requesters are allowed for communication via the network or denied and blocked by the firewall security platform based on the current status of each of the one or more traffic requesters. The user's instructions include making a selection, with the selection including members that are at least one of the one or more traffic requesters. The current status of each member of the selection is altered in response to the making of the selection. | 2015-11-12 |
20150326531 | MECHANISM FOR PROVIDING EXTERNAL ACCESS TO A SECURED NETWORKED VIRTUALIZATION ENVIRONMENT - A method for providing external access into a secured networked virtualization environment, includes performing a leadership election amongst nodes of the secured networked virtualization environment to elect a leader node, assigning a cluster virtual IP address to the leader node and generating a reverse tunnel, using a processor, by the leader node to allow for an external entity to communicate with the secured networked virtualization environment. | 2015-11-12 |
20150326532 | METHODS AND APPARATUS TO PROVIDE A DISTRIBUTED FIREWALL IN A NETWORK - Methods and apparatus to provide a distributed firewall in a network are disclosed. An example method includes identifying, at a control plane, a network traffic rule to implement in a network; determining, at the control plane, a distributed firewall for a first firewall in the network to enforce the network traffic rule; instructing, using the control plane, a first software-defined networking node to instantiate the first firewall of the distributed firewall; configuring a second software-defined networking node to route network traffic through the first firewall; and instructing the first software-defined networking node to enforce the network traffic rule. | 2015-11-12 |
20150326533 | LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES - A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port. | 2015-11-12 |
20150326534 | CONTEXT-AWARE PATTERN MATCHING ACCELERATOR - Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokenized to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations. | 2015-11-12 |
20150326535 | NETWORK PLATFORM-AS-A-SERVICE FOR CREATING AND INSERTING VIRTUAL NETWORK FUNCTIONS INTO A SERVICE PROVIDER NETWORK - One or more devices may receive a service request. The service request may be associated with providing a network service to a service location and may be associated with a service provider network. The one or more devices may create a virtual network function (VNF), associated with providing the network service, based on the service request. The VNF may be created such that the VNF is hosted by the device, and may be configured to provide the network service. The one or more devices may insert the VNF into the service provider network. The VNF may be inserted to interact with a physical device of the service provider network to allow the network service to be provided to the service location. | 2015-11-12 |
20150326536 | SYSTEM AND METHOD FOR EXECUTION OF DEDICATED PERSONAS IN MOBILE TECHNOLOGY PLATFORMS - A method and user terminal for executing an anonymous or limited persona on a mobile technology platform (MTP) are provided. The method includes configuring a persona to be an anonymous persona by hiding at least an activity performed within the persona; executing the anonymous persona in a background operation of the MTP; checking if a secret request to activate the anonymous persona has been received; and activating the anonymous persona in the foreground of the operation of the MTP, upon receiving the secret request. | 2015-11-12 |
20150326537 | SECURE DEVICE-TO-DEVICE (D2D) COMMUNICATION - User equipment decrypt information received in a first frame over an air interface during device-to-device (D2D) communication with another user equipment. The information is decrypted using a cryptographic function that is applied to a security key and a first frame number of the first frame. | 2015-11-12 |
20150326538 | CONTENT MANAGEMENT SYSTEM - Disclosed is a content management system comprising: a server; a content database, configured within the server, within which are stored one or more channels, each channel comprising one or more stories, each story comprising a title and one or more files; and one or more user devices connected to the network, each user device being associated with a user, each user device being configured to allow the associated user to view one or more stories from a channel to which the associated user has viewing rights. The title of each story and the names of the files contained in the story are stored obfuscated in the content database, and the files are stored encrypted in the content database. | 2015-11-12 |
20150326539 | INCREASED COMMUNICATION SECURITY - A method of increasing communication security may include determining whether a first computer system is authorized to communicate with a second computer system, wherein the determining is performed at a third computer system. A message may be communicated from the third computer system to the first computer system, wherein the message includes a first data portion and a second data portion, wherein the first data portion includes a first instance of a session key, and wherein the second data portion includes a second instance of the session key. The second data portion may be decrypted at the first computer system to access the second instance of the session key. Another message, including the first data portion, may be communicated from the first computer system to the second computer system. The first data portion may be decrypted at the second computer system to access the first instance of the session key. | 2015-11-12 |
20150326540 | GENERATING AND DISTRIBUTING PRE-COMPUTED DATA (PCD) ASSETS TO A TARGET DEVICE - The embodiments described herein describe technologies for pre-computed data (PCD) asset generation and secure deployment of the PCD asset to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to generate a unique PCD asset for a target device. In response, the RA device generates the PCD asset and packages the PCD asset for secure deployment of the PCD asset to the target device and to be used exclusively by the target device. The RA device deploys the packaged PCD asset in a CM system for identification and tracking of the target device. | 2015-11-12 |
20150326541 | AUDITING AND PERMISSION PROVISIONING MECHANISMS IN A DISTRIBUTED SECURE ASSET-MANAGEMENT INFRASTRUCTURE - The embodiments described herein describe technologies for ticketing systems used in consumption and provisioning of data assets, such as a pre-computed (PCD) asset. A ticket may be a digital file or data that enables enforcement of usage count limits and uniqueness issuance or sequential issuance of target device parameters. One implementation includes an Appliance device of a cryptographic manager (CM) system that receives a Module and a ticket over a network from a Service device. The Module is an application that securely provisions a data asset to a target device in an operation phase of a manufacturing lifecycle of the target device. The ticket is digital data that grants permission to the Appliance device to execute the Module. The Appliance device verifies the ticket to execute the Module. The Module, when executed, results in a secure construction of a sequence of operations to securely provision the data asset to the target device. | 2015-11-12 |
20150326542 | MANAGING NIC-ENCRYPTED FLOWS FOR MIGRATING GUESTS OR TASKS - An example of a system and method implementing a live migration of a guest on a virtual machine of a host server to a target server is provided. For example, a host server may utilize a flow key to encrypt and decrypt communications with a target server. This flow key may be encrypted using a receive master key, which may result in a receive token. The receive token may be sent to the Network Interface Controller of the host server, which will then encrypt the data packet and forward the information to the target server. Multiple sender schemes may be employed on the host server, and various updates may take place on the target server as a result of the new location of the migrating guest from the host server to the target server. | 2015-11-12 |
20150326543 | ESTABLISHING AN INITIAL ROOT OF TRUST FOR INDIVIDUAL COMPONENTS OF A DISTRIBUTED SECURITY INFRASTRUCTURE - The embodiments described herein describe technologies for a device definition process to establish a unique identity and a root of trust of a cryptographic manager (CM) device, the CM device to be deployed in a CM system. The device definition process can take place in a device definition phase of a manufacturing lifecycle of the CM device. One implementation includes a non-transitory storage medium to store an initialization application that, when executed by a CM device, causes the CM device to perform a device definition process to generate a device definition request to establish the unique identity and the root of trust. In response to the device definition request, the initialization application obtains device identity and device credentials of the CM device and stores the device definition request in storage space of a removable storage device. The initialization application imports a device definition response containing provisioning information generated by a provisioning device of a cryptographic manager system in response to the device definition request. | 2015-11-12 |
20150326544 | METHOD OF PROCESSING DATA IN DISTRIBUTED STORAGE SYSTEM - The invention relates to a method of processing data in a system including a first device (PC) able to require a second device to perform an operation on a datum, the first device storing both a private key and a public key, the second device being able to store at least one encrypted datum (A′) using the public key, characterized in that it includes: | 2015-11-12 |
20150326545 | SECURE KEY ROTATION FOR AN ISSUER SECURITY DOMAIN OF AN ELECTRONIC DEVICE - Systems, methods, and computer-readable media for securely rotating keys for an issuer security domain of an electronic device are provided. In one example embodiment, an electronic device may include a communications component that receives encrypted issuer data from a commercial entity subsystem. The electronic device may also include a secure element that, inter alia, decrypts the encrypted issuer data with a first key that is stored in an issuer security domain of the secure element and stores a second key in the issuer security domain based on the decrypted issuer data. Additional embodiments are also provided. | 2015-11-12 |
20150326546 | Secure Archive - Storage apparatus ( | 2015-11-12 |
20150326547 | METHOD FOR SECURE COMMUNICATION USING ASYMMETRIC & SYMMETRIC ENCRYPTION OVER INSECURE COMMUNICATIONS - Data may be protected using a combination of symmetric and asymmetric cryptography. A symmetric key may be generated and the data may be encrypted with the symmetric key. The symmetric key and only a portion of the symmetrically encrypted data may then be encrypted with an asymmetric public key. The entire set of encrypted data, including the asymmetrically encrypted symmetric key, the doubly encrypted portion of data, and the remainder of the symmetrically encrypted data may then be sent to a remote device using insecure communications. | 2015-11-12 |
20150326548 | MANAGEMENT OF DIGITAL ASSETS - An asset management system can enable a primary user to designate one or more inheriting users that will be authorized to access the primary user's digital assets in the event that the primary user passes away. The primary user can designate specific digital assets that an inheriting user is to inherit in the event that the primary user passes away. Upon a determination that the primary user has passed away, the asset management system can authorize the inheriting user to access the digital assets designated to the inheriting user by the primary user. Further, the asset management system can also enable creation of a memorial to the deceased individual where users can post homage tokens, such as digital candles, digital flowers, etc. | 2015-11-12 |
20150326549 | OPERATING SOFTWARE IN A VIRTUAL MACHINE ENVIRONMENT - A method of operating software in a virtual machine environment which is resident on a physical machine. The method comprises examining authenticity of a software license against authentication information stored in the virtual machine environment after activation of the software. The authentication information comprises unique virtual machine identification information that defines a unique association between the virtual machine and the physical machine. | 2015-11-12 |
20150326550 | AUTHENTICATION WITH PARENTAL CONTROL FUNCTIONALITY - In various embodiments, disclosed are a system and method for authenticating activity associated with a child account as controlled or managed by a parent account. A child-account user can enter a username, or other form of access information, in a child-account device. The username can contain a predetermined identifier in response to which, upon detecting the presence of the predetermined identifier, a third-party website can carry out authentication functions including sending a message to an authentication platform that carries out additional authentication functions, provided that a parent-account device authorizes doing so. | 2015-11-12 |
20150326551 | SESSION MANAGER FOR SECURED REMOTE COMPUTING - A method for managing a session between a local computing device and a remote computing device, in which a session is established between a local computing device and a remote computing device, a lock session signal is transmitted from the remote computing device to the local computing device, a lock session signal is received at the local computing device, and the session is locked, at the local computing device. Furthermore, the user is prompted for identification information at the remote computing device, and the identification information is transmitted from the remote computing device to the local computing device. Moreover, the identification information is received at the local computing device, the identification information is authenticated at the local computing device, and the session is unlocked, at the local computing device. | 2015-11-12 |
20150326552 | RESOURCE PROTECTION ON UN-TRUSTED DEVICES - Authenticating a client device to a service to allow the client device to access a resource provided by the service. A client device obtains a secondary credential that is associated with a primary credential and that is generated as being usable by a particular set of devices including the client device to indirectly gain access to the service through the primary credential. While outside of an enterprise network, the client device requests access to the service, including sending the secondary credential to an enterprise gateway. Based at least on sending the secondary credential to the enterprise gateway, the client device receives a resource from the service. The resource is received based at least on the enterprise gateway having forwarded the primary credential to the service after verifying that the secondary credential is valid and that the client device is in the particular set of client devices. | 2015-11-12 |
20150326553 | MOBILE HANDSET EXTENSION TO A DEVICE - Mobile operation is extended to a device. An extension interface comprises a client component within a mobile that is linked to a client component within the device. Extension of mobile operation is secured via delivery of credentials associated with the mobile to the device. Delivery of credentials is temporary and typically spans the period during which mobile operation is extended to the device. Application(s) and content(s) can be conveyed to the device for utilization therein. An emulation component that can reside at least in part on the client component within the device can emulate mobile operation. The client component within the mobile can include at least in part (i) a component that downloads drivers for communication with, and utilization of, the device to which mobile operation is extended, and (ii) a component that can scan for wireless-capable devices to extend mobile service thereto. | 2015-11-12 |
20150326554 | COMMUNICATION BETWEEN SOCIAL NETWORK CIRCLES - A social network (SNET) is divided into one or more circles having different trust levels. Communications between the different SNET circles are bridged by an SNET device capable of communicating with devices associated with the different SNET circles, even if those devices cannot communicate directly with each other. When a communication is sent between SNET circles, the SNET device verifies the trust level associated with the communication, and bridges the communication based, at least in part, on that trust level. The SNET device can be located in a demilitarized zone associated with both the first SNET circle and the second SNET circle. Where different SNET circles use different security secrets for communications between members, the SNET device can store different keys for each of those circles in separate, restricted portions of memory. | 2015-11-12 |
20150326555 | METHOD OF MANAGING FILES IN WEBDAV SERVER-EMBEDDED IMAGE FORMING APPARATUS, AND IMAGE FORMING SYSTEM THAT PERFORMS THE METHOD - A method of managing files in a Web-based Distributed Authoring and Versioning (WebDAV)-embedded image forming apparatus and an image forming apparatus that performs the method. The method includes receiving a connection request from the WebDAV client to manage at least one of a file and a directory stored in a storage unit of the image forming apparatus; receiving login information from the WebDAV client, authenticating the received login information of the WebDAV client, receiving a WebDAV command to control the at least one of the file and the directory from the authenticated WebDAV client, and executing a process with respect to the at least one of the file and the directory with reference to the received WebDAV command. | 2015-11-12 |
20150326556 | UNIVERSAL LOGIN AUTHENTICATION SERVICE - A system and method enables secure login at linked sites with a universal ID (UID) and the same or a different password for each linked identity. In such logins, a user stays at the linked login page, and the login name and password are sent to a UID provider for authentication. A UID provider may perform optional multi-factored authentication. A UID user is able to manage all his accounts, which are linked to his UID service, by changing the login names, passwords, security requirements, privacy requirements, and authentication requirements, with group-wise control. Successful or failed logins to linked accounts may be reported to a UID user. A UID user may disable logins at a group of linked accounts. | 2015-11-12 |
20150326557 | RELAY DEVICE, RELAY METHOD, AND PROGRAM - Provided are a relay device capable of appropriate access management, a relay method, and a program. The relay device ( | 2015-11-12 |
20150326558 | ARCHITECTURE FOR PLATFORM SECURITY USING A DEDICATED SECURITY DEVICE FOR USER INTERACTION - There is provided an architecture for a data processing platform using a dedicated security device for user interaction, the data processing platform ( | 2015-11-12 |
20150326559 | METHOD AND SYSTEM FOR AUTHORIZING SECURE ELECTRONIC TRANSACTIONS USING A SECURITY DEVICE - Methods and systems for authenticating a security device for providing a secure access and transaction authorization to a remote network location are provided. The security device is authenticated by installing private security software on the security device. A Two-Channel authorization method includes a transaction notification/authorization channel and a transaction channel. A Three-Channel authorization method includes a transaction notification channel, a transaction authorization channel, and the transaction channel. Embodiments of the present invention provide increased security and privacy. A corresponding system for authenticating a security device and performing secure private transactions is also provided. | 2015-11-12 |
20150326560 | REGISTRATION AND NETWORK ACCESS CONTROL - In embodiments of registration and network access control, an initially unconfigured network interface device can be registered and configured as an interface to a public network for a client device. In another embodiment, a network interface device can receive a network access request from a client device to access a secure network utilizing extensible authentication protocol (EAP), and the request is communicated to an authentication service to authenticate a user of the client device based on user credentials. In another embodiment, a network interface device can receive a network access request from a client device to access a Web site in a public network utilizing a universal access method (UAM), and the request is redirected to the authentication service to authenticate a user of the client device based on user credentials. | 2015-11-12 |
20150326561 | Authentication and Secure Channel Setup for Communication Handoff Scenarios - Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticating a mobile device for access to services at a network server. The authentication credentials may be derived from the application-layer credentials of another network to enable a seamless handoff from one network to another. The authentication credentials may be derived from the application-layer credentials using reverse bootstrapping or other key derivation functions. The mobile device and/or network entity to which the mobile device is being authenticated may enable communication of authentication information between the communication layers to enable authentication of a device using multiple communication layers. | 2015-11-12 |
20150326562 | FACILITATING SINGLE SIGN-ON TO SOFTWARE APPLICATIONS - After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identity provider. | 2015-11-12 |
20150326563 | PROVISIONING DRM CREDENTIALS ON A CLIENT DEVICE USING AN UPDATE SERVER - A method of provisioning DRM credentials on a client device, comprising receiving DRM credentials at an update server from a key generation system, the DRM credentials having been encrypted by the key generation system, receiving a DRM credential request from a client device, the DRM credential request comprising a digital signature, a device class certificate, and an authorization token, authenticating the DRM credential request by validating the digital signature and the device class certificate, extracting and validating the authorization token, and providing the DRM credentials to the client device. | 2015-11-12 |
20150326564 | Method And Browser For Online Banking Login - The present disclosure discloses a method and browser for online banking login, addressing the problems of complex, tedious steps and insecurity of online banking login via web navigation websites. The method comprises: pre-storing and managing online banking website addresses on the browser side and managing the certificates and/or online banking plugins corresponding to the online banking in the form of NPAPI; judging whether the current website address accessed by a user in the browser is an online banking website address, based on the stored online banking website addresses; and, when it is one of the stored online banking website addresses, using the NPAPI to call the corresponding online banking certificate and/or online banking plugin to perform online banking login. The embodiments of the present disclosure reduce the steps and enhance the security of logging in to online banking. | 2015-11-12 |
20150326565 | METHOD AND SYSTEM FOR AUTHORIZING SECURE ELECTRONIC TRANSACTIONS USING A SECURITY DEVICE HAVING A QUICK RESPONSE CODE SCANNER - Methods and systems for authenticating a security device for providing a secure access and transaction authorization to a remote network location are provided. The security device is authenticated by installing private security software on the security device. In order to authorize a transaction, a transaction authorization is performed using the security device by displaying a QR (Quick Response) code from an authorization server on a user terminal and scanning the QR code into the security device. After scanning the QR code, an OTA (One-Time-Authorization) code is sent from the security device to the authorization server for verifying the transaction. Embodiments of the present invention provide increased security and privacy. A corresponding system for authenticating a security device and performing secure and private transactions is also provided. | 2015-11-12 |
20150326566 | PASSWORD SCHEME THAT CAN BE USED FOR SECURITY OF MODEMS IN AN INDEPENDENTLY OPERATED CABLE SYSTEM THAT IS SCALABLE WITH DYNAMICALLY CHANGEABLE PASSWORDS - A password scheme is provided that can be used for security of cable modems in a cable network. In the system, the password is unique to each modem, the password is not fixed for the life of the device, is not shared across cable systems, is easily recoverable after a compromise, and is changed periodically based on some type of configuration. In the system each modem creates its own random password. Then the modem encrypts the password using a public key provided by the cable system and stores the encrypted password in a Management Information Base (MIB) operated by the cable system. The MIB operator decrypts the encrypted password corresponding to the public key and recovers the password. The cable operator uses the password to log in remotely to the modem. If a compromise or change of the public key or password occurs, the password is regenerated using the same procedure. | 2015-11-12 |
20150326567 | MODULES TO SECURELY PROVISION AN ASSET TO A TARGET DEVICE - The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a command to create a Module and executes a Module Template to generate the Module in response to the command. The Module is deployed to an Appliance device. A set of instructions of the Module, when executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device. The Appliance device is configured to distribute the data asset to a cryptographic manager (CM) core of the target device. | 2015-11-12 |
20150326568 | APPARATUS AND METHODS FOR STORING ELECTRONIC ACCESS CLIENTS - Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed. | 2015-11-12 |
20150326569 | Secure information storage and retrieval apparatus and method - A user using a client computer registers with a server computer over a computer network by submitting a biometric scan of a body part of the user. The user commands the client computer to encrypt an electronic file. The client computer generates a private key, encrypts the electronic file and transmits the key to the server computer. The client computer saves the encrypted file. The encrypted file and the key are saved at different physical locations. The owner of the file is able to grant permission to other registered users to unlock the encrypted file. | 2015-11-12 |
20150326570 | SYSTEMS AND METHODS FOR DISCERNING EYE SIGNALS AND CONTINUOUS BIOMETRIC IDENTIFICATION - Apparatus, systems, and methods are provided for substantially continuous biometric identification (CBID) of an individual using eye signals in real time. The apparatus is included within a wearable computing device with identification of the device wearer based on iris recognition within one or more cameras directed at one or both eyes, and/or other physiological, anatomical and/or behavioral measures. Verification of device user identity can be used to enable or disable the display of secure information. Identity verification can also be included within information that is transmitted from the device in order to determine appropriate security measures by remote processing units. The apparatus may be incorporated within wearable computing that performs other functions including vision correction, head-mounted display, viewing the surrounding environment using scene camera(s), recording audio data via a microphone, and/or other sensing equipment. | 2015-11-12 |
20150326571 | SYSTEM AND METHOD FOR SPEAKER RECOGNITION ON MOBILE DEVICES - A speaker recognition system for authenticating a mobile device user includes an enrollment and learning software module, a voice biometric authentication software module, and a secure software application. Upon request by a user of the mobile device, the enrollment and learning software module displays text prompts to the user, receives speech utterances from the user, and produces a voice biometric print. The enrollment and training software module determines when a voice biometric print has met at least a quality threshold before storing it on the mobile device. The secure software application prompts a user requiring authentication to repeat an utterance based at least on an attribute of a selected voice biometric print, receives a corresponding utterance, requests the voice biometric authentication software module to verify the identity of the second user using the utterance, and, if the user is authenticated, imports the voice biometric print. | 2015-11-12 |
20150326572 | DASH-AWARE NETWORK APPLICATION FUNCTION (D-NAF) - Technology for a dynamic adaptive streaming over hypertext transfer protocol (HTTP) aware (DASH-aware) network application function (D-NAF) on a server is disclosed. In an example, the D-NAF can include a network application function (NAF) for authenticating a client and a DASH proxy for delivering DASH content and authentication information for the client. | 2015-11-12 |
20150326573 | SYSTEM AND METHOD FOR TRUSTED PAIR SECURITY - A system for and method of protecting a resource is presented. The system and method include a trusted pair consisting of an initiator and a receiver. The receiver faces outward and is connected to a network, such as the Internet. The initiator is connected to the protected resource. In establishing a connection between the initiator and the receiver, the initiator initiates all communications. This configuration simplifies environment management, improves security including access controls, and facilitates deployment of internet-facing resources by changing the traditional model of component-to-component connection. | 2015-11-12 |
20150326574 | DEVICE VALIDATION USING DEVICE FINGERPRINT - Embodiments of the invention are directed to apparatuses, methods and computer program products for validating a device. An exemplary apparatus is configured to: determine a device accesses an application; determine whether the device is a trusted device based on a device fingerprint associated with the device; in response to determining the device is a trusted device, create an authenticated session; and enable performance of a transaction using the device during the authenticated session. | 2015-11-12 |
20150326575 | DATA TRANSFER BASED ON INPUT DEVICE IDENTIFYING INFORMATION - In one aspect, a first device includes a processor and a memory accessible to the processor. The memory bears instructions executable by the processor to identify a first data transfer command based on input from an input device, receive identifying information associated with the input device, and execute the first data transfer command responsive at least in part to authentication of the input device based at least in part on the identifying information. The first data transfer command pertains to the transfer of first data. | 2015-11-12 |
20150326576 | SECURE ASSET MANAGEMENT SYSTEM - A user can acquire a request code, submit the request code with/as a request for an access code, be granted the access code, enter the access code, and be granted access to an asset, room, or other secured item or space with which the security arrangement is used to restrict access. A user interface can include a display and a data entry device to allow the user to acquire and enter the codes. The access code can be encrypted into the request code, or the request code can trigger generation of the access code according to a predefined process. | 2015-11-12 |
20150326577 | ACCELERATED APPLICATION AUTHENTICATION AND CONTENT DELIVERY - A samples service is configured to provide accelerated application authentication and content delivery. A proof of identity of a client application is exchanged with credentials that are used to authenticate the client application to a content provider. Samples of documents from the content provider are selected based on a contextual information of the client application to provide it with customized content. Static data associated with the samples are provided instead of dynamic data that is resource intensive to generate. | 2015-11-12 |
20150326578 | METHOD AND APPARATUS FOR CONTROLLING RESOURCES ACCESS - Controlling resource access, a first device responsive to a request for access to a resource, determines whether to grant the access to the resource, based on an identity of a requestor requesting the access to the resource. The resource is provided by a second device that is separate from the first device. The first device customizes an access token with an access constraint to control the access to the resource, the access token is generated responsive to the first device determining that, based on the identity of the requestor requesting the access to the resource, the access to the resource is granted. | 2015-11-12 |
20150326579 | CONNECTING PUBLIC CLOUD APPLICATIONS WITH PRIVATE NETWORK RESOURCES - The automatic establishing of a connection between the public cloud and an on-premises resource. First, the bridging infrastructure is automatically accessed. The bridging infrastructure is configured to interact with a user system within the private network using a first control. For instance, it is this first control that may be represented as an executable within the configuration package used in provisioning the connection. A second control is provided to the application running in the public cloud. The second control is structured such that the at least one application may be used to securely connect via the bridging infrastructure with an on-premises resource of the private network. | 2015-11-12 |
20150326580 | SYSTEMS AND METHODS FOR PROVIDING AN INTEGRATED IDENTIFIER - Embodiments described herein provide systems and methods to streamline the mechanism by which data users access differently regulated data through the use of one or more integrated identifiers. The integrated identifiers lessen or eliminate the need to separately maintain one set of identifiers for regulated data and another set for non-regulated data. The methods and systems may be applicable in various credit and healthcare contexts where regulations over data use are prevalent. In one or more embodiments, a data user receives a unique integrated identifier for each of the data user's current or prospective customers, and the integrated identifiers can be used to persistently identify and track the customers over time and across applications that access regulated and/or non-regulated data. In the healthcare context, a healthcare provider may utilize a patient ID as the integrated identifier. To protect privacy, the integrated identifier may not include social security numbers or birthdates. | 2015-11-12 |
20150326581 | ACCESSING MULTIPLE CLIENT DOMAINS USING A SINGLE APPLICATION - Methods, computer systems, and computer-readable storage media for using a single application on a mobile device to access a plurality of client domain sites are provided. The single application on the mobile device receives from a user of the mobile device a set of authorization credentials. Based on the set of authorization credentials, the single application receives a first client domain uniform resource locator from a third-party directory service. The first client domain uniform resource locator is used to access a client gateway service; the client gateway service provides a secure access point to a number of different service solutions hosted by a client. Upon the user inputting a set of authentication credentials, the user is able to access information from one or more of the different service solutions. | 2015-11-12 |
20150326582 | Apparatus, Systems, Platforms, and Methods For Securing Communication Data Exchanges Between Multiple Networks for Industrial and Non-Industrial Applications - Apparatus, systems, network platforms, and methods of providing secure communication between multiple networks, and program product for managing heat exchanger energy efficiency and retrofit for an industrial facility, are provided. According to an exemplary apparatus, the apparatus can include provisions for preventing uninterrupted application-to-application layer communications between the one or more secured networked members and the one or more networked enterprise members to thereby eliminate active files from being communicated, preventing communication of active files or other vulnerable files, and preventing establishment of active links or sessions, between the one or more secured networked members and the one or more networked enterprise members. | 2015-11-12 |
20150326583 | MOBILE DEVICE, PROGRAM, AND CONTROL METHOD - When a pre-determined time period has elapsed after a user access is last detected, a mobile device performs protection processing on account-related information. The mobile device includes an access detection unit that detects that a user accesses the mobile device, and a time period determination unit that determines whether or not a pre-determined time period has elapsed from a last user access time point at which the user last accessed the mobile device. The mobile device further includes a storage location acquisition unit that acquires a location in the data storage unit in which the account-related information is stored, and a protection unit that performs the protection processing on the account-related information based on the storage location of the account-related information acquired by the storage location acquisition unit, when the time period determination unit determines that a pre-determined time period has elapsed from the last user access time point. | 2015-11-12 |
20150326584 | METHOD AND SYSTEM FOR EXECUTING A SECURE APPLICATION ON AN UNTRUSTED USER EQUIPMENT - A method for executing a secure application on an untrusted user equipment having storage means with at least one protected region includes establishing a secure or authenticated communication channel between a trusted device and the user equipment. Secure application information of the secure application is provided via the communication channel to be executed on the user equipment. Correctness of the secure application information is checked. Execution of the secure application is initiated on the user equipment via the communication channel such that the secure application is stored in the protected region of the storage means. | 2015-11-12 |
20150326585 | Fuzzy Whitelisting Anti-Malware Systems and Methods - In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety. | 2015-11-12 |
20150326586 | REMEDIATING ROGUE APPLICATIONS - In one example embodiment, a remediating system may include a mobile communication device, to which an application is to be installed, and a remediator that may be configured to remediate the application and transmit the remediated version of the application to the mobile communication device for installation. | 2015-11-12 |
20150326587 | DISTRIBUTED SYSTEM FOR BOT DETECTION - A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to a destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code. | 2015-11-12 |
20150326588 | SYSTEM AND METHOD FOR DIRECTING MALICIOUS ACTIVITY TO A MONITORING SYSTEM - A system of client devices and a server system implementing services makes use of credentials to facilitate authentication of the client devices with the server and generates log entries for different accesses to the server system. A monitoring system places credentials and log entries referencing the monitoring system alongside the credentials and log entries on the client devices without any authentication or actual access attempts by the client devices to the monitoring system. Unauthorized access to the client devices may result in the credentials and log entries to the monitoring system being accessed and used to access the monitoring system. Attempts to exploit the monitoring system using the credentials and log entries are contained within the monitoring system, and data is collected to characterize malicious code attempting to exploit the monitoring system. The data is then used to prevent attacks and detect compromised client devices and server systems. | 2015-11-12 |
20150326589 | SYSTEM AND METHODS FOR REDUCING IMPACT OF MALICIOUS ACTIVITY ON OPERATIONS OF A WIDE AREA NETWORK - System architecture and methods for controlling improper network activity in a wide area network, where the system includes multiple service provider devices configured to provide communications service to attack vector devices. Each service provider device or plurality of devices is provided with at least one policy agent. The policy agent of each of the service provider devices is placed in communication with a security service system. The method includes detecting an improper network event using one of the policy agents and providing the security service device associated with that policy agent/service provider device with vector data characterizing the improper network event. The method further includes forwarding the vector data relating to the improper network event from the security service system to other of the security service systems, and from those to the policy agents in the other service provider devices. The method then inhibits the transfer of messages, data, or other forms of traffic corresponding to the vector data. | 2015-11-12 |
20150326590 | INTERDICTING UNDESIRED SERVICE - Interdicting an undesired service is disclosed. For example, a malware service is interdicted. The undesired service is identified. A vulnerability of the undesired service is identified from among a hierarchy of vulnerabilities. The undesired service is interdicted according to the vulnerability. For example, a corresponding action of a vulnerability to interdict the undesired service is performed in the order of the hierarchy until the undesired service is interdicted. | 2015-11-12 |
20150326591 | ROGUE OPTICAL NETWORK INTERFACE DEVICE DETECTION - Techniques are described for identifying a rogue network interface device whose laser is not under control of a controller of the network interface device. The techniques identify the rogue network interface device based on reception of a predefined data pattern in a timeslot that is not reserved for any of the network interface devices without needing to disable upstream data transmission from the network interface devices during their assigned timeslots. The techniques also relate to a network interface device determining whether the network interface device is transmitting optical signals at a wavelength different than the wavelength that the OLT to which the network interface device is associated receives. | 2015-11-12 |
20150326592 | EMULATING SHELLCODE ATTACKS - A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code. | 2015-11-12 |
20150326593 | DETECTING NETWORK TRAFFIC CONTENT - A device for detecting network traffic content is provided. The device includes a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates. The device also includes a processor configured to receive data associated with network traffic content, execute one or more instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected. | 2015-11-12 |
20150326594 | NETWORK DATA COLLECTION AND RESPONSE SYSTEM - Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network activity. | 2015-11-12 |
20150326595 | USER LOGIN MONITORING DEVICE AND METHOD - The present invention discloses a user login monitoring device and method. The method comprises: acquiring a latest user login record list of a user, wherein each of the user login records comprises information associated with the login location of the user; determining a frequently-used login location of the user according to the user login record list, and when the number of the user login records with a same login location is not less than a first threshold, determining the login location as the frequently-used login location of the user; and marking a user login record with a different login location from the frequently-used login location as abnormal. The frequently-used login location of the user can be automatically determined without the participation of the user, and the abnormal login record can be determined and marked by using the present invention so as to facilitate the user to check or remind the user, thus the security of the user account is improved. Moreover, in some special cases, it can be determined accurately whether a user login is abnormal according to the present invention, thus the accuracy is increased and the false alarm rate is lowered. | 2015-11-12 |
20150326596 | CLOUD BASED METHOD AND APPARATUS FOR MONITORING INTERNET USAGE - A cloud based method and apparatus for monitoring internet usage are provided. The method comprises: receiving a website inquiry instruction sent by a client, wherein the instruction comprises a website identifier; determining whether the website is a website to be monitored; and if the website is a website to be monitored, processing the website inquiry instruction in accordance with a security policy pre-stored in a server, wherein the security policy is set by the client. Since the security policy is stored on a server, it cannot be easily circumvented by the user, and its effectiveness is enhanced. | 2015-11-12 |
20150326597 | SYSTEMS, METHODS, AND MEDIA FOR GENERATING SANITIZED DATA, SANITIZING ANOMALY DETECTION MODELS, AND/OR GENERATING SANITIZED ANOMALY DETECTION MODELS - Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model. | 2015-11-12 |
20150326598 | PREDICTED ATTACK DETECTION RATES ALONG A NETWORK PATH - In one embodiment, attack detectability metrics are received from nodes along a path in a network. The attack detectability metrics from the nodes along the path are used to compute a path attack detectability value. A determination is made as to whether the path attack detectability value satisfies a network policy and one or more routing paths in the network are adjusted based on the path attack detectability value not satisfying the network policy. | 2015-11-12 |
20150326599 | Evaluating URLS For Malicious Content - A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Requests by a user system for a resource at a URL may be received by a firewall; a honey client module may access the URL and permit installation of malicious code or other malicious activities. In response to detecting malicious activities, the honey client module characterizes the malicious activity to generate a descriptor used to detect malicious code in other systems. The URL may also be blacklisted by the firewall. | 2015-11-12 |
20150326600 | FLOW-BASED SYSTEM AND METHOD FOR DETECTING CYBER-ATTACKS UTILIZING CONTEXTUAL INFORMATION - A flow-based detection system and method for detection of cyber-attacks is provided that utilizes contextual information to provide improved detection accuracy over existing flow-based systems. Contextual information is utilized to semantically reveal cyber-attacks from IP flows. Time, location, and other contextual information mined from network flow data is utilized to create semantic links among alerts raised in response to suspicious IP flows. The semantic links are identified through an inference process on probabilistic semantic link networks. The resulting links are used at run-time to retrieve relevant suspicious activities that represent a possible attack or possible steps in multi-step attacks. | 2015-11-12 |
20150326601 | ASSESSMENT TYPE-VARIABLE ENTERPRISE SECURITY IMPACT ANALYSIS - A data management service identifies sensitive data stored on enterprise databases according to record classification rules that classify a data record as having a sensitive data type if the data record includes fields matching at least one of the record classification rules. Methods and systems rely on a set of impact factors, each having a set of value bands representing a range for the impact factor and a corresponding value (between 0 and 1). The factors, ranges, and values are all customizable for an organization. Impact scoring calculations take into account each of the impact factors, and each is weighted to represent a specific risk perception or assessment type. A similar impact scoring is applied to data quality using volume of data as a key attribute of the quality. | 2015-11-12 |
20150326602 | CLEAN-UP OF UN-REASSEMBLED DATA FRAGMENTS - A receiving device storing fragments may detect a total usage of storage space, such as a number of used queue banks (QBs), by un-reassembled fragments and take action when the total usage of storage space reaches a threshold level. For example, additional fragments may be rejected for a period of time after the threshold level is reached. In another example, the un-reassembled fragments may be cleaned up after the threshold level is reached. In yet another example, the reaching of the threshold level may be logged. | 2015-11-12 |
20150326603 | AVOIDING COLLISIONS IN INTERNET PROTOCOL (IP) PACKET IDENTIFICATION NUMBERS - A pseudo-random generator may be used to generate identification values for formatted data packets. A method for transmitting data less susceptible to man-in-the-middle attacks may include receiving data for transmission over a network according to a protocol; formatting the data into one or more internet protocol (IP) packets by fragmenting the received data; and transmitting the one or more internet protocol (IP) packets. The step of formatting the data into one or more internet protocol (IP) packets may include generating a unique pseudo-random number while avoiding collisions with previously-used numbers; and inserting the pseudo-random number as an identifier in the one or more internet protocol (IP) packets corresponding to the received data. | 2015-11-12 |
20150326604 | RULES BASED MONITORING AND INTRUSION DETECTION SYSTEM - The present invention is a rules-based monitoring and intrusion detection system that comprises three core components in a data network: a client electronic device in the form of a smart phone, tablet, or other electronic device; a mobile app gateway; and a web server. The system is initiated with an electronic request by a client to receive monitoring of their electronic device. The request is sent through a mobile application gateway and received by a web server. The web server responds to this request by sending a graphical user interface to the client's electronic device, with which the client may be able to configure certain settings for monitoring. The settings are in the form of rules, which in response to certain events, may trigger alarms in the intrusion detection software. The web server then receives these rules and compiles monitoring software for installation on the client's electronic device. Once activated, this software continuously monitors the client's electronic device and compares certain events with the programmed rules. Upon finding a matching event and rule, the monitoring software sends a communication to the web server and the web server then issues a command or sends a communication, depending on and in accordance with the user-defined rules. This system can be used to better secure the sensitive data stored on a client's electronic device in the event of theft, hacking, or misplacement. | 2015-11-12 |
20150326605 | METHOD AND APPARATUS FOR PROVIDING NOTIFICATION OF DETECTED ERROR CONDITIONS IN A NETWORK - Methods for managing a communication session in a communication network are disclosed. For example, a method includes detecting, by a first endpoint comprising at least one processor, an error condition associated with the communication session, sending, by the first endpoint, a notification of the error condition to a second endpoint that is using a transport layer session and receiving, by the first endpoint, a communication from the second endpoint, proposing a response to the error condition. Another method includes receiving, by a first endpoint comprising at least one processor, a notification of an error condition associated with the communication session, selecting, by the first endpoint, a response to the error condition, and sending, by the first endpoint, a communication to a second endpoint that is using a transport layer session, proposing a response to the error condition. | 2015-11-12 |
20150326606 | SYSTEM AND METHOD FOR IDENTIFYING PHISHING WEBSITE - The present invention discloses a system and method for identifying a phishing website. The system comprises: a domain name acquisition unit, a domain name statistic unit and a website identification unit; the domain name acquisition unit being configured to collect all links found in a website to be identified so as to acquire the domain names corresponding to the links; the domain name statistic unit being configured to count the number of times that each domain name occurs in the website to be identified, find the domain name which has the greatest number of occurrences and mark it as a target domain name; and the website identification unit being configured to judge whether the website to be identified is a phishing website on the basis of the target domain name and the domain name of the website to be identified. | 2015-11-12 |
20150326607 | DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINES - A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack. | 2015-11-12 |
20150326608 | SOCIAL NETWORK HONEYPOT - The invention is a method and system for detecting attackers that are interested in attacking an organization's infrastructure during the reconnaissance phase of an Advanced Persistent Threat (APT). APTs are very sophisticated attacks and incorporate advanced methods for evading current security mechanisms. Therefore, the present invention uses an innovative social network honeypot. | 2015-11-12 |
20150326609 | DESIGNATING A VOTING CLASSIFIER USING DISTRIBUTED LEARNING MACHINES - In one embodiment, possible voting nodes in a network are identified. The possible voting nodes each execute a classifier that is configured to select a label from among a plurality of labels based on a set of input features. A set of one or more eligible voting nodes is selected from among the possible voting nodes based on a network policy. Voting requests are then provided to the one or more eligible voting nodes that cause the one or more eligible voting nodes to select labels from among the plurality of labels. Votes are received from the eligible voting nodes that include the selected labels and are used to determine a voting result. | 2015-11-12 |
20150326610 | CONNECTION CONFIGURATION - A connection method is provided. The method includes retrieving by a data retrieval device, unique data comprising an identifier associated with a wireless device. The unique data is transmitted to a router transmitting an authorization request and a configuration request for a configuration change to an authorization service. The authorization request is presented to a user and in response the user transmits an authorization code to the authorization service. In response, the router generates a virtual SSID and preconfigured firewall rules based on the unique data and the wireless device is automatically connected to the router based on the virtual SSID and the preconfigured firewall rules. | 2015-11-12 |
20150326611 | SECURITY CONTROL APPARATUS AND METHOD FOR CLOUD-BASED VIRTUAL DESKTOP - The security control apparatus includes a network control unit for receiving a security protocol-based packet that includes a protocol control header and data and that is transmitted between a cloud-based virtual desktop interaction remote agent unit and a virtual machine of a cloud-based virtual desktop interaction device, and blocking network traffic between the cloud-based virtual desktop interaction remote agent unit and the virtual machine, depending on received results of checking. A policy checking unit checks whether information extracted from the security protocol-based packet is compliant with control policies, and transmits results of checking to the network control unit. If the information is not compliant with the control policies, a security solution interaction unit transmits the extracted information to an external security solution, and transmits results of checking by a corresponding security solution to the network control unit. | 2015-11-12 |
20150326612 | TECHNIQUES FOR NETWORK SELECTION IN UNLICENSED FREQUENCY BANDS - Aspects described herein relate to detecting wireless network services. A network that advertises access to a service provider network via a cellular radio access technology (RAT) in an unlicensed frequency can be discovered at a user equipment (UE). The UE can then determine one or more user-defined or operator-defined policies related to selecting the network, and select the network for access based at least in part on the one or more user-defined or operator-defined policies. | 2015-11-12 |
20150326613 | DYNAMIC USER IDENTIFICATION AND POLICY ENFORCEMENT IN CLOUD-BASED SECURE WEB GATEWAYS - A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and the capability of accommodating multiple organizations therein with proper isolation therebetween. There are two basic requirements for the cloud-based SWG: (i) having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various policies can be enforced and audit logs of user access can be maintained. | 2015-11-12 |
20150326614 | Social Sharing of Security Information in a Group - Techniques for social sharing security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group. | 2015-11-12 |
20150326615 | CLOUD BASED MOBILE DEVICE SECURITY AND POLICY ENFORCEMENT - Cloud based mobile device security and policy systems and methods use the “cloud” to pervasively enforce security and policy on mobile devices. The cloud based mobile device security and policy systems and methods provide uniformity in securing mobile devices for small to large organizations. The cloud based mobile device security and policy systems and methods may enforce one or more policies for users wherever and whenever the users are connected across a plurality of different devices including mobile devices. This solution ensures protection across different types, brands, operating systems, etc. for smartphones, tablets, netbooks, mobile computers, and the like. | 2015-11-12 |
20150326616 | Directing Audited Data Traffic to Specific Repositories - Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules. A first audit data collection is sent to a first repository in response to one or more data access elements of a first data access matching a first condition of one of the security rules. The one of the security rules having the first condition designates the first audit data collection and the first repository. A second audit data collection is sent to a second repository in response to one or more data access elements of a second data access matching a second condition of one of the security rules. The one of the security rules having the second condition designates the second audit data collection and the second repository. | 2015-11-12 |
20150326617 | Privacy Control Processes for Mobile Devices, Wearable Devices, other Networked Devices, and the Internet of Things - Mobile devices are increasingly capable of collecting, storing, and transmitting data which may infringe on the security or privacy of others. The inventions disclosed provide methods by which such conflicts may be reduced by allowing geographical areas to be opted out of certain types of collection, at all or specific times. These methods may help broaden the acceptance of such devices as Google Glass®, other wearable devices, or other mobile collection-capable devices. The disclosure describes a “collection controller” which maintains positive control over a device's collection capabilities. This controller may be paired with an online opt-out registry or a sensor which detects coded opt-out beacons. Certain data collected by the device might be metadata-tagged and its further use determined by a “data disposition controller” which ensures restrictions on the collected data are maintained and adhered to. Finally, the device may itself be queried to determine if it is controlled by any or all of the processes disclosed in this submission. | 2015-11-12 |
20150326618 | METHOD OF PROVIDING EVIDENCE COLLECTION TOOL, AND APPARATUS AND METHOD FOR COLLECTING DIGITAL EVIDENCE IN DOMAIN SEPARATION-BASED MOBILE DEVICE - A method of providing an evidence collection tool, and an apparatus and method for collecting digital evidence in a domain separation-based mobile device are disclosed. The apparatus includes a target device information collection module, a collection module, a transmission module, and a control module. The target device information collection module collects the system feature information and user identification information of a domain separation-based mobile device. The collection module collects digital evidence using a received evidence collection tool. The control module transfers the user identification information and a previously inputted investigator authentication key value to a server, transfers the security key from the server to the encryption unit of the transmission module, and transfers the evidence collection tool from the server to the collection module; the transmission module encrypts the digital evidence using the received security key and transmits the system feature information to the server. | 2015-11-12 |
20150326619 | ON-DEMAND REGISTRATION FOR IMS SERVICES - A device may receive service information associated with an internet protocol multimedia subsystem (IMS) service. The IMS service may be provided via an IMS network. The service information may include information that identifies a terminating device that is to receive the IMS service. The device may cause registration trigger information to be provided to the terminating device based on receiving the service information. The registration trigger information may be provided to the terminating device to cause the terminating device to register to the IMS network to allow the terminating device to receive the IMS service. | 2015-11-12 |
20150326620 | MEDIA PRESENTATION IN A VIRTUAL SHARED SPACE - Various embodiments of the present technology involve the sharing of media items via a virtual shared space. For example, a user could create and share a slideshow to other users in a presentation mode that includes establishing a shared screen session for simultaneous viewing of the images. Further, while in the presentation mode, interaction with the images by each user could be shown on each device. For example, if a user zooms in on an object, another user will see a magnification of the object. Additionally, if the other user subsequently zooms out, the first user will see a minimization of the object. In another example, an audio message describing one or more images of a slideshow could be provided for playback at a later time when establishing a shared screen session is not available. | 2015-11-12 |
20150326621 | ON-DEMAND ROBOT ACQUISITION OF COMMUNICATION FEATURES - Methods, devices, and systems are provided that determine required communications features to be used in a communication session and provide participants of the communication session with an identification of the required communications features. When a communication device used by the participant does not include one of the required communications features, the user is provided access to those features, based on compatibility. When a communication device is found to be compatible, the communication device accesses the features by running communications applications having the required communications features. | 2015-11-12 |
20150326622 | GENERATING A FORM RESPONSE INTERFACE IN AN ONLINE APPLICATION - An approach is described for generating a form response interface in an online application. An associated system may include a processor and a memory storing an application program, which, when executed on the processor, performs an operation that may include identifying a content post in an online application interface and facilitating evaluation of the content post. Upon determining that the content post is form-addressable based on the evaluation, the operation may include generating a form response interface element including multiple alternatives and updating the online application interface to display the form response interface element with the content post. Facilitating evaluation according to the operation may include parsing language in the content post to determine the presence of a form-addressable interrogatory element. Facilitating evaluation according to the operation further may include analyzing comments posted in response to the content post to determine the presence of form-addressable common language elements. | 2015-11-12 |
20150326623 | REAL TIME MONITORING OF USERS WITHIN A PREDETERMINED RANGE AND SELECTIVE RECEIPT OF VIRTUAL CARDS - Methods of selectively distributing virtual cards between mobile devices, comprising providing a plurality of mobile devices assigned to a plurality of users, wherein a software program manages a user account comprising a collection of virtual cards, wherein the virtual cards include different profiles of a same user, wherein the account further comprises a user appearance generated from at least one virtual card for transmission to surrounding mobile devices; selectively displaying the user appearance on a surrounding device only if the original sending device and the surrounding device are within a predetermined range; and sending a virtual card to a user associated with a user appearance. | 2015-11-12 |