26th week of 2016 patent application highlights part 81 |
Patent application number | Title | Published |
20160191459 | PROVIDING CONTENT TO DEVICES IN A CLUSTER - Methods, systems, and apparatus, including computer programs encoded on a computer-readable storage medium, for providing content. The method includes receiving a request for content from a requesting device that has an associated IP address and determining, based on the IP address, that the received request is appropriate for clustering. The method further includes determining whether the received request is already associated with a cluster and, when it is not, returning a cluster cookie to the requesting device and storing cluster information including the IP address associated with the requesting device; otherwise creating a cluster, including returning a cluster cookie to the requesting device and storing, in a data set associated with the cluster, information including the IP address associated with the requesting device. The method further includes providing a response to the received request based on the data set for the associated cluster. | 2016-06-30 |
20160191460 | FORWARDING A DHCP PACKET - According to an example, a relay device receives a DHCP request packet sent from a DHCP client, in which the DHCP request packet includes a user information sub-option carrying a node identifier of the DHCP client. The relay device adds its own node identifier and path information describing how it received the DHCP request packet to a relay agent information sub-option in the DHCP request packet, and forwards the DHCP request packet to a DHCP server, so that the DHCP server can determine the network topology from the user information sub-option and the relay agent information sub-option. | 2016-06-30 |
20160191461 | TURN Relay Service Reuse For NAT Traversal During Media Session Resumption - A call media session restoration method comprising detecting a network reconnection triggering event that disconnects a media session for a client and a relay connection on a network device for the media session, sending a relay address allocation request to the network device, wherein the relay address allocation request comprises a session update attribute that identifies the relay connection, receiving a user authentication request message from the network device, authenticating the relay address allocation request with the network device, wherein the relay address allocation request is authenticated in accordance with the user authentication request message, and wherein authenticating the relay address allocation request comprises resending the session update attribute, and performing a connectivity check between the client and a peer via the relay connection, wherein performing the connectivity check restores the media session and the relay connection and reuses the relay address for the relay connection. | 2016-06-30 |
20160191462 | MESSAGE FORWARDING IN A VIRTUAL LOCAL AREA NETWORK - In an example, a method for message forwarding in a network includes a first network device learning Media Access Control (MAC) address information received from a second network device. The MAC address information includes a Virtual Local Area Network (VLAN) identifier (ID), an aggregated MAC address, and an aggregated MAC address mask. The first network device receives a message addressed to the VLAN ID and a destination MAC address, and forwards the message to the second network device according to the MAC address information. | 2016-06-30 |
20160191463 | SYSTEMS AND METHODS FOR AUTOMATICALLY APPLYING FIREWALL POLICIES WITHIN DATA CENTER APPLICATIONS - The disclosed method may include (1) identifying a data center application whose functionality is provided by a set of systems, (2) organizing, automatically by the computing device, the set of systems into one or more application model groups by, for each system in the set of systems, identifying an attribute of the system that is indicative of a security context under which the system should operate and assigning the system to an application model group for which the security context will be provided, and (3) for each application model group in the one or more application model groups, protecting the application model group by selecting a firewall configuration that will provide the security context for the application model group and by using the selected firewall configuration to protect the application model group. Various other methods, systems, and computer-readable media are also disclosed. | 2016-06-30 |
20160191464 | USING INDIVIDUALIZED APIs TO BLOCK AUTOMATED ATTACKS ON NATIVE APPS AND/OR PURPOSELY EXPOSED APIs - An API call filtering system filters responses to API call requests received, via a network, from user devices. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique endpoint identifier (“UEID”) of the user device making the request. Using the UEID, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue user devices while allowing ordinary volumes of requests from the user devices, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria. | 2016-06-30 |
20160191465 | FIREWALL TECHNIQUES FOR COLORED OBJECTS ON ENDPOINTS - Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility. | 2016-06-30 |
20160191466 | DYNAMICALLY OPTIMIZED SECURITY POLICY MANAGEMENT - Methods and systems for dynamically optimized rule-based security policy management are provided. A request is received by a network security management device to add a new traffic flow policy rule to multiple existing policy rules managed by the network security management device. Dependencies of the new traffic flow policy rule on the existing policy rules are automatically determined. An updated set of policy rules is formed by incorporating the new traffic flow policy rule within the existing policy rules based on the dependencies. The updated set of policy rules is then optimized by grouping, reordering and/or deleting a sub-set of policy rules of the updated set of policy rules based on one or more of weights assigned to particular types of traffic, preference settings, priority settings, network traffic characteristics and usage statistics for each policy rule of the updated set of policy rules. | 2016-06-30 |
20160191467 | METHODS AND SYSTEMS FOR SECURELY MANAGING VIRTUALIZATION PLATFORM - Virtualization platforms and management clients therefor are communicatively coupled to one another via a control layer logically disposed between them. The control layer is configured to proxy virtualization management commands from the management clients to the virtualization platforms, but only after successful authentication of the users (which may include automated agents and processes) issuing those commands and verification of those users' privileges as defined by access control information accessible to the control layer. The control layer may be instantiated as an application running on a physical appliance logically interposed between the virtualization platforms and management clients, as a software package running on dedicated hardware logically interposed between them, or as an application encapsulated in a virtual machine running on a compatible virtualization platform logically interposed between the virtualization platforms and management clients. | 2016-06-30 |
20160191468 | VIRTUAL DESKTOP ACCELERATOR WITH SUPPORT FOR DYNAMIC PROXY THREAD MANAGEMENT - In particular embodiments, a method includes determining a data flow rate of the active connections at a proxy, comparing the data flow rate to a first pre-determined threshold value, and, when the data flow rate exceeds the first pre-determined threshold value, creating one or more new processing threads associated with the proxy. | 2016-06-30 |
20160191469 | SECURE HOST COMMUNICATIONS - A trusted device includes a secure interface and a host interface, the secure interface being isolated from the host interface by an isolated environment. A user provides a communication to the trusted device via the secure interface. A processor of the isolated environment encrypts the communication and transmits the encrypted communication to a read file of the host interface. A host device connected to the trusted device via the host interface receives the encrypted communication. The host device transmits the encrypted communication to a second host device that is connected to a second trusted device via a second host interface. The second host device transmits the encrypted communication to a write file of the second host interface. A processor in an isolated environment of the second trusted device decrypts the communication and provides the decrypted communication to a second user via a secure interface of the second trusted device. | 2016-06-30 |
20160191470 | Method and apparatus for securely transmitting communication between multiple users - A computer-driven apparatus comprising at least one client device, where this client device is capable of managing and storing data. The apparatus further comprises a central location for managing subscriptions, addresses and public encryption keys. The central location does not store or come in contact with any of the client communication but serves to provide logistical support for connected clients. The apparatus uses symmetric and asymmetric encryption to encrypt messages and symmetric and asymmetric decryption at the receiver to decrypt them. Only one portion of the encryption mechanism is stored by a third party. The apparatus uses a discovery mechanism to determine the appropriate encryption key for each recipient, or to identify whether encryption is supported by the intended recipient. The apparatus further comprises support for sorting messages by sender and other extended options, as well as extended forwarding choices with respect to attachments and a plurality of recipients. | 2016-06-30 |
20160191471 | SECURITY KEY GENERATION AND MANAGEMENT METHOD OF PDCP DISTRIBUTED STRUCTURE FOR SUPPORTING DUAL CONNECTIVITY - The present disclosure relates to a pre-5 | 2016-06-30 |
20160191472 | SYSTEM AND METHOD OF SENDING AND RECEIVING SECRET MESSAGE CONTENT OVER A NETWORK - The proliferation of personal computing devices in recent years, especially mobile personal computing devices, has led to increased concerns regarding the safety and security of documents and messages that are sent over networks. Users desire a system that provides for the setting of custom, content-agnostic, permissions at a message, document, and/or sub-document-level through communications networks. Such a system may allow users to apply customized privacy settings and encryption keys differently to particular parts of documents and/or messages. Such a system may also allow the user to manipulate outgoing message objects of pre-existing formats, so as to “hide” the encrypted document and/or message content within one or more portions of the message object that are not displayed in existing message viewer applications, e.g., metadata fields or unused headers. As such, only authorized message viewing applications may know where to look for (and have the necessary keys to decrypt) such hidden content. | 2016-06-30 |
20160191473 | Method And Apparatus For Securing An Application Using A Measurement Of A Location Dependent Physical Property Of The Environment - Methods, apparatus, and systems for authenticating a user taking into account measurement values of characteristics of the purported environment of the user are described. | 2016-06-30 |
20160191474 | METHODS AND SYSTEMS FOR PROVIDING A CUSTOMIZED NETWORK - A computer implemented method and apparatus is disclosed that includes programming to generate, spawn, or invoke a mother script in a virtual computing environment residing on a physical server. The methods and systems dynamically generate, spawn, or invoke at least one virtual machine embedded with one or more daughter scripts or virtual scripts containing adaptive instruction sets based on a first request, in the form of one or more virtual atoms, where each virtual atom has at least one assigned task and is allowed to connect to other virtual atoms to create one or more virtual computing systems or networks, in the form of one or more virtual molecules. | 2016-06-30 |
20160191475 | DATA ACCESSING METHOD AND SYSTEM AND MEMORY STORAGE APPARATUS - A data accessing method and system for a memory storage apparatus are provided. The method includes: performing a near field communication between a memory storage apparatus and an electronic apparatus, and receiving, by the memory storage apparatus, a first password from the electronic apparatus over the near field communication. The method also includes: recording the first password in a memory unit of the memory storage apparatus. The method further includes: when the memory storage apparatus is not connected to the electronic apparatus or a host within a predetermined time after the memory storage apparatus receives the first password, deleting the first password recorded in the memory unit; and when the first password recorded in the memory unit is the same as a second password in the memory storage apparatus, allowing the electronic apparatus or the host to access the memory storage apparatus. | 2016-06-30 |
20160191476 | KEY MANAGEMENT FOR COMPROMISED ENTERPRISE ENDPOINTS - Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility. | 2016-06-30 |
20160191477 | AUTOMATIC SECURITY PARAMETER MANAGEMENT AND RENEWAL - A method of automatic security parameter renewal includes determining if a security parameter satisfies a renewal condition, and automatically updating the security parameter when the renewal condition is satisfied. The automatically updating the security parameter includes modifying a certificate in dependent components of an application of the security parameter, by a central certification server, upon receipt of a new certificate. | 2016-06-30 |
20160191478 | METHOD AND COMPUTING DEVICE FOR INTEGRATING A KEY MANAGEMENT SYSTEM WITH PRE-SHARED KEY (PSK)-AUTHENTICATED INTERNET KEY EXCHANGE (IKE) - A method and computing device for integrating a key management system with a Pre-Shared Key (PSK)-authenticated Internet Key Exchange (IKE). The method comprises the following: An IKE Identification Payload including an Identification Data field is generated via a first computing device. The Identification Data field comprises: a user identifier (ID) field uniquely identifying one or more of a user of the first computing device and the first computing device; a key ID field uniquely identifying a PSK; and a separator between the user ID field and the key ID field. The IKE Identification Payload is transmitted from the first computing device to a second computing device as part of the IKE. | 2016-06-30 |
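The abstract above describes an IKE Identification Payload whose Identification Data is a user ID, a separator, and a key ID that names a PSK held by a key management system. The following is an added example, not code from the application or its assignee, showing one way to encode and parse such a payload and resolve the PSK on the responder side. It assumes the IKEv2 payload layout from RFC 7296 (the abstract does not say whether IKEv1 or IKEv2 is meant), uses the ID_KEY_ID type, takes `|` as the separator (the abstract does not name one), and stands in a plain dictionary for the key management system.

```python
import struct
from typing import Dict, Tuple

ID_KEY_ID = 11      # IKEv2 Identification Type for an opaque key identifier (RFC 7296, section 3.5)
SEPARATOR = b"|"    # assumed separator byte; the abstract does not name one


def build_id_payload(user_id: bytes, key_id: bytes, next_payload: int = 0) -> bytes:
    """Encode an IKEv2 Identification payload whose Identification Data is user_id|key_id.

    Layout: generic payload header (Next Payload, Critical/Reserved, Payload Length),
    then the ID header (ID Type, 3 reserved bytes), then the Identification Data.
    """
    if SEPARATOR in user_id or SEPARATOR in key_id:
        raise ValueError("separator byte must not occur inside either field")
    if not user_id or not key_id:
        raise ValueError("user ID and key ID must both be non-empty")
    id_data = user_id + SEPARATOR + key_id
    length = 8 + len(id_data)                       # 4-byte generic header + 4-byte ID header
    header = struct.pack("!BBHB3x", next_payload, 0, length, ID_KEY_ID)
    return header + id_data


def parse_id_payload(payload: bytes) -> Tuple[bytes, bytes]:
    """Validate both headers and split the Identification Data back into (user_id, key_id)."""
    if len(payload) < 8:
        raise ValueError("truncated Identification payload")
    _next, _crit, length, id_type = struct.unpack("!BBHB3x", payload[:8])
    if length != len(payload):
        raise ValueError("Payload Length does not match the bytes received")
    if id_type != ID_KEY_ID:
        raise ValueError("unexpected ID Type %d; expected ID_KEY_ID" % id_type)
    user_id, sep, key_id = payload[8:].partition(SEPARATOR)
    if not sep or not user_id or not key_id:
        raise ValueError("malformed Identification Data: expected user_id|key_id")
    return user_id, key_id


def lookup_psk(payload: bytes, key_store: Dict[bytes, bytes]) -> Tuple[bytes, bytes]:
    """Responder side: parse the payload and fetch the PSK named by the key ID.

    key_store stands in for the key management system (a plain mapping here by assumption).
    """
    user_id, key_id = parse_id_payload(payload)
    psk = key_store.get(key_id)
    if psk is None:
        raise KeyError("no PSK registered for key ID %r" % key_id)
    return user_id, psk


if __name__ == "__main__":
    # Constructed sample values: user alice and PSK slot psk-0042 are made up for this example.
    store = {b"psk-0042": b"example-psk-bytes"}
    payload = build_id_payload(b"alice@example.com", b"psk-0042")
    print(payload.hex())
    print(lookup_psk(payload, store))
```

The responder never trusts the user ID field on its own: the PSK is selected by key ID, and the IKE authentication exchange that follows is what proves possession of that PSK.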
20160191479 | SECURITY FRAMEWORK FOR MEDIA PLAYBACK - Disclosed are various embodiments relating to a security framework for media playback. In one embodiment, a client device has a decryption module, a streaming module, and a playback module. The playback module may be configured to request media data from the streaming module and render the media data on an output device. The streaming module may be configured to obtain the media data from the decryption module by a request that specifies a size of the media data. The size may be dynamically determined based at least in part on an amount of available temporary data storage. The decryption module may be configured to decrypt a portion of an encrypted media file based at least in part on the specified size to produce the media data. | 2016-06-30 |
20160191480 | RECORDING DATA AND USING THE RECORDED DATA - A method and system for recording data including content in a recording medium on a computer apparatus. First encrypted data, obtained by encrypting the data using a medium key created for each recording medium, is recorded in a recording medium. Second encrypted data, obtained by encrypting the medium key using a public key, is recorded in the recording medium. A private key corresponding to the public key is not recorded in the recording medium. | 2016-06-30 |
20160191481 | ENCRYPTION KEY RETRIEVAL - Particular embodiments described herein provide for an electronic device that can be configured to include an authentication module. The authentication module can be configured to receive a request to access an electronic device, where the electronic device is separate from the authentication module, collect authentication data, communicate the authentication data to a network element, receive an authentication key, and communicate the authentication key to the electronic device. | 2016-06-30 |
20160191482 | SYSTEM AND METHOD FOR PROVIDING AUTHENTICATED COMMUNICATIONS FROM A REMOTE DEVICE TO A LOCAL DEVICE - A method and system for enabling authenticated communications between a local device and a remote device over a network. An authentication service verifies user credentials and transmits an identity token to the local device. The local device transmits the identity token to the device manager, and receives an associated channel identifier for a device specific channel. The local device transmits to the device message relay a request to receive data on the device specific channel. The local device listens for approval on an approval channel and transmits to the device message relay the channel identifier and the identity token. The device message relay transmits an approval via the approval channel if the identity token is authentic and the user has permission to receive data on the device specific channel. Data from the remote device can be transmitted via the device specific channel. | 2016-06-30 |
20160191483 | Universal Connector - A Universal Connector (“UC”) ecosystem includes encrypted twin (first and second) communications stacks configured to supervise persistent connectivity with distributed data collection points within an Internet of Things. Everything that interacts with the UC ecosystem follows a simple registration process: (1) devices participate on the first stack by requesting to be adopted by logging into the Cloud Service (the “knowledge” factor, they phone home); (2) if validated as an ecosystem device, it is placed into the adoption process and proceeds to the next layer of authentication; and (3) the second stack represents applications (mobile and web) that continue the adoption process for the user/owner (the possession factor). The owner creates an account, then associates the device to the account created, and if all authentication factors are confirmed, the device is adopted and registered to the user/owner completing the adoption process. | 2016-06-30 |
20160191484 | Secure Inmate Digital Storage - A method for providing personal digital storage for residents of a secure facility includes receiving a resident's login information and verifying the login information. Upon successful verification, access is provided to a personal digital storage area that includes multiple sections, each of which is accessible to the resident and each of which is further accessible to a different set of individuals than another section. | 2016-06-30 |
20160191485 | SYSTEMS AND METHODS FOR SITE DATA COLLECTION - A system and method for collecting, storing, maintaining and presenting data to optimize and make more efficient the installation of a communication system. A mobile device running a field application, a remote server running a server side application and data storage are employed in the system. A subset of these systems can be used in some use cases. The disclosed system may display, generate reports and download the collected data to facilitate installation of the communications system. The system may also provide an API to retrieve the collected data. | 2016-06-30 |
20160191486 | TRANSPARENT CLIENT AUTHENTICATION - A system and method for authenticating an application (client) to a server or service. During a registration phase, an application that requests access to a service can receive a service identifier, which it can authenticate. The application can generate and send to the server or service an application-service key, based upon the authenticated service identifier and a secret application key; a service-application identifier, based upon the authenticated service identifier and an application identifier; and a registration nonce, all of which can be stored at the server. During the authentication phase, the client can send the service-application identifier to the server, which the server can use to look up the stored registration data. The server can send the registration nonce to the client, which can compute a proof of possession of the application-service key and send it to the server. The server can compute its own version of this proof and compare it to the received one. If they correspond, the client is authenticated. | 2016-06-30 |
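The registration and authentication phases described in the abstract above, as an added example that is not code from the application or its assignee. It assumes HMAC-SHA256 for deriving the application-service key and for the proof of possession, SHA-256 for the service-application identifier, and a service identifier that the client authenticates by comparing it against a value pinned into the application (a real deployment would verify a signature or certificate instead). All names and identifiers are constructed for the example.

```python
import hashlib
import hmac
import os


class Service:
    """Server side: stores registration data keyed by the service-application identifier."""

    def __init__(self, service_id: bytes):
        self.service_id = service_id
        self._registrations = {}   # service-application identifier -> (application-service key, nonce)

    def get_service_id(self) -> bytes:
        return self.service_id

    def register(self, service_app_id: bytes, app_service_key: bytes, nonce: bytes) -> None:
        self._registrations[service_app_id] = (app_service_key, nonce)

    def challenge(self, service_app_id: bytes) -> bytes:
        """Authentication phase, step 1: look up the registration and return the stored nonce."""
        if service_app_id not in self._registrations:
            raise KeyError("unknown service-application identifier")
        return self._registrations[service_app_id][1]

    def verify(self, service_app_id: bytes, proof: bytes) -> bool:
        """Authentication phase, step 2: recompute the proof from the stored key, compare in constant time."""
        app_service_key, nonce = self._registrations[service_app_id]
        expected = hmac.new(app_service_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class Client:
    """Application side. The secret application key never leaves the client; only the
    application-service key derived from it is sent to the service."""

    def __init__(self, app_id: bytes, app_secret_key: bytes, expected_service_id: bytes):
        self.app_id = app_id
        self.app_secret_key = app_secret_key
        self.expected_service_id = expected_service_id   # assumption: pinned into the app build
        self.app_service_key = None
        self.service_app_id = None

    def _authenticate_service_id(self, service: Service) -> bytes:
        service_id = service.get_service_id()
        if not hmac.compare_digest(service_id, self.expected_service_id):
            raise ValueError("service identifier failed authentication")
        return service_id

    def register(self, service: Service) -> None:
        """Registration phase: derive the two values from the authenticated service identifier."""
        service_id = self._authenticate_service_id(service)
        self.app_service_key = hmac.new(self.app_secret_key, service_id, hashlib.sha256).digest()
        self.service_app_id = hashlib.sha256(service_id + b"\x00" + self.app_id).digest()
        nonce = os.urandom(16)
        service.register(self.service_app_id, self.app_service_key, nonce)

    def authenticate(self, service: Service) -> bool:
        """Authentication phase: fetch the registration nonce, prove possession of the key."""
        nonce = service.challenge(self.service_app_id)
        proof = hmac.new(self.app_service_key, nonce, hashlib.sha256).digest()
        return service.verify(self.service_app_id, proof)


if __name__ == "__main__":
    svc = Service(b"https://api.example.com")
    app = Client(b"com.example.app", os.urandom(32), b"https://api.example.com")
    app.register(svc)
    print("authenticated:", app.authenticate(svc))
```

Because the abstract has the server send back the registration nonce rather than a fresh one, the proof is the same on every authentication; anyone who can observe it on an unprotected transport can replay it, so the exchange needs a confidential channel or a per-authentication challenge in practice.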
20160191487 | NETWORK WATERMARK - A network communications method utilizing a network watermark for providing security in the communications includes creating a verifiable network communications path of nodes through a network for the transfer of information from a first end node to a second end node; verifying the network communications path of nodes, by the first end node, before communicating by the first end node information intended for receipt by the second end node; and once the network communications path of nodes is verified by the first end node, communicating by the first end node, via the verified communications path of nodes, the information intended for receipt by the second end node; wherein the network watermark represents the verifiable network communications path of nodes. | 2016-06-30 |
20160191488 | NETWORK WATERMARK - A network communications method utilizing a network watermark for providing security in the communications includes creating a verifiable network communications path of nodes through a network for the transfer of information from a first end node to a second end node; verifying the network communications path of nodes, by the first end node, before communicating by the first end node information intended for receipt by the second end node; and once the network communications path of nodes is verified by the first end node, communicating by the first end node, via the verified communications path of nodes, the information intended for receipt by the second end node; wherein the network watermark represents the verifiable network communications path of nodes. | 2016-06-30 |
20160191489 | METHOD FOR ASSIGNING AN AGENT DEVICE FROM A FIRST DEVICE REGISTRY TO A SECOND DEVICE REGISTRY - An agent device is registered in a first device registry maintained by a first registry apparatus for authenticating agent devices that communicate with application providing apparatuses. The agent device can be assigned to a second device registry maintained by a second registry apparatus. The method of assignment comprises the first registry apparatus receiving a device assignment request from a requestor device. In response to the device assignment request, the first registry apparatus checks whether the agent device is allowed to be assigned to the second device registry and, if so, the agent device transmits second authentication information for authenticating its identity to the second registry apparatus, which registers it in the second device registry. | 2016-06-30 |
20160191490 | IDENTIFY A RADIO FREQUENCY EMITTING DEVICE BY MAC ADDRESS - A computer system reports “logical usage pattern data” and location information in a Device Report; another computer system reports MAC addresses associated with mobile devices in Network Device Reports; the Device Reports and Network Reports are correlated based on various factors; if a set of Device Reports and Network Reports correlate, a Device Identifier is created and sent to the corresponding mobile device; the Device Identifier may then be used to identify the mobile device, such as when the MAC address is inaccessible. The Device Identifier may be associated with other devices used by the user of the mobile device. | 2016-06-30 |
20160191491 | SINGLE LOGIN PROCEDURE FOR ACCESSING SOCIAL NETWORK INFORMATION ACROSS MULTIPLE EXTERNAL SYSTEMS - A social networking system contains information describing users of the social network and various connections among the users. A user can access multiple external systems that communicate with the social networking system to access information about the users of the social networking system. Login status of the user account on the social networking system is maintained. If the login status of the user account on the social networking system indicates that the user is not logged in, the user is required to provide authentication information. If the login status of the user account indicates that the user is logged in, social network information is provided to the user via an external system, subject to the privacy settings of users of the social networking system. If the user logs out from an external system, the user is also logged out from the social networking system. | 2016-06-30 |
20160191492 | METHOD AND DEVICE FOR TRANSFERRING RESOURCES - The present disclosure discloses a method and a device for transferring resources. The method includes: receiving a resource transfer request sent by a transfer account; detecting whether a physical characteristic collected by a mobile device bound to the transfer account has been received; and, if the physical characteristic collected by the mobile device bound to the transfer account has been received, transferring the resources when the physical characteristic matches a stored physical characteristic model of the transfer account. | 2016-06-30 |
20160191493 | SYSTEM AND METHOD OF AUTHENTICATING A LIVE VIDEO STREAM - A method of authenticating a video streaming transmission comprising generating a secure token at an application server, providing the secure token to a user device, receiving the secure token at a media server with a publish request from the user device, transmitting the secure token to the application server for authentication, and authenticating the secure token. The publish request from the user device is enabled if the secure token is authenticated by the application server. The connection between the media server and the user device is terminated if the secure token fails to authenticate. | 2016-06-30 |
20160191494 | METHOD AND APPARATUS FOR SECURING A MOBILE APPLICATION - Methods, apparatus, and systems for personalizing a software token using a dynamic credential (such as a one-time password or electronic signature) generated by a hardware token are disclosed. | 2016-06-30 |
20160191495 | PRIVILEGED SHARED ACCOUNT PASSWORD SANITATION - Sanitizing passwords used in a shared, privileged account includes providing a password of a shared account to a user; identifying a first machine logged into using the password; determining when the first machine enters an inconsistent state; and modifying a memory area associated with the first machine to eliminate occurrences of the password in the memory area. | 2016-06-30 |
20160191496 | ESTABLISHING ACCESS TO A SECURE NETWORK BASED ON USER-CREATED CREDENTIAL INDICIA - In various aspects, code-based indicia contain secured network access credentials. In some aspects, a computer processor receives user input that specifies secured network access credentials, and the computer processor creates or modifies credentials for establishing a secured network connection. In these aspects, the computer processor generates code-based indicia that contain at least part of the secured network access credentials. In other aspects, a computer processor scans the code-based indicia and extracts the network access credentials. In these aspects, the computer processor employs the network access credentials to establish the secured network connection. In additional aspects, a network router apparatus renders the code-based indicia to an active display. In further aspects, a network router apparatus conditions grant of network access to a device on receipt from the device of an answer to a security question included in the secured network access credentials. | 2016-06-30 |
20160191497 | METHOD AND SYSTEM FOR MANAGING DATA - The system has a user terminal. A client provides the user terminal with access to data entries stored in a database. The database holds information consisting of one or more data entries and data identifications connected to the data entries. The client forms the data identification for a given data entry to be stored in the database from a unique user name and a master password. The pair of the data identification and the data entry is stored. Access for the user terminal to a data entry stored in the database is provided by using the master password and the unique user name. | 2016-06-30 |
20160191498 | USER AUTHENTICATION BASED ON PERSONAL ACCESS HISTORY - Methods and systems are provided for authenticating a user using data related to the historical interactions of the user with computer based applications. | 2016-06-30 |
20160191499 | Shared Secret Vault for Applications with Single Sign On - Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again. | 2016-06-30 |
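The vault scheme described in the abstract above (user entropy decrypts a wrapped vault key, the vault database yields an unlock key, and the app re-wraps the vault key under that unlock key so later opens need no passcode) as an added example that is not code from the application or its assignee. It assumes PBKDF2-HMAC-SHA256 as the user-entropy key derivation and, because the Python standard library has no AES, an encrypt-then-MAC construction built from an HMAC-SHA256 keystream in place of AES-GCM; the vault database is a JSON object. Passcode, secrets and key sizes are constructed for the example.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 50_000   # assumption; tune to the device


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 keystream in counter mode, XORed over data (32-byte blocks)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with domain-separated enc/mac subkeys. Stand-in for AES-GCM."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ciphertext = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (e.g. wrong passcode) raises ValueError."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_keystream(enc_key, nonce, ciphertext)


def derive_entropy_key(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS)


class SharedVault:
    """On-device shared vault. The vault key is wrapped under the user-entropy key and,
    while the vault is unlocked, also under the unlock key that opened it."""

    def __init__(self, passcode: str, shared_secrets: dict):
        self.salt = os.urandom(16)
        vault_key = os.urandom(32)
        unlock_key = os.urandom(32)
        database = dict(shared_secrets, unlock_key=unlock_key.hex())   # unlock key lives inside the vault
        self.encrypted_db = seal(vault_key, json.dumps(database).encode())
        self.entropy_encrypted_vault_key = seal(derive_entropy_key(passcode, self.salt), vault_key)
        self.unlock_key_encrypted_vault_key = None   # absent while the vault is locked

    def lock(self) -> None:
        self.unlock_key_encrypted_vault_key = None


class App:
    def __init__(self):
        self.unlock_key = None

    def open_with_passcode(self, vault: SharedVault, passcode: str) -> dict:
        """First open: user entropy decrypts the vault key, the database yields the unlock key,
        and the app stores an unlock-key-encrypted vault key back in the vault ("unlocking" it)."""
        vault_key = unseal(derive_entropy_key(passcode, vault.salt), vault.entropy_encrypted_vault_key)
        database = json.loads(unseal(vault_key, vault.encrypted_db))
        self.unlock_key = bytes.fromhex(database["unlock_key"])
        vault.unlock_key_encrypted_vault_key = seal(self.unlock_key, vault_key)
        return database

    def open_with_unlock_key(self, vault: SharedVault) -> dict:
        """Subsequent opens (single sign-on): no passcode prompt while the vault stays unlocked."""
        if self.unlock_key is None or vault.unlock_key_encrypted_vault_key is None:
            raise PermissionError("vault is locked; passcode required")
        vault_key = unseal(self.unlock_key, vault.unlock_key_encrypted_vault_key)
        return json.loads(unseal(vault_key, vault.encrypted_db))
```

Locking the vault only deletes the unlock-key-encrypted vault key; an app that still holds the unlock key in memory cannot reopen the vault until someone re-enters the passcode, which is the property that makes the unlock key safe to keep per application.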
20160191500 | CONSOLIDATED AUTHENTICATION - A method and system for authenticating a user at a first computer to first and second applications installed in a second computer. The second computer receives from the user a first request to access the first application, and in response, the second computer redirects the first request to a third computer, and in response, the third computer determines that the user was previously authenticated and so notifies the second computer, and in response, the second computer returns a first session key to the third computer. The first session key enables a session with the first application but not with the second application. A second session key was sent by the third computer to the first computer after the third computer received the first session key from the second computer. The second session key enables a session with both the first application and the second application. | 2016-06-30 |
20160191501 | METHOD, DEVICE AND SYSTEM FOR CONFIGURING MULTIPLE DEVICES - Embodiments of the present invention provide a method, device and system for configuring multiple devices, where multiple devices are configured simply and securely in a centralized manner. The method includes: acquiring, by a configuration device, device identity information, configuration password information, and network role attributes of at least two devices needing to be configured on a same wireless local area network WLAN; determining a central node device of the WLAN according to the network role attributes of the at least two devices; and sending device identity information and configuration password information of a non-central node device to the central node device, or sending, by the configuration device, device identity information and configuration password information of the central node device to the non-central node device. | 2016-06-30 |
20160191502 | DUAL LAYER TRANSPORT SECURITY CONFIGURATION - A system includes a first computer processor that receives a data transmission from a second computer processor. The data transmission includes a client certificate authentication and a user-based authentication. If the incoming information cannot be authenticated by the client certificate in a first layer of the system landscape, then there is no further data transmission to a second layer. If the first layer can authenticate the client certificate authentication, the system landscape transmits the data transmission to the second layer. If the second layer cannot authenticate the user-based authentication, the system prevents the data transmission from being processed at the second layer. If the second layer can authenticate the user-based authentication, the system processes the data transmission at the second layer. | 2016-06-30 |
20160191503 | PEER TO PEER ENTERPRISE FILE SHARING - Disclosed are various embodiments for facilitating the distribution of files from a file repository. Files from a file repository can be distributed via peer to peer transmissions where the peer devices can perform authentication functions. The authentication can be performed based upon metadata associated with the files as well as based upon authentication requests submitted to an authentication server. | 2016-06-30 |
20160191504 | MOBILE TERMINAL FOR PROVIDING ONE TIME PASSWORD AND OPERATING METHOD THEREOF - Provided are a mobile terminal for providing a one-time password (OTP) and an operation method thereof. The mobile terminal includes a first one-time password (OTP) generating module configured to provide identification information regarding each of a plurality of pieces of OTP data to a user, and output an OTP provided according to any one identification information selected by the user, and a second OTP generating module based on mobile trusted module (MTM) configured to transfer the identification information regarding each of the plurality of pieces of OTP data to the first OTP generating module according to a corresponding request from the first OTP generating module, generate an OTP by using OTP data corresponding to the selected identification information, and transfer the generated OTP to the first OTP generating module. | 2016-06-30 |
20160191505 | CAPTCHA IMAGE SCRAMBLE - In one embodiment, a client computing device receives information regarding a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA). The CAPTCHA includes an image file, a challenge, and code that is executable by a web browser to unscramble the received image file. The code includes instructions to divide the received image file into image sections, each image section having a unique identifier and grouped into either a first set or a second set. The code further contains instructions to transpose each image section in the first set into a new position, creating a new image. A web browser of the client computing device executes the code to create a second image from the received image file. The second image and the challenge are presented to a user of the client computing device. | 2016-06-30 |
20160191506 | Mobile Secure Login System and Method - A mobile secure login method comprises steps of 1) displaying a machine readable graphic form encoded with a sign in URL and a unique token on a browser, wherein the said machine readable graphic form comprises at least one of a 1D barcode, a 2D barcode, a PDF417, a QR code, a Data Matrix code, an Aztec code, and OCR symbol; 2) scanning the said machine readable graphic form using a mobile device; 3) transmitting the sign in credential with the said unique token to a server at the said sign in URL from the said mobile device, wherein the said sign in credential comprises at least one of a username, a password, and a PKI signed challenge; 4) authenticating the said sign in credential at the said server to enable the said browser login to a secure website automatically. | 2016-06-30 |
20160191507 | SYSTEMS AND METHODS FOR AUTHENTICATING A USER DEVICE FOR A WEB SERVICE - An instant access device may receive a request from a user device to access secure content corresponding to a particular web service. The instant access device may create a hash code based on a telephone number of the user device and a hash code, and may communicate the hash code to an authentication system. The authentication system may authenticate the user device by comparing the hash code to a hash table that includes a list of hash codes associated with user devices that are authorized to access the secure content. Based on whether the user device is authenticated by the authentication system, the instant access device may cause the user device to access the secure content, whether by accessing the secure content directly (when the user device authentication is successful) or by creating a new user account (when the user device authentication is unsuccessful). | 2016-06-30 |
20160191508 | Methods and Systems for Block Sharding of Objects Stored in Distributed Storage System - The present disclosure provides systems and methods for sharding objects stored in a distributed storage system. In accordance with one embodiment disclosed herein, a block sharding technique is used. Block sharding is an advantageously efficient technique when dealing with random access objects, such as virtual disk drives or “volumes”. One embodiment disclosed herein provides a method of performing a delta edit of a named object stored in a distributed storage system in which a payload of the named object is stored in block shards defined by block-shard chunk references. The block shards store non-overlapping byte ranges of the payload of the named object. Another embodiment disclosed herein relates to a method of retrieving a portion of a named object stored in a distributed object storage system. Other embodiments, aspects and features are also disclosed. | 2016-06-30 |
20160191509 | Methods and Systems for Key Sharding of Objects Stored in Distributed Storage System - The present disclosure also provides systems and methods for sharding objects stored in a distributed storage system. In accordance with one embodiment disclosed herein, a key sharding technique is used. Key sharding is an advantageously efficient technique when dealing with an object containing a collection of key-value records. In accordance with an embodiment of the invention, referenced chunks identified by the key shards may each store a subset of the collection of the key-value records, and the key-value records in the subset have key hashes that have a range of matching bits in common. One embodiment disclosed herein provides a method of performing a delta edit of a named object stored in a distributed storage system in which a payload of the named object is stored in key shards. Other embodiments, aspects and features are also disclosed. | 2016-06-30 |
20160191510 | SECURITY AND PRIVACY ENHANCEMENTS FOR SECURITY DEVICES - A tamper-resistant security device, such as a subscriber identity module or equivalent, has an AKA (Authentication and Key Agreement) module for performing an AKA process with a security key stored in the device, as well as means for external communication. The tamper-resistant security device includes an application that cooperates with the AKA module and an internal interface for communications between the AKA module and the application. The application cooperating with the AKA module is preferably a security and/or privacy enhancing application. For increased security, the security device may also detect whether it is operated in its normal secure environment or a foreign less secure environment and set access rights to resident files or commands that could expose the AKA process or corresponding parameters accordingly. | 2016-06-30 |
20160191511 | WEARABLE DEVICE AUTHENTICATION - A wearable device is used to authenticate a user into a user account at a user device of the user. In particular, the wearable device may include a sensor configured to detect a body chemistry of the user. The wearable device may send a signal, such as a short range wireless signal, Bluetooth Low Energy or the like, to the user device to communicate the detected body chemistry to the user device. The user device may authenticate the user based on the body chemistry condition detected at the wearable device. In an embodiment, the wearable device may include an olfactory sensor configured to detect a certain smell or scent of the user. | 2016-06-30 |
20160191512 | PREDICTIVE USER AUTHENTICATION - In an example, a system and method for predictive user authentication is disclosed. The system may include proximity sensors, computer vision systems, and other provisions for monitoring users' movements throughout a facility. A predictive security engine may also be programmed with heuristic data to recognize such factors as a user's face, gait, or average appearance. When a user approaches a terminal, the system may preemptively compute a confidence score regarding the user's authenticity. Based on the confidence score, the system will determine how much additional authentication is necessary. The system may also provide context-sensitive data to the user based on location or activities. Thus, authentication to the system is made easier to the user, and the user receives more relevant data for his or her activities. | 2016-06-30 |
20160191513 | BINDING A DATA TRANSACTION TO A PERSON'S IDENTITY USING BIOMETRICS - Methods and systems are described for binding a data transaction to a person's identity using biometrics. The method comprises the generation of data which includes information associated with a transaction, or an encrypted transaction, between a server and a client device associated with a user, generating authentication data providing an irrevocable binding of the information to biometric characteristics of the user, by capturing biometric input by the user of said authentication data or information associated with the transaction, wherein this information is implanted into the captured data. A predetermined minimum number of quorum portions may be generated from a portion of the data generated or processed by the method, wherein at least a predetermined minimum number of received quorum data portions are required to reconstruct the data portion. | 2016-06-30 |
20160191514 | SECURE TRANSACTION AND ACCESS USING INSECURE DEVICE - The present invention enables secure transactions or access using insecure endpoint devices, such as computers, tablets and smart-phones. These insecure devices are potentially compromised with malicious software that may attack the user in every possible way. The present invention does not pretend to prevent malware. Instead, malware attacks against secure transactions and access are made obsolete. The present invention includes data, directly connected to transaction or access request to Relying-Party-Service-Provider, into authentication process of Identity-as-a-Service Provider. The present invention includes user authentication using mobile phone vs. Identity-Management-as-a-Service provider. The present invention also includes entering request for secure transaction or access to Relying-Party-Service-Provider, using insecure device. The present invention also includes two-way communication between Relying-Party-Service-Provider and Identity-Management-as-a-Service. The advantages of the present invention include, without limitation, that it is resilient to malware attack. | 2016-06-30 |
20160191515 | USER AUTHENTICATION METHOD AND ELECTRONIC DEVICE PERFORMING USER AUTHENTICATION - Provided are a user authentication method and an electronic device performing the method. The method is performed under the control of a processor and includes inputting a user authentication request for identifying a user, generating random number data that corresponds to knowledge-based authentication information in the user authentication request, generating an authentication code by combining biometrics-based authentication information in the user authentication request and the random number data, and processing the user authentication request based on the authentication code. | 2016-06-30 |
20160191516 | Method and System For Distinguishing Humans From Machines - A method and an apparatus for distinguishing humans from computers. During user registration, a computer prompts a human user to provide a spoken response to certain authentication information for registration. The computer obtains registration voice data from the spoken response and establishes a registration voiceprint of the human user. During user logon, the computer identifies the user requesting to logon by the user's logon credentials, provides authentication information for logon to the user, and prompts the user to provide a spoken response to the authentication information for logon. The computer obtains logon voice data from the spoken response, and establishes a logon voiceprint of the user. The computer then determines whether the user requesting to logon is human by comparing the logon voiceprint with the registration voiceprint. | 2016-06-30 |
20160191517 | METHOD AND APPARATUS FOR AUTHENTICATING USER BASED ON BIOSIGNAL - A method and apparatus for authenticating a user are provided. An authentication apparatus includes a data set generator configured to generate an authentication data set by extracting waveforms from a biosignal of a user, a similarity calculator configured to match each of the extracted waveforms to registered waveforms included in a registration data set, and calculate a similarity between each of the extracted waveforms and the registered waveforms, and an auxiliary similarity calculator configured to extract a representative authentication waveform indicating a representative waveform of the extracted waveforms and a representative registration waveform indicating a representative waveform of the registered waveforms, and calculate a similarity between the representative authentication waveform and the representative registration waveform. | 2016-06-30 |
20160191518 | Online Pseudonym Verification and Identity Validation - Methods, systems, and computer program products for authenticating an online user. Authentication involves sending a code from a server to a user device equipped with a source of illumination and a camera capable of capturing video imagery of the online user. The user device receives the code, modulates the source of illumination in accordance with the code, and captures video imagery of the user while the source of illumination is being modulated according to the code. The captured video imagery of the online user is sent to the server where it is analyzed to detect evidence of changes in illumination that correspond to the code. If good correspondence is found, the user may be authenticated. Similar methods may be applied to other biometric data. Applications of the authentication include identity validation, pseudonym verification, and distinguishing human from non-human access attempts. | 2016-06-30 |
20160191519 | COMPETENCY BASED DEVICE ACCESS - A system and method are provided to enable competency based device access. The ability for a user to use a particular device may require demonstration of a skill or competency. Access control can be provided for a device to limit user access and to configure the device based upon the user competencies to utilize or perform functions on the device. The competency of the user can be defined in a competency checklist used to determine the skill or certifications of a user maintained by a resource management system. | 2016-06-30 |
20160191520 | OFFLINE METHODS FOR AUTHENTICATION IN A CLIENT/SERVER AUTHENTICATION SYSTEM - A method for providing authentication of a user of a recipient unit when the recipient unit is off-line includes storing one or a plurality of one-time challenge-reply sets based on an on-line communication with a sender unit. In one example, each of the one-time challenge-reply sets includes at least a one-time challenge-reply pair for use in off-line authentication of the user for a particular resource available through the recipient unit. When the user is offline, the method includes selecting at least one of the plurality of stored one-time challenge-reply sets for off-line authentication of the user for the particular resource available through the recipient unit. The one-time challenge-reply sets may be associated with an article. | 2016-06-30 |
20160191521 | INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING - Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure. | 2016-06-30 |
20160191522 | METHOD AND APPARATUS FOR ACCESSING WEBSITE - Disclosed are methods and apparatus for accessing a website. A method may comprise: acquiring a web address that meets a preset condition; determining a server corresponding to the web address and establishing a transport layer connection therewith; upon receiving an instruction for accessing a website corresponding to the web address, using the transport layer connection to send a network request to the server for acquiring the webpage content of the website. Such a method can save the time needed to establish a transport layer connection, thereby improving the efficiency of accessing a website. Moreover, when a transport layer connection is established with a server in advance, only a very small number of data packets are exchanged with the server, which greatly reduces the network data. Furthermore, prior to receiving an instruction for accessing a website corresponding to the web address, only a transport layer connection is established with the server without requesting more data from the server, leading to a very low occupation of system resources such as memory and processor. | 2016-06-30 |
20160191523 | SERVICE AUTHORITY DETERMINATION METHOD AND DEVICE - Provided are a service authority determination method and device. The method comprises: receiving a web (Web) application identifier sent by access equipment; and sending the Web application identifier to an application server (AS), so that according to a service authority policy corresponding to the Web application identifier and service subscription data of a user equipment (UE), the AS determines a service authority of the UE. | 2016-06-30 |
20160191524 | RELAYED NETWORK ACCESS CONTROL SYSTEMS AND METHODS - A computer system for authenticating and managing network traffic may comprise a network link providing a connection to a network, an authentication, authorization, and accounting (AAA) server configured to provide AAA management for the network link, an access controller configured to communicate with the AAA server and to control access to the network link, and a subnetwork of client devices connected to an intermediate relay node. The client devices may be configured to communicate with the access controller and the network link through the intermediate relay node. Also methods and processes by which an intermediate relay node and an access controller may operate in the network for authentication of client devices and routing of network traffic. | 2016-06-30 |
20160191525 | PROTECTING SUPERVISOR MODE INFORMATION - Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode. | 2016-06-30 |
20160191526 | PEER TO PEER ENTERPRISE FILE SHARING - Disclosed are various embodiments for facilitating the distribution of files from a file repository. Files from a file repository can be distributed via peer to peer transmissions where the peer devices can perform authentication functions. The authentication can be performed based upon metadata associated with the files as well as based upon authentication requests submitted to an authentication server. | 2016-06-30 |
20160191527 | Method for Operating a Security Element - A method for operating a security element, preferably in the form of a chip card, having a processor and a memory that stores an operating system comprising an operating-system kernel and at least one additional operating-system module for supplying optional operating-system functionalities, and at least one access permission associated with the operating-system module and determining whether the operating-system module can be accessed during operation of the security element. The method comprises the step of changing the access permission for the operating-system module for supplying optional operating-system functionalities in reaction to the receiving of a message from a server. The message from the server may be an OTA message sent from the server to the security element via a mobile radio network. | 2016-06-30 |
20160191528 | REQUEST-SPECIFIC AUTHENTICATION FOR ACCESSING WEB SERVICE RESOURCES - Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource. | 2016-06-30 |
20160191529 | CAPTCHA CHALLENGE INCORPORATING OBFUSCATED CHARACTERS - A method for determining if a user of a computer system is a human. A processor receives an indication that a computer security program is needed and acquires at least one image depicting a first string of characters including at least a first and second set of one or more characters. A processor assigns a substitute character to be used as input for each of the second set of one or more characters. A processor presents the at least one image and an indication of the substitute character and when to use the substitute character to the user. A processor receives a second string of characters from the user. A processor determines whether the second string of characters substantially matches the first string of characters based on the substitute character assigned to each of the second set of one or more characters and determines whether the user is a human. | 2016-06-30 |
20160191530 | TECHNOLOGIES FOR ACCESS CONTROL - Technologies for performing access control include a computing device that parses a network packet received by the computing device to identify an n-tuple of a header of the network packet, wherein the n-tuple is associated with one or more access control rules. The computing devices determines a bitmask associated with an access control rule of a virtual machine of the computing device and applies the determined bitmask to the n-tuple of the network packet to generate a masked n-tuple. Further, the computing device generates a hash of the masked n-tuple and compares the generated hash to a reference hash associated with the access control rule to identify a match. The computing device performs an access control action in response to identifying a match between the generated hash and the reference hash. | 2016-06-30 |
20160191531 | METHOD FOR FILE SCRUBBING IN A SECURITY GATEWAY FOR THREAT PREVENTION - Methods and systems for blocking reception of digital content elements by devices are disclosed. These methods and systems comprise elements of hardware and software for, receiving an electronic communication including at least one digital document; determining the content type of the at least one digital document; based on the content type of the at least one digital document, modifying the digital content of the digital document so as to selectively disable functionality of the digital document; and, enabling the subsequent processing of the electronic communication including the at least one digital document with the modified digital content. | 2016-06-30 |
20160191532 | SYSTEMS FOR NETWORK RISK ASSESSMENT INCLUDING PROCESSING OF USER ACCESS RIGHTS ASSOCIATED WITH A NETWORK OF DEVICES - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network risk assessment. One of the methods includes obtaining information describing network traffic between a plurality of network devices within a network. A network topology of the network is determined based on the information describing network traffic, with the network topology including nodes connected by an edge to one or more other nodes, and with each node being associated with one or more network devices. Indications of user access rights of users are associated to respective nodes included in the network topology. User interface data associated with the network topology is generated. | 2016-06-30 |
20160191533 | METHOD, APPARATUS, AND SYSTEM FOR RESTRICTING ACCESS - Techniques for restricting access to sensitive application(s) or data to a limited physical area are disclosed. Various embodiments are described in which a tethering station and a wireless storage controller communicate with each other over a radio link. The tethering station can be secured such that the tethering station's location restricts the range within which the wireless storage controller is allowed to enable access to a mobile storage controlled by the wireless storage controller. This restricts access to the application and/or the application stored in the mobile storage to a limited area through radio tethering. | 2016-06-30 |
20160191534 | Methods and Systems for Managing Permissions to Access Mobile Device Resources - In an electronic device, a first application sends a request to a second application for access by the first application to a resource of the electronic device, wherein the first and second applications run on an operating system of the electronic device. In response to the first request, the second application is used to ask a user of the electronic device for permission for the first application to access the resource. A first user input is received, providing permission for the first application to access the resource. In response to the first user input, the second application is used to grant permission to the first application to access the resource. | 2016-06-30 |
20160191535 | METHOD AND APPARATUS FOR CONTROLLING DATA PERMISSIONS - Methods and apparatus for controlling data permission are disclosed herein, and embodiments include generating a relational database that includes entity objects, corresponding user identifications and obligatory relationships of corresponding permission information. The obligatory relationships include time interval information. Some methods further include receiving a request to access an entity object, and the access request comprises identification of an accessing user and an accessing timestamp. The method further includes rendering the permission information of the corresponding entity object if the identification of the accessing user is substantially similar to the corresponding identification of the entity object and the accessing timestamp is within the time interval in response to the accessing request. | 2016-06-30 |
20160191536 | Access Requests at IAM System Implementing IAM Data Model - Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification. | 2016-06-30 |
20160191537 | IMPLEMENTING USER-SPECIFIED TRANSACTION PARAMETERS FOR TRANSFERRING DIGITAL CONTENT ITEMS AMONGST USERS - A computing system and/or network environment in which users can transfer (or initiate transfer of) digital content items to other users in accordance with a variety of transaction parameters that are specified by the user. | 2016-06-30 |
20160191538 | CROSS PLATFORM SOCIAL NETWORKING AUTHENTICATION SYSTEM - Disclosed in one example is a method of authenticating with multiple social network services. The method may include storing first authentication information associated with a user for a first social networking service using at least one computer processor, receiving second authentication information associated with the user for a second social networking service from a social networking application, and sending to the social networking application the first authentication information. The first authentication information may enable the social networking application to utilize a protected application programming interface call for the first social networking service and the second authentication information may enable the social networking application to utilize a protected application programming interface call for the second social networking service. | 2016-06-30 |
20160191539 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR PUBLICLY PROVIDING WEB CONTENT USING A MULTI-TENANT SYSTEM - In accordance with embodiments, there are provided mechanisms and methods for publicly providing web content of a tenant using a multi-tenant on-demand database service. These mechanisms and methods for publicly providing web content of a tenant using a multi-tenant on-demand database service can allow the web content to be published by a tenant using the multi-tenant on-demand database service for use by non-tenants of the multi-tenant on-demand database service. | 2016-06-30 |
20160191540 | AUTHENTICATION BASED ON PROXIMATE DEVICES - In one embodiment, a computer-implemented method includes, in response to an attempt by a user to perform a transaction using a computing device, accessing a communication device connected to the computing device. A presence of one or more nearby devices, with respect to the computing device, is detected through use of the communication device connected to the computing device. A mapping of nearby devices to trust levels may be applied to the one or more nearby devices. In the mapping, each group of one or more nearby devices maps to a trust level of two or more trust levels. An assigned trust level for the transaction is determined, by a computer processor, based on applying the mapping of nearby devices to trust levels. The mapping of nearby devices to trust levels is modified based on the one or more nearby devices detected. The modified mapping is used for future transactions. | 2016-06-30 |
20160191541 | METHOD AND SYSTEM FOR NETWORK VALIDATION OF INFORMATION - Embodiments of the present application relate to a method for network validation of information, a system for network validation of information, and a computer program product for network validation of information. A method for network validation of information is provided. The method includes receiving verification information from a user, the verification information including a plurality of verification fields, determining a verification sequence of the plurality of verification fields based on a verification rule configuration and a verification scoring table, verifying a current verification field according to the verification sequence, verifying a next verification field in the event that the verification of the current verification field succeeds, and terminating verification in the event that the verification of the current verification field fails. | 2016-06-30 |
20160191542 | MESSAGE SENDER AUTHENTICITY VALIDATION - In an example, a system and method are provided for validating the sender of a message, such as an e-mail, text message, voice mail, network message, internet posting, or other electronic message. An authenticity server engine may first prescreen the message with anti-spam, anti-malware, and other filters. The screened message is then provided to the end user. If the end user deems the message suspicious, he may request additional validation. The authenticity server engine may then apply an example four-phase validation scheme, including analyzing header data for consistency with the message body, analyzing public data sources, analyzing private data sources, and receiving a result of an off-channel challenge to the sender. The server may then assign the message a sender validity confidence score. | 2016-06-30 |
20160191543 | SECURE NEIGHBOR DISCOVERY (SEND) USING PRE-SHARED KEY - An extension is provided to the SEND protocol without requiring a CGA or third party trust anchor. A shared key is provided to both a sender and receiver of a neighbor discovery (ND) message. A digital signature option is contained in the ND message. A digital signature field is determined by the algorithm field in the option. When the ND message is received, the receiver may verify the digital signature field using the pre-shared key according to the algorithm field. If the ND message passes verification, the receiver may process the message. | 2016-06-30 |
20160191544 | USER TERMINAL, SERVICE PROVIDING APPARATUS, DRIVING METHOD OF USER TERMINAL, DRIVING METHOD OF SERVICE PROVIDING APPARATUS, AND ENCRYPTION INDEXING-BASED SEARCH SYSTEM - A user terminal, a service providing apparatus, a driving method of a user terminal, a driving method of a service providing apparatus, and an encryption indexing-based search system are provided. The user terminal includes a storage configured to store content and an indexing information processor configured to generate indexing information for searching the stored content, encrypt the generated indexing information, and provide the encrypted indexing information to a service providing apparatus which manages the encrypted indexing information. | 2016-06-30 |
20160191545 | SYSTEMS AND METHODS FOR MONITORING VIRTUAL NETWORKS - The disclosed computer-implemented method for monitoring virtual networks may include (1) identifying a virtual network containing at least one virtualized switching device that routes network traffic from a source port within the virtual network to a destination port, (2) providing, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy, (3) intercepting, at the source port, a packet destined for the destination port, (4) determining that at least one characteristic of the packet satisfies at least one of the rules, and (5) in response to determining that the characteristic of the packet satisfies at least one of the rules, forwarding a copy of the packet to a virtual tap port that analyzes the packet for security threats. Various other methods, systems, and computer-readable media are also disclosed. | 2016-06-30 |
20160191546 | APPLICATION MALWARE ISOLATION VIA HARDWARE SEPARATION - A system for application malware isolation via hardware separation for use in a networked server-client system in the event of a possible malicious intrusion including a client; and a remote application physically separate from the client, the remote application interactively connected with the client over an encrypted network, the remote application comprising an isolation encoding module configured to create a secure version of potentially malicious client content, the remote application further comprising an application isolation container configured to run operations of interest to the client, so as to perform application malware isolation via hardware separation in the server-client system. | 2016-06-30 |
20160191547 | Zero-Day Rotating Guest Image Profile - According to one embodiment, a threat detection platform features a housing, a communication interface, a processor coupled to the communication interface, and a data store. The data store includes (i) an event log, (ii) a first virtual machine, and (iii) a second virtual machine. The first virtual machine is provisioned with a first guest image that is based on an instrumented software profile that includes a first software component and activity monitors configured for the first software component. The second virtual machine is provisioned with a second guest image that is based on a temporary software profile that includes a second software component that is a more recent version of the first software component and the activity monitors configured for the first software component. | 2016-06-30 |
20160191548 | METHOD AND SYSTEM FOR MISUSE DETECTION - This disclosure discusses methods, systems, and an apparatus that can determine whether email content is potentially malicious, contains potentially malicious content, has originated from a potentially malicious entity, or contains links or other references to potentially malicious web content. The disclosure discusses some embodiments that include evaluating text in the email content to determine if predetermined suspected malicious phrases are present in the text, evaluating one or more links in the email content using an IP address, URL, or DNS to determine if the links reference potentially malicious web content, and evaluating metadata in the email content to determine if the email content is potentially malicious. | 2016-06-30 |
20160191549 | RICH METADATA-BASED NETWORK SECURITY MONITORING AND ANALYSIS - Network security monitoring for external threats is provided that is based on rich metadata collected from internal network traffic that is analyzed for anomalies against a behavior baseline to detect the external threats. Rich metadata includes but is not limited to the information typically found in the headers of every layer of telecommunication protocols describing the communication between network entities. | 2016-06-30 |
20160191550 | MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE - A threat-aware microvisor may be deployed in a malware detection endpoint architecture and execute on an endpoint to provide exploit and malware detection within a network environment. Exploit and malware detection on the endpoint may be performed in accordance with one or more processes embodied as software modules or engines configured to detect suspicious and/or malicious behaviors of an operating system process (object), and to correlate and classify the detected behaviors as indicative of malware. Detection of suspicious and/or malicious behaviors may be performed by static and dynamic analysis of the object. Static analysis may perform examination of the object to determine whether it is suspicious, while dynamic analysis may instrument the behavior of the object as the operating system process runs via capability violations of, e.g. operating system events. A behavioral analysis logic engine and a classifier may thereafter cooperate to perform correlation and classification of the detected behaviors. | 2016-06-30 |
20160191551 | METHOD AND SYSTEM FOR DETECTING THREATS USING METADATA VECTORS - An approach for detecting network attacks using metadata vectors may initially involve receiving network communications or packets and extracting metadata items from the packets. The metadata items describe the communications without requiring deep content inspection of the data payload or contents. The communications may be clustered into groups using the metadata items. If a cluster exceeds a threshold, an alarm may be generated. | 2016-06-30 |
20160191552 | NETWORK MONITORING SYSTEM AND METHOD - A disclosed network monitoring method includes: obtaining, by a first apparatus, packets from a node outside a network to a first terminal in the network, and packets from the first terminal to a second terminal in the network; transmitting, by the first apparatus and to a third apparatus, information on first plural packets that satisfy a first condition; obtaining, by a second apparatus, packets from the first terminal to the second terminal, and packets from the second terminal to the node; transmitting, by the second apparatus and to the third apparatus, information on second plural packets that satisfy a second condition; receiving, by the third apparatus, the information on the first and second plural packets; and determining, by the third apparatus, whether an attack from outside the network occurred, based on whether a same packet is included in the first and second plural packets. | 2016-06-30 |
20160191553 | ALERT TRANSMISSION METHOD, COMPUTER-READABLE RECORDING MEDIUM, AND ALERT TRANSMISSION APPARATUS - An alert transmission method is disclosed. Behavior logs of multiple users are collected from multiple terminals. A computer groups users having a high similarity to each other based on the behavior logs. An alert is transmitted to other users belonging to a group of a user indicated by a report of a cyber attack, when receiving the report from a terminal of the user. | 2016-06-30 |
20160191554 | SYSTEM AND METHOD FOR IDENTIFICATION OF AUTOMATED BROWSER AGENTS - Disclosed herein are methods and systems for evaluating web browser behavior to report on human versus non-human activity, based on varying analyses of detectable properties. By passively detecting the code of a webpage engaged by a browsing user, the present invention evaluates the browsing user's activity in order to predict the type of user with a degree of confidence. The predictions are formed by acquiring information on how a user loads, navigates, and interacts with a webpage and comparing that information with known and unknown properties in various control groups. If the prediction yields a high likelihood of automated activity, additional active detection may be performed. Reports are compiled by analysis servers and made available to the operators of webpages. By compiling performance metrics and informing operators of fraudulent versus normal activity, the invention combats malicious automated traffic directed at any aspect of a given webpage. | 2016-06-30 |
20160191555 | Secured Automated or Semi-Automated Systems - Secured automated or semi-automated systems are provided herein. In one embodiment, a sensor system includes a sensor, a legacy computing environment that is configured to communicate with the sensor and process sensor raw data output, and transmit the processed sensor output to a first network node over the network, and a trusted computing environment configured to receive raw sensor output directly from the sensor and transmit the raw sensor output to an additional network node or the first network node over the network. | 2016-06-30 |
20160191556 | BLOCKING INTRUSION ATTACKS AT AN OFFENDING HOST - A method, apparatus, and program product are provided for protecting a network from intrusions. An offending packet communicated by an offending host coupled to a protected network is detected. In response to the detection, a blocking instruction is returned to the offending host to initiate an intrusion protection operation on the offending host, where the blocking instruction inhibits further transmission of offending packets by the offending host. At the offending host, a blocking instruction is received with a portion of an offending packet. The offending host verifies that the offending packet originated from the host. In response to the verification of the offending packet originating from the host, an intrusion protection operation is initiated on the host thereby inhibiting transmission of a subsequent outbound offending packet by the host. | 2016-06-30 |
20160191557 | Methods and Systems of Detecting and Analyzing Correlated Operations in a Common Storage - A method of detecting correlated operations in a common storage. The method comprises providing at least one input operation, each input operation being designated to write uniquely identifiable data on a memory unit of an application; monitoring a plurality of output operations of the application, each output operation including data read from the memory unit; comparing the at least one input operation with the plurality of output operations to identify at least one matching group of input and output operations, wherein each member of the at least one matching group has correlated written or read data in a common correlated target address in the memory unit; and outputting an indication of the at least one matching group. | 2016-06-30 |
20160191558 | ACCELERATED THREAT MITIGATION SYSTEM - An intrusion detection and prevention system and method for dealing with threats to computers and computer networks, and in particular to computers and networks connected to the Internet, is disclosed. A sensor receives network traffic. The sensor includes a first processor for managing the network traffic that is received, a first path for storing the received traffic in a memory for subsequent use, and a second path for analyzing the received traffic and processing it at a speed that is at least as fast as the speed of the first path. A second processor is associated with the second path so that some of the traffic is allowed along the first path while other traffic is rate limited or not allowed along the first path. The system and method use four tiers of threat detection to successively mitigate a large variety of threats. | 2016-06-30 |