Patent application number | Description | Published |
20100045993 | METHOD OF DETECTING ANALYTE - A system and method is provided for detecting concentration of an analyte in a fluid. The method comprises detecting an optical property of a first region of two or more regions in a system, the first region located in a container having a reservoir for one or more modifiers of one or more optical properties of the first region. The movement of the one or more modifiers is responsive to changes in concentration of the analyte. A next step detects an optical property of a second region of the two or more regions in the system, the second region located in a container having a reservoir for one or more modifiers of one or more optical properties of the second region. The movement of the one or more modifiers is responsive to changes in concentration of a compound, where the compound is something other than the analyte. The detected optical property of the first region and the detected optical property of the second region are used in embodiments to separate the effect of the analyte on the detected optical property of the first region from the effect of the compound, where the compound is an interfering compound. | 02-25-2010 |
20100049015 | SPECIFICITY OF ANALYTE DETECTION IN ETALONS - A system and method is provided for detecting concentration of an analyte in a fluid. A first container includes (i) an optical cavity detection region, (ii) a reservoir for one or more modifiers of one or more optical properties of the optical cavity detection region, and (iii) a set of one or more bounding regions through which objects in the fluid can transfer into the container. The optical cavity detection region and the reservoir define separate areas of the first container. The movement of the one or more modifiers between the reservoir and the optical cavity detection region is responsive to changes in concentration of the analyte. A second container includes an optical cavity detection region, and a set of one or more bounding regions through which objects in the fluid can transfer into the container. Also provided are optical components for guiding light into the optical cavity detection regions of the first and second containers. | 02-25-2010 |
20100155572 | Obtaining Sensing Results and/or Data in Response to Object Detection - An encoder/sensor can obtain sensing results from objects in an encoding/sensing region; a trigger detector can respond to objects in a trigger detection region, providing respective trigger signals; and a relative motion component can cause relative motion of objects into the trigger detection region, from it into the encoding/sensing region, and within the encoding/sensing region. In response to an object's trigger signal, control circuitry can cause the encoder/sensor and/or the relative motion component to operate so that the encoder/sensor obtains sensing results indicating a time-varying waveform and processing circuitry can obtain data from the sensing results indicating a time-varying waveform. The time-varying waveform can include information resulting from the relative motion within the encoding/sensing region. The encoder/sensor and trigger detector can be implemented, for example, with discrete components or as sets of cells in a photosensing array on an integrated circuit. | 06-24-2010 |
20100155577 | Obtaining Sensing Results Indicating Time Variation - In response to objects having relative motion within an encoding/sensing region relative to an encoder/sensor that, e.g., photosenses emanating light or performs impedance-based sensing, sensing results can indicate sensed time-varying waveforms with information about the objects, about their relative motion, about excitation characteristics, about environmental characteristics, and so forth. An encoder/sensor can include, for example, a non-periodic arrangement of sensing elements; a longitudinal sequence of sensing elements with a combined sensing pattern that approximates a superposition or scaled superposition of simpler sensing patterns; and/or IC-implemented sensing elements that include photosensing arrays on ICs and readout/combine circuitry that reads out photosensed quantities from cells in groups in accordance with cell-group sensing patterns and combines the readout photosensed quantities to obtain the sensing results. Objects can move fluidically as in flow cytometry, through scanning movement as in document scanning, or in other ways. | 06-24-2010 |
20100185143 | SENSOR SYSTEM FOR DRUG DELIVERY DEVICE, DRUG DELIVERY DEVICE HAVING THE SAME AND METHOD OF USING THE SAME - A system for use with a drug delivery device includes a sensor unit and a deactivation unit operatively coupled to an output of the sensor unit and to a drug-retaining region of the drug delivery device, wherein the drug-retaining region contains a drug. The sensor unit is configured to detect a characteristic of a local environment and generate an output corresponding to a value of the detected characteristic. The deactivation unit is configured to render the drug ineffective when the output of the sensor unit satisfies a predetermined condition. | 07-22-2010 |
20110222062 | ANALYZERS WITH TIME VARIATION BASED ON COLOR-CODED SPATIAL MODULATION - A filter arrangement can transmit and/or reflect light emanating from a moving object so that the emanating light has time variation, and the time variation can include information about the object, such as its type. For example, emanating light from segments of a path can be transmitted/reflected through positions of a filter assembly, and the transmission functions of the positions can be sufficiently different that time variation occurs in the emanating light between segments. Or emanating light from a segment can be transmitted/reflected through a filter component in which simpler transmission functions are superimposed, so that time variation occurs in the emanating light in accordance with superposition of two simpler non-uniform transmission functions. Many filter arrangements could be used, e.g. the filter component could include the filter assembly, which can have one of the simpler non-uniform transmission functions. Time-varying waveforms from sensing results can be compared to obtain spectral differences. The filter arrangement, in a practical commercial embodiment, can be manufactured to be disposable, and used in a point-of-care device for use practically anywhere, at low cost, and can also be implemented in an in-line monitoring system. | 09-15-2011 |
20120132255 | Solar Energy Harvesting Device Using Stimuli-Responsive Material - A solar energy harvesting system including a sunlight concentrating member (e.g., a lens array) for focusing direct sunlight at predetermined focal points inside a waveguide containing a stimuli-responsive material (SRM) that is evenly distributed throughout the waveguide material such that the SRM assumes a relatively high transparency state away from the focused sunlight, and small light-scattering portions of the SRM change to a relatively opaque (light scattering) state only in focal zone regions adjacent to the concentrated sunlight. The outer waveguide surfaces are locally parallel (e.g., planar) and formed such that sunlight scattered by the light-scattering SRM portions is transmitted by total internal reflection through the remaining transparent waveguide material, and outcoupled to one or more solar energy receivers (e.g., PV cells) that are disposed outside the waveguide (e.g., along the peripheral edge). | 05-31-2012 |
20130016746 | Vertical Surface Emitting Semiconductor Device - A semiconductor light emitting device includes a pump light source, a gain structure, and an out-coupling mirror. The gain structure is comprised of InGaN layers that have resonant excitation absorption at the pump wavelength. Light from the pump light source causes the gain structure to emit light, which is reflected by the out-coupling mirror back to the gain structure. A distributed Bragg reflector causes internal reflection within the gain structure. The out-coupling mirror permits light having sufficient energy to pass therethrough for use external to the device. A frequency doubling structure may be disposed between the gain structure and the out-coupling mirror. Output wavelengths in the deep-UV spectrum may be achieved. | 01-17-2013 |
20130037726 | COMPACT ANALYZER WITH SPATIAL MODULATION AND MULTIPLE INTENSITY MODULATED EXCITATION SOURCES - A compact analyzer includes a flow cell having a flow channel through which a sample is made to pass. First and second light sources are arranged to emit first and second excitation light into first and second overlapping portions of the flow channel, respectively. The first excitation light stimulates a first light emission from particles of a first particle type that may be present in the sample; the second excitation light stimulates a second light emission from particles of a second particle type. A detector receives the first and second light emission from the corresponding particles present in the sample in a detection portion of the flow channel, and provides a detector output based on the received light emission. The light sources are modulated at different frequencies so that a frequency analysis of the detector output can provide separate information about the first and second particle types. | 02-14-2013 |
20130085352 | Controlling Transfer of Objects Affecting Optical Characteristics - An implantable product such as an article, device, or system can include analyte and non-analyte containers in parts that can be operated as optical cavities. The product can also include fluidic components such as filter assemblies that control transfer of objects that affect or shift spectrum features or characteristics such as by shifting transmission mode peaks or reflection mode valleys, shifting phase, reducing maxima or contrast, or increasing intermediate intensity width such as full width half maximum (FWHM). Analyte, e.g. glucose molecules, can be predominantly included in a set of objects that transfer more rapidly into the analyte container than other objects, and can have a negligible or zero rate of transfer into the non-analyte container; objects that transfer more rapidly into the non-analyte container can include objects smaller than the analyte or molecules of a set of selected types, including, e.g., sodium chloride. Output light from the containers accordingly includes information about analyte. | 04-04-2013 |
20130153771 | TRAFFIC MONITORING BASED ON NON-IMAGING DETECTION - Traffic monitors based on non-imaging radiation detectors are described. A traffic monitor includes a non-imaging radiation detector that senses spatially patterned radiation emanating from objects moving in a traffic pattern. The detector generates a time varying output signal based on the sensed radiation. Signal processing circuitry is used to analyze the time varying output signal using time domain analysis to provide the traffic information. | 06-20-2013 |
20140087971 | MULTIPLEXED FLOW ASSAY BASED ON ABSORPTION-ENCODED MICRO BEADS - Analysis of a system and/or sample involves the use of absorption-encoded micro beads. Each type of micro bead is encoded with amounts of the k dyes in a proportional relationship that is different from proportional relationships of the k dyes of others of the n types of absorption-encoded micro beads. A system and/or a sample can be analyzed using information obtained from detecting the one or more types of absorption-encoded micro beads. | 03-27-2014 |
20140192359 | ANALYZERS WITH TIME VARIATION BASED ON COLOR-CODED SPATIAL MODULATION - A filter arrangement can transmit and/or reflect light emanating from a moving object so that the emanating light has time variation, and the time variation can include information about the object, such as its type. For example, emanating light from segments of a path can be transmitted/reflected through positions of a filter assembly, and the transmission functions of the positions can be sufficiently different that time variation occurs in the emanating light between segments. Or emanating light from a segment can be transmitted/reflected through a filter component in which simpler transmission functions are superimposed, so that time variation occurs in the emanating light in accordance with superposition of two simpler non-uniform transmission functions. Many filter arrangements could be used, e.g. the filter component could include the filter assembly, which can have one of the simpler non-uniform transmission functions. Time-varying waveforms from sensing results can be compared to obtain spectral differences. The filter arrangement, in a practical commercial embodiment, can be manufactured to be disposable, and used in a point-of-care device for use practically anywhere, at low cost, and can also be implemented in an in-line monitoring system. | 07-10-2014 |
20140273009 | COMPOSITIONS AND METHODS FOR PERFORMING ASSAYS - The disclosure relates to compositions for use in assays, the compositions comprising at least one latent fluorophore including at least one enzyme-reactive quenching group and a conjugative group; and a support connectable to the latent fluorophore by the conjugative group. The disclosure further relates to methods of measuring the presence and/or concentration of an analyte, as well as methods of measuring the relative activity of at least two enzymes. | 09-18-2014 |
20150105295 | MULTIPLEXED FLOW ASSAY BASED ON ABSORPTION-ENCODED MICRO BEADS - Analysis of a system and/or sample involves the use of absorption-encoded micro beads. Each type of micro bead is encoded with amounts of the k dyes in a proportional relationship that is different from proportional relationships of the k dyes of others of the n types of absorption-encoded micro beads. A system and/or a sample can be analyzed using information obtained from detecting the one or more types of absorption-encoded micro beads. | 04-16-2015 |
20150177118 | FLUIDIC OPTICAL CARTRIDGE - Embodiments are directed to an apparatus that includes a fluidic structure and optical components. The fluidic structure includes a transparent channel through which objects in an analyte fluid can travel along respective paths during operation of the apparatus. The optical components are configured to provide measurement light to the objects traveling through the transparent channel. The fluidic structure is configured to reversibly engage with a host structure. The host structure includes a source of the measurement light and electronics to receive and process output light emanating from the objects traveling in the channel. The fluidic structure makes an air-tight seal when engaged with the host structure. | 06-25-2015 |
20150177119 | FLOW CYTOMETER - Embodiments are directed to a host structure that includes a waveguide configured to deliver measurement light to a compartment at least partially within the host structure. The compartment is configured to reversibly engage a fluidic optical cartridge. The host structure also includes a detector configured to receive and process output light emanating from the fluidic optical cartridge as well as electronics to process signals from the detector. | 06-25-2015 |
20150233703 | SPATIAL MODULATION OF LIGHT TO DETERMINE OBJECT LENGTH - Spatially modulated light emanating from an object moving along a flow path is used to determine various object characteristics including object length along the flow direction. Light emanating from at least one object moving along in a flow path along a flow direction of a spatial filter is sensed. The intensity of the sensed light is time modulated according to features of the spatial filter. A time varying electrical signal is generated which includes a plurality of pulses in response to the sensed light. Pulse widths of at least some of the pulses are measured at a fraction of a local extremum of the pulses. The length of the object along the flow direction is determined based on the measured pulse widths. | 08-20-2015 |
20150233704 | SPATIAL MODULATION OF LIGHT TO DETERMINE DIMENSIONAL CHARACTERISTICS OF OBJECTS IN A FLOW PATH - A device includes a spatial filter arranged in a Cartesian coordinate system having orthogonal x, y, and z axes. The spatial filter has mask features that are more light transmissive and mask features that are less light transmissive. The mask features are arranged along the x-axis in the flow direction of a flow path. A detector is positioned to detect light emanating from at least one object in the flow path, the object having a width along the y-axis, a thickness along the z-axis, and a length along the x-axis. Light emanating from the object is time modulated according to the mask features as the object moves along the flow path. The detector is configured to generate a time-varying electrical signal in response to the detected light that includes information about the width or thickness of the object. | 08-20-2015 |
20150276387 | SPATIAL MODULATION OF LIGHT TO DETERMINE OBJECT POSITION - Approaches for determining object position in a flow path are disclosed. A system includes a spatial filter having a length disposed along a longitudinal axis of the flow path and a width along a lateral axis of the flow path. The spatial filter has mask features configured to modulate light. Light emanating from objects moving along the flow path is detected. The detected light has a component along a detection axis that makes a non-zero angle with respect to the longitudinal and lateral axes. An electrical output signal that includes information about the trajectory depth of the object is generated in response to the detected light. | 10-01-2015 |
20150276486 | DETERMINATION OF COLOR CHARACTERISTICS OF OBJECTS USING SPATIALLY MODULATED LIGHT - A system is configured to determine a color distribution of an object moving along a flow direction relative to a spatial filter. The light emanating from the object is time modulated according to the mask features of the spatial filter. First and second detectors are arranged to sense the modulated light. The first detector senses light having a first wavelength spectrum and generates a first electrical output signal in response to the sensed light. The second detector senses light having a second wavelength spectrum and generates a second electrical output signal in response to the sensed light. Signals from the first and second detectors include information about color distribution of the object. | 10-01-2015 |
20150285622 | MONITOR FOR PARTICLE INJECTOR - Approaches for determining the delivery success of a particle, such as a drug particle, are disclosed. A system for monitoring delivery of particles to biological tissue includes a volume, an optical component, a detector, and an analyzer. The volume comprises a space through which a particle can pass in a desired direction. The optical component is configured to provide a measurement light. The detector is positioned to detect light emanating from the particle in response to the measurement light. The detected light is modulated as the particle moves along a detection axis. The detector is configured to generate a time-varying signal in response to the detected light. The analyzer is configured to receive the time-varying signal and determine a delivery success of the particle into a biological tissue based upon characteristics of the time-varying signal. | 10-08-2015 |
20150359522 | POINT OF CARE URINE TESTER AND METHOD - A urine capturing arrangement is configured to receive urine from a user of a toilet, and a chamber is fluidically coupled to the capturing arrangement. A diverter is fluidically coupled between the capturing arrangement and the chamber. The diverter is configured to divert a volume of the received urine to the chamber. A detection unit is configured to sense for presence of a predetermined characteristic in the volume of the urine and to generate at least one electrical signal comprising information about the predetermined characteristic. | 12-17-2015 |
Patent application number | Description | Published |
20130276054 | RECORDING ACTIVITY-TRIGGERED COMPUTER VIDEO OUTPUT - An application that is capable of monitoring Internet or network traffic and performing recordings of computer video output based on one or more violations of network activity policies. The recording application can be installed on the computer to be recorded or another computer or server that is connected through the network to the computer to be recorded. The monitoring application contains a configuration interface that allows a user to set thresholds for certain types of network policy violations. When the one or more violations are detected, the recording application will begin recording video of the computer's video activity. The application can be configured to include settings such as the length of the recording. In a typical environment, the application is a hardware appliance that is capable of monitoring web activity and network traffic and can connect to the computer over the network in order to perform the recording. | 10-17-2013 |
20130283385 | RESTRICTING COMMUNICATION OVER AN ENCRYPTED NETWORK CONNECTION TO INTERNET DOMAINS THAT SHARE COMMON IP ADDRESSES AND SHARED SSL CERTIFICATES - An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain. | 10-24-2013 |
20130315566 | Recording Activity-Triggered Computer Video Output - An application that is capable of monitoring Internet or network traffic and performing recordings of computer video output based on one or more violations of network activity policies. The recording application can be installed on the computer to be recorded or another computer or server that is connected through the network to the computer to be recorded. The monitoring application contains a configuration interface that allows a user to set thresholds for certain types of network policy violations. When the one or more violations are detected, the recording application will begin recording video of the computer's video activity. The application can be configured to include settings such as the length of the recording. In a typical environment, the application is a hardware appliance that is capable of monitoring web activity and network traffic and can connect to the computer over the network in order to perform the recording. | 11-28-2013 |
20140304808 | Device-Specific Authentication Credentials - Methods and systems for providing device-specific authentication are described. One example method includes generating device-specific credentials, associating the device-specific credentials with a device, authenticating the device based on the device-specific credentials, and after authenticating the device, authenticating a user of the device based on user-specific credentials associated with the user and different than the device-specific credentials. | 10-09-2014 |
20140317295 | Allocating a Pool of Shared Bandwidth - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for allocating a pool of shared Internet bandwidth. One of the methods includes providing a first communications channel having a first bandwidth, the first bandwidth being shared by a first group of first users, providing a second communications channel having a second bandwidth different than the first bandwidth, the second bandwidth being shared by a second group of second users, detecting that at least one first data connection for a particular first user in the first group has satisfied a first predetermined condition, and moving, based on the detecting, the at least one first data connection for the particular first user from the first communications channel to the second communications channel. | 10-23-2014 |
20140317397 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - A device within the network receives a domain name service (DNS) request for an address of a first resource outside the network, the first resource associated with a security policy of the network. An address of a second resource within the network is returned to the device within the network in response to the DNS request, the second resource address having previously been associated with the first resource address. A first encrypted connection is established between the device and the second resource, and a second encrypted connection is established between the second resource and the first resource, to facilitate encrypted communication traffic between the device and the first resource. The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource. | 10-23-2014 |
20140337613 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies. | 11-13-2014 |
20140343989 | IMPLICITLY LINKING ACCESS POLICIES USING GROUP NAMES - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implicitly linking access policies using group names. One of the methods includes receiving first information corresponding to a directory service of network users, the directory service configured to organize the network users into a plurality of user roles, receiving second information corresponding to a resource available to the network users, the resource having a plurality of policy groups, identifying at least one first user role name that matches at least one first policy group name, and linking the user role corresponding to the matched first user role name with the policy group corresponding to the matched first policy group name such that the one or more network users in the linked user role are subject to the usage policies associated with the linked policy group. | 11-20-2014 |
20140351573 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for selectively performing man in the middle decryption. One of the methods includes receiving a first request to access a first resource hosted by a server outside the network, determining whether requests from the client device to access the first resource outside the network should be redirected to a second resource hosted by a proxy within the network, providing a redirect response to the client device, the redirect response including the second universal resource identifier, establishing a first encrypted connection between the client device and the proxy hosting the second resource, and a second encrypted connection between the proxy hosting the second domain and the server hosting the first resource, and decrypting and inspecting the encrypted communication traffic passing between the client device and the server hosting the first resource. | 11-27-2014 |
20150026240 | LOCATION BASED NETWORK USAGE POLICIES - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for location based network usage policies. One of the methods includes storing information defining a plurality of network policy groups, receiving first information indicating that a client device is connected to the network at a first physical location, and identifying a first user role associated with the client device, identifying, from among the plurality of network policy groups, a first network policy group having both (i) an associated first policy location that corresponds to the client device's first physical location, and (ii) an associated policy role that corresponds to the client device's first user role, and regulating the client device's access to resources available on the network based on the one or more network usage policies associated with the identified first network policy group. | 01-22-2015 |
20150029850 | LOAD BALANCING NETWORK ADAPTER - Methods and systems for providing device-specific authentication are described. One example method includes receiving, by an input port of a network adapter within the computer system, a stream of network traffic; dividing, by load balancing logic within the network adapter, the received stream of network traffic into a plurality of substreams; and presenting the plurality of substreams to respective interfaces of the network adapter, each network adapter interface being accessible by an operating system executing on the computer system. | 01-29-2015 |
20150033298 | DEVICE AUTHENTICATION USING PROXY AUTOMATIC CONFIGURATION SCRIPT REQUESTS - Methods and systems for performing device authentication using proxy automatic configuration script requests are described. One example method includes generating a unique key for a client device; configuring the client device to send a request for a proxy automatic configuration (PAC) script upon accessing a network, the request including the unique key; receiving, over a network, a request for the PAC script including a request key; and authenticating the client device on the network if the request key matches the client device's unique key. | 01-29-2015 |
20150039713 | CONTENT CACHING - A gateway within a network intercepts a request by a client within the network for content associated with a server outside the network, the client having a direct connection with the server outside the network. The method further includes determining whether a copy of the requested content is available in a cache within the network. The method further includes, if the copy of the requested content is determined to be available in the cache within the network, transmitting a redirect response to the client to cause the client to retrieve the copy of the requested content from the cache within the network. The method further includes, if the copy of the requested content is determined not to be available in the cache within the network, permitting the intercepted content request by the client to be transmitted to the server outside the network to cause the requested content to be retrieved via the direct connection between the server outside the network and the client within the network. | 02-05-2015 |
20150046343 | USER DEVICE RECYCLING - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for recycling a user device. One of the methods includes facilitating a device analysis application to be stored and installed on a user device, testing, by the device analysis application executing on the user device, one or more properties of the user device, determining an exchange value of the user device based at least in part on a result of testing the one or more properties of the user device, and presenting the determined exchange value to an operator of the user device. | 02-12-2015 |
20150046588 | SWITCHING BETWEEN NETWORKS - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for switching between parallel networks. One of the methods includes maintaining a plurality of parallel networks including a first network that precludes access to secure resources, and a second network that provides access both to unsecured resources and secured resources, enabling a user device access to connect to the first network, receiving input from the user device seeking access to one or more secured resources, in response to the received input, installing a device management profile on the user device, and causing the user device to switch from the connection to the first network to a connection to the second network. | 02-12-2015 |
20150052345 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to a location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource. | 02-19-2015 |
20150096005 | MOBILE DEVICE MANAGEMENT PROFILE DISTRIBUTION - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automated mobile device management profile distribution. One of the methods includes receiving a first request for access to a first network resource from a client device, the first network resource corresponding to one of a plurality of restricted resources accessible only by devices enrolled with a mobile device management system, determining that the client device is not enrolled with the mobile device management system, preventing the client device access to the first network resource, providing to the client device a redirect to a mobile device management resource that is different from the first network resource, providing instructions for presentation of a user interface to the client device, and enrolling the client device with the mobile device management system, the enrolling comprising providing a copy of the mobile device management profile to the client device. | 04-02-2015 |
20150113147 | Allocating a Pool of Shared Bandwidth - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for allocating a pool of shared Internet bandwidth. One of the methods includes providing a first communications channel having a first bandwidth, the first bandwidth being shared by a first group of first users, providing a second communications channel having a second bandwidth different than the first bandwidth, the second bandwidth being shared by a second group of second users, detecting that at least one first data connection for a particular first user in the first group has satisfied a first predetermined condition, and moving, based on the detecting, the at least one first data connection for the particular first user from the first communications channel to the second communications channel. | 04-23-2015 |
20150143110 | MANAGE ENCRYPTED NETWORK TRAFFIC USING SPOOFED ADDRESSES - Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name, the response including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting the secure request based at least in part on determining that the secure request is directed to the domain name. | 05-21-2015 |
20150215286 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies. | 07-30-2015 |
20150215296 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to a location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource. | 07-30-2015 |
20150242415 | DETECTING AND MANAGING ABNORMAL DATA BEHAVIOR - Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule. | 08-27-2015 |
20150244822 | LOCATION BASED NETWORK USAGE POLICIES - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for location based network usage policies. One of the methods includes storing information defining a plurality of network policy groups, receiving first information indicating that a client device is connected to the network at a first physical location, and identifying a first user role associated with the client device, identifying, from among the plurality of network policy groups, a first network policy group having both (i) an associated first policy location that corresponds to the client device's first physical location, and (ii) an associated policy role that corresponds to the client device's first user role, and regulating the client device's access to resources available on the network based on the one or more network usage policies associated with the identified first network policy group. | 08-27-2015 |
20150256416 | APPLYING POLICIES TO SUBNETS - Associations are maintained among a plurality of subnets, policies, and client types. Each subnet has an associated client type and policy. For a particular client device, (i) a client type of the particular client device, and (ii) a client type associated with the subnet on which the particular client device is hosted is determined. For the particular client device, (i) the determined client type of the particular client device with (ii) the determined client type associated with the subnet on which the particular client device is hosted is compared. Responsive to a determination that the client type of the particular client device matches the client type associated with the subnet that hosts the particular client device, a policy is applied to the particular client device. | 09-10-2015 |
20150256516 | MANAGE ENCRYPTED NETWORK TRAFFIC USING SPOOFED ADDRESSES - Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; identifying a user identity associated with the secure request; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting and/or blocking the secure request based at least in part on determining that the secure request is directed to the domain name and based at least in part on the user identity associated with the secure request. | 09-10-2015 |
20150261953 | Recording Activity-Triggered Computer Video Output - An application that is capable of monitoring Internet or network traffic and performing recordings of computer video output based on one or more violations of network activity policies. The recording application can be installed on the computer to be recorded or another computer or server that is connected through the network to the computer to be recorded. The monitoring application contains a configuration interface that allows a user to set thresholds for certain types of network policy violations. When the one or more violations are detected, the recording application will begin recording video of the computer's video activity. The application can be configured to include settings such as the length of the recording. In a typical environment, the application is a hardware appliance that is capable of monitoring web activity and network traffic and can connect to the computer over the network in order to perform the recording. | 09-17-2015 |
20150271209 | SOFT WEBSITE BLOCK OVERRIDE - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for overriding a soft website block. One of the methods includes receiving, from a user device, a request to access a resource, determining, using a first policy group for the user device, that the user device should be prevented from accessing the resource, providing, to the user device and based on determining that the user device should be prevented from accessing the resource, instructions for the presentation of a user interface including a user credentials field, receiving user credentials from the user device, determining that the user credentials are the same as credentials used to log onto the user device, and allowing the user device access to the resource. | 09-24-2015 |
20150281275 | NETWORK NOTIFICATIONS - A request is received from a device within a network for a resource on a server outside of the network. The resource is subject to a policy of the network. An informational webpage is served to the device; the webpage includes an interface element. An indication of a selection of the interface element is received; the resource is served to the device from a proxy server configured to apply the policy to the resource. | 10-01-2015 |
20150301982 | GENERATING PROXY AUTOMATIC CONFIGURATION SCRIPTS - Methods and systems for generating a proxy automatic configuration (PAC) script based on the location of a device. One example method includes receiving a request for a proxy automatic configuration (PAC) script from a source address associated with a device; determining, based at least in part on the source address, a location of the device; generating a PAC script based at least in part on the determined location of the device; and sending a response to the request for the PAC script including the generated PAC script. | 10-22-2015 |
20150333980 | MAINTAINING IP TABLES - Data including a set of one or more resources and one or more associated IP addresses is updated based on monitored DNS responses. A request is received from a client device for a resource identified by an IP address. The IP address is matched to one of the IP addresses in the set of one or more IP addresses. A particular resource associated with the matched IP address is identified. A particular network policy that applies is identified. The identified particular network policy is applied to the received request. | 11-19-2015 |
20150334103 | DEVICE AUTHENTICATION USING PROXY AUTOMATIC CONFIGURATION SCRIPT REQUESTS - Methods and systems for performing device authentication using proxy automatic configuration script requests are described. One example method includes generating a unique key for a client device; configuring the client device to send a request for a proxy automatic configuration (PAC) script upon accessing a network, the request including the unique key; receiving, over a network, a request for the PAC script including a request key; and authenticating the client device on the network if the request key matches the client device's unique key. | 11-19-2015 |
20150334116 | MAINTAINING IP TABLES - Data including a set of one or more resources and one or more associated IP addresses is updated based on data from a DNS server. A request is received from a client device for a resource identified by an IP address. The IP address is matched to one of the IP addresses in the set of one or more IP addresses. A particular resource associated with the matched IP address is identified. A particular network policy that applies is identified. The identified particular network policy is applied to the received request. | 11-19-2015 |
20150341228 | NETWORK NOTIFICATIONS - A request is received from a device within a network for a resource on a server outside of the network. The resource is subject to a policy of the network. An informational webpage is served to the device; the webpage includes an interface element. An indication of a selection of the interface element is received; the resource is served to the device from a proxy server configured to apply the policy to the resource. | 11-26-2015 |
20150381559 | MANAGE ENCRYPTED NETWORK TRAFFIC USING DNS RESPONSES - The present disclosure generally relates to managing encrypted network traffic using Domain Name System (DNS) responses. One example method includes requesting an address associated with a domain name from a resolution server, the domain name included in a predetermined set of domain names for which secure requests are to be identified; receiving a response from the resolution server including one or more addresses associated with the domain name; associating with the domain name a particular address selected from the received one or more addresses; receiving a request to resolve the domain name; sending a response to the request to resolve the domain name, the sent response including the particular address associated with the domain name; receiving a secure request for a resource, the secure request directed to the particular address associated with the domain name; and determining that the secure request is directed to the domain name based on the association between the particular address and the domain name. | 12-31-2015 |
20150381570 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to a location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource. | 12-31-2015 |
20150381583 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for selectively performing man in the middle decryption. One of the methods includes receiving a first request to access a first resource hosted by a server outside the network, determining whether requests from the client device to access the first resource outside the network should be redirected to a second resource hosted by a proxy within the network, providing a redirect response to the client device, the redirect response including the second universal resource identifier, establishing a first encrypted connection between the client device and the proxy hosting the second resource, and a second encrypted connection between the proxy hosting the second domain and the server hosting the first resource, and decrypting and inspecting the encrypted communication traffic passing between the client device and the server hosting the first resource. | 12-31-2015 |
20150381584 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies. | 12-31-2015 |
20160006624 | MAINTAINING IP TABLES - Data including a set of one or more resources and one or more associated IP addresses is updated based on monitored DNS responses. A request is received from a client device for a resource identified by an IP address. The IP address is matched to one of the IP addresses in the set of one or more IP addresses. A particular resource associated with the matched IP address is identified. A particular network policy that applies is identified. The identified particular network policy is applied to the received request. | 01-07-2016 |
20160026788 | Selectively introducing security issues in a sandbox environment to elicit malicious application behavior - One example method includes configuring the virtual machine environment to introduce one or more security issues within the virtual machine environment, wherein each security issue elicits a particular malicious application to perform malicious actions when introduced during execution of the particular malicious application; executing a software application within the virtual machine environment; detecting at least one of the malicious actions being performed by the software application during execution within the virtual machine environment; and initiating an analysis action in response to detecting at least one of the malicious actions being performed by the software application. | 01-28-2016 |
20160026789 | EMULATING EXPECTED NETWORK COMMUNICATIONS TO APPLICATIONS IN A VIRTUAL MACHINE ENVIRONMENT - One example method includes executing a software application within the virtual machine environment; during execution of the software application, detecting a network request sent from the software application within the virtual machine environment, the network request formatted according to a particular network protocol; in response to detecting the network request: determining an expected response to the network request based on at least one of information included in the network request or the particular network protocol; and providing the expected response to the software application within the virtual machine environment. | 01-28-2016 |
20160026798 | Selectively Capturing Video in a Virtual Environment Based on Application Behavior - One example method includes executing a software application within the virtual machine environment; during execution of the software application, detecting one or more actions specified by a malicious application policy being performed by the software application within the virtual machine environment, the malicious application policy specifying one or more actions that will trigger video capture in the virtual machine environment executing the software application; and initiating capture of a video signal of the virtual machine environment in response to detecting the one or more actions specified by the malicious application policy. | 01-28-2016 |
20160036830 | Web Redirection for Content Scanning - This specification generally relates to using redirect messages to implement content scanning. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be analyzed; sending a redirect response to the client including a modified location for the network resource different than the original location; receiving a second request for the network resource from the client, the second request including the modified location; in response to receiving the second request for the network resource from the client: retrieving the network resource from the original location; determining that the retrieved network resource is suitable to send to the client; and in response to determining that the retrieved network resource is suitable, sending the retrieved network resource to the client. | 02-04-2016 |
20160036831 | WEB REDIRECTION FOR CONTENT FILTERING - This specification generally relates to using redirect messages to implement content filtering. One example method includes determining that access to a network resource should be redirected based at least in part on access behavior associated with the network resource; receiving from a client a first request for the network resource, the first request including an original location of the network resource; sending a redirect response to the client including a modified location for the network resource different than the original location; receiving a second request for the network resource from the client including the modified location; retrieving the network resource from the original location; performing at least one action on the retrieved network resource; and selectively sending the retrieved network resource to the client based at least in part on a result associated with the at least one action. | 02-04-2016 |
20160036934 | WEB REDIRECTION FOR CACHING - This specification generally relates to using redirect messages to implement caching. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be cached; sending a redirect response to the client including a cache location for the network resource; receiving a second request for the network resource from the client, the second request including the cache location; in response to receiving the second request for the network resource from the client: determining that the network resource has not been previously cached; retrieving the network resource from the original location; caching the retrieved network resource in a location associated with the cache location for the network resource; and sending the retrieved network resource to the client. | 02-04-2016 |
20160036936 | Web Redirection for Caching - This specification generally relates to using redirect messages to implement caching. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be cached; sending a redirect response to the client including a cache location for the network resource; receiving a second request for the network resource from the client, the second request including the cache location; in response to receiving the second request for the network resource from the client: determining that the network resource has not been previously cached; retrieving the network resource from the original location; caching the retrieved network resource in a location associated with the cache location for the network resource; and sending the retrieved network resource to the client. | 02-04-2016 |
Patent application number | Description | Published |
20150242415 | DETECTING AND MANAGING ABNORMAL DATA BEHAVIOR - Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule. | 08-27-2015 |
20150256516 | MANAGE ENCRYPTED NETWORK TRAFFIC USING SPOOFED ADDRESSES - Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; identifying a user identity associated with the secure request; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting and/or blocking the secure request based at least in part on determining that the secure request is directed to the domain name and based at least in part on the user identity associated with the secure request. | 09-10-2015 |
20150271209 | SOFT WEBSITE BLOCK OVERRIDE - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for overriding a soft website block. One of the methods includes receiving, from a user device, a request to access a resource, determining, using a first policy group for the user device, that the user device should be prevented from accessing the resource, providing, to the user device and based on determining that the user device should be prevented from accessing the resource, instructions for the presentation of a user interface including a user credentials field, receiving user credentials from the user device, determining that the user credentials are the same as credentials used to log onto the user device, and allowing the user device access to the resource. | 09-24-2015 |
20150301982 | GENERATING PROXY AUTOMATIC CONFIGURATION SCRIPTS - Methods and systems for generating a proxy automatic configuration (PAC) script based on the location of a device. One example method includes receiving a request for a proxy automatic configuration (PAC) script from a source address associated with a device; determining, based at least in part on the source address, a location of the device; generating a PAC script based at least in part on the determined location of the device; and sending a response to the request for the PAC script including the generated PAC script. | 10-22-2015 |
20150381559 | MANAGE ENCRYPTED NETWORK TRAFFIC USING DNS RESPONSES - The present disclosure generally relates to managing encrypted network traffic using Domain Name System (DNS) responses. One example method includes requesting an address associated with a domain name from a resolution server, the domain name included in a predetermined set of domain names for which secure requests are to be identified; receiving a response from the resolution server including one or more addresses associated with the domain name; associating with the domain name a particular address selected from the received one or more addresses; receiving a request to resolve the domain name; sending a response to the request to resolve the domain name, the sent response including the particular address associated with the domain name; receiving a secure request for a resource, the secure request directed to the particular address associated with the domain name; and determining that the secure request is directed to the domain name based on the association between the particular address and the domain name. | 12-31-2015 |
20160026788 | Selectively introducing security issues in a sandbox environment to elicit malicious application behavior - One example method includes configuring the virtual machine environment to introduce one or more security issues within the virtual machine environment, wherein each security issue elicits a particular malicious application to perform malicious actions when introduced during execution of the particular malicious application; executing a software application within the virtual machine environment; detecting at least one of the malicious actions being performed by the software application during execution within the virtual machine environment; and initiating an analysis action in response to detecting at least one of the malicious actions being performed by the software application. | 01-28-2016 |
20160026789 | EMULATING EXPECTED NETWORK COMMUNICATIONS TO APPLICATIONS IN A VIRTUAL MACHINE ENVIRONMENT - One example method includes executing a software application within the virtual machine environment; during execution of the software application, detecting a network request sent from the software application within the virtual machine environment, the network request formatted according to a particular network protocol; in response to detecting the network request: determining an expected response to the network request based on at least one of information included in the network request or the particular network protocol; and providing the expected response to the software application within the virtual machine environment. | 01-28-2016 |
20160026798 | Selectively Capturing Video in a Virtual Environment Based on Application Behavior - One example method includes executing a software application within the virtual machine environment; during execution of the software application, detecting one or more actions specified by a malicious application policy being performed by the software application within the virtual machine environment, the malicious application policy specifying one or more actions that will trigger video capture in the virtual machine environment executing the software application; and initiating capture of a video signal of the virtual machine environment in response to detecting the one or more actions specified by the malicious application policy. | 01-28-2016 |
20160036830 | Web Redirection for Content Scanning - This specification generally relates to using redirect messages to implement content scanning. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be analyzed; sending a redirect response to the client including a modified location for the network resource different than the original location; receiving a second request for the network resource from the client, the second request including the modified location; in response to receiving the second request for the network resource from the client: retrieving the network resource from the original location; determining that the retrieved network resource is suitable to send to the client; and in response to determining that the retrieved network resource is suitable, sending the retrieved network resource to the client. | 02-04-2016 |
20160036831 | WEB REDIRECTION FOR CONTENT FILTERING - This specification generally relates to using redirect messages to implement content filtering. One example method includes determining that access to a network resource should be redirected based at least in part on access behavior associated with the network resource; receiving from a client a first request for the network resource, the first request including an original location of the network resource; sending a redirect response to the client including a modified location for the network resource different than the original location; receiving a second request for the network resource from the client including the modified location; retrieving the network resource from the original location; performing at least one action on the retrieved network resource; and selectively sending the retrieved network resource to the client based at least in part on a result associated with the at least one action. | 02-04-2016 |
20160036934 | WEB REDIRECTION FOR CACHING - This specification generally relates to using redirect messages to implement caching. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be cached; sending a redirect response to the client including a cache location for the network resource; receiving a second request for the network resource from the client, the second request including the cache location; in response to receiving the second request for the network resource from the client: determining that the network resource has not been previously cached; retrieving the network resource from the original location; caching the retrieved network resource in a location associated with the cache location for the network resource; and sending the retrieved network resource to the client. | 02-04-2016 |
20160036936 | Web Redirection for Caching - This specification generally relates to using redirect messages to implement caching. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be cached; sending a redirect response to the client including a cache location for the network resource; receiving a second request for the network resource from the client, the second request including the cache location; in response to receiving the second request for the network resource from the client: determining that the network resource has not been previously cached; retrieving the network resource from the original location; caching the retrieved network resource in a location associated with the cache location for the network resource; and sending the retrieved network resource to the client. | 02-04-2016 |