Patent application number | Description | Published |
20090132642 | DELEGATING APPLICATION INVOCATION BACK TO CLIENT - Aspects of the subject matter described herein relate to delegating application invocation back to a client. In aspects, a server hosts an application that has a user interface that is presented on a client. User interaction on the user interface is encoded and sent to the server to give to the application. When the user uses the application such that another application is to be executed, a server delegator determines whether to execute the other application on the server or the client. If the application is to be executed on the client, the server delegator instructs a component that executes on the client to execute the application on the client. Otherwise, the application is executed on the server and data representing the user interface of the application is sent to the client so that the client may present the user interface to a user. | 05-21-2009 |
20090177514 | SERVICES USING GLOBALLY DISTRIBUTED INFRASTRUCTURE FOR SECURE CONTENT MANAGEMENT - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178108 | ENTERPRISE SECURITY ASSESSMENT SHARING FOR OFF-PREMISE USERS USING GLOBALLY DISTRIBUTED INFRASTRUCTURE - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and off-premise or roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178109 | Authentication in a globally distributed infrastructure for secure content management - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178131 | GLOBALLY DISTRIBUTED INFRASTRUCTURE FOR SECURE CONTENT MANAGEMENT - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178132 | Enterprise Security Assessment Sharing For Consumers Using Globally Distributed Infrastructure - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090254984 | HARDWARE INTERFACE FOR ENABLING DIRECT ACCESS AND SECURITY ASSESSMENT SHARING - Native IPv6 capabilities are provided to an IPv4 network node, device, or endpoint using a hardware interface that supports network communication under a Direct Access model. The Direct Access model supports IPv6 communication with IPsec and enforces Network Access Protection (“NAP”) health requirement policies for endpoints that are network clients. A Direct Access-ready server is enabled using a hardware interface that implements IPv4 to IPv6 translation and optionally IPsec termination capability. A Direct Access-ready client is enabled using a hardware interface that implements IPv4 to IPv6 translation, IPsec termination capability, and which optionally provides NAP (Network Access Protection) capabilities for Direct Access-ready clients that are configured as mobile information appliances. The hardware interface may be implemented as a network interface card (“NIC”) or as a chipset. | 10-08-2009 |
20090271621 | SIMPLIFIED LOGIN FOR MOBILE DEVICES - Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials. | 10-29-2009 |
20090300739 | Authentication for distributed secure content management system - Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy. | 12-03-2009 |
20090327497 | SEAMLESS LOCATION AWARE NETWORK CONNECTIVITY - Described is a technology by which a seamless automatic connection to an (e.g., corporate) network is made for a client device. Upon detecting a need for a connection to a network, such as by intercepting a communication directed towards a network destination, a list of available connection methods is automatically obtained based on the device's current location data (e.g., LAN or remote) and policy information. An available connection method from the list is selected, e.g., in order, and an attempt is made to establish a connection via that connection method. If the attempt fails, another attempt is made with a different connection method, and so on, until a connection method succeeds. Additional seamlessness from the user's perspective is provided via a credentials vault, by which stored credentials may be retrieved and used in association with the access method being attempted. | 12-31-2009 |
20100011432 | AUTOMATICALLY DISTRIBUTED NETWORK PROTECTION - A network protection solution is provided by which security capabilities of a client machine are communicated to a network security gateway so that a variety of processes can be automatically and dynamically distributed between the gateway and the client machine in a way that achieves a target level of security for the client while consuming the least possible amount of resources on the gateway. For example, for a client that is compliant with specified health and/or corporate governance policies and which is known to have A/V capabilities that are deployed and operational, the network security gateway will not need to perform additional A/V scanning on incoming network traffic to the client which can thus save resources at the gateway and lower operating costs. | 01-14-2010 |
20100058432 | PROTECTING A VIRTUAL GUEST MACHINE FROM ATTACKS BY AN INFECTED HOST - In a virtualization environment, a host machine on which a guest machine is operable is monitored to determine that it is healthy by being compliant with applicable policies (such as being up to date with the current security patches, running an anti-virus program, certified to run a guest machine, etc.) and free from malicious software or “malware” that could potentially disrupt or compromise the security of the guest machine. If the host machine is found to be non-compliant, then the guest machine is prevented from either booting up on the host machine or connecting to a network to ensure that the entire virtualization environment is compliant and that the guest machine, including its data and applications, etc., is protected against attacks that may be launched against it via malicious code that runs on the unhealthy host machine, or is isolated from the network until the non-compliancy is remediated. | 03-04-2010 |
20100115578 | AUTHENTICATION IN A NETWORK USING CLIENT HEALTH ENFORCEMENT FRAMEWORK - A network with authentication implemented using a client health enforcement framework. The framework is adapted to receive plug-ins on clients that generate health information. Corresponding plug-ins on a server validate that health information. Based on the results of validation, the server may instruct the client to remediate or may authorize an underlying access enforcement mechanism to allow access. A client plug-in that generates authentication information formatted as a statement of health may be incorporated into such a framework. Similarly, on the server, a validator to determine, based on the authentication information, whether the client should be granted network access can be incorporated into the framework. Authentication can be simply applied or modified by changing the plug-ins, while relying on the framework to interface with an enforcement mechanism. Functions of the health enforcement framework can be leveraged to provide authentication-based functionality, such as revoking authorized access after a period of user inactivity or in response to a user command. | 05-06-2010 |
20100125904 | COMBINING A MOBILE DEVICE AND COMPUTER TO CREATE A SECURE PERSONALIZED ENVIRONMENT - A mobile device, such as a mobile phone, smart phone, personal music player, handheld game device, and the like, when operatively combined with a PC, creates a secure and personalized computing platform through configuration of the mobile device's CPU (central processing unit) and OS (operating system) to function as an immutable trusted core. The trusted core in the mobile device verifies the integrity of the PC including, for example, that its drivers, applications, and other software are trusted and unmodified, and thus safe to use without presenting a threat to the integrity of the combined computing platform. The mobile device can further optionally store and transport the user's personalization data—including, for example, the user's desktop, applications, data, certificates, settings, and preferences—which can be accessed by the PC when the devices are combined to thus create a personalized computing environment. | 05-20-2010 |
20100157799 | LOAD BALANCING - A method of load balancing data packets at an array is disclosed. The method includes receiving a data packet encoded in a first format at an input of the array. The received data packet is assigned to an assigned element of the array, and the data packet is routed to a device. A message encoded in a second format is received from the device at the array. Information is extracted from a payload portion of the message, and the message is assigned to the assigned element of the array based on the information extracted from the payload portion of the message. | 06-24-2010 |
20100180332 | INFORMATION PROTECTION APPLIED BY AN INTERMEDIARY DEVICE - Methods, systems, and computer-readable media are disclosed for applying information protection. A particular method includes receiving a data file at a gateway coupled to a network. The data file is to be sent to a destination device that is external to the network. The method also includes selectively applying information protection to the data file at the gateway prior to sending the data file to the destination device. The information protection is selectively applied based on information associated with the destination device, information associated with the data file, and information associated with a user of the destination device. | 07-15-2010 |
20100186079 | REMOTE ACCESS TO PRIVATE NETWORK RESOURCES FROM OUTSIDE THE NETWORK - In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource. | 07-22-2010 |
20100217890 | USING SERVER TYPE TO OBTAIN NETWORK ADDRESS - Aspects of the subject matter described herein relate to using server type to obtain a network address. In aspects, a gateway that sits between a single network protocol client and a server receives a request from the client for a network address of the server. The gateway issues multiple name resolution requests and waits for a first response. Depending on various factors, the gateway determines whether or not to wait for additional responses before responding to the client. If needed, the gateway may obtain an address of a translating device to assist the client in communicating with the server. | 08-26-2010 |
20110083013 | PRIVACY VAULT FOR MAINTAINING THE PRIVACY OF USER PROFILES - Methods, systems, and computer-readable media for facilitating personalization of web content is provided, while protecting the privacy of the user data utilized to personalize the user's experience. A privacy vault may collect user data including user activity data, demographic data, and user interests submitted by a user. In one embodiment, the privacy vault operates on a user client device. The privacy vault sends the user data to a community vault that collects user data from multiple users. The community vault generates segment rules that whether a user belongs to a user segment, which expresses a user's interest. The segment rules are then communicated back to the privacy vault, which assigns one or more user segments to the user based on the user data available to the privacy vault and the segment rules. The privacy vault may communicate user segments to one or more content providers that supply personalized content that is selected based on the user segments provided. | 04-07-2011 |
20110145566 | Secret Encryption with Public or Delegated Comparison - Described is a technology comprising a system in which two distrusting parties can submit sets of encrypted keywords using two independent secret keys to a third party who can decide, using only public keys, if the underlying cleartext message of a cryptogram produced by one distrusting party matches that of a cryptogram produced by the other. The third party (e.g., a server) uses generator information corresponding to a generator of an elliptic curve group to determine whether the sets of encrypted keywords match each other. Various ways to provide the generator information based upon the generator are described. Also described is the use of one-ray randomization and two-way randomization as part of the system to protect against dictionary attacks. | 06-16-2011 |
20110164746 | MAINTAINING PRIVACY DURING USER PROFILING - Systems, methods, and computer storage media having computer-executable instructions embodied thereon that maintain privacy during user profiling are provided. A profiling service receives, from a first device, rules for profiling a user. The rules were encrypted using a private key. The profiling service also receives, from a second device, user data. The user data was encrypted using a public key communicated to the second device by the first device. The profiling service then matches the encrypted rules with the encrypted user data, and based on the matching, generates a profile for the user. In embodiments, such a user profile can be utilized to deliver personalized digital content to a user. | 07-07-2011 |
20110167003 | MAINTAINING PRIVACY DURING PERSONALIZED CONTENT DELIVERY - Embodiments of the present invention relate to systems, methods, and computer-storage media for maintaining privacy while delivering advertisements based on encrypted user profile identifiers. In embodiments, a Public key Encryption with Keyword Search (PEKS) is used to generate a public key and a private key. In embodiments, a public key and a private key are used to encrypt user profile identifiers and generate trapdoors associated with defined profile identifiers, respectively. A portion of the encrypted user profile identifiers are compared to a portion of the trapdoors. If a match is present between at least one encrypted user profile identifier and an associated trapdoor, a delivery engine is provided with an identification of content to be delivered to the user. The provided description is then used to determine an advertisement to present to a user. The advertisement is then presented to the user. | 07-07-2011 |
20110313857 | USER CENTRIC REAL-TIME ADVERTISEMENT BIDDING - A client-based ad agent dynamically determines whether an advertisement campaign should bid on an impression for an end user and/or sets the bid price of the advertisement campaign for the impression. When an opportunity for an impression on a web page is identified, the ad agent accesses user data associated with an end user. The ad agent analyzes the user data to identify the relevance and/or value of serving an impression to the end user to the advertisement campaign. Based on the analysis, the ad agent controls whether the advertisement campaign bids on the impression for the end user and/or sets the bid price of the advertisement campaign for the impression. | 12-22-2011 |
20120095997 | PROVIDING CONTEXTUAL HINTS ASSOCIATED WITH A USER SESSION - Systems, methods, and computer storage media having computer-executable instructions embodied thereon that provide contextual indicators associated with a user session are described. Content items within a document associated with a user session are selected. Upon receiving an indication that the user desires to perform a context-aware search, the document associated with the user session is analyzed for contextual information related to the content items selected by the user. Various “contextual indicators” associated with the user session are derived. The contextual indicators are provided for output in association with the user session. The contextual indicators may be fed to a search engine and used to identify search results that the user has an increased likelihood (relative to the current context surrounding the user) of desiring to access. | 04-19-2012 |
20120154117 | SUPPLEMENTING BIOMETRIC IDENTIFICATION WITH DEVICE IDENTIFICATION - A computer may identify an individual according to one or more biometrics based on various physiological aspects of the individual, such as metrics of various features of the face, gait, fingerprint, or voice of the individual. However, biometrics are often computationally intensive to compute, inaccurate, and unable to scale to identify an individual among a large set of known individuals. Therefore, the biometric identification of an individual may be supplemented by identifying one or more devices associated with the individual (e.g., a mobile phone, a vehicle driven by the individual, or an implanted medical device). When an individual is registered for identification, various device identifiers of devices associated with the individual may be stored along with the biometrics of the individual. Individuals may then be identified using both biometrics and detected device identifiers, thereby improving the efficiency, speed, accuracy, and scalability of the identification. | 06-21-2012 |
20120158783 | LARGE-SCALE EVENT EVALUATION USING REALTIME PROCESSORS - Large-scale event processing systems are often designed to perform data mining operations by storing a large set of events in a massive database, applying complex queries to the records of the events, and generating reports and notifications. However, because such queries are performed on very large data sets, the processing of the queries often introduces a significant delay between the occurrence of the events and the reporting or notification thereof. Instead, a large-scale event processing system may be devised as a large state machine organized according to an evaluation plan, comprising a graph of event processors that, in realtime, evaluate each event in an event stream to update an internal state of the event processor, and to perform responses when response conditions are met. The continuous monitoring and evaluation of the stream of events may therefore enable the event processing system to provide realtime responses and notifications of complex queries. | 06-21-2012 |
20120166447 | FILTERING QUERIED DATA ON DATA STORES - A data set may be distributed over many data stores, and a query may be distributively evaluated by several data stores with the results combined to form a query result (e.g., utilizing a MapReduce framework). However, such architectures may violate security principles by performing sophisticated processing, including the execution of arbitrary code, on the same machines that store the data. Instead of processing queries, a data store may be configured only to receive requests specifying one or more filtering criteria, and to provide the data items satisfying the filtering criteria. A compute node may apply a query by generating a request including one o more filter criteria, providing the request to a data node, and applying the remainder of the query (including sophisticated processing, and potentially the execution of arbitrary code) to the data items provided by the data node, thereby improving the security and efficiency of query processing. | 06-28-2012 |
20120233676 | GROUPING PERSONAL ACCOUNTS TO TAILOR A WEB SERVICE - This document describes grouping personal accounts to tailor a web service. By grouping personal accounts, a service provider may tailor a web service to multiple people based on information about those people. | 09-13-2012 |
20130066819 | ADAPTIVE RECOMMENDATION SYSTEM - A recommendation system for optimizing content recommendation lists is disclosed. The system dynamically tracks a list interaction history of a user, which details that user's interactions with a plurality of different lists presenting different recommended items to that user. The system automatically correlates one or more list preferences with that user based on the list interaction history, and builds a recommendation list with a plurality of candidate items having different recommendation confidences. The recommendation list is built such that each candidate item with a higher recommendation confidence is prioritized over each candidate item with a lower recommendation confidence according to the one or more list preferences correlated to that user. | 03-14-2013 |
20130211950 | RECOMMENDER SYSTEM - Embodiments of the invention provide methods and apparatus for recommending items from a catalog of items to a user by parsing the catalog of items into a plurality of catalog clusters of related items and recommending catalog items to the user from catalog clusters to which items previously preferred by the user belong. | 08-15-2013 |
20130218907 | RECOMMENDER SYSTEM - Embodiments of the invention provide methods and apparatus for recommending items from a catalog of items to users in a population of users by generating trait vectors that represent items in the catalog responsive to explicit and/or implicit preference data for a group of less than all the users and using the trait vectors to recommend items to users in the population that are not in the group. | 08-22-2013 |
20130325898 | LARGE-SCALE EVENT EVALUATION USING REALTIME PROCESSORS - Large-scale event processing systems are often designed to perform data mining operations by storing a large set of events in a massive database, applying complex queries to the records of the events, and generating reports and notifications. However, because such queries are performed on very large data sets, the processing of the queries often introduces a significant delay between the occurrence of the events and the reporting or notification thereof. Instead, a large-scale event processing system may be devised as a large state machine organized according to an evaluation plan, comprising a graph of event processors that, in realtime, evaluate each event in an event stream to update an internal state of the event processor, and to perform responses when response conditions are met. The continuous monitoring and evaluation of the stream of events may therefore enable the event processing system to provide realtime responses and notifications to complex queries. | 12-05-2013 |
20140129500 | Efficient Modeling System - A technique for efficiently factoring a matrix in a recommendation system. Usage data for a large set of users relative to a set of items is provided in a usage matrix R. To reduce computational requirements, the usage matrix is sampled to provide a reduced matrix R′. R′ is factored into a user matrix U′ and an item matrix V. User vectors in U′ and V are initialized and then iteratively updated to arrive at an optimal solution. The reduced matrix can be factored using the computational resources of a single computing device, for instance. Subsequently, the full user matrix U is obtained by fixing V and analytically minimizing an error in UV=R+error. The computations of this analytic solution can be divided among a set of computing devices, such as by using a map and reduce technique. Each computing device solves the equation for different respective subset of users. | 05-08-2014 |
20140129826 | Simplified Login for Mobile Devices - Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials. | 05-08-2014 |
20140181121 | FEATURE EMBEDDING IN MATRIX FACTORIZATION - In various embodiments, systems and methods are provided for enhancing media content recommendations by using feature vectors. An enhanced-matrix having a first portion and a second portion is received. The first portion of the enhanced-matrix includes a user-item matrix and the second portion of the enhanced-matrix includes a feature-item matrix. Each entry in the feature-item matrix is item metadata. An item-stem vector is determined based on a weighted sum of each of the feature vectors associated with the item. An item-latent-trait vector is generated based on the item-stem vector and an item-offset vector. The item-offset vector is an item vector for the item in the user-item matrix. One or more recommended-media content derived based on the item-latent-trait vector is provided. | 06-26-2014 |
20150073932 | Strength Based Modeling For Recommendation System - Example apparatus and methods provide a recommendation to a user about a product they may wish to consider purchasing. One method produces a single indication concerning a relationship between a user and an item with which the user has interacted. The single indication identifies whether the user likes the item and the degree to which the user likes the item. The single indication is independent of user signals processed to compute the single indication. The single indication is produced by a signal deriver that is loosely coupled to a model of users and items. The model may be a matrix upon which matrix factorization can be performed. Although matrix factorization is performed, it is performed on vectors whose elements are independent of the signals processed by the signal deriver. Since users may have different preferences at different times, the degree to which the user likes the item may be manipulated. | 03-12-2015 |