Total found: 30233. Showing: 101.
Publication date: 22-04-2021

NETWORK MANAGEMENT

Number: WO2021074266A1
Assignee: (none listed)

According to an example aspect of the present invention, there is provided an apparatus comprising a memory configured to store security information, and at least one processing core, configured to generate the security information by defining a security policy concerning user plane transfer of precision time protocol messages, and to instruct at least one network node to implement the security policy by transmitting the security information to the at least one network node.

Publication date: 05-01-2012

Optimized interface between two network elements operating under an authentication, authorization and accounting protocol

Number: US20120005356A1
Author: Vesa Pauli HELLGREN
Assignee: NOKIA SIEMENS NETWORKS OY

According to several embodiments of the present invention, a single session according to an authentication, authorization and accounting protocol is created with a network element carrying out a policy and charging rule function, wherein this session may be used to manage and/or report policy and/or charging control rules.

Publication date: 26-01-2012

Systems and methods for providing a smart group

Number: US20120023554A1
Assignee: Individual

The present invention is directed towards systems and methods for establishing and applying a policy group to control a user's access to an identified resource. A policy group representing an aggregate of one or more access configurations for a user to access one or more identified resources may be established via a policy manager. The policy group may include a login point component representing an entry point to access the identified resource. The login point may be configured via the policy manager to specify a uniform resource locator for the entry point. One or more authentication and authorization methods may be selected for the login point component. The device may receive a request to access the uniform resource locator. The device may initiate the policy group for evaluation. The device may initiate, with the user, one or more authentication and authorization methods specified by the login point component.

Publication date: 09-02-2012

System for managing devices and method of operation of same

Number: US20120036552A1
Assignee: Openpeak Inc

A managed services platform and method of operation of same are described herein. The platform can include a device management service (DMS) server in which the DMS server can act as a gateway for communications with one or more computing devices, and the computing devices are associated with a first entity. The platform can also include an application service (AS) server in which the AS server is communicatively coupled with the DMS server. When a first computing device contacts the DMS server, the DMS server is operable to provide a bundle to the first computing device. As an example, the bundle contains content that at least includes one or more configuration messages and an application set that contains one or more predefined applications. The content of the bundle can be determined at least in part by the first entity.

Publication date: 09-02-2012

Methods and systems for securely managing virtualization platform

Number: US20120036561A1
Assignee: Individual

Virtualization platforms and management clients therefor are communicatively coupled to one another via a control layer logically disposed therebetween. The control layer is configured to proxy virtualization management commands from the management clients to the virtualization platforms, but only after successful authentication of the users (which may include automated agents and processes) issuing those commands and verification of those users' privileges as defined by access control information accessible to the control layer. The control layer may be instantiated as an application running on a physical appliance logically interposed between the virtualization platforms and management clients, or a software package running on dedicated hardware logically interposed between the virtualization platforms and management clients, or as an application encapsulated in a virtual machine running on a compatible virtualization platform logically interposed between the virtualization platforms and management clients.

Publication date: 01-03-2012

Method and apparatus determining certificate revocation status

Number: US20120054487A1
Assignee: Cisco Technology Inc

A method is disclosed for obtaining certificate revocation information from a server, obtaining from a client a request for the revocation status of a certificate, and notifying the client when the certificate identified in the client request has been revoked. The method may be performed by a networking device that is separate from the server and the client.

Publication date: 03-05-2012

Method and apparatus for providing distributed policy management

Number: US20120110632A1
Assignee: Nokia Oyj

An approach is provided for distributed policy management and enforcement. A policy manager determines one or more domains of an information system. The one or more domains are associated at least in part with respective subsets of one or more resources of the information system. The policy manager also determines one or more respective access policies local to the one or more domains. The one or more respective access policies are configured to enable a determination, at least in part, of access to the respective subsets, the one or more resources, or a combination thereof. At least one of the one or more respective access policies is configured to operate independently of other ones of the one or more respective schemas.

Publication date: 10-05-2012

Malicious Mobile Code Runtime Monitoring System and Methods

Number: US20120117651A1
Assignee: Individual

Protection systems and methods provide for protecting one or more personal computers ("PCs") and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other "Downloadables" or "mobile code" in whole or part. A protection engine embodiment provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information. An MPC embodiment further provides, within a Downloadable destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts.

Publication date: 28-06-2012

Policy-based access to virtualized applications

Number: US20120167159A1
Assignee: Microsoft Corp

When a request is received to execute a virtualized application, an application virtualization client component evaluates an execution policy to determine if the application may be executed. If the application virtualization client component determines based on the execution policy that the virtualized application may be executed, the application virtualization client component publishes the virtualized application. The application virtualization client component publishes the application by making the virtualized application available for execution if the application is installed, and installing the virtualized application if it is not installed. The application virtualization client component also evaluates the execution policy during execution of the virtualized application. If the application virtualization client component determines that the execution policy is no longer satisfied, the application virtualization client component unpublishes the virtualized application, thereby preventing execution of the virtualized application.

Publication date: 28-06-2012

Method and System for Authentication Event Security Policy Generation

Number: US20120167168A1
Assignee: Arbor Networks Inc

A method and system allows for the deployment of security policies into the higher layers of the OSI model. Specifically, it allows for the establishment of security policies at layer 4 and higher by monitoring authentication flows and using these flows as the basis for establishing security policies, which then can be used as a basis for assessing the operation of the network.

Publication date: 12-07-2012

System and method for data mining and security policy management

Number: US20120179687A1
Author: Weimin Liu
Assignee: McAfee LLC

A system and method to generate and maintain a controlled-growth DAG are described. The controlled-growth DAG conveys information about objects captured by a capture system.

Publication date: 12-07-2012

Method of generating security rule-set and system thereof

Number: US20120180104A1
Assignee: Tufin Software Technologies Ltd

There are provided a method of automated generation of a security rule-set and a system thereof. The method comprises: obtaining a group of log records of communication events resulting from traffic related to the security gateway; generating a preliminary rule-set of permissive rules, said set covering the obtained group of log records; generating, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the group of log records; and generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.

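The three stages of this abstract, as an added illustration that is not Tufin's code: a toy model in Python in which a log record is a (src, dst, proto, port) tuple accepted by the gateway, a permissive rule aggregates sources and destinations to /24 pairs with any service, the non-overlapping stage maps each permissive rule back to the records it covers and splits it per exact service, and the operational stage merges services back into groups and re-checks coverage against the log. The log records, the /24 aggregation and the rule format are assumptions of the example.

```python
"""Generate a firewall rule-set from gateway log records.

Added example (not Tufin's code): the three stages named in the abstract,
reduced to a toy model. Log records, subnet sizes and the rule format are
all constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed log records: (src_ip, dst_ip, proto, dst_port) accepted by the gateway.
LOG_RECORDS = [
    ("10.1.1.10", "192.168.5.20", "tcp", 443),
    ("10.1.1.11", "192.168.5.20", "tcp", 443),
    ("10.1.1.12", "192.168.5.21", "tcp", 22),
    ("10.1.2.5", "192.168.5.21", "tcp", 22),
    ("10.1.2.5", "192.168.5.21", "tcp", 443),
    ("10.1.2.6", "192.168.9.1", "udp", 53),
]


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR
    dst: str                 # CIDR
    services: frozenset      # set of (proto, port); empty means "any service"

    def covers(self, rec) -> bool:
        s, d, proto, port = rec
        return (ipaddress.ip_address(s) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(d) in ipaddress.ip_network(self.dst)
                and (not self.services or (proto, port) in self.services))


def _net(ip: str, prefix: int) -> str:
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def preliminary_ruleset(records, prefix=24) -> list[Rule]:
    """Stage 1: permissive rules, one per (src /24, dst /24) pair, any service."""
    pairs = {(_net(s, prefix), _net(d, prefix)) for s, d, _, _ in records}
    return [Rule(s, d, frozenset()) for s, d in sorted(pairs)]


def nonoverlapping_ruleset(prelim, records) -> list[Rule]:
    """Stage 2: map each permissive rule back to the records it covers and split
    it into one rule per exact service, so no two rules match the same record."""
    rules = set()
    for rule in prelim:
        for rec in records:
            if rule.covers(rec):
                rules.add(Rule(rule.src, rule.dst, frozenset({(rec[2], rec[3])})))
    return sorted(rules, key=lambda r: (r.src, r.dst, sorted(r.services)))


def operational_ruleset(nonoverlap, records) -> list[Rule]:
    """Stage 3: merge the non-overlapping rules of one src/dst pair into a single
    rule with a service group, then map the result back to the log to confirm
    that nothing lost coverage."""
    groups = defaultdict(set)
    for r in nonoverlap:
        groups[(r.src, r.dst)].update(r.services)
    ops = [Rule(s, d, frozenset(svcs)) for (s, d), svcs in sorted(groups.items())]
    uncovered = [rec for rec in records if not any(r.covers(rec) for r in ops)]
    if uncovered:
        raise ValueError(f"operational rule-set lost coverage for {uncovered}")
    return ops


def overlaps(rules, records) -> int:
    """Number of log records matched by more than one rule (0 means non-overlapping)."""
    return sum(1 for rec in records if sum(r.covers(rec) for r in rules) > 1)


if __name__ == "__main__":
    prelim = preliminary_ruleset(LOG_RECORDS)
    non = nonoverlapping_ruleset(prelim, LOG_RECORDS)
    for r in operational_ruleset(non, LOG_RECORDS):
        print(r.src, "->", r.dst, sorted(r.services))
```

The coverage check in the last stage is the part worth keeping in any real rule generator: a rule-set derived from logs is only as good as the traffic window it was built from, and mapping the final rules back to the records is how you prove you have not silently dropped a flow.
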
Publication date: 09-08-2012

Self regulation of the subject of attestation

Number: US20120204020A1
Assignee: Microsoft Corp

Attestation by a self-regulating attestation client. The attestation client requests a credential of health from an attestation service, which includes an ordered attestation log and proof of integrity and freshness of the log. The attestation client receives the requested credential of health, which certifies that the attestation client was healthy when it requested the credential of health and that the attestation service trusts the attestation client to be healthy each time the attestation client authenticates using the credential of health. The attestation client receives a request to authenticate that it is healthy using the credential of health, verifies that it is currently healthy, and performs the requested authentication.

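The exchange in this abstract, as an added example that is not Microsoft's implementation: the ordered attestation log is a hash chain, the freshness proof binds the chain head to a nonce issued by the service, the credential of health is an HMAC over the head and an expiry, and the client refuses to authenticate with the credential unless its own health check still passes. The hash-chain log, the nonce protocol, the HMAC credential and the health predicate are assumptions of the example; in a real system a TPM would sign the head and nonce instead of the client computing the proof itself.

```python
"""Self-regulating attestation client with an ordered, tamper-evident log.

Added example, not Microsoft's implementation. The hash-chained log, the
HMAC-signed credential of health, the nonce-based freshness proof and the
health predicate are all constructed assumptions for illustration.
"""
import hashlib
import hmac
import json
import os
import time

SERVICE_KEY = os.urandom(32)   # attestation service's signing key (constructed)


def log_head(entries):
    """Ordered attestation log as a hash chain: the head commits to every entry and its order."""
    h = b"\x00" * 32
    for e in entries:
        h = hashlib.sha256(h + json.dumps(e, sort_keys=True).encode()).digest()
    return h.hex()


class AttestationService:
    def __init__(self, key=SERVICE_KEY, expected_head=None):
        self.key = key
        self.nonces = set()
        self.expected_head = expected_head  # known-good measurement (constructed)

    def challenge(self):
        n = os.urandom(16).hex()
        self.nonces.add(n)
        return n

    def issue_credential(self, entries, nonce, proof, ttl=3600):
        """Return a credential of health if the log is intact, fresh and matches policy."""
        if nonce not in self.nonces:
            return None                                   # replayed or unknown nonce
        self.nonces.discard(nonce)
        head = log_head(entries)
        if proof != hashlib.sha256((head + nonce).encode()).hexdigest():
            return None                                   # log altered after the proof was made
        if self.expected_head and head != self.expected_head:
            return None                                   # measurements do not match healthy state
        body = json.dumps({"head": head, "exp": int(time.time()) + ttl}, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}

    def verify_credential(self, cred):
        ok = hmac.compare_digest(
            hmac.new(self.key, cred["body"].encode(), hashlib.sha256).hexdigest(), cred["sig"])
        return ok and json.loads(cred["body"])["exp"] > time.time()


class AttestationClient:
    def __init__(self, entries, healthy_fn):
        self.entries = list(entries)
        self.healthy = healthy_fn      # the client's own current-health check
        self.cred = None

    def proof_for(self, nonce):
        """Freshness proof binding the log head to the service's nonce."""
        return hashlib.sha256((log_head(self.entries) + nonce).encode()).hexdigest()

    def request_credential(self, service):
        nonce = service.challenge()
        self.cred = service.issue_credential(self.entries, nonce, self.proof_for(nonce))
        return self.cred is not None

    def authenticate(self):
        """Self-regulation: refuse to use the credential unless currently healthy."""
        if self.cred is None or not self.healthy():
            return None
        return self.cred
```

The self-regulation step is what distinguishes this from ordinary remote attestation: the service vouches for the state at issuance time, and the client is trusted to withhold the credential if it later detects it is no longer healthy.
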
Publication date: 09-08-2012

Method and Apparatus for a Control Plane to Manage Domain-Based Security and Mobility in an Information Centric Network

Number: US20120204224A1
Assignee: FutureWei Technologies Inc

A networking system comprising a virtual group controller in an information centric network configured to enable mobility and security for a plurality of user groups of the information centric network, a plurality of user groups coupled to the virtual group controller and associated with the users, a plurality of agents that are each associated with one of the user groups, and a database for trusted service profiles coupled to the virtual group controller, wherein the virtual group controller is configured to interact with the agents to enable mobility for the user groups using a server-less domain-based naming scheme.

Publication date: 30-08-2012

System and method for controlling access to electronic devices

Number: US20120221666A1
Assignee: Openpeak Inc

A system and method of controlling access to one or more electronic devices is disclosed. The method can include the step of identifying, out of a plurality of electronic devices, a master device and a slave device. The master device can be configured to control access to at least one feature of the slave device, and the master device can be associated with a person who has supervisory authority over another person who uses the slave device. During an active session on the slave device, a pre-disablement warning can be sent to the slave device, in which the pre-disablement warning can identify a first time period by which access to the feature of the slave device is to be prevented. A disablement message can be sent to the slave device, thereby preventing access to the feature of the slave device following the expiration of the first time period.

Publication date: 06-09-2012

Secure platform voucher service for software components within an execution environment

Number: US20120226903A1
Assignee: Individual

Apparatuses, articles, methods, and systems for a secure platform voucher service for software within an execution environment. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by authenticated, authorized and verified software components. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy to receive verification for any component. The verification or voucher helps assure the remote entity that no malware running in the platform or on the network will have access to provisioned material. The underlying platform locks and unlocks secrets on behalf of the authenticated/authorized/verified software component in protected memory regions accessible only to that software component.

Publication date: 13-09-2012

System and method for server-coupled application re-analysis to obtain trust, distribution and ratings assessment

Number: US20120233695A1
Assignee: LookOut Inc

A system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces a characterization assessment and can also provide a characterization re-assessment for the application, or data object, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The servers transmit notifications to devices that have installed applications that are discovered to be undesirable. The server can accumulate this data and then perform a characterization re-assessment of a data object it has previously assessed to provide an assessment based upon one of trust, distribution and ratings information.

Publication date: 20-09-2012

Method, device, and system for processing IPv6 packet

Number: US20120236864A1
Author: Hongyu Li, Ruobin Zheng
Assignee: Huawei Technologies Co Ltd

The present disclosure discloses a method, device, and system for processing an IPv6 packet, and relates to the field of Internet technologies. According to the present disclosure, secure access, authentication, and authorization can be ensured in an IPv6 network, and different IPv6 address prefixes are allocated to different terminals. Therefore, normal routing in the network is ensured. A method for processing an IPv6 packet provided in an embodiment of the present disclosure includes: an access node adds access line information to an IPv6 packet and forwards the IPv6 packet with the added access line information to an IP edge node. The present disclosure is applicable to the scenario of processing a packet in an IPv6 network.

Publication date: 20-09-2012

Security enforcement in virtualized systems

Number: US20120240182A1
Assignee: Juniper Networks Inc

A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.

Publication date: 01-11-2012

Method and apparatus for providing service provider-controlled communication security

Number: US20120275598A1
Assignee: Nokia Oyj

An approach is provided for service provider controlled communication security. A security platform receives a connection request from a client device. The security platform determines context information associated with the device, the access network, a user of the device, or a combination thereof, and then processes and/or facilitates a processing of the context information to determine one or more encryption ciphers to offer for the session. Next, the security platform causes, at least in part, establishment of the requested connection using, at least in part, one of the offered encryption ciphers.

Publication date: 01-11-2012

Method for securely creating a new user identity within an existing cloud account in a cloud computing system

Number: US20120278861A1
Author: HongQian Karen Lu
Assignee: GEMALTO SA

The invention proposes a method for securely creating a new user identity within an existing cloud account in a cloud computing system, said cloud computing system providing cloud services and resources, said cloud account comprising cloud user identities, said method comprising enabling a first user to access the cloud services and resources using a first security device, authenticating to the first security device, and creating a new user identity within the cloud account for a second user using the first security device.

Publication date: 08-11-2012

Methods and apparatus for analyzing system events

Number: US20120284221A1
Assignee: Jerome Naifeh

Apparatus and methods facilitate analysis of events associated with a plurality of computer systems. Event occurrence items are compared with event rules of event rule sets associated with each computer system to determine whether the items are potentially significant, as determined by matching with the event rule sets. A scorer associated with each computer system assigns a score to each event occurrence item to provide a relative indication of the potential significance of the event occurrence item. An interface is used to query the scored event occurrence items from each of the plurality of computer systems.

Publication date: 15-11-2012

System and method for server-coupled application re-analysis

Number: US20120290640A1
Assignee: LookOut Inc

To prevent malware, spyware and other undesirable applications from affecting mobile communication devices (e.g., smartphones, netbooks, and tablets), a device uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces a categorization assessment and can provide a categorization re-assessment, and transmits the assessment to the device. By performing analysis on a server, a device can reduce its battery and performance cost of protecting against undesirable applications. The server transmits notifications to devices that have installed applications that are discovered to be undesirable. The server receives data about applications from many devices, using the combined data to minimize false positives and provide comprehensive protection against known and unknown threats. The server can accumulate this data and perform a categorization re-assessment of a data object previously assessed.

Publication date: 15-11-2012

Single sign-on between applications

Number: US20120291114A1
Assignee: CCH Inc

A single sign-on (SSO) system uses simple one-to-one trust relationships between individual applications and an SSO service to extend login services from one application to another. Each application retains its own login policies and can separately make a decision whether to trust the SSO request or challenge the user for login credentials. By structuring the SSO system to use simple identity mapping, there is no requirement for consolidating user identity records from multiple applications into a single database with its attendant overhead and dependency risks.

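The arrangement in this abstract, as an added example that is not CCH's product: each application shares its own key with the SSO service (the one-to-one trust relationship), keeps its own table mapping SSO identities to local accounts instead of a consolidated user database, and applies its own login policy to decide whether to honour an assertion or challenge the user. The HMAC assertion format, the application names, keys, users and policies are all assumptions of the example.

```python
"""Single sign-on through one-to-one trust between each application and an SSO service.

Added example, not CCH's code. Each application shares its own secret with the SSO
service, keeps its own identity map and its own login policy, and decides on its own
whether to trust an assertion or challenge the user. Keys, users and policies are
constructed.
"""
import hashlib
import hmac
import json
import time


class SSOService:
    """Issues per-application assertions; knows nothing about each app's local accounts."""

    def __init__(self, app_keys):
        self.app_keys = dict(app_keys)          # app_id -> secret shared with that app only

    def assert_identity(self, sso_user, target_app, ttl=300):
        body = json.dumps({"sub": sso_user, "aud": target_app,
                           "exp": int(time.time()) + ttl}, sort_keys=True)
        sig = hmac.new(self.app_keys[target_app], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig


class Application:
    def __init__(self, app_id, key, identity_map, require_recent_login=False):
        self.app_id = app_id
        self.key = key                            # the one-to-one trust with the SSO service
        self.identity_map = dict(identity_map)    # sso_user -> local account (simple mapping)
        self.require_recent_login = require_recent_login   # this app's own login policy

    def login_via_sso(self, assertion):
        """Return ('ok', local_account) or ('challenge', reason)."""
        body, _, sig = assertion.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return ("challenge", "bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.app_id:
            return ("challenge", "assertion issued for another application")
        if claims["exp"] < time.time():
            return ("challenge", "assertion expired")
        local = self.identity_map.get(claims["sub"])
        if local is None:
            return ("challenge", "no local account mapped to SSO identity")
        if self.require_recent_login:
            return ("challenge", "application policy requires fresh credentials")
        return ("ok", local)
```

Because each application verifies with its own key and its own mapping table, compromising one application's secret or mapping does not let an attacker mint assertions for another, and an application can always fall back to its own login flow.
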
Publication date: 15-11-2012

Detecting web browser based attacks using browser digest compute tests launched from a remote source

Number: US20120291129A1
Assignee: Individual

The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether the content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.

Publication date: 22-11-2012

System and method for application program operation on a wireless device

Number: US20120297443A1
Author: Shawn Kahandaliyanage
Assignee: Research in Motion Ltd

Embodiments described herein address mobile devices with non-secure operating systems that do not provide a sufficient security framework. More particularly, the embodiments described herein provide a set of applications to the device for providing security features to the non-secure operating system.

Publication date: 27-12-2012

Network-agnostic content management

Number: US20120331537A1
Assignee: AT&T MOBILITY II LLC

System(s) and method(s) are provided for content management, e.g., exchange and manipulation, across devices provisioned through disparate network platforms. Devices can be mobile or stationary, and connect to provisioning network platforms through various network bearers. Through various secure protocols, a client component within a device secures access to content and provides secure delivery thereof. Directives for content manipulation are also delivered securely. Delivery of content and directives is performed from device to device, routed via gateway nodes within the network platform that provisions the device. In addition, or alternatively, content management can be implemented through an intermediary component, which can also validate devices and secure delivery of content or directives. Alarm signaling among devices provisioned through disparate network platforms can also be securely conveyed. The intermediary component can also be used for content management among subscribers of disparate network providers.

Publication date: 31-01-2013

Evaluating Detectability of Information in Authorization Policies

Number: US20130031596A1
Author: Moritz Becker
Assignee: Microsoft Corp

Techniques for evaluating the detectability of confidential information stored in authorization policies are described. In an example, an authorization policy has a confidential property. The confidential property is defined by whether application of a test probe to the authorization policy results in the grant of access to a resource. A processor automatically determines whether at least one witness policy can be generated that is observationally equivalent to the authorization policy from the perspective of a potential attacker, but for which the application of the test probe to the witness policy generates an access denial result. In the case that such a witness policy can be generated, an indication that the confidential property cannot be detected using the test probe is output. In the case that such a witness policy cannot be generated, an indication that the confidential property can be detected using the test probe is output.

Publication date: 14-02-2013

Procedure for the preparation and performing of a post issuance process on a secure element

Number: US20130042325A1
Assignee: Individual

The invention relates to a method for enabling post-issuance operation on a secure element connectable to a communication device. The method allows an SE controlling party to remotely perform operations such as creation of new security domains for an external party, loading and installation of applications of an external party, and management functions including personalization and activation of applications loaded on the SE for an external party. The method includes the steps of: collecting data stored on the SE suitable for identification of the SE and data for contacting the SE controlling party; creating an initial data packet from the collected data; and sending the data packet to a party which can be the external party, an agent of the external party, the SE controlling party, or an agent of the SE controlling party. The invention further relates to a communication device and a software application for implementing the method.

Publication date: 14-03-2013

System and method for enabling effective work force management of a smart grid

Number: US20130066481A1
Assignee: International Business Machines Corp

A system and a method are provided for enabling effective work force management of a smart grid. The method includes receiving a first Session Initiation Protocol (SIP) message comprising a state of an electrical component on an electrical grid, and notifying a third party of the state of the electrical component by sending a second SIP message.

Publication date: 14-03-2013

Fight-through nodes for survivable computer network

Number: US20130067574A1
Assignee: Architecture Technology Corp

A survivable network is described in which one or more network devices include enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, a hypervisor executing on each one of the processing units, and a plurality of virtual machines executing on each hypervisor. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication sessions with a plurality of clients and to distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps, forming a processing pipeline of the virtual machines.

Publication date: 21-03-2013

Enforcing communication policy rules on shared documents

Number: US20130073621A1
Assignee: Microsoft Corp

A system is provided for automatically enforcing communication policy rules for document sharing between a communication server and a publishing server. The system may enable a policy agent to examine a communication containing a document attachment before the communication may be delivered to a recipient. The policy agent may evaluate the communication against communication policy rules, and if the policy agent determines that the communication policy rules are not violated, then a document upload agent may transfer the attached document to the publishing server. The system may then deliver the communication message to the recipient. If the policy agent determines that the communication policy rules are violated, then the system may prevent the document upload agent from transferring the attached document to the publishing server and may continue to deliver the communication to the recipient without the document attachment.

Publication date: 21-03-2013

Portable Port Profiles for Virtual Machines in a Virtualized Data Center

Number: US20130074066A1
Assignee: Cisco Technology Inc

Techniques are provided for implementing a portable port profile that is based on a virtual machine (VM) definition file. Properties are specified within the VM definition that allow a virtual switch to look up one or more network policies, such as connectivity, firewall, or other enforcement policies, and apply those policies on a customizable basis to the VM's virtual network interface.

Publication date: 21-03-2013

System and method for real-time customized threat protection

Number: US20130074143A1
Assignee: McAfee LLC

A method is provided in one example embodiment that includes receiving event information associated with reports from sensors distributed throughout a network environment and correlating the event information to identify a threat. A customized security policy based on the threat may be sent to the sensors.

Publication date: 21-03-2013

Public network access server having a user-configurable firewall

Number: US20130074154A1
Author: Joseph G. Barrett
Assignee: Facebook Inc

A user-configurable firewall and method in which a user-changeable security setting for a client computer is maintained by an access server through which a user accesses the public network. The user-changeable security setting can be used to specify which outside computers or network devices may access the client computer and what type of access to the client computer is allowed. If an attempt to access the client computer is made, the user-configurable security setting is checked to determine if the attempted access is allowed by the current security setting. If the attempted access is allowed by the current security setting, access to the client computer is allowed; otherwise, access is not allowed. If the user changes the user-configurable security setting, the changes are provided to the access server.

Publication date: 28-03-2013

PROVISIONING USER PERMISSIONS USING ATTRIBUTE-BASED ACCESS-CONTROL POLICIES

Number: US20130081105A1
Author: Giambiagi Pablo
Assignee: Axiomatics AB

An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such a policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.

1. A computer-implemented method of evaluating an attribute-based access control (ABAC) policy for a set of elements, which are arranged in a computer system and belong to one of several predefined categories selected from subjects, resources, actions and environments, wherein the access control policy comprises functional expressions which depend on attributes, each pertaining to elements in one of several predefined categories, each element in the set being associated with at least one attribute value assumed by an attribute of the element, and wherein the policy controls access of subjects in the set of elements to resources in the set of elements in accordance with values of the policy, including Permit and Deny, the method comprising the steps of: i) selecting one of the predefined categories as a primary category; ii) for the selected category, performing the substeps of: ii-1) extracting, from the policy, expressions containing attributes in no other than the selected category; ii-2) extracting, from elements in the ...

More
04-04-2013 publication date

Priority assignments for policy attachments

Number: US20130086240A1
Owner: Oracle International Corp

Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a priority value can be assigned to each policy attached to a policy subject via the policy's corresponding policy attachment metadata file. These priority values can be taken into account when determining whether one policy should be given precedence over another, conflicting policy attached to the same policy subject. In certain embodiments, as part of this determination, the priority value of a policy can be given greater weight than the scope at which the policy is attached.

More
11-04-2013 publication date

Dynamic session migration between network security gateways

Number: US20130091264A1
Owner: Varmour Networks Inc

A method and apparatus are disclosed herein for migrating session information between security gateways. In one embodiment, the method comprises receiving, at a first security gateway, session information associated with a session corresponding to a network connection, the session information having been transferred from a second security gateway, the first and second security gateways being separate physical devices; and thereafter performing security processing for the session at the first security gateway.

More
11-04-2013 publication date

NETWORK APPLIANCE FOR CUSTOMIZABLE QUARANTINING OF A NODE ON A NETWORK

Number: US20130091534A1
Owner: Lockdown Networks, Inc.

A system, method, and apparatus are directed to managing access to a network. An agent may intercept a network packet transmitted by an enforcement point in response to a request from a device to join the network. The agent identifies, based on the network packet, a port number on the enforcement point at which the request is received. The agent may transmit the port number to a NACA to enable security enforcement operations to be performed on the device. Another device may reside outside the quarantined network and be enabled by the NACA to direct a remediation measure to be performed on the device using at least the port number. The NACA may spoof an ARP response with an address of the NACA to restrict access to resources. The NACA may also place the device into one of a plurality of quarantined networks. 1. A method, comprising: intercepting a network packet transmitted to a device by an enforcement point in a network, wherein the network packet is transmitted in response to a request from the device to join the network; determining information identifying a port on the enforcement point at which the request is received, wherein the information identifying the port is determined by evaluating the contents of the intercepted network packet; establishing a network connection to a network access control appliance (NACA) in the network; and transmitting the information identifying the port to the NACA to enable security enforcement operations to be performed on the device via the NACA, wherein the security enforcement operations include: selecting a first quarantined network from a plurality of quarantined networks if the first quarantined network is not managing another device, wherein devices on different quarantined networks are inhibited from accessing each other; and causing the device to be quarantined by placing the device on the first quarantined network such that communications over the network by the device are restricted and traffic for the device is filtered ...

More
18-04-2013 publication date

Global Queue Pair Management in a Point-to-Point Computer Network

Number: US20130097600A1
Owner: International Business Machines Corp

An approach is provided in which a local module receives a data frame that is initiated by a first virtual machine and has a target destination at a second virtual machine, which executes on a destination host system. The local module identifies a destination local port ID and a destination global queue pair number corresponding to the second virtual machine. In one embodiment, the destination local port ID corresponds to the destination host, but the destination global queue pair number is independent of the destination host. The local module includes the destination global queue pair number and the destination local port ID in an overlay header and encapsulates the data frame with the overlay header, which results in an encapsulated frame. In turn, the local module sends the encapsulated frame through a computer network to the second virtual machine.

More
18-04-2013 publication date

Managing policies

Number: US20130097653A1
Owner: Microsoft Corp

Aspects of the subject matter described herein relate to managing policies. In aspects, a staging store is used to store policies that are not applied to a computer system unless and until they are copied to or otherwise imported into a production store. A configuration entity is allowed read/write access to the staging store, but is not allowed write access to the production store. A policy manager is granted read access to the staging store and write access to the production store. The policy manager may approve or deny staging policies. If the policy manager approves a staging policy, the policy manager may derive a production policy from the staging policy and store the production policy in the production store. Once a policy is in the production store, the policy may be applied to one or more entities as appropriate.

More
18-04-2013 publication date

SECURE DATA INTERCHANGE

Number: US20130097664A1
Owner: Pinpoint, Incorporated

A secure data interchange system enables information about bilateral and multilateral interactions between multiple persistent parties to be exchanged and leveraged within an environment that uses a combination of techniques to control access to information, release of information, and matching of information back to parties. Access to data records can be controlled using an associated price rule. A data owner can specify a price for different types and amounts of information access. 1. A method of providing access to user profile information, the method comprising: storing in memory a profile for a user, the profile comprising personal information regarding the user; establishing a policy for access to the user's personal information, the policy comprising an access rule that provides different users with different levels of access to the user's personal information, wherein the access rule is controlled by the owner of the personal information; providing online access to the user's personal information by the users in accordance with the policy; establishing a price rule for access to one or more user profiles by one or more agents; and providing access to information in the one or more user profiles based on the price rule. 2. The method of claim 1, further comprising: matching the users based on their profiles. This application is a divisional of and claims priority under 35 U.S.C. §120 to U.S. application Ser. No. 12/417,747 entitled “Secure Data Interchange,” filed on Apr. 3, 2009, which is a continuation of U.S. application Ser. No. 09/699,098, filed on Oct. 27, 2000, which claims the benefit of U.S. Provisional Application No. 60/161,640, filed Oct. 27, 1999, titled Secure Data Interchange, and U.S. Provisional Application No. 60/206,538, filed May 23, 2000, titled Secure Data Interchange, all of which are incorporated herein by reference in their entirety. 1. Field of the Invention. The Secure Data Interchange invention describes a system to allow a ...

More
25-04-2013 publication date

Policy Enforcement in a Secure Data File Delivery System

Number: US20130104185A1
Owner: Axway Inc.

A server interacts with a sender to form a package which can include one or more attached data files to be sent to one or more recipients, and the server applies a policy established by a policy authority of the sender to the package. Since the server both forms the package through interaction with the sender and applies the policy, violations of the policy by the package can be brought to the sender's attention during an interactive session with the sender and before encryption of all or part of the package. As a result, the sender is educated regarding the policy of the sender's policy authority, and the sender can modify the package immediately to comport with the policy. The server delivers the package to intended recipients by sending a notification to each recipient that includes package identification data, e.g., a URL by which the package can be retrieved. 1. (canceled) 2. A method comprising: in a secure interactive session between a client sender associated with an enterprise and a web server accessible to the client sender via a public internet, receiving data specifying one or more recipients, a subject and message data, and identifying one or more data files for inclusion in a package submitted for delivery to the specified one or more recipients; evaluating the received data for violation of a sender policy framework specified and configurable by a policy authority with which the client sender is associated and, in the case of a violation, allowing the client sender to, during the secure interactive session, correct the data and resubmit the package for delivery; and effectuating delivery of the package at least in part by sending a notification message to each of the specified one or more recipients, the notification message containing a private universal resource locator (private URL) by which the respective recipient may securely retrieve the package. 3. The method of claim 2, wherein the evaluating of received data for violation of the sender policy ...

More
25-04-2013 publication date

METHOD AND SYSTEM FOR MANAGING CONFIDENTIAL INFORMATION

Number: US20130104191A1
Owner: PortAuthority Technologies Inc.

A method and a system for information management and control are presented, based on a modular and abstract description of the information. Identifiers are used to identify features of interest in the information, and information use policies are assigned directly or indirectly on the basis of the identifiers, allowing for flexible and efficient policy management and enforcement, in that a policy can be defined with a direct relationship to the actual information content of digital data items. The information content can be of various kinds: e.g., textual documents, numerical spreadsheets, audio and video files, pictures and images, drawings, etc. The system can provide protection against information policy breaches such as information misuse, unauthorized distribution and leakage, and for information tracking. 1. A method for monitoring information content carried in a medium, the method comprising: monitoring said medium for said information; seeking elementary information units within objects of said information being monitored in said medium; identifying said elementary information units; and deducing information about the content of said information objects from identification of said elementary information units found within said objects. 2. A method according to claim 1, wherein said medium comprises at least one of the following: a distribution channel; and a storage medium. 3. A method according to claim 1, wherein said information objects comprise at least one simple information object, said simple information object comprising one of the following: an elementary information unit; a set of elementary information units; and an ordered set of elementary information units. 4. A method according to claim 1, wherein said elementary information units comprise at least one of the following: a sentence; a sequence of words; a word; a sequence of characters; a character; a sequence of numbers; a number; a sequence of digits; a digit; a vector; a curve; a pixel; a block ...

More
25-04-2013 publication date

DYNAMIC CONFIGURATION OF A GAMING SYSTEM

Number: US20130104193A1
Owner: IGT

A method to enable dynamic configuration of gaming terminals installed in one or a plurality of gaming premises, whereby certified games, certified data files and certified support software components are activated in accordance with a predetermined schedule or automatically in response to the observed gaming activity. The method may include allocating an individual PKI certificate to each executable software component and each of its versions, binding the PKI certificate to the executable software, associating a distinctive policy with each certificate and then enforcing the software execution policies in accordance with the desired authorized game configuration and schedule. The PKI certificate's “Subject Name” (or “Issued to” field or “CommonName” field) may be a concatenation of the software component identification, its version number and optionally other identification characters. The method applies equally to other network-connected gaming subsystems. The method enables fine-grained and secure control of the authorized software components and thus the flexibility to securely configure the gaming system in accordance with a schedule or in a closed-loop fashion in order to meet business objectives. In addition, a method to enable the certification authority to bind the certificates to the tested code is described. 1. A method for a network-connected gaming system to enable selective execution of at least one authorized software component, comprising the steps of: configuring Software Restriction Policies for the at least one authorized software component at a predetermined time; unrestricting the Software Restriction Policies for the at least one authorized software component at a predetermined time; enabling a link for the Software Restriction Policies for the at least one authorized software component at a predetermined time; checking for a change of the Software Restriction Policies and, if there is no policy change, looping to the beginning of this step ...

More
02-05-2013 publication date

METHOD FOR ADAPTING SECURITY POLICIES OF AN INFORMATION SYSTEM INFRASTRUCTURE

Number: US20130111548A1
Owner:

The present invention refers to a method for adapting security policies of an information system infrastructure as a function of attacks on the system by storing potential attacks, their associated risks and curative security policies in a data repository, monitoring entering contents representing data streams of the information system, detecting at least one attack in the information system, assessing a success probability parameter of the at least one detected attack and its associated cost impact parameter, assessing an activation impact parameter of at least one curative security policy in response to the at least one detected attack and its associated cost impact parameter, and deciding to activate or deactivate a curative security policy based on the success probability parameter of a detected attack, the activation impact parameter of associated curative security policies and the cost impact parameters of both an attack and associated curative security policies. 1. Method for adapting security policies of an information system infrastructure as a function of attacks, comprising the steps of: storing potential attacks and their associated risks in a data repository; storing curative security policies in response to the potential attacks in a data repository; monitoring entering contents representing data streams of the information system; detecting at least one attack in the information system; assessing a success probability parameter of the at least one detected attack and its associated cost impact parameter; assessing an activation impact parameter of at least one curative security policy in response to the at least one detected attack and its associated cost impact parameter; deciding on the activation or deactivation of a curative security policy as a function of the success probability parameter of the at least one detected attack, of the activation impact parameter of at least one curative security policy and of the cost impact parameters of both the detected at ...

More
02-05-2013 publication date

METHODS AND SYSTEMS THAT SELECTIVELY RESURRECT BLOCKED COMMUNICATIONS BETWEEN DEVICES

Number: US20130111590A1
Owner: WORCESTER TECHNOLOGIES LLC

Data communications between devices are selectively blocked and resurrected based on error notifications. Data communications from one or more source devices to one or more intended destination devices are selectively blocked based on content of the data communications. The blocked data communications are stored in a database. A blocked data communication is retrieved from the database in response to an error notification from one of the source devices and/or from one of the destination devices. The retrieved data communication is then sent to the intended destination device. 1. A method, comprising: storing a blocked data communication, wherein the blocked data communication is blocked from being transmitted to a destination device; and sending the blocked data communication to the destination device in response to receiving an error notification indicating an error operational condition in an application program on the destination device and caused by blocking of the blocked data communication from being transmitted to the destination device. 2. The method of claim 1, further comprising: detecting a defined potential intrusion into the destination device, wherein the storing is performed in response to the detecting the defined potential intrusion. 3. The method of claim 2, wherein the detecting comprises: comparing content of the data communication to a communication blocking rule; and performing the detecting based, at least, on the comparing of the content of the data communication and the communication blocking rule. 4. The method of claim 3, further comprising: modifying the communication blocking rule based, at least, on the error notification being determined to indicate that the data communication caused the error operational condition in the application program on the destination device. 5. The method of claim 4, wherein the modifying comprises: modifying the communication blocking rule to allow a subsequent data communication to be transmitted to the ...

More
09-05-2013 publication date

METHOD AND SYSTEM FOR ENCRYPTED FILE ACCESS

Number: US20130117811A1
Author: Phillips Anthony H.

A method and system for encrypted file access are provided. The method includes the steps of: receiving an access request for an encrypted file by an application; determining the application making the access request; checking if the application is authorised for access; and if authorised, allowing the access request. The access request may be a read or write access by a destination or source application. If the application is authorised for access, the method checks if the application is authorised for unencrypted access; and if so, allows unencrypted file access. 1-15. (canceled) 16. A file encryption system comprising: a data store storing a list of applications and types of files that the applications have been granted permission to access and a list of allowable hash values; and a processor configured to: receive an access request for an encrypted file by an application; determine if the application is authorized for access to the encrypted file by checking a name of the application and a file type of the encrypted file against the list of applications and types of files that the applications have been granted permission to access; upon determining that the application is authorized to access the encrypted file, further determine if the application is authorized for access to an unencrypted version of the encrypted file by calculating a hash value of contents of the application and checking the calculated hash value against the list of allowable hash values; and upon determining that the application is authorized for access to an unencrypted version of the encrypted file, decrypt the encrypted file and return the decrypted file to the application, otherwise return the encrypted file to the application; wherein the list of applications and types of files that the applications have been granted permission to access and the list of allowable hash values are administered by a security policy. 17-18. (canceled) 19. The ...

More
16-05-2013 publication date

File-based application programming interface providing selectable security features

Number: US20130124851A1
Author: Michael T. Kain
Owner: Individual

A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.

More
16-05-2013 publication date

File-based application programming interface providing ssh-secured communication

Number: US20130124852A1
Owner: Individual

A data communication security system is disclosed that includes a network interface configured for transport layer protocol communications at a communication port. The network interface includes a security module configured to provide secure shell (SSH) data security on a transport layer data path, and which is communicatively connected to the transport layer data path. The data communication security system also includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute configured for selection of the security module and accessible for use in logical I/O operations.

More
23-05-2013 publication date

SYSTEM AND METHOD FOR PROVIDING VARIABLE SECURITY LEVEL IN A WIRELESS COMMUNICATION SYSTEM

Number: US20130129092A1
Owner: INTERDIGITAL TECHNOLOGY CORPORATION

A system and method for providing variable security levels in a wireless communication network. The present invention optimizes the often conflicting demands of highly secure wireless communications and high speed wireless communications. According to a preferred embodiment of the present invention, various security sensors are scanned to determine the likely presence of an intruder within a predetermined trust zone. If an intruder is likely present, the security level is changed to the highest setting, and consequently a lower data rate, while the intruder is identified. If the identified intruder is in fact a trusted node, the security level is returned to a lower setting. If the identified intruder is not a trusted node, the security level is maintained at an elevated state while the intruder is within the trust zone. 1. A method for providing security, comprising: configuring a trust zone with variable level security; and increasing a level of the variable level security on detection of an intruder wireless device in the trust zone. 2. The method of claim 1, wherein an increased level of the variable level security has an increased bit length of an encryption key that uses symmetric key cryptography. 3. The method of claim 1, wherein an increased level of the variable level security has an increased frequency at which a public key utilizing asymmetric key cryptography is changed. 4. The method of claim 1, further comprising: decreasing the level of the variable level security on a condition that the detected intruder wireless device is a trusted device. 5. The method of claim 1, further comprising: maintaining the level on a condition that the detected intruder wireless device is not a trusted device. 6. The method of claim 1, further comprising: terminating all communications across the trust zone upon increasing the level of the variable level security. 7. The method of claim 1, wherein providing an increased level of the variable level security includes ...

More
23-05-2013 publication date

COMBINING NETWORK ENDPOINT POLICY RESULTS

Number: US20130133027A1
Owner: JUNIPER NETWORKS, INC.

An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assumes one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result. 1-27. (canceled) 28. A method comprising: identifying, by a processor, a plurality of policy results relating to a security state of a network device, the plurality of policy results including a first policy result and a second policy result, each policy result, of the plurality of policy results, being associated with a respective plurality of states, and a first plurality of states, associated with the first policy result, including a pass state, a fail state, and another state that differs from the pass state and the fail state; determining, by the processor, information associated with a criterion, the information identifying a first state of the first plurality of states, and a second state of a second plurality of states associated with the second policy result; evaluating, by the processor and based on the criterion, the network device to generate an evaluation result; and outputting, by the processor, the evaluation result to the network device. 29. The method of claim 28, where the other state, included in the first plurality of states, corresponds to at least one of: a state associated with isolating the network device within a network, or a state related to denying a request from the network device. 30. The method of claim 28, where the evaluation result relates to confirming at least one of: an integrity status of the network device, an identity of a user of the network device, an identity of the network device ...

More
23-05-2013 publication date

PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE

Number: US20130133030A1
Owner: CHINA IWNCOMM CO., LTD.

Provided are a platform authentication strategy management method for trusted connection architecture (TCA), and the trusted network connection (TNC) client, TNC access point and evaluation strategy service provider for implementing the method in the TCA. In the embodiments of the present invention, the platform authentication strategy for the access requester can be configured in the TNC access point or the evaluation strategy service provider, and the platform authentication strategy for the access requester configured in the evaluation strategy service provider can be delivered to the TNC access point. Moreover, a component-type-level convergence platform evaluation strategy can be executed in the TNC access point or the evaluation strategy service provider, to ensure that the realization of the TCA platform authentication has good application extensibility. 1. A platform authentication policy management method applicable to a trusted connection architecture, comprising: a step 1 of configuring, on a Trusted Network Connection, TNC, client, first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; and configuring, on a TNC access point or an evaluation policy server, second platform authentication policies comprising a platform authentication management policy of the access controller, platform configuration protection policies of the access controller, platform evaluation policies for the access requester and a platform authentication action recommendation generation policy of the access controller; a step 2 of, if the second platform authentication policies are configured on the evaluation policy server, then the TNC access point requesting the evaluation policy server for the second ...

More
30-05-2013 publication date

METHOD AND APPARATUS FOR EXECUTING SECURITY POLICY SCRIPT, SECURITY POLICY SYSTEM

Number: US20130139217A1
Author: XIE Yongfang
Owner: Huawei Technologies Co., Ltd.

Embodiments of the present invention provide a method and an apparatus for executing a security policy script as well as a security policy system. The method includes: verifying a signature of a security policy script to be executed, where the security policy script to be executed corresponds to a unique signature, and the signature is used to verify validity of the security policy script; and invoking a script engine to execute the security policy script to be executed after verifying that the signature of the security policy script to be executed is correct, so as to improve security of the security policy script effectively. 1. A method performed by a terminal security proxy apparatus in the network for executing a security policy script, comprising: verifying a signature of a security policy script to be executed, wherein the security policy script to be executed corresponds to a unique signature, and the signature is used to verify validity of the security policy script; and invoking a script engine to execute the security policy script to be executed after verifying that the signature of the security policy script to be executed is correct. 2. The method performed by a terminal security proxy apparatus in the network for executing a security policy script according to claim 1, wherein: the invoking a script engine to execute the security policy script comprises: parsing the security policy script to be executed to obtain at least one script command; determining whether it is allowed to execute the script command; and when it is determined that the execution is allowed, executing the script command; otherwise, skipping the script command. 3. The method performed by a terminal security proxy apparatus in the network for executing a security policy script according to claim 2, wherein: the determining whether it is allowed to execute the script command comprises: filtering the at least one script command according to a command filtering database to determine whether the ...

More
06-06-2013 publication date

METHOD AND APPARATUS FOR PROVIDING CONTENT TO A COMPUTING DEVICE

Number: US20130145246A1
Author: So Andrew
Owner: SALMON ALAGNAK LLC

Methods and systems for providing content (e.g., such as web content) to a computing device are disclosed. An example method for providing web content includes receiving, from a first computing device, a request for the web content and determining a device type of the first computing device. The example method further includes retrieving the web content and modifying the web content based on the device type. The example method still further includes providing the modified web content to the first computing device for display on the first computing device. 1. A method comprising: providing an end-user interface, wherein the end-user interface is configured to provide a selectable level of security for transmissions associated with a chat session. 2. The method of claim 1, further comprising selecting a first level of security for the transmissions associated with the chat session. 3. The method of claim 2, further comprising accelerating the transmissions in response to the selecting the first level of security. 4. The method of claim 3, wherein the first level of security comprises implementing secure transmissions. 5. The method of claim 4, wherein the secure transmissions comprise encryption of the chat session. 6. The method of claim 1, wherein the transmissions comprise financial transactions and network traffic. 7. The method of claim 1, wherein the level of security comprises a secure transmission session and a non-secure transmission session. 8. The method of claim 5, wherein the secure transmissions further comprise a secure socket layer session. 9. The method of claim 1, wherein the level of security is configured to a default setting of a non-secure transmission session. 10. The method of claim 1, wherein the level of security is configured to a default setting of a secure transmission session. 11. A method comprising: providing a network-based chat session for a plurality of participants; providing a plurality of stored messages; selecting a stored message of ...

Publication date: 06-06-2013

POLICY EVALUATION IN CONTROLLED ENVIRONMENT

Number: US20130145421A1
Assignee: JUNIPER NETWORKS, INC.

A module may include interface logic to receive information identifying a state related to a client device via logic related to a controlled environment, and to send a valid policy result to a host device, where the valid policy result is related to the state. The module may include processing logic to process policy content according to a resource policy, where the processing is based on the information, and to produce the valid policy result based on the processing using the resource policy, where the valid policy result is adapted for use by the host device when implementing the network policy with respect to a destination device when the client device attempts to communicate with the destination device.

1-31. (canceled)
32. A method comprising: receiving, by a first device and from a second device, first information relating to whether the second device complies with one or more policies, the first device being different than the second device, and the one or more policies relating to accessing a network; identifying, by the first device and based on the first information, second information that identifies the one or more policies; causing, by the first device, a determination, using the first information and the second information, to be made as to whether the second device complies with the one or more policies; determining, by the first device, whether a result of the determination corresponds to an authorized operation relating to the first device; sending, by the first device and to the second device, a message indicating that the second device is denied access to the network when the result does not correspond to the authorized operation; and sending, by the first device and to a third device, instructions relating to the second device accessing the network when the result corresponds to the authorized operation, the third device to determine whether to grant access to the network, to the second device, based on the instructions.
33. The method of ...

Publication date: 06-06-2013

METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR TAGGING CONTENT ON UNCONTROLLED WEB APPLICATION

Number: US20130145423A1
Author: Cooper Cameron Blair
Assignee: Socialware, Inc.

Communications by a device in a private network to a site operating outside of the network can be programmatically inspected. Unstructured data, including messages and application content, originating from outside of the network may be dynamically converted to structured data that can be tagged. Interactions and activities can be monitored and processed differently according to internal policies and/or business rules. For example, at least a portion of the structured data can be modified prior to forwarding to the device, access by the device to at least a portion of the structured data can be blocked or limited, access by the device to one or more features associated with the structured data can be blocked or limited, etc.

1. A method for controlling access to a web site, comprising: at a server computer in a network, monitoring access by a device within the network to a site operating outside of the network, wherein the site is not controlled by the network; based on the access by the device in the network to the site operating outside of the network, receiving unstructured data from outside of the network and converting at least part of the unstructured data to structured data; and applying a policy to the structured data, wherein the policy is internal to the network, wherein the server computer in the network performs the applying.
2. The method according to claim 1, wherein applying the policy comprises blocking access by the device to the structured data or limiting access by the device to at least a portion of the structured data.
3. The method according to claim 1, wherein applying the policy further comprises modifying at least a portion of the structured data prior to forwarding to the device in the network.
4. The method according to claim 1, wherein applying the policy further comprises limiting access by the device to one or more features associated with the structured data.
5. The method according to claim 4, wherein at least one of the one or ...

Publication date: 13-06-2013

METHOD AND DEVICE FOR CONTROLLING ACCESS TO OUT-OF-BAND CONTENTS FOR COMBINATION WITH TRUSTED CONTENTS, AND ASSOCIATED EQUIPMENTS

Number: US20130152161A1
Assignee: THOMSON LICENSING

A method is intended for controlling access to out-of-band contents, provided by an out-of-band source, by at least one communication equipment connected to a managed source, providing trusted contents, and coupled to this out-of-band source. This method includes the steps of:

1. Method for controlling access to out-of-band contents, provided by an out-of-band source, by at least one communication equipment connected to a managed source, providing trusted contents, and coupled to said out-of-band source, the method comprising the steps, at a network equipment connected to said out-of-band source and comprising a processor, of: (i) receiving security data, representative of a policy defining out-of-band contents that are allowed to be combined with a trusted content, from a communication equipment, and enforcing said policy associated to said trusted content into a security means of said network equipment; (ii) receiving a message, requesting transmission on a chosen trusted communication path of a chosen out-of-band content to be combined with said trusted content, from said communication equipment, and transmitting said chosen out-of-band content to at least said communication equipment requesting it through said chosen trusted communication path if it conforms to said enforced policy.
2. Method according to claim 1, wherein in step (i) at least some of said security data associated to said trusted content are extracted by said communication equipment from auxiliary data contained into a data stream comprising said trusted content.
3. Method according to one of claim 1, wherein in step (i) at least some of said security data associated to said trusted content are defined by a user of said communication equipment.
4. Method according to one of claim 1, wherein in step (ii) said security means drops or modifies said chosen out-of-band content if it does not conform to said enforced policy.
5. Method according to claim 4, wherein in step (ii) said network ...

Publication date: 13-06-2013

METHOD AND SYSTEM FOR AUTHORIZING A LEVEL OF ACCESS OF A CLIENT TO A VIRTUAL PRIVATE NETWORK CONNECTION, BASED ON A CLIENT-SIDE ATTRIBUTE

Number: US20130152162A1
Assignee:

An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute, includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.

1. A method for assigning a client to an authorization group based on a client-side attribute, the method comprising: (a) identifying, by a device intermediary to a plurality of clients and a server, a policy for evaluating a client responsive to a first request of the client to access the server, the policy specifying an expression comprising a plurality of clauses joined by one or more logical operators, each clause of the plurality of clauses identifying a different client-side attribute to be evaluated by the client; (b) transmitting, by the device to the client, a second request to the client to have the client evaluate the plurality of clauses; (c) receiving, by the device from the client, a response to the second request, the response comprising a result of evaluation by the client of the plurality of clauses of the expression; and (d) assigning, by the device, the client to an authorization group responsive to applying the policy to the result of the evaluation.
2. The method of claim 1, wherein each clause comprises an object identifying the client, an attribute of the object and a prerequisite of the attribute.
3. The method of claim 2, wherein ...

Publication date: 13-06-2013

Taking Configuration Management Data and Change Business Process Data Into Account With Regard to Authorization and Authentication Rules

Number: US20130152164A1

An approach receives a request from a user, typically a change implementer, on a computer system. The request includes a user identifier and a requested action. A current timestamp corresponding to a computer system clock is retrieved. Scheduled changes are retrieved from a data store accessible by the processor. The current timestamp is compared to the scheduled change periods. The requested action is allowed if the comparison reveals that the current timestamp is within one of the retrieved scheduled changes, and the requested action is denied if the comparison reveals that the current timestamp is outside of the retrieved scheduled change periods.

1. A processor-implemented method comprising: receiving a request, wherein the request includes a user identifier, a system identifier, and a requested command, wherein the requested command comprises a command to be executed on a system corresponding to the system identifier; performing the requested command in response to determining that the requested command is included in a predetermined list of allowed commands associated with the user identifier; and denying the requested command in response to determining that the requested command is not included in the predetermined list of allowed commands associated with the user identifier.
2. The method of further comprising: comparing a current time to one or more scheduled change periods associated with the system, wherein the allowing and the denying are based in part on the comparing.
3. The method of further comprising: refusing to process one or more additional requests in response to determining that a system wide restriction period is reached.
4. The method of further comprising: receiving, from a requestor, a restriction policy request corresponding to the system; retrieving a restriction policy corresponding to the system; and returning the retrieved restriction policy to the requestor.
5. The method of wherein the restriction policy is selected from a group consisting of a ...

Publication date: 20-06-2013

Method and system for resource and admission control of home network

Number: US20130160073A1
Author: You Jianjie
Assignee: ZTE CORPORATION

The disclosure provides a method for resource and admission control of a home network: the RACF of an NGN retail service provider formulates an initial policy rule according to a resource request after receiving the resource request sent by an SCF; a CPN performs an authorization check on one or more resource requests after receiving them, each of which includes the initial policy rule and is sent by an RACF of a respective NGN retail service provider, formulates a final policy rule after the authorization check is passed, and executes the final policy rule. The disclosure further provides a corresponding system for resource and admission control of a home network. Since a CGPE-FE executes the corresponding operation according to the decision result of an HPD-FE, the disclosure can avoid resource control errors such as resource desynchrony or resource inconsistency, and can improve system stability.

1. A method for resource and admission control of a home network, comprising: performing authorization check, by a Resource and Admission Control Function (RACF) of a Next Generation Network (NGN) retail service provider, on a resource request after receiving the resource request sent by a Service Control Function (SCF), formulating an initial policy rule after the authorization check is passed, and sending a resource request comprising the initial policy rule to a Customer Premises Network (CPN); performing, by the CPN, authorization check on one or more resource requests after receiving them, each of which comprises the initial policy rule and is sent by an RACF of a respective NGN retail service provider, formulating a final policy rule after the authorization check is passed, and executing the final policy rule.
2. The method according to claim 1, wherein sending the resource request comprising the initial policy rule by the RACF of the NGN retail service provider to the CPN is: sending, by a Policy Decision Functional Entity of the RACF of the NGN retail service ...

Publication date: 27-06-2013

Security policy editor

Number: US20130167193A1
Assignee: AKAMAI TECHNOLOGIES, INC.

A shared computing infrastructure has associated therewith a portal application through which users access the infrastructure and provision one or more services, such as content storage and delivery. The portal comprises a security policy editor, a web-based configuration tool that is intended for use by customers to generate and apply security policies to their media content. The security policy editor provides the user the ability to create and manage security policies, to assign policies so created to desired media content and/or player components, and to view information regarding all of the customer's current policy assignments. The editor provides a unified interface to configure all media security services that are available to the CDN customer from a single interface, and to enable the configured security features to be promptly propagated and enforced throughout the overlay network infrastructure. The editor advantageously enables security features to be configured independently of a delivery configuration.

1. A method of enforcing security in a shared computing infrastructure, the computing infrastructure having associated therewith a portal application through which portal users access the shared computing infrastructure and provision one or more services, a storage system, and a set of edge servers from which protected content is delivered to requesting end users, the method comprising: for a particular security service provided from the shared computing infrastructure, distributing a security metadata template to the set of edge servers, the security metadata template defining logic for performing a security operation associated with the particular security service; receiving, via the portal application executing on a hardware element, information defining a security policy; storing, in a data store, the information; and upon receipt at an edge server of a request for the protected content, fetching the information and executing the logic ...

Publication date: 04-07-2013

Methods for identifying network traffic characteristics to correlate and manage one or more subsequent flows and devices thereof

Number: US20130173779A1
Assignee: F5 Networks Inc

A method, non-transitory computer readable medium, and device that identifies network traffic characteristics to correlate and manage one or more subsequent flows includes transmitting a monitoring request comprising one or more attributes extracted from an HTTP request received from a client computing device and a timestamp to a monitoring server to correlate one or more subsequent flows associated with the HTTP request. The HTTP request is transmitted to an application server after receiving an acknowledgement response to the monitoring request from the monitoring server. An HTTP response to the HTTP request is received from the application server. An operation with respect to the HTTP response is performed.

Publication date: 04-07-2013

ACCESS CONTROL INFORMATION GENERATING SYSTEM

Number: US20130174217A1
Author: OGAWA Ryuichi
Assignee: NEC Corporation

A system stores policy information in which role identification information, resource group identification information and action information are associated with each other, stores user identification information and role identification information in association with each other, receives an access request including user identification information for identifying a user of a client device, generates access control information based on the policy information and transmits the generated access control information to an access target device, acquires address information of a transmission source of the access request, and generates communication filter information representing permission for communication relating to an address represented by the acquired address information and transmits the generated communication filter information to a communication filter device specified based on the policy information.

1. An access control information generation system comprising: a policy information storing unit for storing policy information in which role identification information for identifying a role assigned to a user, resource group identification information for identifying a resource group including at least one access target resource that is owned by an access target device and is a resource to be a target of access, and action information representing a type of access to the access target resource are associated with each other; a user information storing unit for storing user identification information for identifying a user and role identification information for identifying a role assigned to the user in association with each other; an access request receiving unit for receiving an access request including user identification information for identifying a user of a client device from the client device; an access control information transmitting unit for generating access control information representing permission for a user identified by user ...

Publication date: 04-07-2013

SECURITY POLICY ENFORCEMENT SYSTEM AND SECURITY POLICY ENFORCEMENT METHOD

Number: US20130174218A1
Author: Sasaki Takayuki
Assignee: NEC Corporation

An object of the present invention is to distribute a processing load of security measures and enforce a security policy to be applicable to a large system. Policy information indicating a security measure to be executed on user information transmitted from a client to a server is stored in a policy storing section. Measure arrangement information indicating the security measure executable in each of a plurality of policy enforcement sections is stored in a measure-arrangement storing section. Among the plurality of policy enforcement sections, one or more of the policy enforcement sections that execute the security measure on the user information are selected on the basis of the policy information and the measure arrangement information. Each of the one or more policy enforcement sections executes the security measure on the user information and outputs, on the basis of a selection result, the user information to the other policy enforcement sections among the one or more policy enforcement sections or to the server.

1. A security policy enforcement system comprising: a plurality of policy enforcement sections configured to execute a security measure on user information transmitted from a client to a server; a policy storing section configured to store policy information indicating the security measure to be executed on the user information; a measure-arrangement storing section configured to store measure arrangement information indicating the security measure executable in each of the policy enforcement sections; and a policy determining section configured to select, on the basis of the policy information and the measure arrangement information, one or more of the policy enforcement sections that execute the security measure on the user information among the plurality of policy enforcement sections, wherein each of the one or more policy enforcement sections executes the security measure on the user information and outputs, on the basis of a selection result of the ...

Publication date: 11-07-2013

METHOD AND APPARATUS FOR PROVIDING EXTENDED AVAILABILITY OF REPRESENTATIVES FOR REMOTE SUPPORT AND MANAGEMENT

Number: US20130179939A1
Assignee: BOMGAR

A network appliance is configured to determine a security policy controlled by a system of an organization. The network appliance creates an association between the security policy and support agent access to the system. The network appliance creates portals where the access is based on the security policy and access includes connectivity for providing remote support service to the system from a remote support service disconnected from the system.

1. A method comprising: determining, by a network appliance, a security policy controlled by a system of an organization; creating, by the network appliance, an association between the security policy and access to the system; and creating, via the network appliance, portals where the access is based on the security policy, wherein the access includes connectivity for providing remote support service to the system from a remote support service disconnected from the system.
2. A method according to claim 1, further comprising: determining a customer associated with the system; and connecting a support agent to the customer via a portal, wherein the portal provides the organization with information regarding support agent-customer activity.
3. A method according to claim 1, further comprising: recording support agent activity associated with a portal; and creating auditable reports, performance reports, or a combination thereof based on the recorded support agent activity.
4. A method according to claim 1, wherein the portal is configured to serve as a proxy for attended and unattended remote support.
5. A method according to claim 4, wherein the portal is configured to push a remote support executable to the system, initiate a pre-installed client to establish a remote support session, or a combination thereof.
6. A method according to claim 5, wherein the pre-installed client is configured to collect data and statuses related to a remote system.
7. A method according to claim 4, wherein the portal is configured ...

Publication date: 18-07-2013

METHOD, APPARATUS, SIGNALS AND MEDIUM FOR ENFORCING COMPLIANCE WITH A POLICY ON A CLIENT COMPUTER

Number: US20130185762A1
Assignee: Fortinet, Inc.

A method and system for enforcing compliance with a policy on a client computer in communication with a network is disclosed. The method involves receiving a data transmission from the client computer on the network. The data transmission includes status information associated with the client computer. The data transmission is permitted to continue when the status information meets a criterion.

1. A method for client computer policy compliance enforcement, the method comprising: receiving a data transmission from a client computer on a network, said data transmission including status information associated with a configuration and operational status of the client computer, the status information including hashed representations of client computer configuration and operational status data; preventing said data transmission from continuing when said data transmission does not include status information; permitting said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values; and wherein the data transmission includes a request, and permitting the data transmission to continue includes forwarding the data transmission for processing of the request.
2. The method of claim 1, wherein permitting said data transmission to continue further comprises authenticating a user of the client computer before permitting said data transmission to continue.
3. The method of claim 1, further comprising causing an action to be taken when said status information does not meet said criterion.
4. The method of claim 3, wherein causing said action to be taken comprises causing an entry to be made in a log.
5. The method of claim 3, wherein causing said action to be taken comprises causing an alert to be issued.
6. The method of claim 5, wherein causing said alert to be issued comprises sending a message to an ...

Publication date: 25-07-2013

CLUSTER ARCHITECTURE FOR NETWORK SECURITY PROCESSING

Number: US20130191881A1
Assignee: WATCHGUARD TECHNOLOGIES, INC.

A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing, to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device may be performed.

1. A computer-readable storage medium comprising instructions to cause a computing device to perform a method for assigning network flow processing tasks within a cluster comprising a plurality of communicatively coupled computing devices, the method comprising: maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto; identifying a network flow for processing by the cluster; determining whether the network flow is already being processed by a cluster computing device using the flow assignment data structure; assigning the network flow to a selected one of the cluster computing devices when the flow has not been assigned to a cluster computing device; and updating the flow assignment data structure to map the network flow to the assigned cluster computing device.
2. The computer-readable storage medium of claim 1, further comprising configuring the assigned cluster computing device to process network traffic associated with the network flow.
3. The computer-readable storage ...

Publication date: 01-08-2013

METHOD AND APPARATUS FOR DISTRIBUTING PUBLISHED MESSAGES

Number: US20130198308A1
Assignee: Nokia Corporation

A method for delivering published messages to subscribers comprises:
- storing a set of subscriptions (F_top, F_top, F_top) in a routing table (RTO) of a first broker (BRO),
- sending a set of messages (e, e, e) from the first broker (BRO) to a second broker (BR) according to at least one subscription (F_top) stored in the routing table (RTO),
- receiving a subsequent message (e),
- determining a search term (topi) based on a data element of the subsequent message (e),
- comparing the search term (topi) with a set of data elements stored in a relation repository (CRR), and
- controlling sending of the subsequent message (e) to the second broker (BR) according to a result of said comparison,
wherein the set of data elements stored in the relation repository (CRR) comprises data elements of the messages (e, e, e) previously sent to the second broker (BR), and wherein said set of subscriptions (F_top, F_top, F_top) contains at least one subscription (F_top), which specifies a topic (top), which is not contained in the set of data elements stored in the relation repository (CRR).

1-24. (canceled)
26. The method of comprising: searching for a data element in the repository such that a data element is considered to match with the search term when a difference or a distance between the data element in the repository and the search term is smaller than a predetermined limit, and controlling sending of the subsequent message to the second broker based on a result of said searching.
27. The method of comprising changing a merit value when a matching data element is found.
28. The method of comprising sending the subsequent message to the second broker when the merit value passes a first limit.
29. The method according to claim 25, comprising adding a new data point to the repository when the subsequent message has been subscribed by at least one subscriber, and no matching data elements are found in the repository.
30. The method according to wherein the search term is at least one of a data ...

Publication date: 01-08-2013

System and method for innovative management of transport layer security session tickets in a network environment

Number: US20130198509A1
Assignee: McAfee LLC

An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed-size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of the portion of the session ticket encountered in one TLS protocol record using a hashing algorithm, incrementally computing another hash value of the next portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until all portions of the session ticket have been processed.

Publication date: 01-08-2013

Role Engineering Scoping and Management

Number: US20130198639A1

Mechanisms are provided for performing a role engineering project for applying security roles to access operations targeting resources. A plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system are received. One or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project are received. The one or more filter criteria specify a scope of the role engineering project. The one or more filter criteria are applied to generate the subset of data objects. Role engineering project operations are performed on the subset of data objects to generate one or more security roles. The one or more security roles are deployed to the organization computing system to control access operations targeting resources of the organization computing system.

1. A method, in a data processing system, for performing a role engineering project for applying security roles to access operations targeting resources, comprising: receiving, by the data processing system, a plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system; receiving, by the data processing system, one or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project, wherein the one or more filter criteria specify a scope of the role engineering project; applying, by the data processing system, the one or more filter criteria to generate the subset of data objects; performing, in the data processing system, role engineering project operations on the subset of data objects to generate one or more security roles; and deploying, by the data processing system, the one or more security roles to the organization computing system to control access operations targeting resources of the organization ...

Details
01-08-2013 publication date

POLICY-BASED SELECTION OF REMEDIATION

Number: US20130198800A1
Assignee: Colorado Remediation Technologies, LLC

Methods and systems for automatically determining one or more remediations for a remotely monitored host asset are provided. According to one embodiment, a policy database, having stored therein policies each of which defines at least one parameter condition, violation of which is potentially indicative of unauthorized activity or manipulation of the host asset, is maintained by a remote server. The remote server receives, via a network, a value of a parameter of the host asset. The parameter value is one of multiple parameter values that collectively characterize an operational state of the host asset. A determination is made whether there is a policy violation based on the parameter value by retrieving and evaluating one or more policies with reference to the parameter value. When a policy violation is confirmed, a remediation is retrieved from a remediation database associated with the remote server and the remediation is deployed to the host asset. 1. A computer-implemented method comprising: maintaining, by a remote server, a policy database having stored therein a plurality of policies each of which defines at least one parameter condition, violation of which is potentially indicative of unauthorized activity or manipulation of a particular host asset of a plurality of monitored host assets; receiving, by the remote server, via a network coupling the plurality of monitored host assets in communication with the remote server, a value of a parameter of a host asset of the plurality of monitored host assets, wherein the parameter value is one of a plurality of parameter values that collectively characterize an operational state of the host asset at a particular point in time; retrieving, by the remote server from the policy database, one or more policies of the plurality of policies; and evaluating, by the remote server, the one or more policies with reference to the parameter value; and determining whether a policy of the plurality of policies is violated based on the parameter ...

Details
01-08-2013 publication date

WHITE LISTING DNS TOP-TALKERS

Number: US20130198803A1
Assignee: VeriSign, Inc.

Systems and methods for creating a list of trustworthy resolvers in a domain name system. A computer receives a resolver profile for a resolver sending queries to a domain name server. The resolver profile is based on any, or a combination, of a top-talker status of the resolver, a normalcy of distribution of domain names queried, a continuity of distribution of query type, an RD bit status, and information related to query traffic based on the topology of the domain name server. Resolver profiles can be compared to a trust policy to determine whether the resolver is trustworthy. Resolvers deemed trustworthy can be added to a list of trustworthy resolvers. Embodiments can detect the occurrence of a network-based attack. Embodiments can mitigate the effect of a network-based attack by responding only to queries from resolvers on the list of trustworthy resolvers. 1. A computer-implemented method for creating a list of trustworthy DNS resolvers, the method comprising: receiving, at a computer, a resolver profile for a resolver sending queries to a domain name server based on any, or a combination, of a top-talker status of the resolver, a normalcy of distribution of domain names queried, a continuity of distribution of query type, an RD bit status, and information related to query traffic at one or more nodes in a distributed domain name server topology; applying a policy to the resolver profile to determine whether the resolver is trustworthy; and adding, by the computer, the resolver to a list of trustworthy resolvers if the resolver is determined to be trustworthy. 2. The computer-implemented method of wherein receiving comprises receiving a resolver profile based on a continuity of an IP time-to-live variance of queries from the resolver. 3. The computer-implemented method of comprising generating an indication of an attack condition if the resolver profile is not determined to be trustworthy. 4. The computer-implemented method of comprising blocking queries from a ...

Details
01-08-2013 publication date

REMEDIATION OF COMPUTER SECURITY VULNERABILITIES

Number: US20130198848A1
Author: Wolff Todd

A computer security vulnerability remediation system (CSVRS) is disclosed, including a CSVRS client communicatively coupled to a remediation server through a network. The CSVRS client includes software having a security vulnerability, which vulnerability may be known to malicious actors who develop an exploit. In some cases, the exploit is a "zero-day exploit," meaning the vulnerability may not be known to the CSVRS client until the exploit is deployed. An RSP receives information about the exploit and vulnerability from a team of remediation experts. The RSP may prepare a remedial exploit, which carries a self-healing payload. The remedial exploit may be delivered either through the vulnerability itself, or through credentials granted by the CSVRS client to the RSP. The self-healing payload takes appropriate action, such as closing ports or disabling scripts, to prevent the vulnerability from being further exploited. 1. A tangible data storage medium having stored thereon executable software instructions that are configured, when executed, to instruct a processor to: communicate with a client computing device; evaluate the client computing device to determine whether the client computing device is subject to a known security vulnerability; upon determining that the client computing device is subject to the vulnerability, deliver a remedial exploit to the client computing device, wherein the remedial exploit is configured to exploit the security vulnerability to gain privileged access to the client computing device and deliver thereto a self-healing payload; and the self-healing payload is configured to take a remedial action to reduce the client machine's exposure to the security vulnerability. 2. The tangible storage medium of claim 1, wherein the remedial action is selected from the group consisting of disabling selected forms of scripting, modifying firewall rules, disabling services, modifying registry settings, downloading programs ...

Details
08-08-2013 publication date

METHOD AND SYSTEM FOR INTELLIGENT MANY-TO-MANY SERVICE ROUTING OVER EPP

Number: US20130204838A1
Assignee: VeriSign, Inc.

A method and system for routing EPP requests over a network are provided. A routing system includes multiple frontend service interfaces, one or more gateways, a management server, and a backend service platform that provides multiple application services. The frontend service interfaces are addressable using virtual IP addresses ("VIP") and can be provided by the gateways. The routing system defines a many-to-many mapping between the frontend service interfaces and a set of services provided by the backend service platform. A requestor can send a request over EPP to a targeted service interface to access one or more backend services, by sending the request to a target IP or domain name that corresponds to a VIP associated with the targeted service interface. Using the many-to-many mapping and the VIP of the targeted service interface, the routing system can identify backend services sought by the request and provide the requestor with access to the backend services. 1. A computer-implemented method for routing requests received using Extensible Provisioning Protocol (EPP) to a plurality of services, the method comprising: receiving, via the EPP from a requestor, a request to access a service from among the plurality of services, wherein the request is directed to a target service interface of a plurality of service interfaces via an address associated with the target service interface; analyzing the request to determine the address of the target service interface; identifying the service sought by the request based on the address of the target service interface; and routing the request to the service, thereby providing the requestor with access to the service. 2. The computer-implemented method of claim 1, wherein identifying the service sought by the request further comprises: identifying the service sought by the request based on information in a routing table associated with the address of the target service interface, wherein the routing table includes a many-to-many ...

Details
15-08-2013 publication date

MIGRATION OF CREDENTIALS AND/OR DOMAINS BETWEEN TRUSTED HARDWARE SUBSCRIPTION MODULES

Number: US20130212637A1
Assignee: INTERDIGITAL PATENT HOLDINGS, INC.

Systems, methods, and instrumentalities are disclosed that allow a user to initiate migration of a credential from one domain to another domain. A request to initiate a migration of credentials from a first domain to a second domain may be initiated by a user. A remote owner may receive a message indicating that the migration has been requested. The message received by the remote owner may be an indication that the source and destination devices have performed internal checks and determined that a migration could proceed. The remote owner may evaluate source information received from the source device and destination information received from the destination device. Based on the evaluation of the source information and the destination information, the remote owner may determine that the migration is acceptable. The remote owner may send an indication to proceed with the migration. 1. In a system comprising one or more devices, each of which comprise one or more domains, each domain comprising a configuration of computing resources executing on the one or more devices and each domain being configured to perform functions for an owner of the domain that may be located locally or remotely from the domain, wherein each domain may have a different owner, and wherein at least one domain is owned by a user of said one or more devices, and wherein at least one other domain is owned by a remote owner, a method comprising: receiving a message indicating that a migration has been requested, wherein at least one of a first domain or a credential associated with the first domain is migrated from a source device to a destination device; evaluating source information received from the source device and destination information received from the destination device; determining that the migration is acceptable based on the evaluating; and sending an indication to proceed with the migration. 2. The method of claim 1, wherein: the source information includes at ...

Details
15-08-2013 publication date

SYSTEMS AND METHODS FOR TESTING ONLINE SYSTEMS AND CONTENT

Number: US20130212638A1
Author: WILSON Jeffrey Todd
Assignee: AOL INC.

Systems and methods are provided for automatically monitoring the compliance of web pages and graphical user interfaces with governmental and self-regulatory privacy and security policies. In accordance with one implementation, a method is provided that comprises instructing the execution of an operation on content associated with at least one web page. The operation may include at least one of (i) a scanning operation that generates forensic data corresponding to the web page or (ii) an analytical operation that analyzes at least a portion of the forensic data corresponding to the web page. The method further comprises obtaining output data associated with the executed operation, and generating information indicative of a compliance of the web page with at least one of a privacy regulation or a security regulation, the information being generated based on the output data. 1. A computer-implemented method, comprising: instructing, with at least one processor, the execution of an operation on content associated with at least one web page, the operation comprising at least one of (i) a scanning operation that generates forensic data corresponding to the web page or (ii) an analytical operation that analyzes at least a portion of the forensic data corresponding to the web page; obtaining output data associated with the executed operation; and generating, with the at least one processor, information indicating whether there is a compliance of the at least one web page with at least one of a privacy regulation or a security regulation, the information being generated based on the obtained output data. 2. The method of claim 1, further comprising: transmitting configuration information to a server capable of executing the operation, the configuration information identifying the operation and the at least one web page. 3. The method of claim 2, further comprising: receiving a request to execute the operation from an input source; receiving polling information from ...

Details
15-08-2013 publication date

Method, System And Apparatus For Improving Security Level Of A Terminal When Surfing Internet

Number: US20130212639A1
Author: Dan SONG, Fei Qi, Feng Zhao
Assignee: Tencent Technology Shenzhen Co Ltd

A method, system, and apparatus for improving the security level of a terminal when it surfs the Internet. The method includes receiving, by a network side, network security information reported by a terminal, generating a network security policy according to the network security information reported by each terminal, and transmitting a security indication according to the network security policy to the terminal; and providing, by the terminal, a security prompt for network information to be obtained or having been obtained, according to the security indication. Various embodiments can improve the security level of the terminal when it surfs the Internet and save resources of the terminal.

Details
15-08-2013 publication date

Distributed network instrumentation system

Number: US20130212641A1
Author: Bryan Stiekes
Assignee: Hewlett Packard Development Co LP

A distributed network instrumentation system (100) includes a security management station (110) including a global network policy decomposer (112) configured to decompose global network security policies into local security policies for distributed policy enforcement, and a network interface (220) communicatively coupled to a compute platform (200). The network interface (220) is configured to off-load processing of the local security policies and end-to-end encryption from an operating system (210) of the compute platform (200) for facilitating network instrumentation.

Details
15-08-2013 publication date

Mission management for dynamic computer networks

Number: US20130212676A1
Author: Wayne Smith
Assignee: HARRIS CORP

A method for communicating data in a computer network involves dynamically modifying, at a first location in the computer network, a plurality of true values. The true values correctly represent the plurality of identity parameters. These true values are transformed to false values, which incorrectly represent the identity parameters. Subsequently, the identity parameters are modified at a second location to transform the false values back to the true values. The position of the first and/or second locations varies dynamically as part of this process. A bridge transforms identity parameter values when communicating outside the network. Dynamic modification of the identity parameters occurs in accordance with a mission plan that can be modified without interrupting communication of data in the network.

Details
22-08-2013 publication date

CERTIFICATE MANAGEMENT METHOD BASED ON CONNECTIVITY AND POLICY

Number: US20130219455A1
Assignee: RESEARCH IN MOTION LIMITED

Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By associating the existing certificate store structure and key store structure with a mode of operation, certificates and keys can be assigned to one space among plural spaces. Furthermore, management (viewing/importation/deletion) of certificates associated with specific modes of operation may be controlled based on the presence or absence of a mobile device administration server and the status (enabled/disabled) of an IT policy. 1. A method of regulating population of a certificate store in a memory of a device, the method comprising: determining that a device administration server is present; and responsive to the determining, disabling user interface interaction for importing at least some certificates into a certificate store associated with a mode of operation of the device. 2. The method of further comprising: determining that an information technology policy is enabled; receiving a certificate pushed to the device; and saving the certificate to the certificate store associated with the mode of operation of the device. 3. The method of further comprising: determining that an information technology policy is disabled; and responsive to the determining that an information technology policy is disabled, limiting the disabling of user interface interaction for importing to only trusted Certificate Authority certificates. 4. The method of claim 1, further comprising, responsive to the determining, disabling user interface-based selection for deleting certificates from the certificate store associated with the mode of operation of the device. 5. The method of further comprising seeding the certificate store associated with the mode of operation of the device. 6. The method of claim 1, further comprising, before the determining: receiving a command to create the certificate store associated with the mode of ...

Details
22-08-2013 publication date

System and Method for Providing Network Security to Mobile Devices

Number: US20130219457A1
Author: Touboul Shlomo
Assignee: Yoggie Security Systems Ltd.

A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy. 1. A mobile security system, comprising: a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy. 2. The mobile security system of claim 1, wherein the connection mechanism includes at least one of a USB connector, a PCMCIA connector, an Ethernet connector, and a wireless communication module. 3. The mobile security system of claim 1, wherein the network connection module includes a wireless network interface card. 4. The mobile security system of claim 1, wherein the security engine includes at least one of an antivirus engine, an antispyware engine, a firewall engine, an IPS/IDS engine, a content filtering engine, a multilayered security monitor, a bytecode monitor, and a URL monitor. 5. The mobile security system of claim 1, wherein the security policy performs weighted risk analysis. 6. The mobile security system of claim 5, wherein the weighted risk analysis weighs risk based on content type. 7. The mobile security ...

Details
22-08-2013 publication date

Remote Security Self-Assessment Framework

Number: US20130219493A1
Author: Banzhof Carl
Assignee: ISCAN ONLINE, INC.

A system for security self-assessment for a computer platform. The system comprises a memory, a processor, and an application stored in the memory. When executed by the processor, the application, in association with a call to action, transmits security self-assessment logic and at least one security self-assessment policy to a computer platform, wherein the security self-assessment policy defines at least one scan tool to be used by the security self-assessment logic when executed on the computer platform to perform a security self-assessment of the computer platform. The system further comprises a plurality of scan tools stored in the memory and accessible for downloading by the computer platform. The security self-assessment logic is configured to cause a processor of the computer platform to download at least one scan tool defined by the security self-assessment policy and to perform a security self-assessment. 1. A system for security self-assessment of a computer platform, comprising: a memory; a processor; an application stored in the memory that, when executed by the processor, in association with a call to action, transmits security self-assessment logic and at least one security self-assessment policy to a computer platform, wherein the security self-assessment policy defines at least one scan tool to be used by the security self-assessment logic when executed on the computer platform to perform a security self-assessment of the computer platform; and a plurality of scan tools stored in the memory and accessible for downloading by security self-assessment logic when executed on the computer platform, wherein the security self-assessment logic is configured to cause a processor of the computer platform to download to the computer platform the at least one scan tool defined by the security self-assessment policy from the plurality of scan tools stored in the memory, to perform a security self-assessment of the computer platform based at least in part on the ...

Details
22-08-2013 publication date

SYSTEM AND METHOD FOR OPTIMIZATION OF SECURITY TASKS BY CONFIGURING SECURITY MODULES

Number: US20130219495A1
Assignee: KASPERSKY LAB, ZAO

A system and method for dynamic configuration of security modules for optimization of execution of security tasks are provided. The system includes: a mechanism for identifying the clients connected to the network; a client data collection unit that determines hardware/software configurations of each detected client; a security module selection and installation unit that selects required modules for each client; a statistics collection unit that collects the security tasks execution statistics from user modules and from client modules; and a configuration unit that configures the client and server modules based on the collected statistics in order to optimize execution of the security tasks. 1. A computer-implemented system for optimization of execution of security tasks, the system comprising: a client data collection unit for determining hardware and software configurations of clients detected as being connected to a network; a security module selection unit connected to the client data collection unit for selecting security modules for the clients for subsequent installation of the selected security modules on the clients and on a server; a statistics collection unit that collects security-related statistics from the clients and from the server; and a configuration unit for configuring the installed security modules based on the collected security-related statistics, wherein a security task is executed on a client if the client has a corresponding installed security module, and the security task is executed on the server if the client does not have the corresponding security module. 2. The system of claim 1, wherein the system uses ARP-spoofing for detecting which clients are connected to the network. 3. The system of claim 1, further comprising a database storing data of the security modules, wherein the data of the security modules is any of: module name; module version; incompatibilities with operating systems; incompatibilities with applications; ...

Details
29-08-2013 publication date

OFF-DEVICE ANTI-MALWARE PROTECTION FOR MOBILE DEVICES

Number: US20130227636A1
Assignee: Appthority, Inc.

Techniques for off-device anti-malware protection for mobile devices are disclosed. In some embodiments, off-device anti-malware protection for mobile devices includes receiving a software inventory for a mobile device, in which the software inventory identifies a plurality of applications installed on the mobile device; and determining whether one or more of the plurality of applications identified in the software inventory are associated with malware based on a policy. In some embodiments, the off-device anti-malware protection for mobile devices further includes enforcing the policy on the mobile device. In some embodiments, the off-device anti-malware protection for mobile devices is provided as a cloud service. 1. A system for off-device anti-malware protection for mobile devices, comprising: a processor configured to receive a software inventory for a mobile device, wherein the software inventory identifies a plurality of applications installed on the mobile device; and determine whether one or more of the plurality of applications identified in the software inventory are associated with malware based on a policy; and a memory coupled to the processor and configured to provide the processor with instructions. 2. The system recited in claim 1, wherein the software inventory for the mobile device is received at a cloud service for providing off-device anti-malware protection for mobile devices. 3. The system recited in claim 1, wherein the policy includes one or more of the following: a malware policy, a privacy policy, and an enterprise configured application security policy. 4. The system recited in claim 1, wherein a mobile device management (MDM) provisioning profile is installed on the mobile device, and wherein the MDM provisioning profile generates the software inventory for the mobile device. 5. The system recited in claim 1, wherein a mobile device management (MDM) provisioning profile is installed on the mobile device, wherein the ...

Details
29-08-2013 publication date

SYSTEMS AND METHODS TO ENFORCE SECURITY POLICIES ON THE LOADING, LINKING, AND EXECUTION OF NATIVE CODE BY MOBILE APPLICATIONS RUNNING INSIDE OF VIRTUAL MACHINES

Number: US20130227641A1
Assignee: OPTIO LABS, LLC

Methods and systems described herein relate to enhancing security on a device by enforcing one or more policies on the loading, linking, and/or executing of native code by one or more applications executing on the device. 1. A method of enforcing policies associated with the loading, linking and/or execution of native code by an application, the method comprising: taking an application executing, through the use of a computer processor, in a first process on a device; providing a policy engine executing, through the use of a computer processor, in a second process on the device; taking a request for a native code library by the application; determining by the policy engine whether the request from the application is allowed based on a policy; and permitting access to the native code library upon determining that the application is allowed to access the native library. 2. The method of claim 1, wherein the method further comprises facilitating interaction between the application and an operating system via the native code library. 3. The method of claim 1, wherein providing a policy engine comprises providing a policy engine enabled to communicate with a remote policy server to obtain the policy. 4. The method of claim 3, wherein the remote policy server comprises a policy server managing a policy repository comprising at least one policy. 5. The method of claim 1, wherein the application is an application running inside of a virtual machine. 6. The method of claim 1, further comprising taking requests from a plurality of applications. 7. The method of claim 1, wherein the device is one of a mobile phone, a tablet, a laptop, and a smartphone. 8. The method of claim 1, wherein the policy comprises one or more of a black list, a white list, a signature, a name check, a checksum, a library analysis check, a check for permission for an application, a process check, a user ...

Details
29-08-2013 publication date

Systems involving firewall of virtual machine traffic and methods of processing information associated with same

Number: US20130227674A1
Author: Derek Anderson
Assignee: Virtustream Canada Holdings Inc

Systems and methods are disclosed involving compute nodes configured to define and/or otherwise process information associated with one or more virtual machines. In one exemplary implementation, a compute node may be configured to enable a firewall between the virtual machine and at least a portion of a network. Moreover, the firewall may be configured to detect undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the virtual machine and the network. Various features may also relate to the compute node being configured to lock the virtual machine in response to the firewall detecting undesired traffic associated with the virtual machine.

Details
12-09-2013 publication date

System and method for providing pluggable security in an enterprise crawl and search framework environment

Number: US20130238589A1
Assignee: Oracle International Corp

Systems and methods for providing an enterprise crawl and search framework, including features such as use with middleware and enterprise application environments, pluggable security, search development tools, user interfaces, and governance. In accordance with an embodiment, the system includes an enterprise crawl and search framework which abstracts an underlying search engine, provides a common set of application programming interfaces for developing search functionalities, and allows the framework to serve as an integration layer between one or more enterprise search engines and one or more enterprise applications. A pluggable security environment, which includes one or more enterprise application security APIs, authentication services, a security plugin, an authorization service, and a data service, allows an application developer to add security information to enterprise application data before inserting or creating indexes on the search engine, and to deploy the enterprise application and use any policies in its configuration to configure enterprise application domain security, so that at query time the security environment retrieves the security keys of a user performing an enterprise application search and passes those keys to the search engine, where they are used to filter the query results.

Details
12-09-2013 publication date

Method and apparatus for providing efficient management of certificate revocation

Number: US20130238897A1
Assignee: Individual

A method for providing efficient management of certificate revocation may comprise storing a list of identifiers of digital certificates, including a revocation list defining a list of revoked certificates, in an accumulator; storing a witness value in association with at least some entries in the revocation list, in which the witness value provides proof of the membership or non-membership of an identifier in the revocation list; enabling generation of a new accumulator and a new witness value responsive to each insertion or deletion of an entry in the revocation list; and enabling batch updates to the revocation list using a reduced bit-length value generated based on a ratio of a value generated based on elements added to the revocation list to a value generated based on elements deleted from the revocation list. A corresponding apparatus is also provided. Also described is a method for certificate authorities (CAs) that use Bloom filters for certificate revocation list (CRL) compression, which enables the CA to hash only the entry that is to be un-revoked, so that a good compression rate may be provided while avoiding computation of the entire CRL for each un-revocation.

Publication date: 12-09-2013

System and method for enhancing trust for person-related data sources

Number: US20130239170A1
Assignee: Salesforce com Inc

The technology disclosed relates to enhancing trust for person-related data sources by tracking person-related sources using trust objects that hold trust metadata. In particular, it relates to generating trust-enhanced data by appending trust metadata to social media content and other business-to-business entities, and further using the trust-enhanced data to develop social engagement models based on customer preferences. The trust metadata described includes names, interface categories and origins of the person-related data sources along with customer engagement preferences and connection types.

Publication date: 12-09-2013

COMMUNICATION CONTROL APPARATUS, SYSTEM, METHOD, AND NON-TRANSITORY COMPUTER READABLE MEDIUM STORING PROGRAM THEREON

Number: US20130239172A1
Assignee: NEC Corporation

A communication control apparatus that controls communication via a network between a first communication apparatus for communicating via a virtual communication channel and a second communication apparatus for transmitting a communication request with the first communication apparatus, including a storage unit that stores an access control policy defining allowance or denial of access to the first communication apparatus, an establishment unit that establishes the virtual communication channel with the first communication apparatus, an authentication unit that authenticates the second communication apparatus based on the communication request received from the second communication apparatus, an access control unit that refers to the access control policy and evaluates whether to allow or deny access from the authenticated second communication apparatus to the first communication apparatus, and a transfer unit that transfers the received communication request to the first communication apparatus when the access control unit evaluates that the access is allowed.

1. A communication control apparatus that controls communication via a network between a first communication apparatus for communicating via a virtual communication channel and a second communication apparatus for transmitting a communication request with the first communication apparatus, the communication control apparatus comprising: storage unit for storing access control policy, the access control policy defining allowance or denial of access to the first communication apparatus; establishment unit for establishing the virtual communication channel with the first communication apparatus via the network in response to a request from the first communication apparatus; authentication unit for authenticating the second communication apparatus based on the communication request received from the second communication apparatus via the network; access control unit for referring to the access control policy stored to ...

Publication date: 19-09-2013

System and method for providing data protection workflows in a network environment

Number: US20130246334A1
Assignee: McAfee LLC

A method is provided in one example and includes receiving first sets of metadata elements representing objects of an inventory and generating a first summary of a first subset of the objects. The method further includes receiving second sets of metadata elements and corresponding category information representing objects of the first subset that are classified based on a first category and generating a second summary of a second subset of the classified objects. In yet further embodiments, the method includes initiating a protection task for objects of the second subset of the classified objects. In more specific embodiments, the protection task includes applying a remediation policy to the objects of the second subset or registering the objects of the second subset. In yet other embodiments, the second summary includes at least one of a total count and a total size of the objects in the second subset.

Publication date: 19-09-2013

System and method for intelligent state management

Number: US20130246424A1
Assignee: McAfee LLC

A method is provided in one example embodiment and it includes receiving a state request and determining whether a state exists in a translation dictionary for the state request. The method further includes reproducing the state if it is not in the dictionary and adding a new state to the dictionary. In more specific embodiments, the method includes compiling a rule, based on the state, into a given state table. The rule affects data management for one or more documents that satisfy the rule. In yet other embodiments, the method includes determining that the state represents a final state such that a descriptor is added to the state. In one example, if the state is not referenced in the algorithm, then the state is released. If the state is referenced in the algorithm, then the state is replaced with the new state.

Publication date: 19-09-2013

System and method for selecting messaging settings on a messaging client

Number: US20130246549A1
Assignee: Research in Motion Ltd

A system and method of selecting messaging settings on a messaging client are provided. A display configured to operate in conjunction with the messaging client displays a compose screen that includes a message portion and a messaging settings portion when an outgoing message is to be composed on the messaging client. Messaging settings selected to control message characteristics of the outgoing message are displayed in the messaging settings portion of the compose screen.

Publication date: 19-09-2013

Systems, devices, and methods for securely transmitting a security parameter to a computing device

Number: US20130246794A1
Assignee: Research in Motion Ltd

Embodiments of the systems, devices, and methods described herein generally facilitate the secure transmittal of security parameters. In accordance with at least one embodiment, a representation of first data comprising a password is generated at the first computing device as an audio signal. The audio signal is transmitted from the first computing device to the second computing device. The password is determined from the audio signal at the second computing device. A key exchange is performed between the first computing device and the second computing device wherein a key is derived at each of the first and second computing devices. In at least one embodiment, one or more security parameters (e.g. one or more public keys) are exchanged between the first and second computing devices, and techniques for securing the exchange of security parameters or authenticating exchanged security parameters are generally disclosed herein.

Publication date: 19-09-2013

Distribution of security policies for small to medium-sized organizations

Number: US20130247128A1
Assignee:

A security policy distribution system encapsulates parameters for a security policy and instructions for applying the parameters to a corresponding security program into a self-contained configuration file. When the self-contained configuration file is executed on behalf of a computer, the corresponding security program on the computer is updated with the parameters, thus distributing the security policy to the computer.

1. A method, comprising: providing a configuration procedure for an antivirus program to determine which parameters of a security policy have changed; creating a self-contained configuration file corresponding to the security policy, the self-contained configuration file comprising instructions for applying the parameters of the security policy; storing the self-contained configuration file on a server for subsequent downloading by a plurality of devices; providing the self-contained configuration file in an e-mail to be communicated over a network from the server to a client device for subsequent installation at the client device, wherein a login script, which was previously modified on the client device, is provided to search for updated self-contained configuration files as part of a client login procedure, and wherein detection of the updated self-contained configuration files results in an application of particular parameters of the updated self-contained configuration files being applied against corresponding security software of the client device to replicate the security policy, and wherein the self-contained configuration file includes a first instruction that renders the self-contained configuration file unusable by the client device after a certain period of time, and wherein the self-contained configuration file includes a second instruction for deleting the self-contained configuration file once it is executed; and receiving an error message if the self-contained configuration file is not installed on the client device, wherein the self- ...

Publication date: 19-09-2013

System, method and computer program product for obtaining a reputation associated with a file

Number: US20130247129A1
Assignee:

A reputation system, method and computer program product are provided. In use, a file associated with a first computer is identified. Thereafter, a reputation associated with the file stored at a second computer is obtained.

1. A method, comprising: identifying a file associated with a first computer; obtaining an overall reputation associated with the file stored at a second computer, wherein the overall reputation comprises at least one characteristic associated with the file that includes undesirable code identified through a scanning activity, and wherein the overall reputation is determined by receiving information on the reputation of the file from each of a plurality of computers and aggregating the information received from each of the plurality of computers to produce the overall reputation associated with the file, and wherein the information on the reputation of the file received from each of the plurality of computers is based upon a respective determination of a reputation of the file by each of the plurality of computers; and identifying a policy, wherein an agent provisioned in the first computer prohibits downloading of the file based on whether the reputation complies with configurable reputation settings provided in the policy, and wherein the policy is configured for indicating that additional scanning is to be carried out based on the reputation of the file.
2. The method of claim 1, wherein the overall reputation associated with the file is determined automatically.
3. The method of claim 2, wherein the overall reputation associated with the file is determined automatically by inspecting a plurality of files associated with a plurality of sites on a network.
4. The method of claim 3, wherein a plurality of the reputations associated with the plurality of files are stored in a database at the second computer, from which the overall reputation is obtained.
5. The method of claim 1, wherein the overall reputation associated with the file is ...

Publication date: 19-09-2013

METHODS AND SYSTEMS FOR AUTOMATICALLY CONFIGURING AND RE-CONFIGURING ELECTRONIC SECURITY INTERFACES

Number: US20130247137A1
Author: Puri Colin, Puri Rohit Raj
Assignee:

A scalable and flexible system and method for automatically configuring and re-configuring electronic security interfaces comprising video, audio, and wireless hardware and software capable of capturing video and audio, designed to be true “plug-n-play” for an end user. The system is configured to incorporate almost any type of camera, battery technology, storage device, wifi or cellular technology, and microphone, and provides access to the web in real time to add applications, for example facial recognition web services, real-time comparison against any previously identified and stored object, etc. In addition, the system and method are capable of taking as input most custom user-deployment application requirements and generating a set of hardware to fulfill a user's particular requirements.

1. A method of configuring a system for monitoring a location: determining, using at least one computing device, parameters of the location; classifying the parameters, wherein the parameters define requirements for at least one or more of audio, video, communication, storage, recording times, and energy devices; cross-referencing the parameters with a predefined database of hardware devices to selectively determine suggested hardware devices that meet the requirements; suggesting software configurations based on the requirements; and enabling user access to the software configurations and the hardware devices that meet the requirements, to enable modifications to either the hardware devices or the software configurations.
2. A method of claim 1, wherein the requirements are scalable.
3. A method of claim 1, wherein, depending on the requirements, the suggested hardware devices are a subset of all available devices possible.
4. A method of claim 1, wherein new hardware devices are automatically discovered and added to the predefined database.
5. A method of claim 1, wherein a device that is determined to be obsolete is automatically deleted from the predefined database.
6. A method of claim 1, ...

Publication date: 19-09-2013

METHOD AND APPARATUS FOR PROVIDING MOBILE AND SOCIAL SERVICES VIA VIRTUAL INDIVIDUAL SERVERS

Number: US20130247141A1
Assignee: AT&T Intellectual Property I,L.P.

A method, computer readable medium and apparatus for providing a virtual individual server service within a communications network are disclosed. For example, the method receives a request from a subscriber of the communications network to subscribe to the virtual individual server service, provides a virtual individual server to the subscriber in response to the request, and executes at least one application via the virtual individual server using at least one piece of personal information associated with the subscriber.

1. A method for providing a virtual server service within a communications network, comprising: receiving, by a processor, a request from a subscriber of a plurality of subscribers of the communications network to subscribe to the virtual server service; providing, by the processor, a respective virtual server to the subscriber in response to the request, wherein the subscriber has full control of the respective virtual individual server and the subscriber has exclusive control over determining another subscriber of the plurality of subscribers to have access to the respective virtual individual server provided to the subscriber; and executing, by the processor, an application via the virtual individual server using a piece of personal information associated with the subscriber.
2. The method of claim 1, wherein the respective virtual individual server comprises a portion of processing power and a portion of memory within the communications network dedicated to the subscriber.
3. The method of claim 1, further comprising: receiving the piece of personal information from the subscriber; and storing the piece of personal information in the respective virtual individual server.
4. The method of claim 1, wherein the subscriber maintains control over software executed in the respective virtual individual server.
5. The method of claim 1, wherein the subscriber defines a security policy of the respective virtual individual server to determine who is allowed ...

Publication date: 19-09-2013

SYSTEM AND METHOD FOR CONFIGURING DEVICES FOR SECURE OPERATIONS

Number: US20130247143A1
Assignee:

Systems and methods for establishing a security-related mode of operation for computing devices. A policy data store contains security mode configuration data related to the computing devices. Security mode configuration data is used in establishing a security-related mode of operation for the computing devices.

1. A wireless mobile device, comprising: a processor configured to be placed in a first security mode of operation, responsive to receiving first instructions; the processor further configured to be placed in a second security mode of operation, responsive to receiving second instructions, wherein at least one of the first and second security modes of operation causes the processor to use one or more security algorithms; and a display configured to visually indicate a current security mode of operation to a user of the wireless mobile device.
2. The wireless mobile device of claim 1, wherein the display further comprises a security options screen configured to provide the visual indication of the current security mode of operation.
3. The wireless mobile device of claim 1, wherein at least one of the first and second security modes of operation comprises a Federal Information Processing Standard (FIPS) mode of operation.
4. The wireless mobile device of claim 1, wherein at least one of the first and second security modes of operation includes the use of Advanced Encryption Standard (AES).
5. The wireless mobile device of claim 1, wherein at least one of the first and second security modes of operation includes the use of Triple Data Encryption Standard (3DES).
6. A method for operating a wireless mobile device, the method comprising: placing a processor in a first security mode of operation, responsive to receiving first instructions; placing the processor in a second security mode of operation, responsive to receiving second instructions, wherein at least one of the first and second security modes of operation causes the processor to use one or more ...

Publication date: 26-09-2013

Inter-domain replication of service information

Number: US20130254328A1
Assignee: International Business Machines Corp

An automated conversion of service information between independent information technology (IT) management domains is performed using a federated gateway within each of the independent IT management domains that bridges the independent IT management domains. The automated conversion of service information allows at least one service consumer application executing within a first independent IT management domain to use a local service definition format to access at least one remote service provider application with a remote service interface defined using a different remote service definition format for execution in a second independent IT management domain. At least one service request is dynamically processed for the at least one remote service provider application via service provider application endpoint translation using the federated gateway within each of the independent IT management domains that bridges the independent IT management domains.
