Patent application number | Description | Published |
20080282313 | MULTI-PROFILE INTERFACE SPECIFIC NETWORK SECURITY POLICIES - Computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy. The data structure includes a first data field including data defining a parameter to be applied based on the network security policy. The network security policy defines at least one of the following: a firewall rule and a connection security rule. The data structure also includes a second data field having data specifying restrictions of the parameter included in the first data field. The parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed. The network security policy manages communications between a computing device and at least one other computing device. | 11-13-2008 |
20080282314 | Firewall with policy hints - A firewall helps a user make a decision regarding network access for an application executing on a computing device by providing “hints” to the user about an appropriate network access policy. If at least one previously set firewall policy for the application exists in a context different from a current context, the user may be presented with information based on a previously set firewall policy. The information may be prioritized based on a source of the previously set firewall policy and other factors, to provide the user with a hint that facilitates making the decision appropriate in the current context. A programming interface to the firewall allows third party applications to specify a format in which hints are provided to the user. | 11-13-2008 |
20080282335 | Software firewall control - A software firewall that may be simply configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be translated to firewall filters for network interfaces of that network type. The translation may be performed automatically and may be updated based on network location awareness information. | 11-13-2008 |
20080282336 | Firewall control with multiple profiles - A networked computer with a software firewall that may be configured for any of a number of network contexts may be quickly configured with an appropriate set of rules for a current network context. The computer has multiple profiles, each containing rules applicable to a different network context. When a change in network context is detected, a difference between the profile for the current context and the profile with which the firewall was previously configured is determined. These differences are applied to quickly reconfigure the firewall without blocking, even temporarily, communications that are allowed in the previously configured and current profiles. Additionally, when the networked computer is connected to multiple networks simultaneously, an appropriate profile may be selected. | 11-13-2008 |
20080282340 | SAFE HASHING FOR NETWORK TRAFFIC - Secure network communications between a source computer and a destination computer utilizing a firewall. The firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the outbound request. The remote endpoint and the local physical memory address are hashed to generate an index value corresponding to an entry in an internal state table of the firewall. When an inbound request is received, the firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the inbound request. The remote endpoint and the local physical memory address of the inbound request are hashed to generate an index value corresponding to an entry in the internal state table of the firewall. The firewall forwards the inbound request to the local endpoint if a matching entry is found in the internal state table at the index value. | 11-13-2008 |
20080289026 | Firewall installer - Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural process-oriented input facilitates administration of a firewall by allowing an administrator to specify desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online. | 11-20-2008 |
20080289027 | Incorporating network connection security levels into firewall rules - Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts. | 11-20-2008 |
20090006595 | Edge traversal service dormancy - A system maintains a dormant state in the host, in which no beacons (or “bubbles”) are transmitted from the host when no application or service (collectively, “processes”) of the host is accepting unsolicited traffic via the edge traversal service. When at least one application or service begins to accept unsolicited traffic via the edge traversal service, the host enters a qualified state and begins transmitting the beacons. As each additional application or service begins to accept such traffic, the number of accepting applications and services is maintained. As applications and services terminate acceptance of such traffic, the number of accepting applications and services is decremented. When the last application or service terminates acceptance of unsolicited traffic via the edge traversal service, the host re-enters the dormant state and ceases transmission of its beacons. | 01-01-2009 |
20090006847 | Filtering kernel-mode network communications - Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system. | 01-01-2009 |
20090007219 | Determining a merged security policy for a computer system - Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy. | 01-01-2009 |
20090007251 | Host firewall integration with edge traversal technology - A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic. | 01-01-2009 |
20090063584 | Versioning management - Versioning management provides for efficient and effective handling of varying policy versions, client versions and client platform versions in one system. Software version negotiation provides for simplified, secure policy management in an environment supporting varying versions of the same software product. In conjunction with parameter stripping, which resolves differences among varying minor versions of a software policy, software version negotiation allows for management tools of one version to manage client software, clients and/or client platforms of another version. Policy schema translation, in conjunction with parameter stripping as needed, provides a mechanism for converting policies that normally would be impossible to interpret on varying clients and/or client platforms to policy versions that can be understood by these clients and/or client platforms. Version targeting allows an administrator to push a policy to specific clients and/or client platforms to, among other things, address identified security issues or to provide version specific application enablement or enhancement. Together, these various versioning management methodologies simplify administration of a system consisting of varying policy versions, client versions and/or client platform versions while enhancing the flexibility of the system to apply policy throughout the system or any portion thereof. | 03-05-2009 |
20090177892 | PROXIMITY AUTHENTICATION - A security token is coupled to a computer and is available for use by both local and remote processes for on-demand response to a challenge. To minimize the security risk of an unattended session, the challenge may be issued to verify the presence of the token. When the token has a user interface, it may be used in conjunction with the computer to require that a user also participate in transferring displayed data between the token and computer. This helps to ensure that not only the token, but the user are both present at the computer during operation. For the most sensitive operations, such a confirmation may be required with each data submission. | 07-09-2009 |
20090178123 | TRUSTED INTERNET IDENTITY - A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requester by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request. | 07-09-2009 |
20090183249 | TRUSTED STORAGE AND DISPLAY - A storage token has a display and a keyboard, or other input device, that allows a user to view a request to access a memory location and enter a response to the request. The display allows presentation of details of the request, such as a pathname to a requested memory location, metadata describing a cryptographic key for use in a transaction confirmation, and/or transaction details which are awaiting verification by a credential stored on the token. The storage token may also include a cryptographic engine and a secure memory allowing signing data returned in response to the request. | 07-16-2009 |
20090276595 | PROVIDING A SINGLE DRIVE LETTER USER EXPERIENCE AND REGIONAL BASED ACCESS CONTROL WITH RESPECT TO A STORAGE DEVICE - A method and a storage device may be provided. The storage device may include physical storage subdivided into a number of regions. The regions may start and end based on logical block addresses specified in a region table. At least one of the regions may be mapped to a logical drive letter. One or more others of the regions may be mapped to a subfolder with respect to the logical drive letter. The storage device may include an access control table. Each entry of the access control table may correspond to a respective region of the physical storage. Each of the entries of the access control table may indicate whether the respective region is protected and whether at least one entity is permitted protected access to the respective region after being successfully authenticated. | 11-05-2009 |
20090276837 | CREDENTIAL EQUIVALENCY AND CONTROL - A number of equivalent credentials may be associated with at least one entity. Each of the equivalent credentials may be of one of a number of types, such as, for example, a cryptographic key pair, a password, a biometric, or other types or combinations thereof. When one of the equivalent credentials is authenticated by an authentication control system, the at least one entity may be permitted access to a hardware device, software, or a service associated with the authentication control system. The authentication control system may include a number of authentication endpoints and blocking controls, each of which may be associated with a respective equivalent credential. After the authentication control system authenticates one of the equivalent credentials, a parameter of a blocking control and/or configurable credential-related attributes of an authentication endpoint associated with another of the equivalent credentials may be changed or reset. | 11-05-2009 |
20090287917 | SECURE SOFTWARE DISTRIBUTION - To protect against software piracy, a storage media has a cryptographically protected area that stores software to be installed onto a target device, such as a computer. The storage media may include a non-secure area holding boot files and an installation program. The installation program may gather target device-specific data for use by a certifying authority in generating a key that allows access to the secure area of the storage media only during the installation process. In this manner, a user never has access to the raw installation files, limiting the ability to copy and distribute those files for installation on non-authorized computers. The certifying authority may also prepare target device-specific data applied to the software before installation to create a custom software image that will only execute on the target device and that can be verified by the host OS prior to execution, allowing integrity confirmation. | 11-19-2009 |
20090307451 | DYNAMIC LOGICAL UNIT NUMBER CREATION AND PROTECTION FOR A TRANSIENT STORAGE DEVICE - A dynamic logical unit number system is implemented as a storage device that includes processing logic and storage functionality. A storage device may be configured to provide a first logical unit number when the storage device is attached to a computer system or other computing device. The storage device through its dynamic logical unit number system provides a configuration interface through which the computer system can configure additional logical unit numbers and reconfigure existing logical unit numbers of the storage device. After the redefinition of the logical unit numbers, the dynamic logical unit number system may cause a reestablishment of the connection between the storage device and the computer system. Upon establishing the new connection, the computer system recognizes the redefined logical unit numbers and treats each logical unit number as a separate storage device, including assigning a different number to each logical unit number. | 12-10-2009 |
20100088418 | EDGE TRAVERSAL SERVICE DORMANCY - A system maintains a dormant state in the host, in which no beacons (or “bubbles”) are transmitted from the host when no application or service (collectively, “processes”) of the host is accepting unsolicited traffic via the edge traversal service. When at least one application or service begins to accept unsolicited traffic via the edge traversal service, the host enters a qualified state and begins transmitting the beacons. As each additional application or service begins to accept such traffic, the number of accepting applications and services is maintained. As applications and services terminate acceptance of such traffic, the number of accepting applications and services is decremented. When the last application or service terminates acceptance of unsolicited traffic via the edge traversal service, the host re-enters the dormant state and ceases transmission of its beacons. | 04-08-2010 |
20100088759 | DEVICE-SIDE INLINE PATTERN MATCHING AND POLICY ENFORCEMENT - Inline pattern matching and policy enforcement may be implemented by a memory storage device. In an example embodiment, a device-implemented method includes acts of receiving, intercepting, and performing and conditional acts of invoking or permitting. A request from a host to perform a memory access operation is received at a memory storage device. Data flowing between an I/O channel and physical storage of the memory storage device is intercepted. A pattern matching procedure is performed on the data with reference to multiple target patterns in real-time while the data is being intercepted. If a pattern match is detected between the data and a target pattern, a policy enforcement mechanism is invoked. If a pattern match is not detected between the data and the multiple target patterns, the request from the host to perform the memory access operation is permitted. | 04-08-2010 |
20100174921 | DEVICE SIDE HOST INTEGRITY VALIDATION - Described is a technology by which a transient storage device or secure execution environment-based (e.g., including an embedded processor) device validates a host computer system. The device compares hashes of host system data against valid hashes maintained in protected storage of the device. The host data may be a file, data block, and/or memory contents. The device takes action when the host system data does not match the information in protected storage, such as to log information about the mismatch and/or provide an indication of validation failure, e.g., via an LED and/or display screen output. Further, the comparison may be part of a boot process validation, and the action may prevent the boot process from continuing, or replace an invalid file. Alternatively, the validation may take place at anytime. | 07-08-2010 |
20100185825 | TRANSIENT STORAGE DEVICE CONFIGURATION SILO - A device configuration silo is arranged to be accessed as an IEEE 1667-compatible silo which exposes interfaces to a host application to make changes to the presence of one or more other silos, as well as make changes to silo configurations on a per-silo basis for data and method sharing among silos across the ACTs on a storage device such as a transient storage device. The interfaces exposed by the device configuration silo are arranged to enable an authenticated provisioner, like administrator in a corporate network environment, to perform configuration changes to silos after the storage device is released into the field through a secure provisioning mechanism. In addition, users may make configuration changes to silos at runtime in some usage scenarios, for example to enable discrete portions of functionality on a storage device, by using a secure secondary authentication mechanism that is exposed by the device configuration silo. | 07-22-2010 |
20100199108 | Device Enforced File Level Protection - Described is a technology by which files that are hardware protected on a storage device, such as a USB flash drive, are managed on a host, including by integration with an existing file system. Each file maintained on a storage device is associated with a protection attribute that corresponds to that file's device hardware protection level. Requests directed towards accessing metadata or actual file data are processed based upon the protection attribute and a state of authentication, e.g., to allow or deny access, show file icons along with their level of protection, change levels, and so forth. Also described is splitting a file system file table into multiple file tables, one file table for each level of protection. Entries in the split file tables are maintained based on each file's current level; space allocation tracking entries are also maintained to track the space used by other split tables. | 08-05-2010 |
20100235596 | Offline Device-Side Logical Unit Number Controller - Described is a technology by which a single physical storage device such as a USB flash memory device is able to boot different computing devices via corresponding different operating systems. The storage device includes a selection mechanism that determines which virtual disk (corresponding to a LUN) is seen by the host as the currently active LUN having sector | 09-16-2010 |
20100287344 | CAPTURING AND LOADING OPERATING SYSTEM STATES - Operating system states capture and loading technique embodiments are presented that involve the capture and loading of baseline system states. This is accomplished, in one embodiment, by storing the states of a computer's operating system memory that it is desired to restore at a future time. No changes are permitted to the persisted storage associated with the computer. Instead, changes that would have been made to the persisted storage during an ensuing computing session, had they not been prevented, are stored in a separate computing session file. Whenever it is desired to return the operating system to its baseline condition, the stored baseline system memory states are loaded into the operating system memory, in lieu of the operating system memory's current states. | 11-11-2010 |
20100318617 | Local Loop For Mobile Peer To Peer Messaging - Techniques described herein describe a proxy used in an instant messaging system. The proxy, upon receiving an instant message (IM) from a first mobile device and addressed to a second mobile device, dynamically determines whether, and for how long to store the IM on a local proxy. Otherwise the IM is forwarded to a server. | 12-16-2010 |
20100318633 | Dynamic Time Weighted Network Identification and Fingerprinting for IP Based Networks Based on Collection - Techniques described herein describe a dynamic time weighted network identification and/or fingerprinting method. A method includes identifying one or more machines connected to a network of machines; performing an address resolution procedure on each of the one or more machines to determine one or more machine specific identifiers associated with each of the one or more machines; and applying a dynamic weighting to each identified machine on the network of machines as a function of a determined transience of each identified machine. | 12-16-2010 |
20100318745 | Dynamic Content Caching and Retrieval - This disclosure provides techniques for dynamic content caching and retrieval. For example, a computing device includes cache memory dedicated to temporarily caching data of one or more applications of the computing device. The computing device also includes storage memory to store data in response to requests by the applications. The storage memory may also temporarily cache data. Further, the computing device includes system software to represent to the applications of the computing device that the portions of the storage memory utilized to cache content are available to store data of the applications. In addition, the computing device includes application programming interfaces to provide content to a requesting application from a cache of the computing device and/or from a remote content source. | 12-16-2010 |
20100319072 | Hardware Specific Product License Validation - Server-side validation of hardware specific software product licenses is described herein. | 12-16-2010 |
20100325258 | CAPTURING A COMPUTING EXPERIENCE - The described implementations relate to capturing a computing experience. In one case, a user session capture tool can launch a remote user session where a user-interface and user inputs are gathered from a single computing device. Remote user session data produced by the remote user session can be analyzed to determine user activity. | 12-23-2010 |
20100333066 | METHOD AND SYSTEM FOR MANAGING SOFTWARE ISSUES - A method of managing software issues includes receiving issue data from a remote host, where the issue data is related to an issue associated with a software application installed on the remote host. The method identifies a potential solution for the issue and sends solution data to the remote host, where the solution data is related to the identified potential solution. Feedback data may be received from the remote host, where the feedback data is indicative of a degree to which the identified potential solution was effective in resolving the issue. | 12-30-2010 |
20100333212 | PORTABLE PARAMETER-BASED LICENSING - Portable parameter-based licensing techniques are described. These techniques allow licenses to be decoupled from any particular host device and utilized in a portable and flexible fashion. In at least some embodiments, license data that includes a license to use computer-related functionality can be stored in a secure execution environment. The secure execution environment can be provided by a suitable secure execution environment hosting device(s) (SEHD), such as a portable flash memory device for instance. The license data in the secure execution environment can then be utilized to authorize use of the computer-related functionality, according to the license, on any number of host devices not responsible for providing the secure execution environment. As a result, the owner of the license can use the computer-related functionality without being restricted to any particular host device. | 12-30-2010 |
20110296238 | DATA ENCRYPTION CONVERSION FOR INDEPENDENT AGENTS - The re-encryption of data can be performed with independent cryptographic agents that can automatically encrypt and decrypt data in accordance with cryptographic regions, such that data within a single cryptographic region is encrypted and decrypted with the same cryptographic key. An “in-place” re-encryption can be performed by reading data from a chunk in an existing cryptographic region, shrinking the existing cryptographic region past the chunk, expanding a replacement cryptographic region over the chunk, and then writing the data back to the same location, which is now part of the replacement cryptographic region. An “out-of-place” re-encryption can be performed by reading data from a chunk in an existing cryptographic region and then writing the data back to a location immediately adjacent that is part of a replacement cryptographic region. After the re-encrypted data is “shifted”, the cryptographic regions can be expanded and contracted appropriately, and another chunk can be selected. | 12-01-2011 |
20110302314 | EDGE TRAVERSAL SERVICE DORMANCY - A system maintains a dormant state in the host, in which no beacons (or “bubbles”) are transmitted from the host when no application or service (collectively, “processes”) of the host is accepting unsolicited traffic via the edge traversal service. When at least one application or service begins to accept unsolicited traffic via the edge traversal service, the host enters a qualified state and begins transmitting the beacons. As each additional application or service begins to accept such traffic, the number of accepting applications and services is maintained. As applications and services terminate acceptance of such traffic, the number of accepting applications and services is decremented. When the last application or service terminates acceptance of unsolicited traffic via the edge traversal service, the host re-enters the dormant state and ceases transmission of its beacons. | 12-08-2011 |
20130081116 | TRUSTED INTERNET IDENTITY - A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requestor by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request. | 03-28-2013 |
20130152190 | Software Firewall Control - A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information. | 06-13-2013 |
20140337964 | Software Firewall Control - A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information. | 11-13-2014 |
20140351544 | DEVICE SIDE HOST INTEGRITY VALIDATION - Described is a technology by which a transient storage device or secure execution environment-based (e.g., including an embedded processor) device validates a host computer system. The device compares hashes of host system data against valid hashes maintained in protected storage of the device. The host data may be a file, data block, and/or memory contents. The device takes action when the host system data does not match the information in protected storage, such as to log information about the mismatch and/or provide an indication of validation failure, e.g., via an LED and/or display screen output. Further, the comparison may be part of a boot process validation, and the action may prevent the boot process from continuing, or replace an invalid file. Alternatively, the validation may take place at anytime. | 11-27-2014 |