公开(公告)号：US20110173699A1

公开(公告)日：2011-07-14

申请号：US12686959

申请日：2010-01-13

申请人： Igal Figlin ,  Arthur Zavalkovsky ,  Lior Arzi ,  Efim Hudis ,  Jennifer R. LeMond ,  Robert Eric Fitzgerald ,  Khaja E. Ahmed ,  Jeffrey S. Williams ,  Edward W. Hardy

发明人： Igal Figlin ,  Arthur Zavalkovsky ,  Lior Arzi ,  Efim Hudis ,  Jennifer R. LeMond ,  Robert Eric Fitzgerald ,  Khaja E. Ahmed ,  Jeffrey S. Williams ,  Edward W. Hardy

IPC分类号： G06F11/00

CPC分类号： H04L63/1441 ,  H04L63/1408 ,  H04L63/1433 ,  H04L63/205

摘要： A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.

摘要翻译： 一种采用多级处理的网络安全系统来识别安全威胁。 多台主机可能每个都包含一个代理，该代理可以根据在该主机本地感测到的原始数据来检测安全威胁的可能性。 主机可以共享从本地分析获得的信息，并且每个主机可以使用在一个或多个其他主机上生成的信息以及本地生成的信息来识别安全性关注，更确定地指出存在安全威胁。 基于多个主机产生的安全问题，可能会指出安全威胁，并可采取保护措施。

公开(公告)号：US08516576B2

公开(公告)日：2013-08-20

申请号：US12686959

申请日：2010-01-13

申请人： Igal Figlin ,  Arthur Zavalkovsky ,  Lior Arzi ,  Efim Hudis ,  Jennifer R. LeMond ,  Robert Eric Fitzgerald ,  Khaja E. Ahmed ,  Jeffrey S. Williams ,  Edward W. Hardy

发明人： Igal Figlin ,  Arthur Zavalkovsky ,  Lior Arzi ,  Efim Hudis ,  Jennifer R. LeMond ,  Robert Eric Fitzgerald ,  Khaja E. Ahmed ,  Jeffrey S. Williams ,  Edward W. Hardy

IPC分类号： H04L29/06

CPC分类号： H04L63/1441 ,  H04L63/1408 ,  H04L63/1433 ,  H04L63/205

摘要： A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.

摘要翻译： 一种采用多级处理的网络安全系统来识别安全威胁。 多台主机可能每个都包含一个代理，该代理可以根据在该主机本地感测到的原始数据来检测安全威胁的可能性。 主机可以共享从本地分析获得的信息，并且每个主机可以使用在一个或多个其他主机上生成的信息以及本地生成的信息来识别安全性关注，更确定地指出存在安全威胁。 基于多个主机产生的安全问题，可能会指出安全威胁，并可采取保护措施。

公开(公告)号：US20110295948A1

公开(公告)日：2011-12-01

申请号：US13207925

申请日：2011-08-11

申请人： Ravi T. Rao ,  Khaja E. Ahmed ,  R. Scott Briggs ,  Scott A. Plant

发明人： Ravi T. Rao ,  Khaja E. Ahmed ,  R. Scott Briggs ,  Scott A. Plant

IPC分类号： G06F15/16

CPC分类号： H04L9/3236 ,  H04L2209/30 ,  H04L2209/60

摘要： Described is a technology in which client content requests to a server over a wide area network (WAN) are responded to with hash information by which the client may locate the content among one or more peer sources coupled to the client via a local area network (LAN). The hash information may be in the form of a segment hash that identifies multiple blocks of content, whereby the server can reference multiple content blocks with a single hash value. Segment boundaries may be adaptive by determining them according to criteria, by dividing streamed content into segments, and/or by processing the content based on the content data (e.g., via RDC or content/application type) to determine split points. Also described is content validation using the hash information, including by generating and walking a Merkle tree to determine higher-level segment hashes in order to match a server-provided hash value.

摘要翻译： 描述了一种技术，其中客户端内容通过广域网（WAN）向服务器请求的哈希信息被响​​应，客户端可以通过该信息来定位经由局域网耦合到客户端的一个或多个对等端点中的内容（ LAN）。 哈希信息可以是标识多个内容块的段哈希形式，由此服务器可以引用具有单个散列值的多个内容块。 通过根据标准来确定它们，通过将流内容分成段，和/或通过基于内容数据（例如，经由RDC或内容/应用程序类型）处理内容来确定分割点，来分段边界可以是自适应的。 还描述了使用散列信息的内容验证，包括通过生成和行走Merkle树来确定较高级别的段哈希，以便匹配服务器提供的哈希值。

公开(公告)号：US07607008B2

公开(公告)日：2009-10-20

申请号：US10817154

申请日：2004-04-01

申请人： John Hal Howard ,  Daniel Salvatore Schiappa ,  Khaja E. Ahmed ,  Kyle S. Young

发明人： John Hal Howard ,  Daniel Salvatore Schiappa ,  Khaja E. Ahmed ,  Kyle S. Young

IPC分类号： H04L29/00

CPC分类号： H04L63/0807 ,  G06F21/31 ,  G06F2221/2115 ,  H04L63/0884

摘要： A user is authenticated for a relying computing entity (e.g., an enterprise) through an authentication broker service, wherein a trust relationship exists between the relying computing entity and the authentication broker service. The authentication broker service has a trust relationship with the relying computing entity and the authentication service that issued the identity of the user. The relying computing entity asks the authentication broker service to authenticate the identity of the user. The authentication broker service captures the user's credential (or directs the authentication service to do so) and sends an authentication response (e.g., a token) to the relying computing entity in order to authenticate the identity of the user to the relying computing entity. The relying computing entity verifies the authentication response based on the trust relationship between the relying computing entity and the authentication broker service.

摘要翻译： 用户通过认证代理服务为依赖计算实体（例如，企业）进行认证，其中在依赖计算实体和认证代理服务之间存在信任关系。 认证代理服务与依赖计算实体和颁发用户身份的认证服务具有信任关系。 依赖计算实体请求认证代理服务验证用户的身份。 认证代理服务捕获用户的凭证（或指示认证服务来执行），并将认证响应（例如，令牌）发送到依赖计算实体，以便向依赖计算实体认证用户的身份。 依赖计算实体根据依赖计算实体和认证代理服务之间的信任关系来验证认证响应。

公开(公告)号：US20080052509A1

公开(公告)日：2008-02-28

申请号：US11509476

申请日：2006-08-24

申请人： Khaja E. Ahmed

发明人： Khaja E. Ahmed

IPC分类号： H04L9/00

CPC分类号： H04L63/02 ,  H04L63/0428

摘要： A networked computer system in which a trusted intermediary device is allowed access to packets transmitted through a secured connection. An endpoint to a secured connection identifies a trusted intermediary device, such as by certificate provided by the intermediary device or by using identification information provided by a trusted server. The endpoint shares with the trusted intermediary device connection information that enables the intermediary device to access packets transmitted through the secured connection. Using the connection information, the intermediary device may modify authenticated packets, such as to perform network address translation, without disrupting the underlying secured connection. Similarly, the intermediary device may use the security information to read encrypted information and perform functions such as network traffic monitoring or filtering of unwanted network traffic.

摘要翻译： 一种网络计算机系统，其中允许信任的中间设备访问通过安全连接传输的分组。 安全连接的端点标识可信赖的中间设备，例如由中介设备提供的证书或通过使用由可信服务器提供的标识信息。 端点与信任的中间设备连接信息共享，使得中间设备能够访问通过安全连接传输的分组。 使用连接信息，中间设备可以修改认证的分组，例如执行网络地址转换，而不会中断基础的安全连接。 类似地，中间设备可以使用安全信息来读取加密信息并执行诸如网络流量监控或不需要的网络业务的过滤的功能。

公开(公告)号：US20120084851A1

公开(公告)日：2012-04-05

申请号：US13015180

申请日：2011-01-27

申请人： Eugene (John) Neystadt ,  Daniel Alon ,  Yair Tor ,  Mark Novak ,  Khaja E. Ahmed ,  Yoav Yassour

发明人： Eugene (John) Neystadt ,  Daniel Alon ,  Yair Tor ,  Mark Novak ,  Khaja E. Ahmed ,  Yoav Yassour

IPC分类号： G06F7/04

CPC分类号： G06F21/335 ,  G06F21/57 ,  G06F2221/2129 ,  H04L63/0807 ,  H04L63/0876 ,  H04L63/10 ,  H04L63/1433

摘要： Embodiments of the invention make the issuance of trustworthy device claims available to client devices as a service, so that a client device to which device claims are issues may use the device claims in relation to an attempt to access a network application. The service may conduct an assessment of the device's characteristics and/or state, characterize the results of this assessment in device claims, and issue the device claims to the device. The service may be accessible to a client device from outside administrative boundaries of an entity that makes a network application accessible, and thus may be useful to entities making network applications accessible in business-to-consumer (B2C) and business-to-business (B2B) topologies, such as over the publicly accessible Internet.

摘要翻译： 本发明的实施例使可信赖的设备权利要求的发布作为服务可用于客户端设备，使得设备要求的客户端设备是问题，可以使用与访问网络应用的尝试有关的设备权利要求。 该服务可以对设备的特性和/或状态进行评估，表征设备权利要求中的该评估的结果，并向设备发出设备声明。 客户端设备可以从实现网络应用的实体的外部管理边界访问该服务，因此对于使企业对消费者（B2C）和企业对企业（B2C）可访问的网络应用的实体可能是有用的 B2B）拓扑，例如通过可公开访问的互联网。

公开(公告)号：US07921173B2

公开(公告)日：2011-04-05

申请号：US12419884

申请日：2009-04-07

申请人： Robert George Atkinson ,  Joshua T. Goodman ,  James M. Lyon ,  Roy Williams ,  Khaja E. Ahmed ,  Harry Simon Katz ,  Robert L. Rounthwaite ,  Andrew V. Goldberg ,  Cynthia Dwork

发明人： Robert George Atkinson ,  Joshua T. Goodman ,  James M. Lyon ,  Roy Williams ,  Khaja E. Ahmed ,  Harry Simon Katz ,  Robert L. Rounthwaite ,  Andrew V. Goldberg ,  Cynthia Dwork

IPC分类号： G06F15/16

CPC分类号： G06Q10/107 ,  H04L51/12

摘要： The present invention provides for generating inputs that can be provided to a message classification module to facilitate more reliable classification of electronic messages, such as, for example, as unwanted and/or unsolicited. In one embodiment, a sending messaging server provides an appropriate response to address verification data thereby indicating a reduced likelihood of the sending messaging server using a forged network address. In another embodiment, it is determined if a messaging server is authorized to send electronic messages for a domain. In yet another embodiment, electronic message transmission policies adhered to by a domain are identified. In yet a further embodiment, a sending computer system expends computational resources to solve a computational puzzle and includes an answer document in an electronic message. A receiving computer system receives the electronic message and verifies the answer document.

摘要翻译： 本发明提供了用于生成可以提供给消息分类模块的输入，以便于电子消息的更可靠的分类，诸如例如不想要的和/或未经请求的。 在一个实施例中，发送消息收发服务器提供对地址验证数据的适当响应，从而指示发送消息服务器使用伪造网络地址的可能性降低。 在另一个实施例中，确定消息收发服务器是否被授权发送域的电子消息。 在又一实施例中，识别由域附加的电子消息传输策略。 在又一个实施例中，发送计算机系统花费计算资源来解决计算难题，并且包括电子消息中的应答文档。 接收计算机系统接收电子消息并验证答复文件。

公开(公告)号：US20090193093A1

公开(公告)日：2009-07-30

申请号：US12419884

申请日：2009-04-07

申请人： Robert George Atkinson ,  Joshua T. Goodman ,  James M. Lyon ,  Roy Williams ,  Khaja E. Ahmed ,  Harry Simon Katz ,  Robert L. Rounthwaite ,  Andrew V. Goldberg ,  Cynthia Dwork

发明人： Robert George Atkinson ,  Joshua T. Goodman ,  James M. Lyon ,  Roy Williams ,  Khaja E. Ahmed ,  Harry Simon Katz ,  Robert L. Rounthwaite ,  Andrew V. Goldberg ,  Cynthia Dwork

IPC分类号： G06F15/16

CPC分类号： G06Q10/107 ,  H04L51/12

摘要： The present invention provides for generating inputs that can be provided to a message classification module to facilitate more reliable classification of electronic messages, such as, for example, as unwanted and/or unsolicited. In one embodiment, a sending messaging server provides an appropriate response to address verification data thereby indicating a reduced likelihood of the sending messaging server using a forged network address. In another embodiment, it is determined if a messaging server is authorized to send electronic messages for a domain. In yet another embodiment, electronic message transmission policies adhered to by a domain are identified. In yet a further embodiment, a sending computer system expends computational resources to solve a computational puzzle and includes an answer document in an electronic message. A receiving computer system receives the electronic message and verifies the answer document.

摘要翻译： 本发明提供了用于生成可以提供给消息分类模块的输入，以便于电子消息的更可靠的分类，诸如例如不想要的和/或未经请求的。 在一个实施例中，发送消息收发服务器提供对地址验证数据的适当响应，从而指示发送消息服务器使用伪造网络地址的可能性降低。 在另一个实施例中，确定消息收发服务器是否被授权发送域的电子消息。 在又一实施例中，识别由域附加的电子消息传输策略。 在又一个实施例中，发送计算机系统花费计算资源来解决计算难题，并且包括电子消息中的应答文档。 接收计算机系统接收电子消息并验证答复文件。

公开(公告)号：US08881247B2

公开(公告)日：2014-11-04

申请号：US12889412

申请日：2010-09-24

申请人： Meir Mendelovich ,  John Neystadt ,  Khaja E. Ahmed

发明人： Meir Mendelovich ,  John Neystadt ,  Khaja E. Ahmed

IPC分类号： G06F15/16 ,  G06F11/30 ,  H04L9/32 ,  H04W12/06 ,  H04L29/06 ,  H04W88/02

CPC分类号： H04L9/3213 ,  H04L63/0807 ,  H04L2209/80 ,  H04W12/06 ,  H04W88/02

摘要： Architecture that utilizes the strong authentication mechanisms of network operators to provide authentication to mobile applications by identity federation. When a mobile client initiates request for access to an application outside the network operation infrastructure, the request is passed to an associated application secure token service. The application secure token service has an established trust and identity federation with the network operator. The application secure token service redirects the request to a network operator security token server, which then passes the request to a network operator authentication server for authentication against an operator identity service. Proof of authentication is then issued and returned from the network operator security token server to the application secure token service and the application, which allows the mobile client to access the application.

摘要翻译： 利用网络运营商的强认证机制的体系结构，通过身份联合为移动应用提供身份认证。 当移动客户端启动对网络操作基础架构之外的应用的访问请求时，该请求被传递到相关联的应用安全令牌服务。 应用安全令牌服务与网络运营商建立了建立的信任和身份联合。 应用安全令牌服务将请求重定向到网络运营商安全令牌服务器，该服务器然后将该请求传递给网络运营商认证服务器，以针对运营商身份服务进行身份验证。 然后从网络运营商安全令牌服务器发出认证证明，并向应用安全令牌服务和应用程序返回，允许移动客户端访问应用程序。

公开(公告)号：US08543808B2

公开(公告)日：2013-09-24

申请号：US11509476

申请日：2006-08-24

申请人： Khaja E. Ahmed

发明人： Khaja E. Ahmed

IPC分类号： H04L29/06 ,  H04L9/08 ,  G06F11/30

CPC分类号： H04L63/02 ,  H04L63/0428

摘要： A networked computer system in which a trusted intermediary device is allowed access to packets transmitted through a secured connection. An endpoint to a secured connection identifies a trusted intermediary device, such as by certificate provided by the intermediary device or by using identification information provided by a trusted server. The endpoint shares with the trusted intermediary device connection information that enables the intermediary device to access packets transmitted through the secured connection. Using the connection information, the intermediary device may modify authenticated packets, such as to perform network address translation, without disrupting the underlying secured connection. Similarly, the intermediary device may use the security information to read encrypted information and perform functions such as network traffic monitoring or filtering of unwanted network traffic.

摘要翻译： 一种网络计算机系统，其中允许信任的中间设备访问通过安全连接传输的分组。 安全连接的端点标识可信赖的中间设备，例如由中介设备提供的证书或通过使用由可信服务器提供的标识信息。 端点与信任的中间设备连接信息共享，使得中间设备能够访问通过安全连接传输的分组。 使用连接信息，中间设备可以修改认证的分组，例如执行网络地址转换，而不会中断基础的安全连接。 类似地，中间设备可以使用安全信息来读取加密信息并执行诸如网络流量监控或不需要的网络业务的过滤的功能。