1. Co-residency detection in a cloud-based system
    Granted invention patent (in force)

    Publication number: US09009385B1

    Publication date: 2015-04-14

    Application number: US13174177

    Application date: 2011-06-30

    IPC classification: G06F12/14 G06F3/06 G06F13/16

    Abstract: At least one virtual machine implemented on a given physical machine in an information processing system is able to detect the presence of one or more other virtual machines that are also co-resident on that same physical machine. More particularly, at least one virtual machine is configured to avoid usage of a selected portion of a memory resource of the physical machine for a period of time, and to monitor the selected portion of the memory resource for activity during the period of time. Detection of a sufficient level of such activity indicates that the physical machine is also being shared by at least one other virtual machine. The memory resource of the physical machine may comprise, for example, a cache memory, and the selected portion of the memory resource may comprise one or more randomly selected sets of the cache memory.

2. Security policy enforcement framework for cloud-based information processing systems
    Granted invention patent (in force)

    Publication number: US08689282B1

    Publication date: 2014-04-01

    Application number: US13336692

    Application date: 2011-12-23

    IPC classification: H04L29/06

    CPC classification: H04L63/20

    Abstract: Cloud infrastructure of a cloud service provider comprises a processing platform implementing a security policy enforcement framework. The security policy enforcement framework comprises a policy analyzer that is configured to identify at least one security policy associated with at least one tenant of the cloud service provider, to analyze the security policy against configuration information characterizing the cloud infrastructure of the cloud service provider, and to control execution of one or more applications of said at least one tenant within the cloud infrastructure in accordance with the security policy, based at least in part on one or more results of the analysis of the security policy. The security policy enforcement framework may be implemented in a platform-as-a-service (PaaS) layer of the cloud infrastructure, and may comprise a runtime controller, an operating system controller, a hypervisor controller and a PaaS controller.

3. Remote verification of file protections for cloud data storage
    Granted invention patent (in force)

    Publication number: US08799334B1

    Publication date: 2014-08-05

    Application number: US13339768

    Application date: 2011-12-29

    IPC classification: G06F17/30

    Abstract: A client device or other processing device comprises a file processing module, with the file processing module being operative to provide a file to a file system for encoding, to receive from the file system a corresponding encoded file, and to verify that the file system stores at least a designated portion of an encapsulation of the encoded file. In an illustrative embodiment, the file processing module receives, in addition to or in place of the encoded file, a proof of correct encoding. The file system may comprise one or more servers associated with a cloud storage provider. Advantageously, one or more illustrative embodiments allow a client device to verify that its files are stored by a cloud storage provider in encrypted form or with other appropriate protections.

4. Scalable cloud file system with efficient integrity checks
    Granted invention patent (in force)

    Publication number: US08706701B1

    Publication date: 2014-04-22

    Application number: US13174452

    Application date: 2011-06-30

    IPC classification: G06F7/00 G06F17/00

    Abstract: Example embodiments of the present invention provide an authenticated file system that provides integrity and freshness of both data and metadata more efficiently than existing systems. The architecture of example embodiments of the present invention is natural to cloud settings involving a cloud service provider and enterprise-class tenants, thereby addressing key practical considerations, including garbage collection, multiple storage tiers, multi-layer caching, and checkpointing. Example embodiments of the present invention support a combination of strong integrity protection and practicality for large (e.g., petabyte-scale), high-throughput file systems. Further, example embodiments of the present invention support proofs of retrievability (PoRs) that let the cloud prove to the tenant efficiently, at any time and for arbitrary workloads, that the full file system (i.e., every bit) is intact, leveraging integrity-checking capabilities to achieve a property that previous PoRs lack, specifically efficiency in dynamic settings (i.e., for frequently changing data objects).

5. Scheduling of defensive security actions in information processing systems
    Granted invention patent (in force)

    Publication number: US09471777B1

    Publication date: 2016-10-18

    Application number: US13404839

    Application date: 2012-02-24

    IPC classification: H04L29/06 G06F21/55

    Abstract: A processing device is configured to identify a plurality of defensive security actions to be taken to address a persistent security threat to a system comprising information technology infrastructure, and to determine a schedule for performance of the defensive security actions based at least in part on a selected distribution derived from a game-theoretic model, such as a delayed exponential distribution or other type of modified exponential distribution. The system subject to the persistent security threat is configured to perform the defensive security actions in accordance with the schedule in order to deter the persistent security threat. The distribution may be selected so as to optimize defender benefit in the context of the game-theoretic model, where the game-theoretic model may comprise a stealthy takeover game in which attacker and defender entities can take actions at any time but cannot determine the current game state without taking an action.

6. Counter-based encryption of stored data blocks
    Granted invention patent (in force)

    Publication number: US08635465B1

    Publication date: 2014-01-21

    Application number: US13432577

    Application date: 2012-03-28

    IPC classification: G06F12/14

    Abstract: A processing device is configured to maintain counters for respective stored data blocks, and to encrypt a given one of the data blocks utilizing a value of the data block in combination with a value of its associated counter. The encryption may comprise a homomorphic encryption operation performed on the given data block as a function of the value of that data block and the value of its associated counter, with the homomorphic encryption operation comprising an operation such as addition or multiplication performed over a designated field. A given one of the counters is incremented each time the corresponding data block is subject to an update operation. The data block can be encrypted, for example, by combining a value of that data block with an additional value determined using the associated counter value, such as a one-time pad value determined as a function of the counter value.

7. Graph-based approach to deterring persistent security threats
    Granted invention patent (in force)

    Publication number: US08813234B1

    Publication date: 2014-08-19

    Application number: US13171759

    Application date: 2011-06-29

    IPC classification: G06F21/00

    Abstract: A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing transitions between pairs of the nodes are assigned to respective edges in the graph. A minimum cut of the graph is computed, and a defensive strategy is determined based on the minimum cut. The system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.

8. Proof of retrievability for archived files
    Granted invention patent (in force)

    Publication number: US08381062B1

    Publication date: 2013-02-19

    Application number: US12115145

    Application date: 2008-05-05

    IPC classification: G06F11/00

    Abstract: A proof of retrievability (POR) mechanism is applicable to a file for providing assurances of file possession to a requesting client by transmitting only a portion of the entire file. The client compares or examines validation values returned from predetermined validation segments of the file with previously computed validation attributes for assessing the existence of the file. Since the archive server does not have access to the validation function prior to the request, or challenge, from the client, the archive server cannot anticipate the validation values expected from the validation function. Further, since the validation segments from which the validation attributes, and hence the validation values, were derived are also unknown to the server, the server cannot anticipate which portions of the file will be employed for validation.

9. Methods and apparatus for mediating access to derivatives of sensitive data
    Granted invention patent (in force)

    Publication number: US08978159B1

    Publication date: 2015-03-10

    Application number: US13731514

    Application date: 2012-12-31

    IPC classification: G06F21/62

    CPC classification: G06F21/6227 G06F2221/2107

    Abstract: Access control systems are provided that mediate access to derivatives of sensitive data. A method is provided for processing a data request from a client, the data request comprising a client identifier and an indication of the intended use of the data, by: receiving the data request from the client; providing the client identifier and indicated use to an access manager, wherein the access manager assesses a risk of providing access to the data for the indicated use; if the access manager grants access for the indicated use, receiving one or more keys with corresponding computing restrictions from the access manager; computing a result; and providing the result to the client, wherein the provided result comprises the derivative of sensitive data. The access manager grants the access for the indicated use, for example, based on a risk score.