Enabling authentication of OpenID user when requested identity provider is unavailable
    1.
    Granted patent
    Legal status: In force

    Publication No.: US08898754B2

    Publication date: 2014-11-25

    Application No.: US13455705

    Filing date: 2012-04-25

    IPC classification: G06F7/04 H04L29/06 G06F21/31

    CPC classification: H04L63/0815 G06F21/31

    Abstract: A method and computer program product for enabling authentication of an OpenID user when a requested identity provider is unavailable. A relying party receives a login request from the OpenID user, where the login request includes a username. The relying party reads a list of trusted identity providers that are associated with the received username and selects one of those identity providers. The relying party generates an OpenID identifier using an identification (e.g., Uniform Resource Locator) of the selected identity provider and the username. The relying party transmits an authentication request (request to authenticate the OpenID user) to the selected identity provider using the formed OpenID identifier. If the selected identity provider is unavailable, then the relying party selects another identity provider from the list of identity providers that are associated with the received username and repeats the above process.

    ENABLING AUTHENTICATION OF OPENID USER WHEN REQUESTED IDENTITY PROVIDER IS UNAVAILABLE
    2.
    Patent application
    Legal status: In force

    Publication No.: US20100011421A1

    Publication date: 2010-01-14

    Application No.: US12172252

    Filing date: 2008-07-13

    IPC classification: H04L9/00

    CPC classification: H04L63/0815 G06F21/31

    Abstract: A method, system and computer program product for enabling authentication of an OpenID user when a requested identity provider is unavailable. A relying party receives a login request from the OpenID user, where the login request includes a username. The relying party reads a list of trusted identity providers that are associated with the received username and selects one of those identity providers. The relying party generates an OpenID identifier using an identification (e.g., Uniform Resource Locator) of the selected identity provider and the username. The relying party transmits an authentication request (request to authenticate the OpenID user) to the selected identity provider using the formed OpenID identifier. If the selected identity provider is unavailable, then the relying party selects another identity provider from the list of identity providers that are associated with the received username and repeats the above process.

    Enabling authentication of openID user when requested identity provider is unavailable
    3.
    Granted patent
    Legal status: In force

    Publication No.: US08250635B2

    Publication date: 2012-08-21

    Application No.: US12172252

    Filing date: 2008-07-13

    IPC classification: G06F7/04

    CPC classification: H04L63/0815 G06F21/31

    Abstract: A method, system and computer program product for enabling authentication of an OpenID user when a requested identity provider is unavailable. A relying party receives a login request from the OpenID user, where the login request includes a username. The relying party reads a list of trusted identity providers that are associated with the received username and selects one of those identity providers. The relying party generates an OpenID identifier using an identification (e.g., Uniform Resource Locator) of the selected identity provider and the username. The relying party transmits an authentication request (request to authenticate the OpenID user) to the selected identity provider using the formed OpenID identifier. If the selected identity provider is unavailable, then the relying party selects another identity provider from the list of identity providers that are associated with the received username and repeats the above process.

    ENABLING AUTHENTICATION OF OpenID USER WHEN REQUESTED IDENTITY PROVIDER IS UNAVAILABLE
    4.
    Patent application
    Legal status: In force

    Publication No.: US20120210407A1

    Publication date: 2012-08-16

    Application No.: US13455705

    Filing date: 2012-04-25

    IPC classification: G06F21/00

    CPC classification: H04L63/0815 G06F21/31

    Abstract: A method and computer program product for enabling authentication of an OpenID user when a requested identity provider is unavailable. A relying party receives a login request from the OpenID user, where the login request includes a username. The relying party reads a list of trusted identity providers that are associated with the received username and selects one of those identity providers. The relying party generates an OpenID identifier using an identification (e.g., Uniform Resource Locator) of the selected identity provider and the username. The relying party transmits an authentication request (request to authenticate the OpenID user) to the selected identity provider using the formed OpenID identifier. If the selected identity provider is unavailable, then the relying party selects another identity provider from the list of identity providers that are associated with the received username and repeats the above process.

    Role mining with user attribution using generative models
    5.
    Granted patent
    Legal status: In force

    Publication No.: US08983877B2

    Publication date: 2015-03-17

    Application No.: US13411174

    Filing date: 2012-03-02

    CPC classification: G06N99/005 G06F21/604

    Abstract: Applications of machine learning techniques such as Latent Dirichlet Allocation (LDA) and author-topic models (ATM) to the problems of mining of user roles to specify access control policies from entitlement as well as logs which contain records of the usage of these entitlements are provided. In one aspect, a method for performing role mining given a plurality of users and a plurality of permissions is provided. The method includes the following steps. At least one generative machine learning technique, e.g., LDA, is used to obtain a probability distribution θ for user-to-role assignments and a probability distribution β for role-to-permission assignments. The probability distribution θ for user-to-role assignments and the probability distribution β for role-to-permission assignments are used to produce a final set of roles, including user-to-role assignments and role-to-permission assignments.

    Method, apparatus and computer program product implementing session-specific URLs and resources
    6.
    Granted patent
    Legal status: Lapsed

    Publication No.: US08028072B2

    Publication date: 2011-09-27

    Application No.: US12041146

    Filing date: 2008-03-03

    IPC classification: G06F15/16

    Abstract: Methods, apparatus and computer program products implement session-specific URIs for allocating network resources by receiving a request from a user for at least one network resource; assigning a session-specific URI to the at least one network resource for use in identifying the at least one network resource and controlling access to the at least one network resource; updating a network directory service with the session-specific URI; and communicating the session-specific URI to the user. The user communicates the session-specific URI to other participants in the session during which the at least one network resource will be used. After a pre-determined time, the session ends and the at least one network resource is de-allocated by, for example, changing the URI of the at least one network resource. Frequent changes of URIs hinder efforts by unauthorized individuals to gain access to network resources.

    Space-efficient, side-channel attack resistant table lookups

    Publication No.: US07142670B2

    Publication date: 2006-11-28

    Application No.: US09943720

    Filing date: 2001-08-31

    IPC classification: H04K1/00 H04L9/00

    Abstract: Methods, apparatus and computer software and hardware products providing method, apparatus and system solutions for implementing table lookups in a side-channel attack resistant manner. Embodiments are provided for devices and situations where there is a limited amount of RAM memory available or restrictions on memory addressing. The solutions solve problems associated with lookup tables with large indices, as well as problems associated with looking up large sized tables or a collection of tables of large cumulative size, in limited devices, in an efficient side-channel attack resistant manner. These solutions provide defenses against both first-order side-channel attacks and higher-order side-channel attacks. One aspect of the present invention is the creation of one or more random tables which are used, possibly in conjunction with other tables, to perform a table lookup. This denies an adversary information about the table lookup from the side channel and thereby imparts side-channel resistance to the table lookup operation. Another aspect of the present invention is the use of a combination of some operations such as Table Split, Table Mask and Table Aggregate, to achieve this side-channel resistance within the limited amounts of available RAM and limited memory addressing capabilities of the device performing table lookups.

    Security model for interactive television applications
    8.
    Granted patent
    Legal status: In force

    Publication No.: US6148081A

    Publication date: 2000-11-14

    Application No.: US196964

    Filing date: 1998-11-20

    CPC classification: H04N21/443 H04N7/163

    Abstract: A system and method implemented in an interactive television system for restricting or controlling the access rights of interactive television applications and carousels. The system broadcasts modules from a broadcast station to a plurality of receiving stations, which execute applications containing the modules. In one embodiment, the applications utilize a credential consisting of a producer identification number (ID) and an application ID for each of the grantor and grantee applications, an expiration date, a set of permission data, a producer certificate and a signature. An application requesting access and a carousel granting access may be identified by respective producer and application IDs. The credential utilizes public key encryption to ensure the integrity of the credential. The producer and application IDs may be replaced with wildcards so that rights may be granted to a group of producers or applications.

    Security model for sharing in interactive television applications
    9.
    Granted patent
    Legal status: Lapsed

    Publication No.: US6038319A

    Publication date: 2000-03-14

    Application No.: US87386

    Filing date: 1998-05-29

    Applicant: Suresh N. Chari

    Inventor: Suresh N. Chari

    IPC classification: H04N7/16 H04L9/32

    CPC classification: H04N21/443 H04N7/163

    Abstract: A system and method implemented in an interactive television system for restricting access between modules of different interactive television applications and carousels. The system broadcasts modules from a broadcast station to a plurality of receiving stations, which execute applications containing the modules. The applications utilize a credential consisting of a producer identification number (ID) and an application ID for each of the grantor and grantee applications/carousels, an expiration date, a producer certificate and a signature. An application requesting access (grantee) and a carousel granting access (grantor) are each identified by respective producer and application IDs. The credential utilizes public key encryption to ensure the integrity of the credential. The producer and application IDs of the grantee application and the application ID of the grantor carousel may be replaced with wildcards so that access to a single carousel's modules is granted to a group of producers or applications, or access to a group of carousels is granted to a single producer or application.

    Techniques for Generating Balanced and Class-Independent Training Data From Unlabeled Data Set
    10.
    Patent application
    Legal status: Under examination (published)

    Publication No.: US20130097103A1

    Publication date: 2013-04-18

    Application No.: US13274002

    Filing date: 2011-10-14

    IPC classification: G06F15/18 G06F17/30

    CPC classification: G06N20/00

    Abstract: Techniques for creating training sets for predictive modeling are provided. In one aspect, a method for generating training data from an unlabeled data set is provided which includes the following steps. A small initial set of data is selected from the unlabeled data set. Labels are acquired for the initial set of data selected from the unlabeled data set resulting in labeled data. The data in the unlabeled data set is clustered using a semi-supervised clustering process along with the labeled data to produce data clusters. Data samples are chosen from each of the clusters to use as the training data. The selecting, presenting, clustering and choosing steps are repeated with one or more additional sets of data selected from the unlabeled data set until a desired amount of training data has been obtained, wherein at each iteration an amount of the labeled data is increased.