US Pat. No. 10,432,730

APPARATUS AND METHOD FOR BUS PROTECTION

UNITED STATES OF AMERICA ...

1. An apparatus for inhibiting a propagation of data on a bi-directional bus between the bus and a device, the apparatus comprising: a first portion having a first analog port and a digital output;
a second portion having a second analog port and a digital input, wherein the digital output is operably coupled to the digital input;
wherein the digital output of the first portion is configured to produce a digital representation of an analog input signal presented to the first analog port from the bus;
wherein the second analog port of the second portion is configured to produce an analog representation of a digital signal presented to the digital input, the analog representation presented to the device; and
wherein the first and second portion cooperate to inhibit the propagation of data presented to the second analog port as an input from the device.

US Pat. No. 10,432,729

AUTONOMOUS TEAM FORMATION AND TASK NEGOTIATION AMONG UNMANNED VEHICLES

Southwest Research Instit...

1. A system of autonomous vehicles for forming a team of autonomous vehicles to perform a designated set of tasks: a first autonomous vehicle having a processing system for storing a first set of agent capability data representing those of the tasks that the first autonomous vehicle is able to perform;
a second autonomous vehicle having a processing system for storing a second set of agent capability data representing those of the tasks that the second autonomous vehicle is able to perform;
one or more additional autonomous vehicles each having a processing system for storing an additional set of agent capability data representing those of the tasks that the additional autonomous vehicle is able to perform;
wherein each autonomous vehicle, after acceptance into the team, further stores needed capability data representing capabilities needed to perform the designated set of tasks, and further stores team capability data representing the capabilities of all vehicles that have joined the team;
wherein each of the autonomous vehicles is equipped with a communications system operable to send and receive at least the following types of messages: join request messages and join response messages; wherein each join request message contains received agent capabilities data representing the sending vehicle's capabilities; wherein each join response message contains team capabilities data representing the capabilities of all current team members;
wherein each of the autonomous vehicles is programmed, upon receipt of a join request message, to compare the needed capabilities data to the received capabilities data, thereby determining if there are matched capabilities, and if there are matched capabilities, to update the team capabilities data and to transmit a join response message;
wherein each of the autonomous vehicles is programmed, upon receipt of a join response message from a sending vehicle, if the message indicates the sending vehicle has joined the team, to update the team capabilities data; and
a new team member comprising a newly accepted autonomous vehicle that has been accepted into the team in response to a join request when no other autonomous vehicle and no other control process had prior stored capabilities data representing capabilities of the newly accepted autonomous vehicle.

US Pat. No. 10,432,728

AUTOMATIC IMAGE SHARING WITH DESIGNATED USERS OVER A COMMUNICATION NETWORK

Google LLC, Mountain Vie...

1. A computer-implemented method comprising: causing display of a plurality of images in a user interface on a first device to a first user, wherein each of the plurality of images depicts a different person, wherein the plurality of images are obtained from a library of images associated with the first user;
receiving a selection of a particular image of the plurality of images based on first user input received by the first device;
determining a person identifier indicating a particular person depicted in the selected particular image, wherein the person identifier is designated as a person sharing criterion;
obtaining a first image associated with the first user, wherein the first image is obtained from the library of images associated with the first user, wherein the first image is not included in the plurality of images;
programmatically analyzing the first image to determine that the first image depicts a person that matches the person sharing criterion;
in response to the determination that the first image depicts the person that matches the person sharing criterion:
initiating a delay period associated with the first user for the first image;
assigning a status indicator to the first image, wherein the status indicator indicates a first status that the first image is to be shared with a second user;
determining whether second user input from the first user is received at the first device during the delay period, the second user input indicating that the first image is not to be shared with the second user; and
if it is determined that the second user input is received, updating the status indicator to a second status that indicates the first image is not to be shared with the second user; and
based on the determination that the first image depicts the person that matches the person sharing criterion, and in response to an expiration of the delay period and the status indicator indicating the first status, updating an access permission for the first image of the library of images associated with the first user to grant access to the first image to the second user of a second device over a communication network.

US Pat. No. 10,432,727

REDUCING NETWORK TRAFFIC WHEN REPLICATING MEMORY DATA ACROSS HOSTS

Amazon Technologies, Inc....

16. A method, comprising: receiving a request to replicate first memory data stored on a source computer;
accessing memory identification data that identifies second memory data stored in one or more memories associated with one or more potential destination computers, the memory identification data indicating contents of memory pages associated with the one or more memories;
identifying, using the memory identification data, one or more duplicate portions of the first memory data stored by the one or more memories of the one or more potential destination computers;
selecting, based at least in part on the memory identification data, a destination computer; and
causing the destination computer to use the identified one or more duplicate portions of the first memory data to replicate the first memory data in the destination computer.

US Pat. No. 10,432,726

LAST-RESORT OPERATIONS TO SAVE AT-RISK-DATA

PURE STORAGE, INC., Moun...

1. A computing device comprising: an interface configured to interface and communicate with a dispersed or distributed storage network (DSN);
memory that stores operational instructions; and
processing circuitry operably coupled to the interface and to the memory, wherein the processing circuitry is configured to execute the operational instructions to:
detect a total number of errors that is associated with a set of memory devices of one or more sets of storage units (SUs) within the DSN that distributedly store a set of encoded data slices (EDSs), wherein a data object is segmented into a plurality of data segments, wherein a data segment of the plurality of data segments is dispersed error encoded in accordance with dispersed error encoding parameters to produce the set of encoded data slices (EDSs); and
when the total number of errors compares unfavorably to a priority error threshold level:
indicate that a minimum number of error-free EDSs are available of the set of EDSs;
select a mechanism for data retention process from a plurality of mechanisms for data retention process; and
execute the mechanism for data retention process that is selected from the plurality of mechanisms for data retention process.

US Pat. No. 10,432,725

SERVER ACCESS PROCESSING SYSTEM

INTERNATIONAL BUSINESS MA...

1. A computer program product for enabling server access processing in a Network File System (NFS) interconnection network including a server operable for transmitting data packets to a plurality of client devices connected to said server in response to data requests from said plurality of client devices to said server, the computer program product comprising computer readable program code stored on a non-transitory computer readable medium and configured such that when such program code is read by said server, the server is operable for: receiving data requests by said server from said client devices;
said server being operable in response to said computer readable program code for running a daemon program in a background, said daemon program being operable for monitoring said data requests from said client devices to said server, said daemon program being operable for determining when a data packet is sent from said server to a client device in response to a data request from said client device;
said client device being operable for sending zero window packets (ZWPs) from said client device to said server after receiving said data packet;
said server being operable in response to said computer readable program code for receiving said ZWPs sent from said client device, said daemon program being operable for counting a number of ZWPs received from said client device, said daemon program being further operable to provide a ZWP count representative of said number of ZWPs received from said client device; and
said daemon program being operable for using said ZWP count to control access to said server by said client device.

US Pat. No. 10,432,724

SERIALIZING ACCESS TO DATA OBJECTS IN A LOGICAL ENTITY GROUP IN A NETWORK STORAGE

INTERNATIONAL BUSINESS MA...

1. A computer program product to store data objects used by multiple client systems in a network storage over a network, wherein the computer program product comprises a computer readable storage medium having computer readable program instructions executed by a processor to perform operations, the operations comprising: generating data objects associated with a logical entity at a client storage;
determining a prefix for a container in the network storage associated with the logical entity;
including the prefix in names of the data objects in the logical entity;
adding the prefix to a lock queue shared by the client systems having access to the data objects in the container at the network storage; and
transmitting the data objects having the names including the prefix to the network storage to store in the container in the network storage.

US Pat. No. 10,432,723

STORAGE SERVER AND STORAGE SYSTEM

Toshiba Memory Corporatio...

1. A storage server comprising: first tiered storage devices that store data items, the first tiered storage devices comprising at least a first storage device associated with a first tier level, and a second storage device associated with a second tier level and having an access speed slower than that of the first storage device;
a network interface that communicates with each of a client and another storage server through a network, wherein said another storage server comprises second tiered storage devices; and
a processor configured to control the first tiered storage devices and the network interface,
wherein the processor is configured to:
read, when a read request is received from the client through the network interface, a data item designated by the read request from the first tiered storage devices, and transmit the read data item to the client through the network interface;
relocate data items among the first tiered storage devices, the relocated data items comprising a first data item of first access frequency that is moved from the second storage device to the first storage device and a second data item of second access frequency lower than the first access frequency that is moved from the first storage device to the second storage device; and
transmit first information indicative of placement of the relocated data items in the first tiered storage devices as a hint for data relocation among the second tiered storage devices, to said another storage server through the network interface,
wherein the first information comprises information indicative of a tier level at which each of the relocated data items is placed.

US Pat. No. 10,432,722

CLOUD STORAGE PLATFORM PROVIDING PERFORMANCE-BASED SERVICE LEVEL AGREEMENTS

Microsoft Technology Lice...

1. A computer-implemented method comprising: receiving, from a user device, a request for storage allocation that meets a storage service level agreement (SLA), wherein the storage SLA specifies one or more storage performance parameters including object size and time latency;
determining, for a virtual machine (VM) and based at least in part on the one or more storage performance parameters in the storage SLA:
a storage location among a set of candidate storage locations that meets the storage performance parameters; and
an amount of storage to allocate;
allocating the amount of storage at the storage location for the VM to use in satisfying storage requests;
receiving a storage request to perform a storage operation, the storage request associated with the storage SLA;
storing the storage request in a queue of queues, the queues for storing storage requests associated with SLAs with respective different object sizes and time latencies; and
retrieving the storage request from the queue and performing the storage operation at the storage location.

US Pat. No. 10,432,721

DISTRIBUTED STORAGE SYSTEM WITH WEB SERVICES CLIENT INTERFACE

Amazon Technologies, Inc....

1. A system, comprising: a distributed storage system of a data storage web service comprising a plurality of storage nodes that include one or more respective storage devices, wherein the distributed storage system is configured to store a plurality of data objects according to an encoding scheme such that each respective data object of the plurality of data objects is divided into a respective plurality of shards stored at different ones of the plurality of storage nodes, and wherein the respective data object can be reconstructed from a particular number of shards that is fewer than a total number of shards for that data object; and
a node implemented by one or more hardware processors that provides access to the storage nodes as part of the data storage web service and is configured to:
receive, from a client via an application programming interface (API) for accessing the data storage web service, a web services call that includes a request for one of the plurality of data objects;
evaluate a stored mapping between an identifier for the data object included in the request for the data object and the different storage nodes to identify at least some of the different storage nodes of the distributed storage system that store the plurality of shards of the data object;
request the plurality of shards of the data object from the identified storage nodes of the distributed storage system to retrieve a subset of the plurality of shards for the requested data object sufficient to reconstruct the data object from the subset according to the encoding scheme, wherein the subset includes at least the particular number of shards; and
based on the subset, return a reconstructed data object to the client.

US Pat. No. 10,432,720

SYSTEMS AND METHODS FOR STORING INFORMATION ABOUT TRANSMISSION CONTROL PROTOCOL CONNECTIONS

Symantec Corporation, Mo...

1. A computer-implemented method for storing information about transmission control protocol connections, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: configuring a server with a transmission control protocol stack that is an alternative to a default transmission control protocol stack of an operating system of the server, wherein the default transmission control protocol stack is programmed to store a default set of connection information about transmission control protocol connections established through the default transmission control protocol stack;
receiving, at the server, a request to establish a transmission control protocol connection with the server;
routing the request through the alternative transmission control protocol stack instead of the default transmission control protocol stack; and
storing, at the server via the alternative transmission control protocol stack, connection information used by the transmission control protocol to maintain the transmission control protocol connection, wherein:
the connection information includes an Internet protocol address of a client that sent the request, a port number of the client that sent the request, and a transmission control protocol sequence number of the client that sent the request; and
the connection information excludes header information about the request such that the connection information has a smaller memory footprint than the default set of connection information.

US Pat. No. 10,432,719

SYSTEM AND METHOD FOR EFFICIENT VIRTUALIZATION IN LOSSLESS INTERCONNECTION NETWORKS

ORACLE INTERNATIONAL CORP...

1. A system for supporting efficient virtualization in a lossless interconnection network, comprising: one or more microprocessors;
a plurality of switches arranged in at least two levels, wherein each of the plurality of switches is associated with a linear forwarding table (LFT) of a plurality of LFTs;
a plurality of host channel adapters, wherein the plurality of host channel adapters are interconnected via the plurality of switches;
a plurality of hypervisors, wherein each of the plurality of hypervisors is associated with at least one host channel adapter of the plurality of host channel adapters; and
a plurality of virtual machines, wherein each virtual machine connects to a host channel adapter of the plurality of host channel adapters via a respective hypervisor;
wherein a virtual machine of the plurality of virtual machines performs a live migration from a first hypervisor at a first host channel adapter to a second hypervisor at a second host channel adapter, and wherein during the live migration, a local identifier (LID) of the virtual machine is updated; and
wherein, as a result of the migration of the virtual machine from the first host channel adapter to the second host channel adapter, a set of the plurality of LFTs are updated, the set of the plurality of LFTs being defined based upon a determination of a nearest common ancestor switch of the first host channel adapter and the second host channel adapter.

US Pat. No. 10,432,718

PREDICTIVE FILE SYNCHRONIZATION

INTERNATIONAL BUSINESS MA...

1. A method comprising: predicting from an input data of a user, at a time, using a processor and a memory of a computing device, wherein the input data comprises at least one from a group comprising a location of the user and an electronic message of the user, that the user will need to use a set of files during a future period, and wherein the predicting is responsive to a security setting in the data network changing to an undesirable value;
selecting from the set of files, a subset of files that are designated for synchronization with a remote storage over a data network;
computing a priority of a file in the subset according to a characteristic of the file in the subset; and
causing a synchronization operation to synchronize the subset of files in an order of priorities associated with the files in the subset.

US Pat. No. 10,432,717

SETUP SYNCHRONIZATION APPARATUS AND METHODS FOR END USER MEDICAL DEVICES

Ascensia Diabetes Care Ho...

1. An apparatus comprising: a controller including a memory;
a transceiver operatively coupled to the controller; and
a host computer interface operative to couple the controller to a host computer,
wherein the memory is operative to store instructions executable on the controller, the instructions adapted to cause the controller to:
scan for an advertising medical device using the transceiver,
establish a communications connection with a medical device advertising for synchronization, the medical device having a real-time clock, wherein the real-time clock is not running prior to the advertising for synchronization, and
transmit synchronization data to a medical device once a communication connection has been established.

US Pat. No. 10,432,716

METADATA SYNCHRONIZATION SYSTEM

Bank of America Corporati...

1. A method for metadata synchronization comprising: receiving, at a federated metadata repository, a plurality of metadata elements, said plurality of metadata elements being transmitted from a plurality of applications, said plurality of applications being coupled to a plurality of application hubs;
receiving, at a governed metadata repository, a subset of the plurality of metadata elements, said subset of the plurality of metadata elements being entity-critical metadata elements, said entity-critical metadata elements comprising at least governed assets and relationships, each entity-critical metadata element including a six-part attribute key, each of said six-part attribute keys not being included in the plurality of metadata elements included in the federated metadata repository, each of said six-part attribute keys comprising a server name variable character attribute, a database/location variable character attribute, a schema name variable character attribute, a table/file name variable character attribute, a column/field name variable character attribute and an originating metadata repository number attribute;
crawling, via a crawler, the plurality of applications, to determine that each metadata element included in the plurality of metadata elements has been received at the federated metadata repository;
transmitting a first notification message to a first user in the event that a metadata element is not received at the federated metadata repository;
crawling, via the crawler, the federated metadata repository and the governed metadata repository to determine whether each metadata element that is included in both of the federated metadata repository and the governed metadata repository is identified using the same data type;
upon identification of a metadata element which is identified using one data type in the federated metadata repository and another data type in the governed metadata repository, conforming, via a processor, the data type of the identified metadata element included in the federated metadata repository and the data type of the identified metadata element included in the governed metadata repository;
crawling further, via the crawler, the plurality of applications to identify an extinct metadata element in an application that is coupled to the federated metadata repository;
in response to the identifying of the extinct metadata element, removing, via the system, the extinct metadata element from the federated metadata repository; and
conforming, via the processor, the governed metadata repository to the federated metadata repository by removing further the extinct metadata element from the governed metadata repository.

US Pat. No. 10,432,715

ELECTRONIC APPARATUS, SYSTEM AND SYNCHRONIZATION METHOD

Toshiba Client Solutions ...

1. An electronic apparatus assigned with a first apparatus identifier, the electronic apparatus being able to be connected to a wearable sensing device, the electronic apparatus comprising: a non-volatile storage device comprising a data file that stores data sensed by the wearable sensing device; and
a processor that communicates with a server while performing synchronization of a backup file stored in the server and the data file, the server comprising a storage that stores the backup file of a first data file stored in the non-volatile storage device in the electronic apparatus and of a second data file stored in a second electronic apparatus assigned with a second apparatus identifier, a user identifier being assigned to at least one of the electronic apparatus or the second electronic apparatus, and the storage stores an apparatus file storing correspondence between the user identifier and at least one of the first apparatus identifier or the second apparatus identifier, wherein
the processor requests the server to transmit the at least one of the first apparatus identifier or the second apparatus identifier corresponding to the user identifier of a user of the wearable sensing device,
when the processor receives the first apparatus identifier and the second apparatus identifier corresponding to the user identifier, the processor synchronizes the data file stored in the non-volatile storage device and the backup file stored in the storage of the server by:
requesting the server transmit update data stored in the backup file which was updated by the second electronic apparatus after a last synchronization by the electronic apparatus,
receiving the update data transmitted from the server, and
updating the data file in the non-volatile storage device based on the update data.

US Pat. No. 10,432,714

DATA PROCESSING METHOD AND SYSTEM BASED ON ASYMMETRIC P2P NETWORK

TENCENT TECHNOLOGY (SHENZ...

1. A data processing system based on an asymmetric P2P network, comprising: a data server, configured to store a to-be-downloaded resource;
a computer terminal group, comprising at least one computer terminal, the at least one computer terminal communicating with the data server, and being configured to download the to-be-downloaded resource from the data server or another computer terminal in the computer terminal group;
a configuration server configured to store a control parameter that is set to a first control value or a second control value;
a directory server, and
a mobile terminal group, comprising a plurality of mobile terminals;
wherein each mobile terminal in the mobile terminal group is configured to:
establish a communication relationship with the data server, the computer terminal, and the configuration server;
download the to-be-downloaded resource from a computer terminal of the computer terminal group if the to-be-downloaded resource is available on the computer terminal;
download the to-be-downloaded resource from the data server if the to-be-downloaded resource is not available on any computer terminal of the computer terminal group;
read the control parameter from the configuration server;
after downloading the to-be-downloaded resource, in response to the control parameter being set to the second control value, upload download information of the mobile terminal to the directory server, the download information of the mobile terminal including address information of the mobile terminal and identity information of the to-be-downloaded resource acquired by the mobile terminal; and
after downloading the to-be-downloaded resource, in response to the control parameter being set to the first control value, avoid uploading the download information of the mobile terminal to the directory server.

US Pat. No. 10,432,713

APPLICATION AWARE INPUT/OUTPUT FENCING

Veritas Technologies LLC,...

1. A computer-implemented method comprising: determining a first weight assigned to a first application instance of a plurality of application instances and a second weight assigned to a second application instance of the plurality of application instances, wherein
each of the plurality of application instances is an instance of an application,
the first application instance is executed by a first node of a cluster of nodes, and
the second application instance is executed by a second node of the cluster of nodes; and
in response to detection of a network partition event, performing an application fencing operation, wherein
the network partition event results in partitioning of the cluster of nodes into at least a first sub-cluster and a second sub-cluster,
the first node is comprised in the first sub-cluster,
the second node is comprised in the second sub-cluster, and
the application fencing operation comprises
terminating one of the first application instance or the second application instance, wherein
the terminating is based, at least in part, on the first weight and the second weight, and
the terminating is performed without terminating either of the first node or the second node.

US Pat. No. 10,432,712

SYSTEM AND METHOD OF INJECTING STATES INTO MESSAGE ROUTING IN A DISTRIBUTED COMPUTING ENVIRONMENT

PTC Inc., Boston, MA (US...

1. A computer-implemented method of operating an intermediate server to load share authentication operations with a platform server, the method comprising: providing a platform server and a plurality of intermediate servers, wherein each of the plurality of intermediate servers connects and maintains a persistent connection to the platform server, and wherein the plurality of intermediate servers communicate and maintain a plurality of persistent connections with a plurality of edge servers;
receiving, by a port at an intermediate server among the plurality of intermediate servers, a service request from a given edge server of the plurality of edge servers over a first persistent connection, wherein the service request includes an identifier associated with an identification of a computing device connected to the given edge server;
determining, by a processor at the intermediate server, a state identifier based on the received identifier associated with the identification of the computing device, wherein the intermediate server maintains, in memory, the state identifier associated with an authentication exchange having been conducted between the computing device connected to the given edge server and the platform server;
inserting, by the processor at the intermediate server, the state identifier into the service request; and
transmitting, at the intermediate server, the service request to the platform server over a second persistent connection, wherein the service request is processed by the platform server subject to inclusion of the state identifier.

US Pat. No. 10,432,711

ADAPTIVE ENDPOINT SELECTION

Amazon Technologies, Inc....

1. A method for selecting, for a client device, a service endpoint from a plurality of service endpoints in a distributed system of a service provider, the method comprising: storing processing data for each of the plurality of service endpoints,
for at least a first service request from the client device, where a current history length is less than or equal to a threshold length, applying uniform random selection to select a first one of the plurality of service endpoints;
for at least a second service request from the client device, where the current history length for all of the plurality of service endpoints exceeds the threshold length:
calculating for each of the plurality of service endpoints and using the processing data:
a success rate based on a number of successfully processed requests from a plurality of received requests, wherein the success rate indicates a rate of success for the plurality of received requests;
an average latency based on latency associated with each of the successfully processed requests;
a latency score based on a minimum average latency and the average latency, wherein the minimum average latency is selected from the average latency for each of the plurality of service endpoints;
a raw score based on the latency score and the success rate; and
a selection weight based on the raw score and a balancing parameter, wherein the balancing parameter determines an extent to which the selection weight deviates, based on the processing data, from uniform weights across the plurality of service endpoints; and
selecting a second one of the plurality of service endpoints based on the selection weight; and
directing the first and second service requests to the first and second selected service endpoints respectively.

US Pat. No. 10,432,710

ANYCAST ROUTING TECHNIQUES IN A NETWORK

Level 3 Communications, L...

1. A method for servicing requests for content in a content delivery network (CDN), the method comprising: receiving, from a requesting device, a request for an Internet Protocol (IP) address for a content servicing device in the CDN;
obtaining an approximate geographic location of the requesting device based at least on the request for the IP address;
selecting a geographic-specific anycast IP address based at least on the approximate geographic location of the requesting device, the geographic-specific anycast IP address selected from a plurality of anycast IP addresses utilized in the CDN;
transmitting the geographic-specific anycast IP address to the requesting device, wherein the geographic-specific anycast IP address is associated with a first content servicing device; and
determining that the approximate geographic location of the requesting device is different from a geographic region of an end user device based on the end user device utilizing the geographic-specific anycast IP address to receive the content from a second content servicing device that is different from the first content servicing device.

US Pat. No. 10,432,709

LOAD BALANCING METHOD, LOAD BALANCING SYSTEM, LOAD BALANCING DEVICE AND TOPOLOGY REDUCTION METHOD

Industrial Technology Res...

1. A load balancing method, comprising: configuring a transmission progress value for each of a plurality of edge servers, and grouping the plurality of edge servers into a plurality of server groups, wherein the edge servers of each of the plurality of server groups provide one of a plurality of video streams, and each of the plurality of edge servers is grouped into at least one server group among the plurality of server groups;
receiving a download request corresponding to a first video stream among the plurality of video streams from a user device;
selecting a first server group from the plurality of server groups according to the download request, wherein the first server group provides the first video stream;
selecting one edge server having a minimum transmission progress value from the edge servers of the first server group as a first edge server to provide video data of the first video stream to the user device according to the transmission progress values of the edge servers of the first server group;
calculating an increment and accumulating the increment to the transmission progress value of the first edge server; and
redirecting the download request to the first edge server.

US Pat. No. 10,432,708

CONTENT DELIVERY NETWORK

Vimmi Communications Ltd....

1. A content delivery system, comprising: a distributed content delivery network (CDN) segmented to a plurality of segments, each of said plurality of segments comprising:
at least one edge server;
at least one access point providing access for at least one client device to said distributed CDN; and
a plurality of delivery servers deployed in said each segment to deliver content objects to said at least one client device;
wherein each respective edge server of each respective segment of said plurality of segments comprising at least one processor for executing a code of at least one management agent, said code comprising:
code instructions to monitor continuously a plurality of delivery servers deployed in said respective segment to update constantly a first content record locally stored by said respective edge server and listing a plurality of content objects, each of said plurality of content objects is associated in said first content record with at least one availability parameter indicative of availability of said each content object from at least one of said plurality of delivery servers deployed in said respective segment,
code instructions to receive, through said at least one access point, a content request from said at least one client device to retrieve at least one requested content object of said plurality of content objects,
code instructions to select, according to an analysis of said at least one availability parameter associated with said at least one requested content object in said first content record, a preferred delivery server from said plurality of delivery servers deployed in said respective segment to provide said at least one requested content object to said at least one client device, and
code instructions to provide an internet protocol (IP) address of said preferred delivery server to said at least one client device, and
wherein said preferred delivery server comprising at least one processor for executing a code of at least one delivery agent, said code comprising:
code instructions to monitor continuously said plurality of delivery servers deployed in said respective segment to update constantly a second content record locally stored by the preferred delivery server,
code instructions to receive said content request from said at least one client device which uses said IP address to establish a transmission session with said preferred delivery server to retrieve said at least one requested content object, and
code instructions to provide said at least one requested content object to said at least one client device such that in case said at least one requested content object is not stored locally by said preferred delivery server said preferred delivery server fetches said at least one requested content object from at least another one of said plurality of delivery servers, said at least another one delivery server is identified according to an analysis of said second content record.

US Pat. No. 10,432,707

OPTIMIZATION OF INTEGRATION FLOWS IN CLOUD ENVIRONMENTS

International Business Ma...

1. A method for efficiently determining computer resource allocation, the method comprising: monitoring an integration flow, the integration flow including a route, one or more nodes, and one or more secure connectors, wherein the one or more nodes and the one or more secure connectors are computing resources in a shared pool of configurable computing resources;
receiving a first message;
receiving a central processing unit (CPU) serialization load, the CPU serialization load comprising a set of processing data, the set of processing data reflecting the amount of a CPU processing load required to serialize and deserialize the first message on-premise;
receiving a first threshold of the CPU processing load of the first message, wherein the first threshold is a ratio of serialization load to CPU processing load of the first message;
determining that the set of processing data is below the first threshold, comprising:
determining the serialization load of the first message;
determining the CPU processing load of the first message;
determining the ratio of serialization load to CPU processing load; and
comparing the ratio of serialization load to CPU processing load to the first threshold;
identifying, based on the determining, a processing location of the integration flow at a second node of the one or more nodes, wherein the second node is hosted on a public cloud; and
transmitting, for processing, the first message to the second node.

US Pat. No. 10,432,706

LOW-LATENCY HIGH-THROUGHPUT SCALABLE DATA CACHING

ENGINE MEDIA LLC, Prince...

1. A system comprising: a first data source comprising a processor and a first memory, the first data source connected to a first data cache over a network, wherein the first data source is located in a same geographical region as the first data cache, and wherein the first data source stores a plurality of data entries selected based on a first geolocation of the first data source;
a master data source connected to the first data source over the network;
a second memory storing the first data cache; and
a load balancer service and a data cache service executing on one or more processors communicatively coupled with the memory to:
receive, by the load balancer service, a first request from a client device based on the client device being located in a second geolocation in close proximity to the first geolocation of the first data source;
request, by the load balancer service, a first data entry associated with the first request from the data cache service, wherein the first data entry is available from the master data source;
determine, by the data cache service, that the first data entry is unavailable in both the first data cache and the first data source; and
responsive to determining that the first data entry is unavailable, reject, by the load balancer service, the first request, wherein the first data source retrieves the first data entry from the master data source after the first request is rejected.

US Pat. No. 10,432,705

CONFIGURING CONTROL DEVICES OPERABLE FOR A LOAD CONTROL ENVIRONMENT

Lutron Technology Company...

12. A method comprising: causing a network device to display a plurality of configuration parameters, wherein the plurality of the configuration parameters are each associated with a plurality of configuration options for configuring control devices;
receiving, from a network device, an indication of a selection of a first configuration parameter associated with a control device;
determining configuration options for the first configuration parameter of the control device, wherein the determination of the configuration options indicates compatible configuration options based on a previously selected configuration option for a second configuration parameter of the control device, and wherein the determination of the configuration options indicates incompatible configuration options based on the previously selected configuration option for the second configuration parameter of the control device;
based on the determination, causing the network device to display the compatible configuration options and the incompatible configuration options;
receiving, from the network device, an indication of a selection of an incompatible configuration option of the first configuration parameter;
based on the selection of the incompatible configuration option of the first configuration parameter:
generating a result set that identifies control devices that meet the selected incompatible configuration option of the first configuration parameter;
determining from the result set that the selected incompatible configuration option of the first configuration parameter is not compatible with at least the selected configuration option for the second configuration parameter; and
causing the network device to display an alert message that indicates that the selected incompatible configuration option of the first configuration parameter is not compatible with the selected configuration option for the second configuration parameter.

US Pat. No. 10,432,704

TRANSLATION OF MESSAGES USING SENSOR-SPECIFIC AND UNIFIED PROTOCOLS

SAP SE, Walldorf (DE)

1. A method, comprising: receiving, at a load balancer, a first message from a first sensor to a backend application server, the first message in a first sensor-specific protocol, and the first message including a message handler name of a message handler that is to handle a payload of the first message; identifying, by the load balancer, the first sensor-specific protocol of the first message; translating, by the load balancer, the first message from the first sensor-specific protocol to a second message in a unified protocol associated with the backend application server; and transmitting, by the load balancer, the second message in the unified protocol to the backend application server for processing by a backend application server application;
receiving the second message at a message broker;
extracting, from the second message and by the message broker, the message handler name;
determining, by the message handler, that the backend server application provides a message handler named with the message handler name; in response to determining that the backend server application provides a message handler named with the message handler name, providing a payload of the second message to the backend server application;
receiving, by the load balancer, a third message, in the unified protocol, from the backend application server application, wherein the third message has a first topic, is targeted to sensors subscribed to the first topic, and has a retain flag set wherein the load balancer automatically sends the third message to new sensors that subscribe to the first topic after the third message is sent in response to the new sensors subscribing to the first topic;
determining, by the load balancer, that the first sensor has subscribed to the first topic;
in response to determining that the first sensor has subscribed to the first topic: performing, by the load balancer, a first translation of the third message, from the unified protocol to the first sensor-specific protocol, to create a fourth message; and sending, by the load balancer, the fourth message to the first sensor; after receiving the third message, receiving, at the load balancer, a subscription request for the first topic from a second sensor, the subscription request in a second sensor-specific protocol that is a different protocol than the first sensor-specific protocol and the unified protocol; determining, by the load balancer, that the third message has the retain flag set and has not been sent to the second sensor; and in response to determining that the third message has the retain flag set and has not been sent to the second sensor:
performing, by the load balancer, a second translation of the third message, from the unified protocol to the second sensor-specific protocol, to create a fifth message; and transmitting, by the load balancer, the fifth message to the second sensor.

US Pat. No. 10,432,703

ON-DEMAND SESSION UPGRADE IN A COORDINATION SERVICE

Facebook, Inc., Menlo Pa...

1. A method comprising: receiving, at a server in a group of servers and from a client device, a request for executing a transaction by the server;
determining, at the server, a type of the transaction as a first transaction type or a second transaction type;
responsive to a determination that the transaction is of the first transaction type, creating or using, by the server, an existing local session between the server and the client device for executing the transaction, wherein the transaction of the first transaction type does not require the local session to be kept track of by at least a majority of the servers in the group;
responsive to a determination that the transaction is of the second transaction type, converting, by the server, the existing local session to a global session between the client device and the server, wherein:
the existing local session is associated with a prior transaction that is of the first transaction type and is separate from the transaction, and
the transaction of the second transaction type requires the global session to be kept track of by at least a majority of the servers in the group for executing in the group, wherein converting the existing local session includes:
informing the servers in the group about the existing local session,
requesting, by the server, a leader server in the group to obtain a vote of the majority of the servers in the group to create an ephemeral node at the server using the global session, the ephemeral node representing the transaction of the second transaction type,
forwarding, by the leader server to the server, the vote to create the ephemeral node, and
creating, at the server and by the client device in response to receiving the vote, the ephemeral node, wherein the ephemeral node contains data required for the execution of the transaction of the second transaction type, and wherein the ephemeral node is stored in each server of the group of servers for a lifetime of the global session between the server and the client device; and
executing, at the server, the transaction in the group, wherein the executing includes: using the ephemeral node for discovering, based on metadata published by multiple services, a location of one or more of the multiple services executing in a distributed computing system.

US Pat. No. 10,432,702

SEPARATED DEVICE DETECTION ARCHITECTURE

Wells Fargo Bank, N.A., ...

1. A method for responding to a content retrieval request at a server, the method comprising: receiving the content retrieval request from a computing device;
detecting, at a device aware controller, a device capability of the computing device;
setting, at the device aware controller, a rule boundary for the content retrieval request based on the at least one device capability;
forwarding the content retrieval request with the rule boundary to a device agnostic controller;
receiving from the device agnostic controller at the device aware controller, data corresponding to the content retrieval request with the rule boundary applied; and
providing the data with the rule boundary applied to the computing device for presentation on the computing device.

US Pat. No. 10,432,701

DELIVERY OF INSTRUCTIONS IN HOST APPLICATIONS

Tealium Inc., San Diego,...

1. A method comprising: under control of a physical user computing device:
executing a host application comprising a first tag library, the first tag library configured to track interaction data indicative of end user interactions with the physical user computing device, wherein the first tag library comprises first content configured to being presented on the physical user computing device;
receiving a second tag library comprising modified content, wherein the modified content is different from the first content;
before recompiling the host application, constructing a tag object from the second tag library comprising the modified content; and
executing the tag object, wherein executing the tag object comprises:
causing presentation of the modified content instead of the first content on the physical user computing device.

US Pat. No. 10,432,700

CONVERSATION CONNECTED VISUALIZATION OF ITEMS BASED ON A USER CREATED LIST

Microsoft Technology Lice...

1. A method to provide conversation connected visualization of items based on a user created list, the method comprising: automatically extracting a list of items from a communication based on one of:
analysis of textual content entered into a body of the communication using natural language processing, and
receipt of one of a bulleted list and a numbered list entered into the body of the communication;
determining, with a processor of a computing device, a plurality of connections between the items on the list;
analyzing the items on the list to determine a type of each of the items on the list;
automatically generating, with the processor, a visualization of the items and the plurality of connections based on the type of each of the items on the list;
providing, with the processor, one or more prompts to allow a user to define or characterize the items;
associating the visualization with a conversation that includes the communication; and
providing the visualization to be displayed by a client application in conjunction with the conversation.

US Pat. No. 10,432,699

CROWD-SOURCED OPERATIONAL METRIC ANALYSIS OF VIRTUAL APPLIANCES

VMware, Inc., Palo Alto,...

21. A system for performing an operational metric analysis for a virtual appliance comprising: a processor; and
a memory storing program code, which, when executed on the processor, performs the operational metric analysis for the virtual appliance, comprising:
obtaining application operational data from a plurality of instances of the virtual appliance by identifying one or more operational features that are relevant to an operational metric of the virtual appliance using an entropy-based model, wherein the entropy-based model is based upon a measure of how much information is obtained about the operational metric through the one or more operational features and the entropy-based model selects the one or more operational features by identifying a plurality of operational features for which a mutual information calculation between an operational feature and the operational metric is greater than one;
generating an operational metric prediction for the virtual appliance based on the application operational data;
determining a confidence factor in the operational metric prediction for the virtual appliance;
injecting the operational metric prediction for the virtual appliance in metadata of the virtual appliance; and
allocating resources for each instance of a second plurality of instances of the virtual appliance based on the operational metric prediction and the confidence factor for the virtual appliance in response to provisioning the second plurality of instances of the virtual appliance subsequent to the plurality of instances, wherein the resources comprise at least one of a processor resource, memory resource and network resource.

US Pat. No. 10,432,698

INFORMATION PROCESSING METHOD, APPARATUS, TERMINAL, AND SERVER

TENCENT TECHNOLOGY (SHENZ...

1. An information processing method performed at a first terminal having a processor and memory for storing one or more programs to be executed by the processor, the method comprising: after an exclusive binding relationship is established at a remote server between a webpage extraction application running on the first terminal and a user account of an instant messaging application running on a second mobile terminal:
displaying, by the first terminal, a webpage in a web browser running on the first terminal, wherein the webpage extraction application is located in the web browser;
detecting, by the first terminal, a predefined user operation on the webpage extraction application running on the first terminal to transmit the webpage currently displayed in the web browser on the first terminal to the second mobile terminal through the remote server, wherein the webpage includes a plurality of images;
in response to detecting the predefined user operation:
extracting, by the first terminal, an identifier of the webpage and address information of the plurality of images in the webpage that satisfy a side length threshold; and
sending, by the first terminal, the identifier of the webpage and the address information of the images that satisfy the side length threshold to the remote server, wherein the remote server, in a sequence, sends an information transmission prompt message corresponding to the document identifier to the second mobile terminal for display to a user of the second mobile terminal, receives an information transmission instruction message generated by the user of the second mobile terminal, forwards the identifier and the address information of the images that satisfy the side length threshold to the second mobile terminal and returns an information transmission notification message to the first terminal;
receiving, by the first terminal, the information transmission notification message from the remote server;
in response to receiving the information transmission notification message, generating, by the first terminal, an information sharing prompt message, the information sharing prompt message identifying a total number of webpages the webpage extraction application at the first terminal has shared with the instant messaging application at the second mobile terminal through the remote server during a predefined time period; and
sending, by the first terminal, the information sharing prompt message to the second mobile terminal through the remote server for display on the second mobile terminal.

US Pat. No. 10,432,697

METHOD AND SYSTEM FOR RE-DEPLOYING METADATA AND ASSOCIATED DATA FROM A SOURCE ORGANIZATION TO A DESTINATION ORGANIZATION

salesforce.com, inc., Sa...

1. A method for re-deploying metadata and data from a source organization of a first tenant of a multi-tenant database system to a destination organization of a second tenant of the multi-tenant database system that is different than the source organization, the method comprising: selecting, via a user system, metadata that is to be retrieved from the source organization;
automatically creating, via a metadata engine that executes at one or more hardware-based processors, a manifest file that comprises the selected metadata that is to be retrieved from the source organization;
storing the manifest file at a secure file storage where it is securely stored for re-deployment to the destination organization;
automatically retrieving, via a data engine that executes at one or more other hardware-based processors, data associated with the selected metadata, wherein the selected metadata and the data associated with the selected metadata collectively make up an application, wherein the selected metadata comprises: customized content of the source organization; and wherein the data comprises: records held by an object;
re-deploying, in response to an input from the user system, the manifest file of the selected metadata to the destination organization that is different than the source organization; and
re-deploying, via a data engine that executes at one or more other hardware-based processors, the data associated with the selected metadata to the destination organization that is different than the source organization,
wherein each organization has a unique identifier (ID) that defines a logical space provided to a particular tenant of the multi-tenant database system and represents data of that particular tenant so that data of that particular tenant is separate from data of all other tenants of the multi-tenant database system, and
wherein redeploying, via the data engine that executes at the one or more other hardware-based processors, the data comprises: automatically reconstructing, at the data engine when the manifest file has been re-deployed, relationships amongst the data that has been successfully migrated to the destination organization and a new identifier that is associated with the data at the destination organization.

US Pat. No. 10,432,696

TRANSMITTING APPARATUS, TRANSMITTING METHOD, RECEIVING APPARATUS, RECEIVING METHOD, PROGRAM, AND CONTENT DISTRIBUTION SYSTEM

Saturn Licensing LLC, Ne...

1. A receiving apparatus, comprising: receiving circuitry configured to receive content transmitted over the Internet, the content including streaming content from a content distribution server;
sending circuitry configured to
generate a manifest file corresponding to the content and indicating a quality of the received content, and
send the manifest file to a transmitting apparatus;
relaying circuitry configured to relay the content to a different receiving apparatus over the Internet; and
manifest file acquiring circuitry configured to acquire another manifest file that is distributed from the transmitting apparatus and that is generated by the different receiving apparatus,
wherein the manifest file is distributed to the different receiving apparatus, from the transmitting apparatus, over the Internet when the transmitting apparatus receives a request to transmit the manifest file from the different receiving apparatus over the Internet, and
wherein the manifest file is distributed to the different receiving apparatus, from the transmitting apparatus, by on-air broadcast different from the Internet, when the transmitting apparatus does not receive the request to transmit the manifest file from the different receiving apparatus over the Internet.

US Pat. No. 10,432,695

MEDIA APPLICATION BACKGROUNDING

GOOGLE LLC, Mountain Vie...

1. A method comprising: providing, by a first application executed by a processing device in a computing device, a playback of a media item received from a content platform, wherein the media item comprises a video portion and an audio portion, and wherein the playback of the video portion occurs on a display device of the computing device;
in response to the first application entering a background state during the playback of the media item, stopping the playback of the video portion on the display device while continuing to provide the playback of the audio portion while the first application is in the background state by sending a request to the content platform to continue sending the audio portion without sending the video portion; and
in response to the first application entering a foreground state during the playback of the audio portion without the playback of the video portion, resuming the playback of the video portion, wherein resuming comprises coordinating synchronization of the playback of the video portion with the playback of the audio portion that continued to be provided while the first application was in the background state.

US Pat. No. 10,432,694

METHOD FOR LOADING A WEB PAGE AT A USER EQUIPMENT, IN A TELECOMMUNICATION NETWORK, AND AN INTERNET PROTOCOL, IP, ACCESS POINT SERVER AS WELL AS A USER EQUIPMENT ARRANGED FOR OPERATION IN THE TELECOMMUNICATION NETWORK

TELEFONAKTIEBOLAGET LM ER...

1. A method for loading a web page at a web page requester, in a telecommunication network, the telecommunication network comprising an Internet Protocol (IP) access point server and a web server hosting the web page, the method comprising: receiving a request, by the IP access point server and from the web page requester, for loading the web page;
determining, by the IP access point server, that the web page qualifies for web page loading policy handling;
retrieving from the web server, by the IP access point server and in response to the request, web page markup data relating to the web page;
providing, by the IP access point server and to the web page requester, the web page markup data and policy handling information relating to the web page loading policy handling; and
processing, by the IP access point server, subsequent requests from the web page requester in accordance with the provided policy handling information for retrieving content at a web server for loading the web page.

US Pat. No. 10,432,693

SYSTEM, METHOD AND COMPUTER PROGRAM FOR SIGNING AND DEDICATING INFORMATION OBJECTS

SYNGRAFII INC., Toronto ...

1. A computer network implemented method of applying a personalization to electronic objects, the method comprising: receiving or accessing, by a computer device, a queue of electronic objects associated with a user;
determining, by the computer device, a recipient of an electronic object in the queue of electronic objects and accessing a profile data of the recipient in a database, wherein the profile data comprises a data item representing a historical interaction between the user and the recipient;
displaying the historical interaction to the user in connection with an online event involving both the user and the recipient;
displaying the profile data of the recipient to the user for generation of a signature or dedication associated with the electronic object;
generating, by a signature utility, the signature or dedication based on input received from the user;
applying the signature or dedication to the electronic object;
generating a biometric record associated with the electronic object, for validation that the generated signature or dedication is associated with the user; and
generating an encrypted unique identifier associated with the electronic object, for validation of the electronic object to which the generated signature or dedication is associated.

US Pat. No. 10,432,692

STREAMING WITH COORDINATION OF VIDEO ORIENTATION (CVO)

INTEL CORPORATION, Santa...

1. An apparatus of a client operable to receive streaming content from a server, the apparatus comprising one or more processors and memory configured to: signal, at the client, a device capability exchange message for transmission to the server, wherein the device capability exchange message indicates that the client is not an orientation-aware terminal; and
process, at the client, streaming content received from the server, wherein a rendering orientation of the streaming content is corrected for misalignment at the server prior to delivery of the streaming content to the client when the device capability exchange message indicates that the client is not an orientation-aware terminal.

US Pat. No. 10,432,691

METHODS AND NODES FOR TRANSMISSION OF A SYNCHRONOUS DATA OVER PACKET DATA NETWORK

Transmode Systems AB, St...

1. Method performed by a system of a communications network for transmission of a synchronous data stream having a bitrate determined by a clock frequency, over an asynchronous packet data network between a transmitter node and a receiver node, comprising:
packaging, by the transmitter node, the synchronous data stream into data packets, wherein the size of the data packet payload is varied, such that the clock frequency of the synchronous data stream of a synchronous communications unit is indicated,
transmitting, by the transmitter node, the data packets onto the asynchronous packet data network with a fixed packet rate defined by a first clock frequency which corresponds to the average distance in time between two consecutive data packets transmitted onto the asynchronous packet data network, which is independent of the bitrate of the synchronous data stream,
receiving, by the receiver node, the data packets from the asynchronous packet data network,
detecting, by the receiver node, the fixed packet rate, and based on the fixed packet rate,
regenerating, by the receiver node, the first clock frequency by detection of a distance in time between two consecutive data packets received from the asynchronous packet data network, and reading, by the receiver node, data of the received data packets with a second clock frequency, which second clock frequency is adapted such that the amount of data stacked at the receiver node is more or less constant.

US Pat. No. 10,432,689

FEATURE GENERATION FOR ONLINE/OFFLINE MACHINE LEARNING

Netflix, Inc., Los Gatos...

1. A system comprising:
a processor; and
a memory storing machine-readable instructions that when executed by the processor, cause the processor to perform operations comprising:
collecting, periodically, usage data representing usage of a media streaming service, the collecting comprising:
determining a set of contexts of the usage data, and
for each of the contexts within the set of contexts, collecting service data from services supporting the media service and storing that service data in a database;
performing an offline testing process comprising:
fetching service data for a defined context from the database,
generating a first set of feature vectors based on the fetched service data using a specified feature encoder that is configured to encode the first set of feature vectors in a specified manner, and
providing the first set of feature vectors to a machine-learning module; and
performing an online testing process comprising:
fetching active service data from the services supporting the media streaming service,
generating a second set of feature vectors based on the fetched active service data using the same specified feature encoder that is configured to encode the second set of feature vectors in the same specified manner, the same encoding allowing the system to dynamically transition between the offline testing process and the online testing process, and
providing the second set of feature vectors to the machine-learning module.

US Pat. No. 10,432,688

SYSTEM AND METHOD FOR OPTIMIZED DELIVERY OF LIVE ABR MEDIA

TELEFONAKTIEBOLAGET LM ER...

1. A method for providing live adaptive bitrate (ABR) video to a client at a premises, comprising:
receiving, in a multicast stream, RTP packets containing an aggregate manifest for a channel and RTP packets containing adaptive bitrate (ABR) transport stream (TS) packets for the channel and identifying an ABR fragment to which the TS packets belong; and
when all RTP packets for a given ABR fragment have been received, de-packetizing the TS packets from the RTP packets in sequence order to reassemble the ABR fragment and caching the ABR fragment for delivery as requested to an ABR client on the premises.

US Pat. No. 10,432,687

BIOMETRIC MASKING

Cisco Technology, Inc., ...

1. An apparatus comprising:
a camera configured to:
capture sample video data during a setup period when a user becomes a participant of a video conference, wherein the sample video data is not transmitted to other participants of the video conference; and
capture video data of the participant during the video conference;
an input/output module to transmit data to and receive data from a video conference server hosting the video conference;
processing circuitry; and
a biometric detection and obfuscation application configured to derive baseline data from the sample video data, the biometric detection and obfuscation application comprising at least one of:
a pulse masker to be executed by the processing circuitry and operative to detect and obfuscate facial coloration of the participant in the video data that is indicative of a pulse rate of the participant, the facial coloration being detected based on a comparison of the video data to the baseline data;
an expression and respiration masker to be executed by the processing circuitry and operative to detect and obfuscate a micro-expression and/or a respiration rate for the participant in the video data, the micro-expression and/or the respiration rate being detected based on a comparison of the video data to the baseline data; and
a pupil masker to be executed by the processing circuitry and operative to detect and obfuscate a pupil size change and/or a pupil movement in the video data for the participant, the pupil size change and/or a pupil movement being detected based on a comparison of the video data to the baseline data.

US Pat. No. 10,432,686

STREAMING MEDIA FILE MANAGEMENT

Amazon Technologies, Inc....

1. A method comprising:
receiving, by a processing device of a media player, a portion of a streaming media file, the streaming media file comprising a first fragment comprising a first fragment-level metadata portion and first fragment media data;
downloading, by the processing device at a first bitrate, a first sub-portion of the first fragment-level metadata portion, wherein the first sub-portion of the first fragment-level metadata portion comprises a first track fragment run portion;
parsing, by the processing device, the first sub-portion of the first fragment-level metadata portion to identify a first fragment-level metadata portion size;
parsing, by the processing device, the first track fragment run portion to identify a first fragment media data size;
calculating, by the processing device, a first fragment size based on the first fragment-level metadata portion size and the first fragment media data size; and
performing, by the processing device, a download operation based on the first fragment size, wherein the download operation comprises at least one of:
canceling a current download of the first fragment in view of a determination that the first fragment size exceeds a current available download bandwidth,
continuing the current download of the first fragment at the first bitrate,
downloading a second fragment of the streaming media file at a second bitrate that is higher than the first bitrate, or
downloading the second fragment at a second bitrate that is lower than the first bitrate.

US Pat. No. 10,432,685

LIMITING KEY REQUEST RATES FOR STREAMING MEDIA

Brightcove, Inc., Boston...

1. A method comprising:
maintaining, at a digital key-provider service, a series of digital keys corresponding to a series of portions of streaming media and statistics of digital key requests for each requestor-id of a plurality of requestor-ids, wherein a requester can access a portion of a streaming media item by submitting, to a media server, a key corresponding to the portion of streaming media;
receiving from a first client, at the key-providing service, a first key request for a first key needed to play a first portion of a streaming media item; and
in response to receiving the first key request, the key-providing service performing the steps of:
determining that the first key request includes a first requestor-id;
retrieving first statistics maintained for the first requestor-id;
wherein the first statistics include first rate information that reflects a current key-request rate associated with the first requestor-id;
updating the current key-request rate to indicate receipt of the first key request;
based at least in part on a comparison of the current key-request rate to a maximum key-request rate, determining whether to:
provide the first key to the first client without taking remedial action, or take remedial action;
responsive to determining to provide the first key to the first client without taking remedial action, providing the first key to the first client without taking remedial action; and
responsive to determining to take remedial action, taking remedial action.

US Pat. No. 10,432,684

PROCESSING FILES FROM A MOBILE DEVICE

MICROSOFT TECHNOLOGY LICE...

1. A method comprising:
selecting, by a mobile device, a file stored on a computing device that is separate from the mobile device; and
providing, by the mobile device, the selected file stored on the computing device to a display device that is separate from the computing device and from the mobile device, to depict the selected file stored on the computing device, including submitting, by the mobile device, one or more commands to the computing device to cause the computing device to transmit the selected file to the display device for display, where there is no requirement that the display device and the computing device be in proximity of each other, that the display device and the mobile device be in proximity of each other, or that the computing device and the mobile device be in proximity of each other.

US Pat. No. 10,432,683

SYSTEM AND METHOD FOR MEDIA CONTENT STREAMING

AMOTECH CO., LTD., Inche...

1. A method, comprising:
electronically receiving a media presentation description (MPD) from a network, the MPD describing multimedia content comprising alternative representations of a plurality of media types, and the MPD includes additional codec information for the alternative representation for support of media contents encoded with more than one encoding configuration;
selecting one of the alternative representations for at least one of the plurality of media types based on information included in the MPD;
requesting pieces of the selected alternative representation segment by segment; and
electronically receiving a piece of media data,
wherein requesting the selected one of the alternative representation segment-by-segment comprises using HTTP GET requests with URLs derived based on information included in the MPD,
wherein the MPD is updated during playing back of the piece of received media data, wherein a first segment of the selected one of the alternative representations contains a ftyp box and a moov box, but does not contain a moof box, the ftyp box, the moov box and the moof box conforming to ISO base media file format,
wherein the first segment does not contain a media sample, wherein a second segment of the selected one of the alternative representations contains the moof box and the media sample,
wherein the moov box is not associated with the media sample,
wherein an entry count in a stts box contained in the moov box is set to 0,
wherein the MPD includes information indicative of a value of a constant segment duration, information on byte range and time range of a media segment, and a frame rate specifying a frame rate of a video media type in the alternative representation, and
wherein the HTTP GET requests are performed based on the byte range only among the time range and the byte range.

US Pat. No. 10,432,682

METHOD AND SYSTEM OF REDIRECTING STREAMING CONTENT OVER A COMMUNICATION NETWORK

TEJAS NETWORKS LIMITED, ...

1. A method of redirecting streaming content from one user equipment to other available precise user equipment from a lookup server over a communication network, the method comprising:
registering a plurality of User Equipment (UE) and a server with at least one lookup server, wherein the plurality of User Equipment comprises a first User Equipment (UE) and at least one second User Equipment (UE), each of the first UE, the at least one second UE and the server are tagged individually with a unique identifier, and wherein each unique identifier is associated with a physical address;
sourcing a content onto the first UE, wherein the first UE requests the lookup server for the physical address, matching with the physical address associated with the unique identifier of the server, wherein a session ID is assigned to a session, established on sourcing the content;
checking periodically integrity of the connection between the plurality of UE and the lookup server;
triggering, upon notification, to identify transfer of some or all content at the first UE to an available second UE from the at least one second UE, wherein triggering to identify the transfer of the some or all content from the first UE to the available second UE is at a rendezvous point, wherein the rendezvous point facilitates in restoring connection by changing the sourcing of the content from one server to other server that is registered with the lookup server; and
redirecting the transfer of the content of the server from the first UE to the available second UE in the established session, wherein the redirection is based on the unique identifier of the server comprising the content.

US Pat. No. 10,432,680

SYSTEM TIME FREQUENCY AND TIME INFORMATION

SONY CORPORATION, Tokyo ...

1. A method of a reception apparatus for receiving transmission frames, the method comprising:
receiving, by circuitry of the reception apparatus, the transmission frames, each of the transmission frames including a bootstrap, a preamble, and a payload; and
determining, by the circuitry, an absolute point of time at which a first symbol of the bootstrap in one of the transmission frames was transmitted based on first time information included in the preamble of the one of the transmission frames, wherein
the one of the transmission frames is included in a plurality of transmission frames, and
the one of the transmission frames is the only transmission frame of the plurality of transmission frames that includes the first time information.

US Pat. No. 10,432,678

MULTIPARTY REAL-TIME COMMUNICATIONS SUPPORT OVER INFORMATION-CENTRIC NETWORKING

Cisco Technology, Inc., ...

1. A method, comprising:
creating, at a conference server, a manifest for a conferencing event in a network, the manifest being created when the conferencing event is initiated;
adding a name tag identifying the conferencing event to the manifest;
activating the manifest to start the conferencing event, wherein activating the manifest enables the manifest to be read and updated;
receiving, at the conference server, an interest packet including one or more parameters indicating a named flow for the conferencing event being produced at a source node;
adding content metadata of the named flow to the manifest; and
sending the manifest to the source node to allow the source node to publish the named flow for the conferencing event.

US Pat. No. 10,432,677

PERSONALIZING A SOCIAL NETWORKING PROFILE PAGE

INTERNATIONAL BUSINESS MA...

1. A computer network comprising:
a number of user devices; and
a preferences control module;
in which the preferences control module:
receives user preferences from an owner of a social network profile;
receives data describing a viewer of the owner's social networking profile; and
distinguishes, with an artifact distinguishing module, a number of artifacts on the owner's social networking profile, via the emphasis and de-emphasis thereof, from other artifacts on the profile based on the user preferences and data describing a viewer of the owner's social networking profile; and
provides a first of a number of versions of the owner's social networking profile to the viewer of the owner's social networking profile; the first version of the owner's profile comprising artifacts distinguished based on the data describing the viewer;
wherein the first version comprises emphasized artifacts based on the number of instances when the viewer has viewed the owner's profile; and
wherein distinguishing a number of artifacts on the owner's social networking profile from other artifacts on the profile further comprises, with a preference reception module, receiving a selection so that the artifact distinguishing module does not engage in a de-emphasis of time-sensitive artifacts describing where the owner of the social networking profile is located and when the owner of the social networking profile will be available; and
a viewer recognition module to:
receive input from a number of user devices descriptive of the number of instances of email interactions between the owner of the social networking profile and the viewer of the owner's social networking profile;
determine if a threshold number of instances of interaction have occurred; and
distinguish a number of artifacts on the owner's social networking profile from other artifacts on the profile based on the threshold being met.

US Pat. No. 10,432,676

ENHANCED DISCOVERY FOR AD-HOC MEETINGS

Microsoft Technology Lice...

1. A method for proximity validation comprising:
receiving a query, from a client computing device, including a location identifier that corresponds with a specific location to identify a service identifier for the specific location, where the client computing device detects a transmitted proximity signal;
receiving a proximity signal, based on the transmitted proximity signal, comprising a proximity code from the client computing device, wherein the proximity signal comprises at least one of: a modulated light signal, an audible sound, an inaudible sound, and an ambient noise;
decoding the proximity signal to obtain the proximity code;
comparing the proximity code to a reference signal to determine whether the client computing device is proximate to the specific location;
validating the location identifier in response to determining that the client computing device is proximate to the specific location; and
providing the service identifier for a conference session to the client computing device when the location identifier is validated.

US Pat. No. 10,432,675

COLLISION PREVENTION IN SECURE CONNECTION ESTABLISHMENT

Microsoft Technology Lice...

1. A method for reducing failed secure connections in a network, by preventing collisions by increasing acceptance of secure connection requests during pendency of other network secure connection requests, the method comprising:
a network node X sending an X-to-Y secure connection request toward a network node Y;
network node X receiving a Y-to-X secure connection request from network node Y while the X-to-Y secure connection request sent by network node X is pending, namely, after network node X has sent the X-to-Y secure connection request and before network node X has received from network node Y and processed a response to the X-to-Y secure connection request and a maximum predetermined time that network node X will wait for that response has not elapsed;
network node X sending toward network node Y an acceptance of the Y-to-X secure connection request, instead of network node X rejecting the Y-to-X secure connection request because the X-to-Y secure connection request is still pending;
network node X communicating with network node Y to establish a security association between network node X and network node Y, the security association based at least partially on information in the Y-to-X secure connection request, wherein the method is further characterized in at least one of the following ways:
the X-to-Y secure connection request is part of a first INIT phase, namely, an INIT phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second INIT phase, namely, an INIT phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation; or
the X-to-Y secure connection request is part of a first AUTH phase, namely, an AUTH phase in which network node X operates as Initiator and network node Y operates as Responder under a node X Internet Key Exchange protocol implementation, and wherein the Y-to-X secure connection request is part of a second AUTH phase, namely, an AUTH phase in which network node Y operates as Initiator and network node X operates as Responder under a node Y Internet Key Exchange protocol implementation.

US Pat. No. 10,432,673

IN-CHANNEL EVENT PROCESSING FOR NETWORK AGNOSTIC MOBILE APPLICATIONS IN CLOUD BASED SECURITY SYSTEMS

Zscaler, Inc., San Jose,...

1. A method implemented in a mobile device communicatively coupled to a cloud based security system, the method for detecting and processing in-channel events associated with a network agnostic mobile application, the method comprising:
intercepting outgoing data from the network agnostic mobile application at a tunnel interface on the mobile device configured to relay the outgoing data to the cloud based security system, wherein the intercepting is via a virtual tunnel interface with a default route thereto in a device routing table and with open listening ports for User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic;
monitoring the outgoing data for network transactions from the network agnostic mobile application to maintain a context of the network transactions and intended responses for every request;
transmitting the outgoing data from the tunnel interface to the cloud based security system, wherein the transmitting comprises swapping packet source and destination addresses and replacing a destination port to one of the listening ports based on an associated packet protocol; and
receiving a response from the cloud based security system responsive to the outgoing data and processing any deviation from the intended responses including generating a notification for display on the mobile device.

US Pat. No. 10,432,672

DETECTION OF OFFLINE ATTEMPTS TO CIRCUMVENT SECURITY POLICIES

AIRWATCH LLC, Atlanta, G...

8. A method, comprising:
monitoring an application executing in a computing device to detect a deletion of a user account on a computing device by the application, wherein the deletion is initiated locally on the computing device and the user account is associated with an enrollment of the computing device with a management service;
identifying data stored in a memory of the computing device that is subject to a policy received from the management service;
deleting the data from the memory of the computing device; and
deleting a value for a setting of the computing device, wherein the value for the setting was previously set to place the computing device in compliance with the policy.

US Pat. No. 10,432,671

DYNAMIC POLICY INJECTION AND ACCESS VISUALIZATION FOR THREAT DETECTION

1. A system comprising:
one or more processors and non-transitory machine readable storage medium;
program instructions to monitor one or more live information flows, wherein the live information flows include flows of data from a plurality of sources to a plurality of destinations;
program instructions to provide a user interface that includes a plurality of buckets, wherein each bucket is associated with a different enforcement action and each bucket displays a total number of enforcement policies presently triggered in real-time that include the associated enforcement action;
program instructions to determine an occurrence of a security event within the one or more live information flows based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of a source, a destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and
program instructions to update the user interface to reflect the occurrence of the security event by: (i) identifying a bucket from the plurality of buckets that is associated with the enforcement action applied by the enforcement policy, and (ii) increasing the total number of enforcement policies presently triggered in real-time by the enforcement action and displayed within the identified bucket,
wherein the program instructions are stored on the non-transitory machine readable storage medium for execution by the one or more processors.

US Pat. No. 10,432,670

SYSTEMS AND METHODS FOR NETWORK SECURITY MEMORY REDUCTION VIA DISTRIBUTED RULESETS

Fortress Cyber Security, ...

1. A method for providing distributed rule sets for network security appliances, comprising:
generating, by a management server, from a rule database comprising a plurality of packet processing rules, a first rule set for a first security appliance by:
adding, to the first rule set, a first subset of the packet processing rules consisting of packet processing rules identified in the rule database as mandatory,
determining that a storage size of the first rule set is below a threshold, and
adding, to the first rule set, a second subset of the packet processing rules consisting of packet processing rules not identified in the rule database as mandatory, responsive to the determination that the storage size of the first rule set is below the threshold;
generating, by the management server, a second rule set for a second security appliance by:
adding, to the second rule set, the first subset of the packet processing rules,
determining that a storage size of the second rule set is below the threshold, and
adding, to the second rule set, a third subset of the packet processing rules consisting of packet processing rules not identified in the rule database as mandatory, responsive to the determination that the storage size of the second rule set is below the threshold and responsive to addition of the second subset of the packet processing rules to the first rule set, the third subset different from the second subset; and
transmitting, by the management server, the first rule set to the first security appliance and the second rule set to the second security appliance.

US Pat. No. 10,432,669

SECURITY APPLIANCE TO MONITOR NETWORKED COMPUTING ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A method for evaluating a software defined infrastructure, comprising:
retrieving configuration and operational information associated with the software defined infrastructure by a security appliance;
extracting selective information from the retrieved configuration and operational information by the security appliance;
storing extracted selective information in a plurality of data stores;
evaluating selectively stored information for compliance to a policy, by the security appliance; and
generating a report based on the evaluation,
wherein configuration and operational information includes information related to asset configuration, audit event and network communication associated with the software defined infrastructure; and
wherein the generated report includes a message component, a network query component and an event query component, wherein the message component includes a textual description of a violation, wherein the network query component is configured to submit a query to the security appliance to retrieve associated network flow information related to the violation, and wherein the event query component is configured to submit a query to the security appliance to retrieve associated audit events related to the violation.

US Pat. No. 10,432,668

SELECTABLE ENCRYPTION METHODS

AMERICAN EXPRESS TRAVEL R...

1. A computer-implemented method comprising:
selecting, by a computer-based system and from a plurality of security policies stored in a database, a security policy that results in a risk level within a predetermined risk threshold,
wherein the security policy comprises a first encryption method;
determining, by the computer-based system, that the first encryption method has been exploited; and
selecting, by the computer-based system, a second encryption method.

US Pat. No. 10,432,666

METHOD AND APPARATUS FOR ASSOCIATING DATA LOSS PROTECTION (DLP) POLICIES WITH ENDPOINTS

Sailpoint Technology Hold...

1. A method of policy management in a data loss prevention (DLP) system, comprising:
defining a policy model that associates a user with one or more endpoints, the user being associated with at least one role or group;
determining a set of policies for an endpoint in the DLP system using an identity of the user that is associated with the endpoint and a list of roles or groups for the user; and
determining a set of endpoints for distribution of a policy by generating an endpoint set, the endpoint set for the policy generated by the following sub-steps:
for each role or group that is a target of the policy, identifying each user associated with the role or group;
for each user associated with the role or group, identifying a list of one or more endpoints with which the user is associated; and
adding the one or more endpoints from the list into the endpoint set, wherein at least one of the determining steps is performed using a computer program executing in a hardware element;
generating a policy distribution list that includes the endpoint set associated with one or more policies for distribution to the endpoints; and
distributing each policy included in the distribution list to the endpoints identified in its associated endpoint set.

US Pat. No. 10,432,665

CREATING, MANAGING AND DEPLOYING DECEPTIONS ON MOBILE DEVICES

ILLUSIVE NETWORKS LTD., ...

4. A method for managing attacker incidents on a mobile device, comprising:
instructing, by a deception management server, a mobile device manager (MDM) to deploy deceptions on a mobile device used by an employee of an organization in conjunction with a network of the organization;
in response to said instructing, running, by the MDM, a dedicated agent on the mobile device;
registering, by the dedicated agent, the mobile device and its current deceptions state with the deception management server;
receiving, by the dedicated agent from the deception management server, a list of deceptions to install in the mobile device;
installing, by the dedicated agent, the deceptions in the received list in the mobile device, wherein the received deceptions include data leading to a trap server;
attempting, by an attacker, to use deceptive data installed in the mobile phone, to connect to a service;
in response to said attempting, triggering an incident in the trap server;
notifying, by the trap server, the deception management server, that an incident has occurred;
further instructing the MDM, by the deception management server, to run forensics on the mobile device;
in response to said further instructing, running by the MDM, forensics on the mobile device; and
transmitting forensic data, by a forensics collector in the dedicated agent, to the deception management server.

US Pat. No. 10,432,664

SYSTEMS AND METHODS FOR IDENTIFYING ILLEGITIMATE ACTIVITIES BASED ON GRAPH-BASED DISTANCE METRICS

Facebook, Inc., Menlo Pa...

1. A computer-implemented method comprising:
generating, by a computing system, a bipartite node graph comprising a plurality of user account nodes, a plurality of edge nodes, and a plurality of connections connecting the plurality of user account nodes to the plurality of edge nodes, wherein each edge node of the plurality of edge nodes represents an edge connecting to at least two user account nodes of the plurality of user account nodes and each node of the at least two user account nodes is connected to at least one edge node of the plurality of edge nodes;
calculating, by the computing system, a distance score for each user account node of the plurality of user account nodes, wherein the distance score represents a minimum distance from a user account node of the plurality of user account nodes to a nearest illegitimate user account node of the plurality of user account nodes; and
determining, by the computing system, that a transaction is an illegitimate transaction based on the distance scores calculated for the each user account node of the plurality of user account nodes, wherein the calculating the distance score for each user account node of the plurality of user account nodes is performed iteratively, and further wherein after a threshold number of iterations, each user account node of the plurality of user account nodes that does not have a calculated distance score is assigned a distance score equal to a distance score cap value.

US Pat. No. 10,432,663

ELECTRONIC SECURITY KEYS FOR DATA SECURITY BASED ON QUANTUM PARTICLE STATES THAT INDICATES TYPE OF ACCESS

BANK OF AMERICA CORPORATI...

1. A system for determining a type of unauthorized access during communication of a quantum-level encrypted message, the system comprising:
a first computing apparatus having a first memory and at least one first processor, wherein the memory stores one or more encryption algorithms and wherein the at least one first processor is configured to:
encrypt a message using at least one of the encryption algorithms and at least one quantum encryption keys that are generated using a first quantum particle state, and
initiate communication of the message to a predetermined message recipient,
wherein in response to at least an attempt to access the message during communication of the message to the predetermined recipient, the quantum particle state changes from the first quantum particle state to a second quantum particle state; and
a second computing apparatus in control of the predetermined message recipient and having a second memory and at least one second processor, wherein the second memory stores one or more decryption algorithms and wherein the at least one second processor is configured to:
receive the message,
attempt to decrypt the message using at least one of the decryption algorithms and at least one quantum decryption keys that are generated using the first quantum particle state; and
in response to failing to decrypt the message as a result of the quantum particle state changing from the first quantum particle state to a second particle state, determine the type of unauthorized access that occurred during communication of the message.

US Pat. No. 10,432,661

SCORE BOOSTING STRATEGIES FOR CAPTURING DOMAIN-SPECIFIC BIASES IN ANOMALY DETECTION SYSTEMS

Cisco Technology, Inc., ...

1. A method comprising:
detecting, by a device in a network, an anomaly in the network using an anomaly detector, wherein the anomaly corresponds to an anomalous behavior exhibited by one or more nodes in the network;
computing, by the device, an anomaly score for the anomaly that represents a measure of the anomalous behavior;
once the anomaly score has been computed, adjusting, by the device, the anomaly score using a boost score, wherein the boost score is generated by a boosting function that accounts for domain-specific biases of the anomaly detector and multiplies the anomaly score by a factor based on the domain-specific biases of the anomaly detector; and
reporting, by the device, the anomaly to a supervisory device based on whether the adjusted anomaly score exceeds a reporting threshold.

US Pat. No. 10,432,660

ADVANCED CYBERSECURITY THREAT MITIGATION FOR INTER-BANK FINANCIAL TRANSACTIONS

QOMPLX, INC., Reston, VA...

1. A system for detection and mitigation of cyberattacks on inter-bank financial transaction networks comprising:
an interface with an inter-bank financial transaction network, connected to an advanced cyber decision platform for mitigation of cyberattacks, the platform comprising:
a computer system or network comprising at least one memory, at least one processor, and a first plurality of programming instructions comprising an operating system;
a time series data store comprising at least a second plurality of programming instructions operating on the computer system or network which cause the computer system or network to:
monitor a plurality of network events on the inter-bank financial transaction network;
produce time-series data comprising at least a record of a network event on the inter-bank financial transaction network and the time at which the event occurred;
an observation and state estimation module comprising at least a third plurality of programming instructions operating on the computer system or network which cause the computer system or network to:
monitor a plurality of connected resources on the inter-bank financial transaction network;
establish a baseline of expected behavior for each connected resource based on that resource's activity on the inter-bank financial transaction network over a defined period of time; and
produce a cyber-physical graph representing at least a portion of the plurality of connected resources, the cyber-physical graph comprising at least the logical relationships between the portion of the plurality of connected resources on the inter-bank financial transaction network, the physical relationships between any connected resources that comprise at least a hardware device, the expected behaviors for each connected resource, and any deviations from expected behavior for each connected resource;
a directed computational graph module comprising at least a fourth plurality of programming instructions operating on the computer system or network which cause the computer system or network to:
perform a plurality of analysis and transformation operations on at least a portion of the time-series data;
perform a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph; and
produce a directed computational graph based on the analysis and transformation operations performed on the time-series data and the cyber-physical graph; and
a transaction validator comprising at least a fifth plurality of programming instructions operating on the computer system or network which cause the computer system or network to:
receive inter-bank financial transaction requests;
analyze each transaction request based on the information contained in the directed computational graph;
determine whether the transaction request is valid based on the analysis of the transaction request;
if the transaction is determined to be valid, forward the transaction for completion; and
if the transaction is determined to be invalid, deny the transaction and generate an alert or a change to the cyber-physical graph.

US Pat. No. 10,432,658

SYSTEMS AND METHODS FOR IDENTIFYING AND PERFORMING AN ACTION IN RESPONSE TO IDENTIFIED MALICIOUS NETWORK TRAFFIC

WATCHGUARD TECHNOLOGIES, ...

1. A computer-implemented method of determining a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct a potentially infected client device to perform a conditional action, the method comprising:
responding to a determination using a list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;
determining a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application from the potentially infected client device, by sending more than one response communications to that first network communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and
the blackhole system using the matching protocol to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.

US Pat. No. 10,432,657

METHOD AND SYSTEM FOR TRACKING FRAUDULENT ACTIVITY

PAYPAL, INC., San Jose, ...

1. A system for tracking potentially fraudulent activity associated with one or more web sites, the system comprising:
a database having stored therein first data identifying a first spoof site and a first identifier for a first internet document from the first spoof site, the first identifier being based on an analysis of a first source code of the first internet document; and
a server communicatively coupled to the database, the server comprising:
a memory having instructions embodied thereon; and
one or more processors communicatively coupled to the memory, the one or more processors configured to execute the instructions to cause the server to perform operations comprising:
receiving second data identifying a candidate site;
retrieving a second internet document from the candidate site;
generating a second identifier for the second internet document based on an analysis of a second source code of the second internet document;
comparing the second identifier to the first identifier;
based on the comparison between the second identifier and the first identifier, determining that a source of the first internet document is the same as the source of the second internet document; and
based on a determination that the source of the first internet document is the same as the source of the second internet document, identifying the candidate site as a second spoof site.

US Pat. No. 10,432,655

IOT AND POS ANTI-MALWARE STRATEGY

Mcafee, LLC, Santa Clara...

1. A device for providing device security, the device comprising:
one or more processors; and
memory including instructions which, when executed, cause the one or more processors to at least:
detect a combination of function calls;
determine whether the combination of function calls is a forbidden combination of function calls for the device based on a limited intended functionality of the device, the forbidden combination of function calls including a first function call and a second function call, the first function call allowed in isolation from the second function call, the second function call allowed in isolation from the first function call; and
in response to determining that the combination of function calls is forbidden for the device, perform a responsive action.

US Pat. No. 10,432,654

MEASURE-BASED ANOMALY DETECTION

ThetaRay Ltd., Hod HaSha...

1. A computer system, comprising:
a) a processing module configurable to receive data comprising a plurality of measurements, each measurement being a N-dimensional data point (MDP) wherein N≥3, the processing module further configurable to utilize a measure-based Gaussian correlation (MGC) kernel
x, y∈X to generate an associated distribution;
b) a detection module configurable to detect an abnormal measurement using a plurality of representatives chosen from the associated distribution, wherein the plurality of chosen representatives is smaller than the plurality of measurements; and
c) a configuration and operation server operative to configure the processing and detection modules,
whereby the use of the MGC kernel and of only chosen representatives instead of the plurality of measurements enables the computer system to detect abnormal measurements faster and more efficiently.

US Pat. No. 10,432,653

METHOD AND APPARATUS FOR DETECTING ANOMALY TRAFFIC

PENTA SECURITY SYSTEMS IN...

1. A method for detecting anomaly traffic, comprising:
generating a plurality of different encoders on the basis of traffic data for learning;
generating a plurality of pieces of image data on the basis of traffic data for each session, which is a detection target;
determining whether the traffic data for each session is abnormal based on binary cross entropy (BCE) of the plurality of pieces of image data and a preset threshold value;
generating data clusters according to each of the plurality of different encoders using a clustering algorithm based on the traffic data for learning and the plurality of different encoders when the traffic data for each session is determined normal based on the BCE;
generating output data by inputting the plurality of image data to each of the plurality of different encoders for each image data sequentially; and
re-determining whether the traffic data for each session is abnormal based on whether the output data included in the data cluster according to each of the different encoders;
wherein the plurality of different encoders outputs different data for one image data, and wherein the generating a plurality of pieces of image data comprises:
converting each character constituting a character string included in the traffic data for each session into a plurality of one-hot vectors in a reverse order;
generating a matrix by combining the plurality of one-hot vectors; and
generating an image representing the location of each character in the matrix.

US Pat. No. 10,432,652

METHODS FOR DETECTING AND MITIGATING MALICIOUS NETWORK BEHAVIOR AND DEVICES THEREOF

F5 Networks, Inc., Seatt...

1. A method for network security implemented by a network traffic management system comprising one or more anomaly detection apparatuses, server devices, or client devices, the method comprising:
receiving a first set of network traffic;
applying a web application model and an anomaly detection model to the received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
determining when the flow score exceeds a threshold; and
initiating, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.

US Pat. No. 10,432,651

SYSTEMS AND METHODS TO DETECT AND MONITOR DNS TUNNELING

Zscaler, Inc., San Jose,...

1. A method of detecting Domain Name System (DNS) tunneling, the method comprising:
obtaining data related to DNS traffic between a plurality of DNS nameservers and a plurality of clients over a period of time, wherein the step of obtaining data is performed by a distributed security system with one or more cloud nodes operating as DNS proxies for the clients;
logging, in a log node, the data related to the DNS traffic obtained over the period of time;
fetching, from the log node, the data related to the DNS traffic obtained over the period of time;
for each DNS nameserver, processing the data fetched from the log node to determine a score based on the data related to the DNS traffic for the respective DNS nameserver, the score configured to characterize DNS queries from one or more clients of the plurality of clients to the respective DNS nameserver over the period of time, wherein each score incorporates all DNS queries associated with the respective DNS nameserver over the period of time;
analyzing the scores of the plurality of DNS nameservers to determine if one or more of the plurality of DNS nameservers has a score indicating that the respective DNS nameserver is suspected of being subjected to DNS tunneling;
further monitoring the one or more DNS nameservers suspected of being subjected to DNS tunneling to determine if DNS tunneling is actually occurring on the one or more DNS nameservers; and
blocking the DNS tunneling through the distributed security system.

US Pat. No. 10,432,650

SYSTEM AND METHOD TO PROTECT A WEBSERVER AGAINST APPLICATION EXPLOITS AND ATTACKS

1. A method of protecting, from packet data communication exploits, a target computer server system having a request handling interface that responds to a data processing request of a packet data communication, the method comprising:
receiving over a data communication network a plurality of data processing requests;
identifying as being anomalous, by an automated anomaly analyzer, a first data processing request of the plurality of data processing requests, the first data processing request having been transmitted by a first packet data protocol sending device,
wherein in response to the identifying as being anomalous, the automated anomaly analyzer:
(1) directs the first data processing request to a first diagnostic instrumented module configured to provide virtualization of the request handling interface in processing the first data processing request and to determine an anomaly severity of the first data processing request, and
(2) performs a second data processing comprising:
(a) transmitting, to the first packet data protocol remote sending device, a packet data protocol redirect request for accessing the target computer server system,
(b) transmitting, to the first packet data protocol sending device, a response to the first data processing request at a reduced content data byte per second rate compared with the rate of the response to the second data processing request, and
(c) transmitting, to the first packet data protocol sending device, a response including invoking code requesting additional data from a network server resource other than the first packet data protocol sending device; and
identifying as being non-anomalous, by the automated anomaly analyzer, a second data processing request of the plurality of data processing requests,
wherein in response to the identifying as being non-anomalous, the automated anomaly analyzer transmits the second data processing request to the target computer server system.

US Pat. No. 10,432,649

SYSTEM AND METHOD FOR CLASSIFYING AN OBJECT BASED ON AN AGGREGATED BEHAVIOR RESULTS

FireEye, Inc., Milpitas,...

1. A computer-implemented method for detecting malicious behavior, comprising:
processing an object within a virtual machine;
receiving a response object resulting from or created in response to the processing of the object within the virtual machine;
parsing the response object by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object;
determining a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity;
determining a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity;
aggregating at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result; and
classifying the object according to the malicious behavior score.

US Pat. No. 10,432,648

AUTOMATED MALWARE FAMILY SIGNATURE GENERATION

Palo Alto Networks, Inc.,...

15. A method, comprising:
receiving a set of metadata associated with a plurality of samples;
clustering the samples;
determining, for members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster; and
evaluating the similarities for suitability as a malware family signature, including by generating a query encompassing the similarities and performing the query against a malware repository.

US Pat. No. 10,432,647

MALICIOUS INDUSTRIAL INTERNET OF THINGS NODE ACTIVITY DETECTION FOR CONNECTED PLANTS

Honeywell International I...

1. A method for identifying malicious activity in an IIoT ecosystem utilizing a unified architecture (UA) transport protocol comprising:
retrieving, by an intelligent security agent, historical communication data from a UA log related to communications between a UA server and a plurality of UA clients in the IIoT ecosystem;
clustering, by the intelligent security agent, the historical communication data to group communications of the historical communication data based on a combination of an unsupervised clustering algorithm and a supervised classifier algorithm;
identifying a plurality of patterns that indicate the malicious activity based on the grouped communications;
receiving current communication data;
determining whether the current communication data matches the one of the plurality of patterns; and
responsive to a grouped element of the grouped communications matching the pattern, identifying a group of communications between the UA server and the plurality of UA clients as the malicious activity.

US Pat. No. 10,432,646

PROTECTION AGAINST MALICIOUS ATTACKS

F-Secure Corporation, He...

1. A computer-implemented method for protecting a computer from malicious attacks, comprising executing on a processor the steps of:
a) monitoring network traffic from a first device configured to provide DNS-based address resolution functionality for the network traffic, wherein the network traffic comprises DNS (Domain Name System) name-to-IP resolution related network traffic comprising domain name-to-IP key value pairs;
b) monitoring further network traffic from a further device that is not configured to provide for DNS-based address resolution functionality for the further network traffic, wherein the further network traffic comprises name-to-IP resolution related network traffic that is targeting routable IP (Internet Protocol) addresses;
c) determining that the monitored further name-to-IP resolution related network traffic is related to a domain name;
d) based on the monitored further name-to-IP resolution related network traffic determined to be related to a domain name, searching for and finding a domain name associated with the monitored DNS related network traffic and identifying that the domain name related to the monitored further name-to-IP resolution related network traffic and the domain name associated with the monitored DNS related network traffic are matching domain names;
e) based on the matching domain names being found in the searching, determining that IP addresses related to the matching domain names do not match, and based on determining that the IP addresses do not match, determining that an internal name-to-IP resolution from a local configuration file of the computer is used for the domain name; and
f) based on determining that the internal name-to-IP resolution from the local configuration file of the computer is used for the domain name and that the IP addresses related to the matching domain names do not match, preventing or restricting communication related to the domain name.

US Pat. No. 10,432,644

ACCESS CONTROL SYSTEM FOR ENTERPRISE CLOUD STORAGE

Box, Inc., Redwood City,...

1. A computer-implemented method for rule-based access control, the method comprising:
receiving from a client device a request to perform an operation with respect to a resource stored in a cloud storage environment, the request comprising a plurality of attributes associated with the resource being requested and the client device;
identifying at least one set of rules applicable to the operation, the at least one set of rules performing access control of the resource in the cloud storage environment, the at least one set of rules comprises a combination of primitives arranged to dynamically evaluate two types of attributes, wherein a first type of attribute corresponds to a first set of attributes from the plurality of attributes associated with the resource being requested and a second type of attribute corresponds to a second set of attributes from the plurality of attributes associated with the client device;
determining that evaluation of a first one of the rules includes a first call to an external service to retrieve first information for evaluating the first rule;
determining that evaluation of a second one of the rules includes a second call to the external service to retrieve second information for evaluating the second rule;
combining the first call and the second call to form a batched call to the external service;
evaluating the at least one set of rules by:
performing the batched call to the external service,
receiving, in response to the batched call, the first information to evaluate the first rule and the second information to evaluate the second rule, and
determining whether the first rule is satisfied based at least in part on the first information, and determining whether the second rule is satisfied based at least in part on the second information, wherein the at least one set of rules corresponds to the primitives that correlate to a combination of the two types of attributes; and
determining an action to perform with respect to the resource based on a result of the evaluation of the at least one set of rules.

US Pat. No. 10,432,643

SYSTEM AND METHOD FOR VALIDATING USERS USING SOCIAL NETWORK INFORMATION

Zoosk, Inc., San Francis...

1. A method of granting at least one privilege to a user on a first web site, comprising:
receiving a user identifier that is asserted to be used to access information from the user's account on a second web site;
at least attempting to retrieve the information from the user's account on the second web site responsive to the user identifier received;
responsive to the attempt to retrieve the information, causing the information to be retrieved:
generating a score using the information retrieved;
comparing the score to a plurality of thresholds to determine whether the score is in a first range, a second range or a third range;
responsive to the score being in the first range, granting the user the at least one privilege on the first web site without further monitoring the user;
responsive to the score being in the second range, not granting the user the at least one privilege on the first web site; and
responsive to the score being in the third range between the first range and the second range, granting the user the at least one privilege on the first web site while further monitoring the user; and
responsive to the attempting not causing the information to be retrieved, not granting the user the at least one privilege on the first web site.

US Pat. No. 10,432,642

SECURE DATA CORRIDORS FOR DATA FEEDS

T-Mobile USA, Inc., Bell...

1. A computing device configured to provide a secure data corridor, the computing device comprising:
a processor;
a network interface communicatively coupled to the processor and configured to enable communications with a mobile traffic network;
a storage device for content and programming;
a security application stored in the storage device, wherein execution of the security application by the processor configures the computing device to perform acts comprising:
receiving a request from a subject for at least one data element of a data feed;
identifying a use-case for the data feed;
assigning a security label to the use-case that includes a data sensitivity rating of the use-case;
comparing a clearance of the subject to the security label of the use-case;
upon determining that the clearance of the subject is at or above the data sensitivity rating of the use-case, allowing the subject access privilege to the data feed via the secure data corridor; and
assigning an additional data sensitivity rating to the secure data corridor that corresponds with or is substantially similar to a particular data sensitivity rating of the data feed that is transmitted through the secure data corridor.

US Pat. No. 10,432,641

SECURE DATA CORRIDORS

T-Mobile USA, Inc., Bell...

1. A computing device configured to provide a secure data corridor between a source and at least one secure data container, the computing device comprising:
a processor;
a network interface communicatively coupled to the processor and configured to enable communications with a mobile traffic network;
a storage device for content and programming;
a security application stored in the storage device, wherein execution of the security application by the processor configures the computing device to perform acts comprising:
receiving a request from a subject for a data feed comprising at least one data element included in the at least one secure data container;
identifying a use-case for the data feed;
determining a data sensitivity rating of the data feed;
determining a security level of each data element of the data feed;
determining, for each data element of the data feed, one or more security controls that are mapped to the data element;
assigning a security label to the use-case;
comparing a clearance of the subject to the security label of the use-case;
upon determining that a clearance of the subject is at or above the security label of the use-case, allowing the subject privilege to the data feed via the secure data corridor;
upon determining that the clearance of the subject is below the security label of the use-case, denying the subject privilege to the data feed via the secure data corridor; and
associating an additional data sensitivity rating to the secure data corridor based on one or more incoming data feeds transmitted from the source into the at least one secure data container.

US Pat. No. 10,432,640

GENOME SHARING

23andMe, Inc., Mountain ...

1. A method for sharing genetic data, comprising:
providing an account database comprising records for a plurality of users of an application, a genotype database comprising genotype records associated with the plurality of users, and a phenotype database comprising phenotype records associated with the plurality of users;
receiving, from a first account, a request to share non-public data with a second account in the application, wherein:
the first account comprises a first account profile of a first user, one or more first user phenotype records, and one or more first user genotype records,
the one or more first user phenotype records are stored in the phenotype database, are uniquely associated with the first account profile of the first user, and comprise phenotype information of the first user,
the one or more first user genotype records are stored in the genotype database, are uniquely associated with the first account profile of the first user, and comprise genotype information of the first user,
the second account comprises a second account profile of a second user, one or more second user phenotype records, and one or more second user genotype records,
the one or more second user phenotype records are stored in the phenotype database, are uniquely associated with the second account profile of the second user, and comprise phenotype information of the second user,
the one or more second user genotype records are stored in the genotype database, are uniquely associated with the second account profile of the second user, and comprise genotype information of the second user,
the request comprises an indication of the non-public data associated with the first account to share with the second account;
in response to receiving the request from the first account, notifying the second account of the request from the first account;
in response to notifying the second account of the request from the first account, receiving, from the second account, an acceptance of the request to share non-public data through the application, wherein:
the acceptance comprises an indication of the non-public data associated with the second account to share with the first account;
in response to receiving, from the second account, the acceptance of the request, establishing sharing from the first account profile to the second account and sharing from the second account profile to the first account, wherein establishing sharing comprises the application retrieving information from the genotype database and the phenotype database; and
after establishing sharing, storing sharing information comprising, for a shared profile, information pertaining to an account to which the shared profile is shared.

US Pat. No. 10,432,639

SECURITY MANAGEMENT FOR GRAPH ANALYTICS

Amazon Technologies, Inc....

1. A method, comprising: performing, by one or more processors and memory:
generating a bit vector representing one or more access permissions associated with respective vertices of a graph data set;
reading at least a portion of the bit vector;
performing a first graph analytics algorithm, wherein the performing the algorithm includes determining, based at least in part on a portion of the bit vector, whether access permission to one or more vertices of the graph data set is granted; and
transmitting to a client, via a network, results of execution of the algorithm based on the one or more vertices of the graph data set to which the access permission was granted.
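One way to realise the claim above in code, as an added example that is not Amazon's implementation: the graph, the per-vertex access lists and the principal names are constructed here; the bit vector is built once per request and the traversal consults only that vector, never the ACL, and never expands a vertex the caller may not read.

```python
"""Permission bit vector gating a graph traversal (added example, not the patent's code)."""
from collections import deque

# Constructed sample graph: vertex id -> neighbour ids.
GRAPH = {0: [1, 2], 1: [3], 2: [3, 4], 3: [5], 4: [5], 5: []}

# Constructed per-vertex access lists: vertex id -> principals allowed to read it.
VERTEX_ACL = {
    0: {"alice", "bob"},
    1: {"alice"},
    2: {"alice", "bob"},
    3: {"alice", "bob"},
    4: {"bob"},
    5: {"alice", "bob"},
}


def build_permission_bitvector(acl: dict, principal: str, n_vertices: int) -> int:
    """One bit per vertex; bit i set means `principal` may read vertex i.
    Built once per request, so the analytics loop never touches the ACL again."""
    bits = 0
    for v in range(n_vertices):
        if principal in acl.get(v, ()):
            bits |= 1 << v
    return bits


def is_granted(bits: int, v: int) -> bool:
    return (bits >> v) & 1 == 1


def reachable(graph: dict, start: int, bits: int) -> list:
    """BFS that only reports, and only traverses through, vertices the caller may read.
    A denied vertex is skipped entirely, so paths that run through it are not followed."""
    if not is_granted(bits, start):
        return []
    seen, order, queue = {start}, [], deque([start])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in graph.get(v, []):
            if w in seen or not is_granted(bits, w):
                continue
            seen.add(w)
            queue.append(w)
    return order


def run_query(graph: dict, acl: dict, principal: str, start: int) -> list:
    """The request path: vector from the ACL, read the vector, run the algorithm, return results."""
    bits = build_permission_bitvector(acl, principal, len(graph))
    return reachable(graph, start, bits)
```

The design choice worth noting is that a denied vertex is not merely filtered out of the result; the walk does not pass through it, so a caller cannot infer a hidden vertex from a reachability result that could only be explained by its existence.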

US Pat. No. 10,432,638

INFRASTRUCTURE AWARE ADAPTIVE RESOURCE ALLOCATION

CISCO TECHNOLOGY, INC., ...

1. A method comprising: receiving, by a resource manager of a network, a request to allocate a first container instance in the network;
determining, by the resource manager, a set of candidate computing nodes in the network that are capable of hosting the first container instance;
requesting, from an infrastructure monitor with infrastructure data from the network, health metrics for the set of candidate computing nodes with each candidate computing node in the set of candidate computing nodes classified in one of three classifications;
selecting, by the resource manager, based on the health metrics for the set of candidate computing nodes, an optimal computing node to host the first container instance; and
allocating the first container instance on the optimal computing node,
wherein,
the three classifications include a white list, a grey list, and a black list,
the white list indicates one or more of the candidate computing nodes are not experiencing a major problem,
the grey list indicates one or more of the candidate computing nodes are experiencing a minor problem, and
the black list indicates one or more of the candidate computing nodes are experiencing the major problem.

US Pat. No. 10,432,637

USING SOCIAL NETWORKING THRESHOLDS IN ACCESS CONTROL DECISIONS

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method for controlling access to privileged content, stored within a computer system, of a first user by a second user, comprising: receiving a computer request, by the second user, to access the privileged content of the first user;
determining whether the second user is included within a list designating a privilege right for the privileged content;
retrieving, based upon the second user not being included within the list, a threshold criteria;
permitting, within the computer system, the second user to access the privileged content based upon a comparison between the threshold criteria and social network statistics associated with the second user, wherein
the threshold criteria comprises the second user being listed on a friends list by a predetermined number of users listed as friends by the first user for a predetermined period of time, and
the method improves upon computer technology by providing a series of machine logic based rules that selectively permit and deny the second user to access to the privileged content.
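The two-stage decision in the claim above, as an added example rather than IBM's code: the explicit privilege list is checked first, and only a requester who is not on it falls through to the threshold criteria. The social graph, the list, the threshold values and the fixed clock are all constructed for the example.

```python
"""Access decision with a social-graph threshold fallback (added example, not the patent's code)."""
from datetime import datetime, timedelta

# Constructed data. FRIENDS[u] maps each friend of u to the time u listed them.
FRIENDS = {
    "owner": {"u1": datetime(2022, 6, 1), "u2": datetime(2022, 6, 1), "u3": datetime(2022, 6, 1)},
    "u1": {"requester": datetime(2023, 2, 1)},
    "u2": {"requester": datetime(2023, 3, 1)},
    "u3": {"requester": datetime(2024, 5, 1)},   # listed too recently to count
}
# Explicit privilege list per (owner, item): checked before any social data is consulted.
PRIVILEGE_LIST = {("owner", "photos"): {"u1"}}
# Threshold criteria, retrieved only when the requester is not on the list.
THRESHOLD = {"min_vouching_friends": 2, "min_listing_age": timedelta(days=180)}
NOW = datetime(2024, 6, 1)                      # fixed clock so the example is deterministic


def on_privilege_list(acl, owner, item, requester) -> bool:
    return requester in acl.get((owner, item), set())


def vouching_friends(friends, owner, requester, now, min_listing_age):
    """Owner's friends who have had `requester` on their own friend list for at least min_listing_age."""
    vouchers = []
    for friend in friends.get(owner, {}):
        listed_since = friends.get(friend, {}).get(requester)
        if listed_since is not None and now - listed_since >= min_listing_age:
            vouchers.append(friend)
    return vouchers


def decide(owner, item, requester, now=NOW, acl=PRIVILEGE_LIST, friends=FRIENDS, threshold=THRESHOLD):
    """Returns (permitted, reason). Rule 1: the list. Rule 2: the threshold. Otherwise deny."""
    if on_privilege_list(acl, owner, item, requester):
        return True, "privilege list"
    vouchers = vouching_friends(friends, owner, requester, now, threshold["min_listing_age"])
    if len(vouchers) >= threshold["min_vouching_friends"]:
        return True, "social threshold"
    return False, "denied"
```

The listing-age requirement is what keeps the fallback from being satisfied by friend lists created just before the request; when tuning it, remember that the count of vouching friends is only as trustworthy as the accounts doing the vouching.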

US Pat. No. 10,432,636

SECURING MDNS IN ENTERPRISE NETWORKS

Extreme Networks, Inc., ...

1. A computer implemented method for securing a multicast domain name system in an enterprise network, the method comprising: receiving at a network device, multicast domain name system (mDNS) packets comprising one or more service advertisement records of a service; and
in response to receiving the mDNS packets comprising the one or more service advertisement records of the service:
transmitting, by the network device to a server with valid service records of known services, a request for an indication of whether the service is valid;
in response to receiving, from the server, a response that indicates that the service is valid, validating, at the network device, the one or more service advertisement records by including the one or more service advertisement records in the mDNS packets;
in response to receiving, from the server, a response that indicates that the service is not valid, excluding the one or more service advertisement records from the mDNS packets; and
sending, by the network device, the mDNS packets to a client device.
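The network-device step of the claim above, as an added example and not Extreme Networks' code: an mDNS response is parsed, each advertised service type is checked against a validation function that stands in for the query to the server of known services, and the packet is re-serialised with only the validated records before it is forwarded to the client. The sample packet, the allowed service types and the "_rogue" service are constructed for the example; the parser follows the RFC 1035 wire format, including compression pointers.

```python
"""Filtering mDNS service advertisements against a validation server (added example)."""
import struct

TYPE_PTR, TYPE_SRV, TYPE_TXT = 12, 33, 16

# Constructed stand-in for the server holding valid service records.
VALID_SERVICE_TYPES = {"_ipp._tcp.local.", "_airplay._tcp.local."}


def service_is_valid(service_type: str) -> bool:
    """Stand-in for the network device's request to the validation server."""
    return service_type in VALID_SERVICE_TYPES


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Return (name, offset after the name); follows compression pointers, bounded against loops."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(pkt: bytes):
    """Parse the answer section of an mDNS response into (name, type, class, ttl, rdata) tuples."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                                  # skip any questions
        _, off = decode_name(pkt, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == TYPE_PTR:                            # rdata is a (possibly compressed) name
            rdata, _ = decode_name(pkt, off)
        elif rtype == TYPE_SRV:
            rdata = struct.unpack("!HHH", rdata[:6]) + (decode_name(pkt, off + 6)[0],)
        off += rdlen
        records.append((name, rtype, rclass, ttl, rdata))
    return ident, flags, records


def encode_record(name, rtype, rclass, ttl, rdata) -> bytes:
    if rtype == TYPE_PTR:
        rd = encode_name(rdata)
    elif rtype == TYPE_SRV:
        rd = struct.pack("!HHH", *rdata[:3]) + encode_name(rdata[3])
    else:
        rd = rdata
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rd)) + rd


def build_response(ident, flags, records) -> bytes:
    """Re-serialise without compression, so dropped records leave no dangling pointers."""
    body = b"".join(encode_record(*r) for r in records)
    return struct.pack("!HHHHHH", ident, flags, 0, len(records), 0, 0) + body


def service_type_of(record) -> str:
    """DNS-SD service type: the name from its first '_' label on. For PTR it is in the rdata."""
    name = record[4] if record[1] == TYPE_PTR else record[0]
    labels = name.rstrip(".").split(".")
    idx = next((i for i, l in enumerate(labels) if l.startswith("_")), None)
    return name if idx is None else ".".join(labels[idx:]) + "."


def filter_advertisements(pkt: bytes) -> bytes:
    """Keep records whose service the server validates; exclude the rest; return the packet to send."""
    ident, flags, records = parse_answers(pkt)
    kept = [r for r in records if service_is_valid(service_type_of(r))]
    return build_response(ident, flags, kept)


# Constructed sample: a legitimate printer plus an unknown "_rogue" service.
SAMPLE = build_response(0, 0x8400, [
    ("_ipp._tcp.local.", TYPE_PTR, 1, 4500, "Printer._ipp._tcp.local."),
    ("Printer._ipp._tcp.local.", TYPE_SRV, 0x8001, 120, (0, 0, 631, "printer.local.")),
    ("_rogue._tcp.local.", TYPE_PTR, 1, 4500, "Exfil._rogue._tcp.local."),
    ("Exfil._rogue._tcp.local.", TYPE_TXT, 0x8001, 4500, b"\x08path=/c2"),
])
```

Rebuilding the packet rather than cutting bytes out of it matters: real mDNS responders compress names with pointers into earlier records, so removing a record in place can leave later records pointing at bytes that no longer exist.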

US Pat. No. 10,432,635

INTER-APPLICATION MANAGEMENT OF USER CREDENTIAL DATA

salesforce.com, inc., Sa...

1. A method, comprising: providing, with a hardware computing device, at least one of two security framework configurations, wherein a first configuration utilizes a cookie and a second configuration utilizes server-side storage;
performing user authorization, with the hardware computing device, using at least one of the two security framework configurations, wherein performing the user authorization with the server-side storage includes storing developer-defined user information (DDUI) in a shared session cache;
wherein either the user is recognized because a cookie or a session context containing a security token was provided, or the user is not recognized and diverted to a security handshake, or a token request is utilized to obtain a session identifier, API endpoint and authentication token;
wherein when using the server-side storage, the hardware computing device is configured to not write locally to an application memory, but instead to access a shared session cache, where each of a plurality of servers are to be given access to a specific session cache; and
wherein performing the user authorization is done through a client web application executed by a hardware computing device to allow access to an on-demand database service.

US Pat. No. 10,432,634

GATING OF FULL NETWORK ACCESS PENDING DELIVERY OF NOTIFICATION INFORMATION

International Business Ma...

1. A method for execution by one or more processing modules of an access point of a network, the method comprises: receiving notification information indicating a required user action for network access compliance;
storing the notification information for provisioning, via a notification message, to one or more target client devices accessing or attempting to access network resources via the access point;
receiving target criteria for use in identifying the one or more target client devices;
receiving compliance information relating to the notification information;
establishing, based on the compliance information, a compliance condition relating to the notification message;
receiving network resource access level information relating to the compliance condition, the network resource access level information specifying a permitted network resource access level applicable to non-compliance with the compliance condition by the one or more target client devices;
identifying, based on the target criteria, a target client device; and
transmitting the notification message for receipt by the identified target client device, the notification message including the stored notification information.

US Pat. No. 10,432,633

REPLACING UNAUTHORIZED MEDIA ITEMS WITH AUTHORIZED MEDIA ITEMS ACROSS PLATFORMS

Google LLC, Mountain Vie...

8. A system comprising: a memory; and
a processing device of a user device, operatively coupled to the memory, to:
provide, to a content sharing platform, a request to send, to a third-party platform that is separate from the content sharing platform, a notice pertaining to an unauthorized media item, the unauthorized media item being an unauthorized copy of an authorized media item of a user associated with the user device, the user being a rights holder of the unauthorized media item and the authorized media item;
receive, from the content sharing platform, a user interface identifying a set of versions of the authorized media item; and
provide a selection of one or more of the set of versions of the authorized media item via the user interface to the content sharing platform, wherein providing the selection of the one or more of the set of versions of the authorized media item causes the content sharing platform to generate a notice identifying the unauthorized media item to the third-party platform, the notice further identifying the one or more of the set of versions of the authorized media item that are to be presented by the third-party platform in place of the unauthorized media item.

US Pat. No. 10,432,632

METHOD FOR ESTABLISHING NETWORK CONNECTION, GATEWAY, AND TERMINAL

Huawei Technologies Co., ...

1. A method for establishing a network connection, wherein the method comprises: performing, by a gateway, authentication on a terminal that requests to access a first wireless local area network (WLAN) that corresponds to a first WLAN access point (AP);
if authentication succeeds, performing, by the gateway, authorization on the terminal, and sending, by the gateway, a first terminal address to the terminal, so that the terminal accesses the first WLAN corresponding to the first WLAN AP, and transmitting, between the terminal and the first WLAN, a packet identified by using the first terminal address;
obtaining, by the gateway, from an initial service network, a terminal address that is assigned to the terminal to access the initial service network;
establishing, by the gateway, a user plane connection to the terminal, wherein the terminal accesses the first WLAN;
receiving, by the gateway, by using the established user plane connection, a connection selection request sent by the terminal, wherein the connection selection request comprises connection selection information;
when the terminal disconnects from the first WLAN corresponding to the first WLAN AP, and re-chooses to access a second WLAN corresponding to a second WLAN AP, performing, by the gateway, authentication on the terminal;
if authentication succeeds, performing, by the gateway, authorization on the terminal, and sending, by the gateway, a second terminal address to the terminal, so that the terminal accesses the second WLAN corresponding to the second WLAN AP, and transmitting, between the terminal and the second WLAN, a packet identified by using the second terminal address;
determining, by the gateway, according to the connection selection information in the connection selection request, a service network selected by the terminal; and
establishing, by the gateway, a connection between the terminal and the service network selected by the terminal.

US Pat. No. 10,432,631

SYSTEM AND METHOD FOR PROVIDING A UNIVERSAL SECURITY HANDLER FOR A CLOUD-BASED INTEGRATION PLATFORM

ORACLE INTERNATIONAL CORP...

1. A system for configuring connections in a cloud-based integration platform, the system comprising: a microprocessor;
a memory device;
a cloud-based integration platform executing on the microprocessor, wherein the cloud-based integration platform comprises a web interface operating to configure connections used to access protected resources on cloud services that implement security protocols for permitting access to the protected resources;
a universal security configuration interface in the web interface, wherein the universal security configuration interface is configured to:
receive a resource selection from an associated user of the system for access to a protected resource on a specified cloud service;
in response to the resource selection, display a plurality of interfaces prompting the associated user to provide custom credential information for satisfying a plurality of security properties of a security protocol of the specified cloud service comprising custom values, syntaxes, and/or grammars for a set of security properties for an authorization flow particular to the specified cloud service for permitting the access to the protected resource using an access token in a step of a plurality of ordered steps of the authorization flow particular to the specified cloud service; and
receive the custom credential information for satisfying the plurality of security properties of the security protocol of the specified cloud service to permit the access to the protected resource using the access token in the step of the plurality of ordered steps of the authorization flow of the security protocol particular to the specified cloud service; and
store the received custom credential information in the memory device; and
a plurality of software components in the cloud-based integration platform, wherein the plurality of software components operate to:
receive a request from an application associated with the connection for access to a selected protected resource on the specified cloud service;
retrieve the custom credential information from the universal security configuration interface;
use the custom credential information retrieved from the universal security configuration interface to obtain the access token from the cloud service, for use by the application to access the selected protected resource in accordance with the authorization flow particular to the specified cloud service; and
provide the token and the custom credential information to the application for access by the application to the selected protected resource using the access token in the step of the authorization flow of the security protocol particular to the specified cloud service.

US Pat. No. 10,432,630

INFORMATION PROCESSING APPARATUS, RECORDING MEDIUM, AND COMMUNICATION CONTROLLING METHOD

RICOH COMPANY, LTD., Tok...

1. A system for connection to a first network and to a second network, the system comprising: a conference managing device; and
a network connection controlling device,
the conference managing device including,
first memory storing first computer-executable instructions, and
one or more first processors configured to execute the first computer-executable instructions such that the one or more first processors are configured to, store device information in which a first device connected to the first network is registered,
authenticate an information terminal connected to the second network based on authentication information transmitted from the information terminal, and
register identification information about the information terminal in registration information in response to successful authentication of the information terminal,
the network connection controlling device including,
second memory storing second computer-executable instructions, and
one or more second processors configured to execute the second computer-executable instructions such that the one or more second processors are configured to, receive, from the second network, a request for transition to a communication controlled state,
in response to receiving the request, transition to the communication controlled state, and in response to transitioning to the communication controlled state, restrict transmission of information from the second network to the first network while allowing the information terminal registered in the registration information to transmit information to the first device that is registered in the device information.

US Pat. No. 10,432,629

ONE STEP SECURITY SYSTEM IN A NETWORK STORAGE SYSTEM

Apple Inc., Cupertino, C...

1. A method for managing access to resources stored on a network storage system, the method comprising, at a master device: managing a plurality of computing devices that form the network storage system, wherein the network storage system enables the plurality of computing devices to access at least one resource provided by at least one computing device of the plurality of computing devices;
receiving, from a first computing device of the plurality of computing devices, a selection of the at least one resource to be shared with a second computing device of the plurality of computing devices; and
in response to determining that the second computing device is unknown to the master device:
generating a set of access credentials associated with the at least one resource,
identifying, among the plurality of computing devices, a computing device that manages the at least one resource,
causing the computing device to bind the set of access credentials to the at least one resource,
causing the set of access credentials to be installed on the second computing device, and
providing lookup information for the at least one resource to the second computing device to enable the second computing device to access the at least one resource.

US Pat. No. 10,432,627

SECURE SENSOR DATA TRANSPORT AND PROCESSING

Intel Corporation, Santa...

1. A device including sensor-based security, comprising: one or more secured resources;
sensor circuitry to generate sensor data;
a trusted execution environment comprising access control circuitry to control access to the secured resources based on the generated sensor data, the access control circuitry including:
matching circuitry to compare the generated sensor data to previously captured sensor data associated with one or more authorized users permitted to access the one or more secured resources; and
output circuitry to, based at least in part on results of the comparison:
permit a user of the device to access the one or more secured resources; or
prevent the user of the device from accessing the one or more secured resources; and
processing circuitry to:
initiate a temporary suspension of execution in the device; and
during the temporary suspension, transfer the generated sensor data from memory circuitry associated with the sensor circuitry to the trusted execution environment.

US Pat. No. 10,432,626

OPTICAL NETWORK UNIT ONU REGISTRATION METHOD, APPARATUS, AND SYSTEM

Huawei Technologies Co., ...

1. An optical line terminal (OLT), wherein the OLT comprises: a passive optical network (PON) port, wherein the PON port is connected to a first group of optical network units (ONUs) and a second group of ONUs, wherein the first group of ONUs comprises at least one ONU and the second group of ONUs comprises at least one ONU, wherein a backpressure priority of the first group of ONUs is lower than a backpressure priority of the second group of ONUs;
a non-transitory memory comprising instructions; and
a processor coupled to the non-transitory memory;
wherein the instructions, when executed by the processor, facilitate:
when upstream service congestion occurs, reducing a value of total uplink bandwidth allocated by the PON port to the first group of ONUs.

US Pat. No. 10,432,625

ALLOWING BEACON DEVICE TO ACCESS MESH NETWORK USING AUTHENTICATION KEY

SK Planet Co., Ltd., Seo...

1. A service device comprising: a communication circuit configured to communicate with one or more beacon devices or mobile communication terminals via a network, and to receive location information of a mobile communication terminal device mapped to a beacon device; and
a control circuit configured to:
set a particular spatial range as a criterion for forming a mesh network,
set and store an authentication key required for accessing the mesh network,
perform, when the beacon device attempts to access the mesh network, a first authentication operation including receiving an authentication key of the beacon device through the communication circuit and comparing the received authentication key with the stored authentication key to determine whether the received authentication key is identical to the stored authentication key,
perform, when the received authentication key is identical to the stored authentication key, a second authentication operation including receiving location information of the beacon device through the communication circuit and determining, using the received location information as location information of the beacon device for the second authentication operation, whether a location of the beacon device is within the particular spatial range, and
allow the beacon device to access the mesh network when the beacon device passes both the first authentication operation and the second authentication operation.

US Pat. No. 10,432,624

IDENTITY VERIFICATION METHOD, TERMINAL, AND SERVER

TENCENT TECHNOLOGY (SHENZ...

1. An identity verification method performed at an electronic device having one or more processors and memory storing a plurality of programs, the method comprising: displaying and/or playing in an audio form action guide information selected from a preset action guide information library, and collecting a corresponding set of action images within a preset time window, wherein the action guide information includes mouth shape guide information, and the displaying and/or playing includes displaying the action guide information selected from the preset action guide information library and displaying reading progress information at a speed corresponding to the action guide information;
performing matching detection on the collected set of action images and the action guide information, to obtain a living body detection result indicating whether a living body exists in the collected set of action images;
according to the living body detection result that indicates that a living body exists in the collected set of action images:
collecting user identity information and performing verification according to the collected user identity information, to obtain a user identity information verification result; and
determining the identity verification result according to the user identity information verification result.

US Pat. No. 10,432,623

COMPANION OUT-OF-BAND AUTHENTICATION

Plantronics, Inc., Santa...

1. A method for authenticating a user comprising: establishing a first wireless communication link between a headset and a first computing device and a second wireless communication link concurrent with the first wireless communication link between the headset and a second computing device;
receiving at the first computing device from a secure system over a communication link a user authentication request;
transmitting the user authentication request from the first computing device to the headset over the first wireless communication link; and
transmitting an authentication response from the headset to the second computing device over the second wireless communication link;
transmitting the authentication response from the second computing device to the secure system over a third wireless communication link, the third wireless communication link independent from the communication link, the first wireless communication link, and the second wireless communication link.

US Pat. No. 10,432,622

SECURING BIOMETRIC DATA THROUGH TEMPLATE DISTRIBUTION

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method for safeguarding biometric data, the method comprising: receiving, by a processor, a first biometric data unit;
generating a template based upon the first biometric data unit;
sending the template to a plurality of template storage devices external to the processor, each template storage device having a unique device identifier;
generating, by the processor, a biometric query comprising a second biometric data unit;
sending the biometric query to at least some of the plurality of template storage devices external to the processor;
receiving, by the processor, a plurality of match scores from at least some of the plurality of template storage devices external to the processor, wherein the match scores reflect the degree of similarity between the first biometric data unit and the second biometric data unit calculated by a source template storage device;
consolidating the plurality of match scores to generate an authentication score, and comparing the authentication score to an authentication threshold;
comparing the plurality of match scores to an integrity threshold to generate device match scores for the some of the plurality of template storage devices; and
notifying an external system of the need for action regarding one of the some of the plurality of template storage devices when the one of the some of the plurality of template storage devices has a device match score that is lower than the other device match scores for the other of the some of the plurality of template storage devices.
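The flow of the claim above in runnable form, as an added example rather than IBM's implementation: the template is pushed to several external stores, each store computes its own match score against a query, the scores are consolidated into one authentication score, and a store whose score sits far below the others is reported for action. The feature vectors, the toy similarity measure and the two thresholds are constructed for the example; the reading of "integrity threshold" as the permitted gap between one device's score and the rest is an assumption of this example, not wording from the claim.

```python
"""Distributed biometric templates with consolidated and integrity-checked scores (added example)."""
import statistics


def similarity(a, b) -> float:
    """Toy matcher: 1 minus the mean absolute feature difference, features normalised to [0, 1]."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


class TemplateStorageDevice:
    """One external store with a unique identifier. It keeps the template and scores the
    query itself, so the template never travels back to the processor."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self._template = None

    def store(self, template) -> None:
        self._template = list(template)

    def match(self, query) -> float:
        return similarity(self._template, query)


def enroll(devices, biometric_unit) -> None:
    """Generate the template (identity transform in this toy) and send it to every store."""
    template = list(biometric_unit)
    for device in devices:
        device.store(template)


def collect_scores(devices, query) -> dict:
    """Send the query to the stores and gather their match scores by device id."""
    return {device.device_id: device.match(query) for device in devices}


def consolidate(scores: dict) -> float:
    """Median: one corrupted or malicious store cannot drag the authentication score."""
    return statistics.median(scores.values())


def integrity_outlier(scores: dict, integrity_threshold: float):
    """Device whose score is more than the threshold below every other device's score, if any."""
    worst = min(scores, key=scores.get)
    others = [s for d, s in scores.items() if d != worst]
    if others and min(others) - scores[worst] > integrity_threshold:
        return worst
    return None


def authenticate(devices, query, auth_threshold=0.9, integrity_threshold=0.2) -> dict:
    scores = collect_scores(devices, query)
    auth_score = consolidate(scores)
    return {
        "authenticated": auth_score >= auth_threshold,
        "authentication_score": auth_score,
        "device_match_scores": scores,
        "needs_action": integrity_outlier(scores, integrity_threshold),
    }
```

Two points the claim implies and the code makes explicit: the consolidation must be robust (a mean would let one bad store lower or raise the result), and the integrity check is separate from the authentication decision, so a legitimate user still gets in while the deviating store is flagged.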

US Pat. No. 10,432,620

BIOMETRIC AUTHENTICATION

MASTERCARD INTERNATIONAL ...

1. A computer-implemented method for operating a user device having at least a trusted application and an external application installed on the user device, the method comprising: operating the trusted application to obtain registration credentials which are configured to be entered by a user to log in to a secured function of the external application, wherein the trusted application is in a Trusted Execution Environment of the user device and the external application is on the user device and outside the Trusted Execution Environment;
causing the trusted application to store the registration credentials with an identifier of the external application and/or the secured function;
receiving an indication that the user requires access to the secured function which can only be accessed following validation of an identity of the user;
performing a biometric validation of the identity of the user based at least in part on data collected from a biometric sensor associated with the user device, the biometric validation being performed within the Trusted Execution Environment; and
in response to said performing the biometric validation, causing authentication credentials to be passed from the trusted application to the secured function of the external application to obtain access to the secured function, wherein the authentication credentials are based on the registration credentials.

US Pat. No. 10,432,619

REMOTE KEYCHAIN FOR MOBILE DEVICES

NetIQ Corporation, Provo...

1. A method, comprising: registering a mobile device for a remote keychain for access to a service;
providing the mobile device an asset token for linking to the service on the mobile device;
instructing the mobile device to remove a credential for access to the service from the mobile device; and
delivering the credential back to the mobile device from the remote keychain upon receipt of the access token from the mobile device indicating the mobile device is attempting access to the service, wherein delivering further includes redirecting an application executing on the mobile device to the service with the credential embedded in a header of a redirected call from the application to the service.

US Pat. No. 10,432,618

ENCRYPTED VERIFICATION OF DIGITAL IDENTIFICATIONS

MorphoTrust USA, LLC, Bi...

1. A computer-implemented method comprising: capturing, by a detector device, an image of a digital identification displayed on a user device, wherein:
the digital identification displayed on the user device is assigned a time-dependent security status that periodically adjusts display of the digital identification on the user device based on the assigned security status,
each time a display of the digital identification on the user device is adjusted, a different optically scannable credential corresponding to particular security status is (i) selected from among multiple optically scannable credentials stored on the user device and associated with a different security status, and (ii) displayed on the digital identification, and
each optically scannable credential is associated with a different decryption key that is specified by the security status and used to decrypt encrypted data associated with each optically scannable credential;
obtaining, by the detector device and from a digital identification server, credential data that identifies a present optically scannable credential included in the digital identification that was selected by the user device from among the multiple optically scannable credentials stored on the user device for a present security status assigned to the digital image when the detector device captured the image of the digital identification;
detecting, by the detector device, the present optically scannable credential within the captured image based on the obtained credential data;
extracting, by the detector device and from the captured image, encrypted data associated with the present optically scannable credential;
obtaining, by the detector device and from the digital identification server, a present decryption key associated with the present optically scannable credential;
decrypting, by the detector device and based on the present decryption key, the encrypted data using the decryption key to extract a decrypted payload from the encrypted data;
providing, by the detector device and to the digital identification server, the decrypted payload extracted from the encrypted data;
in response to providing the decrypted payload extracted from the encrypted data to the digital identification server, receiving, by the detector device and from the digital identification server, verification results indicating whether the decrypted payload matches verified user information associated with the digital identification; and
providing, for output on the detector device, a notification representing an authenticity of the digital identification based on the verification results received from the digital identification server.

US Pat. No. 10,432,617

ONE TIME PASSCODE

MasterCard International ...

1. A computer implemented one-time passcode authentication system comprising: an authentication server configured to receive authentication requests, the authentication server comprising a first computer processor and a first non-transitory computer-readable medium having a first computer-executable program embedded thereon;
an application server configured to receive access requests, the application server comprising a second computer processor and a second non-transitory computer-readable medium having a second computer-executable program embedded thereon;
wherein the first computer-executable program of the authentication server is configured to receive the authentication request and an identification parameter, and generate a token and an authentication data set based on the authentication request and the identification parameter; and
wherein the second computer-executable program of the application server is configured to receive the access request from the authentication server, query the authentication server to authenticate the token, and enable access to an application if the token is authenticated, and auto-populate a set of login credentials within the application, wherein the set of login credentials are extracted from the access request, and wherein the application is being accessed on the application server.

US Pat. No. 10,432,616

HARDWARE-BASED DEVICE AUTHENTICATION

McAfee, LLC, Santa Clara...

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to: request, by a computing device, access to a particular domain of a remote computing system;
receive, using a secured microcontroller of the computing device, a seed from the remote computing system associated with the particular domain;
persistently store the seed in secured memory of the computing device, wherein the secured memory is accessible to the secured microcontroller of the computing device, and wherein the secured memory is inaccessible to resources of an operating system of the computing device;
receive a request, from the particular domain, to establish a secure session between the computing device and the particular domain;
access, in the secured memory of the computing device, the seed corresponding to the particular domain, wherein the seed is accessed in response to the request to establish the secure session between the computing device and the particular domain, and the seed is unique to a pairing of the computing device and the particular domain;
derive, using the secured microcontroller, a hash of the seed and a value known to both the computing device and the particular domain, wherein a different hash is derived each time a secure session between the computing device and the particular domain is requested;
send, using the secured microcontroller, the hash of the seed and the value to another device associated with the particular domain to authenticate the computing device to the particular domain, wherein the hash of the seed and the value is sent independent of a processor and the operating system of the computing device and is used to authenticate the computing device; and
communicate security posture data over a secured channel between the computing device and the particular domain, the security posture data describing attributes of the computing device based, at least in part, on the authentication of the computing device to the particular domain.

US Pat. No. 10,432,614

TECHNIQUES FOR VERIFYING USER INTENT AND SECURELY CONFIGURING COMPUTING DEVICES

Apple Inc., Cupertino, C...

1. A method for enabling a computing device to securely configure a peripheral computing device, the method comprising, at the computing device:
approving a request received from the peripheral computing device to engage in a setup procedure for the peripheral computing device;
receiving, from the peripheral computing device:
(1) an audio signal that encodes (i) a password, and (ii) timing information, and
(2) a light signal; and
in response to identifying that the timing information correlates with the light signal:
extracting the password from the audio signal, and
establishing a communication link with the peripheral computing device based on the password.

US Pat. No. 10,432,613

HTTPS ENABLED CLIENT TOOL

Dell Products L. P., Rou...

1. A method comprising:
creating, by a computing system, a digital certificate that is self-signed and that:
identifies the computing system as a server for a bi-directional Hypertext Transfer Protocol Secure (HTTPS) communication; and
identifies a remote browser as a client for the bi-directional HTTPS communication;
assigning the digital certificate a validity period of one day;
generating, by the computing system, a unique private key for the digital certificate;
providing, by the computing system, the digital certificate to the remote browser for authentication of the computing system as the server in the HTTPS communication; and
after successful authentication, performing, by the computing system, the bi-directional HTTPS communication with the remote browser;
while performing the bi-directional HTTPS communication, periodically renewing, by the computing system, the digital certificate at a pre-defined time interval within the validity period; and
making the unique private key unavailable in the computing system.

US Pat. No. 10,432,611

TRANSACTION PROCESSING METHOD AND CLIENT BASED ON TRUSTED EXECUTION ENVIRONMENT

Alibaba Group Holding Lim...

1. A method implemented by a client including one or more computing devices, the method comprising:
downloading a certificate of a server;
storing the certificate of the server into a share buffer in a normal environment, the share buffer being accessible in both the normal environment and a secure environment;
performing verification of a server in the secure environment;
storing a public key of the certificate of the server into a secure buffer in the secure environment after successfully verifying the certificate of the server, the secure buffer being accessible in the secure environment and not accessible in the normal environment;
obtaining the public key in the secure environment;
generating a session key and encrypting the session key using the public key in the secure environment, the session key being generated by the client in a respective session between the client and the server, the session key being terminated after the respective session is ended;
transmitting the encrypted session key to the server in the normal environment;
encrypting pre-obtained transaction information using the session key in the secure environment; and
transmitting the encrypted transaction information to the server in the normal environment.

US Pat. No. 10,432,610

AUTOMATED MONITORING AND MANAGING OF CERTIFICATES

VMware, Inc., Palo Alto,...

1. A computer-implemented method for automated monitoring of certificate expiration and automated provisioning of a signed certificate in a computing system, said computer-implemented method comprising:
automatically periodically accessing a plurality of computing nodes in said computing system for said certificate expiration of a certificate of said plurality of computing nodes, wherein said automatically periodically accessing is provided by a centralized management tool of said computing system;
automatically determining said certificate of said plurality of computing nodes has an impending certificate expiration, by said centralized management tool of said computing system;
in response to said determining, automatically generating an alert, by said centralized management tool, that indicates said impending certificate expiration of said certificate;
accessing, by said centralized management tool of said computing system, a certificate signing request from a computing node of said plurality of computing nodes,
wherein said computing node is a host in a virtualization infrastructure that provides underlying hardware for supporting a virtual machine (VM) and a workload of the VM, and wherein said centralized management tool is stored and executed on a single client device communicatively coupled with said computing system;
providing said certificate signing request to a certificate authority by said centralized management tool;
accessing a signed certificate from said certificate authority for said computing node; and
providing said signed certificate to said computing node, by said centralized management tool, such that there is automated provisioning of said signed certificate at said computing node to establish trust of said computing node in said computing system.

US Pat. No. 10,432,609

DEVICE-BOUND CERTIFICATE AUTHENTICATION

Device Authority Ltd., B...

1. A non-transitory computer readable medium useful in association with a computer which includes one or more processors and a memory, the computer readable medium including computer instructions which are configured to cause the computer, by execution of the computer instructions in the one or more processors from the memory, to bind a digital certificate that can be stored on a computer-readable medium to multiple devices by at least:
receiving at a server computer a request from a remote device through a computer network wherein the request identifies the certificate and identifies the multiple devices,
retrieving the certificate;
for each of the multiple devices:
retrieving a digital fingerprint of the device; and
including the digital fingerprint in the certificate;
and
sending the certificate with the included digital fingerprints to the remote device through the computer network;
wherein the server computer in response to the request serves a device driver cryptographically signed with the certificate so that any of the devices can install the device driver only upon a condition in which one of the digital fingerprints corresponds to the installing device.

US Pat. No. 10,432,608

SELECTIVELY ENABLING MULTI-FACTOR AUTHENTICATION FOR MANAGED DEVICES

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium containing instructions that, when executed by the at least one computing device, cause the at least one computing device to perform stages comprising:
receiving an authentication request from a client device, the authentication request including a first authentication factor corresponding to a single sign-on (“SSO”) credential, wherein the SSO credential is downloaded to the client device, wherein the authentication request originates at a first client application executing on the client device;
determining, at an identity provider service separate from the client device, whether at least one second authentication factor should be requested, including determining that the at least one second authentication factor should be requested based on a version of an application executing on the client device; and
in response to determining that the at least one second authentication factor should be requested:
requesting the at least one second authentication factor from the client device, including determining the first client application does not natively support the at least one second authentication factor and, as a result, requesting the at least one second authentication factor from a second client application;
receiving the at least one second authentication factor from the client device;
after confirming the at least one second authentication factor from the second client application, sending, from the identity provider service, an identity assertion to the first client application, wherein the first client application provides the identity assertion to a service provider that is separate from the identity provider service; and
authenticating the client device in response to verifying the first authentication factor and the at least one second authentication factor.

US Pat. No. 10,432,607

SYSTEM AND METHOD FOR SINGLE SIGN-ON SESSION MANAGEMENT WITHOUT CENTRAL SERVER

JPMORGAN CHASE BANK, N.A....

1. A computer server configured for single sign-on session management, the computer server comprising:
at least one communication interface coupled to at least one protected web resource;
one or more computer processors, operatively connected with the at least one communication interface, restricting user access to the at least one protected web resource;
at least one plug-in module residing on the one or more computer processors and being configured to:
receive, from a first client device, a first request to access the at least one protected web resource, the first request comprising first user credentials;
determine, completely within the computer server and independent of any other server, whether the first user credentials can be authenticated;
when the first user credentials cannot be authenticated, deny the first request or perform further authentication;
when the first user credentials are authenticated, authorize the first request, create first session credentials for the first client device, and transmit the created first session credentials to the first client device;
the at least one plug-in module being further configured to:
receive, from the first client device or a second client device, a second request to access the at least one protected web resource, the second request comprising the first session credentials or second session credentials; and
validate, completely within the computer server and independent of any other server, the received first session credentials or the received second session credentials;
when the received first session credentials or the received second session credentials are validated, authorize the second request, and
when the received first session credentials or the received second session credentials cannot be validated, deny the second request or perform further authentication.

US Pat. No. 10,432,606

LAWFUL INTERCEPTION OF ENCRYPTED COMMUNICATIONS

TELEFONAKTIEBOLAGET LM ER...

1. A method of providing access to an encrypted communication between a sending node and a receiving node to a Law Enforcement Agency, the method comprising, at a Key Management Server function, by first:
storing at a database cryptographic information used to encrypt the communication, the cryptographic information associated with an identifier used to identify the encrypted communication between the sending node and receiving node; then
receiving a request originating from a Law Enforcement Agency for Lawful Intercept, the request including an identity of a target for Lawful Interception and wherein the request is received after the encrypted communication between the sending node and the receiving node has started; then
using the target identity to determine the identifier, and retrieving from the database the cryptographic information associated with the identifier, the cryptographic information usable to decrypt the encrypted communication; and then
sending one of information derived from the cryptographic information and a decrypted communication towards the Law Enforcement Agency.

US Pat. No. 10,432,605

SCALABLE RISK-BASED AUTHENTICATION METHODS AND SYSTEMS

United Services Automobil...

1. A scalable, risk-based authentication system comprising:
a memory;
a processor in communication with the memory, the processor operable to execute software modules, the software modules comprising:
a plurality of fraud monitoring engines to:
analyze user data and organization data, and
generate a set of risk factors based on the user data and the organization data;
wherein the plurality of fraud monitoring engines includes:
a batch risk scorer to periodically generate an indication of an overall risk of a user account based on user patterns and previous alerts associated with the user account;
an information security monitoring engine to access alerts relating to enterprise information security; and
a social network analyzer to analyze the user's social network to identify relationships indicating fraud;
a risk aggregator in communication with the plurality of fraud monitoring engines to:
receive the set of risk factors, and
transform the set of risk factors into risk indicators;
wherein the risk factors indicative of the user's behavior include alerts related to the behavior of the user, wherein the alerts are determined by:
comparing the behavior of the user with the behavior of a peer group of the user;
determining whether the behavior of the user deviates from the behavior of the peer group of the user above a threshold level; and
generating an alert when the behavior of the user deviates above the threshold level; and
an authentication engine to:
receive the risk indicators from the risk aggregator, and
rank authentication methods according to a level of invasiveness, wherein the most invasive authentication methods require user-provided information, wherein the least invasive authentication methods require no user-provided information;
generate an authentication plan for a requested activity that includes an authentication method, wherein the authentication plan is based on the level of user invasiveness required by the authentication method, the risk indicators and the requested activity.

US Pat. No. 10,432,604

SYSTEM AND METHOD FOR POOL-BASED IDENTITY AUTHENTICATION FOR SERVICE ACCESS WITHOUT USE OF STORED CREDENTIALS

eBay Inc., San Jose, CA ...

1. A method comprising:
receiving, at an authentication authority, an authentication request from a web service provider, the authentication request comprising a service request by a service requestor to the web service provider to access a web service, and a service requestor identifying information;
determining authentication information from the service request sent to the web service, the service request comprising the authentication information;
validating the authentication information using independently verifiable data; and
in response to validating the authentication information meets the independently verifiable data, sending a grant or denial of access to the web service.

US Pat. No. 10,432,603

ACCESS TO DOCUMENTS IN A DOCUMENT MANAGEMENT AND COLLABORATION SYSTEM

Amazon Technologies, Inc....

1. A computer-implemented method, comprising:
receiving a first request to provide a user access to a document managed by a document management and collaboration system; and
providing the user with access to the document by at least:
transmitting a notification to a first user device associated with the user indicating access to the document has been provided;
receiving a second request to access the document;
making out-of-band access credentials available to a second user device in response to the second request based at least in part on a login credential associated with the second request provided to the document management and collaboration system;
obtaining the out-of-band access credentials from the first user device; and
providing access to the document by at least:
obtaining the out-of-band access credentials from the first user device; and
determining a confidence score of the out-of-band access credentials, the confidence score determined based at least in part on a number of independent authentication factors including at least the login credential and one or more attributes of the second user device.

US Pat. No. 10,432,602

ELECTRONIC DEVICE FOR PERFORMING PERSONAL AUTHENTICATION AND METHOD THEREOF

Samsung Electronics Co., ...

1. An electronic device comprising:
a display;
a sensing circuit; and
a processor configured to:
capture a plurality of authentication images through the sensing circuit during a specific time,
generate a plurality of preview images, wherein each of the plurality of preview images corresponds to a low resolution image of each of the plurality of authentication images,
generate a guide that directs an authentication target, in association with the at least one of the plurality of authentication images, to be in a location for capturing a valid image for an authentication,
control the display to output the at least one of the plurality of preview images and the guide, wherein the at least one of the plurality of preview images and the guide are used by a user to align the authentication target with the sensing circuit,
select at least one first image from the plurality of authentication images based on validity of the plurality of authentication images, wherein a number of images of the selected at least one first image is less than a number of images of the plurality of authentication images,
perform the authentication based on a biometric information in the selected at least one first image, and
apply an image filter to at least one of the plurality of preview images such that sensitive information in the at least one of the plurality of preview images is not recognized,
wherein a resolution of the at least one first image is higher than a resolution of the at least one of the plurality of preview images.

US Pat. No. 10,432,601

CONTENT ACTIVATION VIA INTERACTION-BASED AUTHENTICATION, SYSTEMS AND METHOD

Nant Holdings IP, LLC, C...

1. A method of activating content, the method comprising:
enabling an electronic device to access an authentication agent;
obtaining, by the electronic device, a digital representation of an interaction within a physical environment comprising a plurality of physical objects, wherein the digital representation is obtained from a defined perspective of the physical environment;
discriminating at least two different objects from the plurality of physical objects in the physical environment as a first valid authentication object and a second valid authentication object based on the digital representation;
generating a first set of authentication features from the digital representation and associated with the first valid authentication object, and a second set of authentication features from the digital representation and associated with the second valid authentication object, wherein generating comprises using one or more image data analysis techniques to generate the first set of authentication features and the second set of authentication features;
establishing, by the authentication agent, a content access level as a function of a juxtaposition of the first set of authentication features with respect to the second set of authentication features, wherein the juxtaposition is determined when the first set of authentication features and the second set of authentication features represent a difference between an expected and observed centroid of authentication features within a defined set of frames of the digital representation from the defined perspective of the physical environment, and wherein the content access level is derived based on how well the authentication features match salient authentication features mapped to the content access levels and at least one of relative position information or relative orientation information derived from relative positions or relative orientations of the first valid authentication object with respect to the second valid authentication object within the physical environment represented in the digital representation;
activating, by the authentication agent, content based on the content access level; and
configuring an output device to present the content according to the content access level.

US Pat. No. 10,432,600

NETWORK-BASED KEY DISTRIBUTION SYSTEM, METHOD, AND APPARATUS

Uniken, Inc., Chatham To...

1. An apparatus comprising:
a first electronic data port configured to transmit electronic data to one or more electronic devices and receive electronic data from the one or more electronic devices;
a second electronic data port configured to transmit electronic data to one or more management servers and receive electronic data from the one or more management servers; and
at least one processor that, when executing one or more network-based key distribution operations, is configured to:
receive, from an electronic device of the one or more electronic devices, a verification message indicating that the electronic device is not corrupt before receiving a unique universal identifier (UUID) from the electronic device,
receive, from the electronic device, the UUID, wherein the UUID is associated with an application stored in a memory of the electronic device,
receive, from a management server of the one or more management servers, a server key stored in a credential store and that is associated with the UUID received from the electronic device, and
establish one or more secure channels for electronic data communication with the electronic device based on the received UUID and the server key.

US Pat. No. 10,432,599

SECURE SOCKET LAYER KEYSTORE AND TRUSTSTORE GENERATION

1. A computer-readable storage medium storing instructions that, when executed by a processor of a computing device, cause the processor to perform operations comprising:
requesting a keystore file from a keystore distribution system;
receiving the keystore file from the keystore distribution system, wherein the keystore file comprises a signed public key combined, by the keystore distribution system, with a private key generated by the keystore distribution system, and wherein the signed public key comprises a public key generated by the keystore distribution system that is digitally signed with a private key provided by a certificate authority of the keystore distribution system; and
performing a startup procedure utilizing the keystore file to establish, by the computing device, a secure channel over which to exchange information with at least one client computing device over a network.

US Pat. No. 10,432,598

SYSTEM AND METHOD FOR PROVIDING CONTROLLED APPLICATION PROGRAMMING INTERFACE SECURITY

CAPITAL ONE SERVICES, LLC...

1. A method of providing access to data comprising:
creating, by at least one remote server that is remote from a device, a customer data key specific to:
a first application,
a user of the first application, and
the device upon which the first application resides;
sending, to enable storage of the customer data key in the device, the customer data key to the first application via an application programming interface (API) call, wherein the API call is made via an API employed to provide connectivity between the first application and underlying data in the at least one remote server, the API configured to limit access to the underlying data in the at least one remote server in accordance with a user control; and
activating, after creating the customer data key, by the at least one remote server, and via a second application in an out-of-band authentication, the customer data key by:
validating a user credential via the second application;
outputting an alert that the first application is requesting authorization to access the underlying data; and
activating, by the at least one remote server and in response to receiving an authorization, the customer data key to enable access to at least a portion of the underlying data using the activated customer data key via the API.

US Pat. No. 10,432,597

DIGITAL SECURITY BUBBLE

Wickr Inc., Pleasanton, ...

1. A method comprising:
receiving, at a first device, a notification of an encrypted encapsulation from a security platform;
obtaining, by the first device, the encrypted encapsulation from the security platform in response to receiving the notification, wherein the encrypted encapsulation includes an encrypted message, an encrypted first key, and a device identifier associated with an intended recipient;
decrypting, by the first device, the encrypted encapsulation;
comparing, by the first device, the received device identifier with a local device identifier;
decrypting, by the first device, the encrypted first key using a private key of the intended recipient in response to a determination that the received device identifier matches the local device identifier;
decrypting, by the first device, the encrypted message using the first key to produce a decrypted message; and
providing, by the first device, the decrypted message to a recipient.

US Pat. No. 10,432,596

SYSTEMS AND METHODS FOR CRYPTOGRAPHY HAVING ASYMMETRIC TO SYMMETRIC KEY AGREEMENT

1. A method for generating data for use in cryptography or secure modulation, the method comprising:
generating a public code using a secret key by a processor, wherein the public code includes an interior matrix and a summing matrix, both having a predetermined dimension of rows and columns;
sending the public code and a rule of obfuscation to a first computing device node using a transmitter, wherein the rule of obfuscation includes the predetermined dimension corresponding to the interior matrix and the summing matrix;
generating an obfuscated matrix pattern from the interior matrix using a processor, based upon at least a subset of parameters associated with the rule of obfuscation; and
generating a symmetric code from the summing matrix using a processor, based upon the rule of obfuscation, for use in communication between the first computing device and a second computing device.

US Pat. No. 10,432,595

SECURE SESSION CREATION SYSTEM UTILIZING MULTIPLE KEYS

BANK OF AMERICA CORPORATI...

1. A system for creating a secure session utilizing multiple keys, the system comprising:
one or more memory devices having computer readable code stored thereon; and
one or more processing devices operatively coupled to the one or more memory devices, wherein the one or more processing devices are configured to execute the computer readable code to:
access an organization application, through an organization system or a third party system;
access two or more digital signatures corresponding to the organization application, wherein the two or more digital signatures are included within a single certificate, wherein the two or more digital signatures are validated by two or more certification authorities, and wherein at least two of the two or more certification authorities are separate certification authorities;
attempt to verify at least one of the two or more digital signatures as being signed by a certification authority that is trusted;
receive two or more public keys, wherein at least one of the two or more public keys are associated with the single certificate;
create a symmetric session key for the secure session with the organization application;
encrypt the symmetric session key to create an encrypted symmetric session key using the two or more public keys;
send the encrypted symmetric session key to the organization application, wherein the encrypted symmetric session key is decrypted by the organization application using two or more private keys corresponding to the two or more public keys; and
receive and send information from and to the organization application using the symmetric session key.

US Pat. No. 10,432,594

PRIMITIVE FUNCTIONS FOR USE IN REMOTE COMPUTER MANAGEMENT

KASEYA LIMITED, Dublin (...

1. A non-transitory computer readable storage memory encoded with one or more computer programs being executed to cause a processor to perform:
transmitting, from a remote computer management server to a managed computer, a dynamically loaded library (DLL) including one or more sets of instructions that, when implemented by agent software, produce functionality not enabled by the agent software at the time the DLL is transmitted to the managed computer, the functionality performed by the DLL comprising:
transmitting device identification information to the remote computer management server indicating existence of at least one device connected to the managed computer;
receiving at the managed computer another DLL comprising additional commands instructing the agent software to perform management actions responsive to the identification information transmitted, the additional commands identifying a communication protocol to be used by the agent software when communicating with the at least one device; and
transmitting from the managed computer to the remote computer management server a result of the performance of the management action.

US Pat. No. 10,432,593

SECURE SOFTWARE UPDATES

Apple Inc., Cupertino, C...

1. A method for updating software modules installed on electronic devices, the method comprising, at a computing device:
storing a latest version identifier for a latest version of a software module stored on a server device;
establishing a connection with an electronic device;
obtaining, from the electronic device, a current version identifier for the software module installed on the electronic device;
comparing the latest version identifier to the current version identifier to determine whether an update is available for the software module; and
in response to determining that the update is available:
transmitting, to the server device, a request for the latest version of the software module stored on the server device,
receiving, from the server device, the latest version of the software module, wherein the latest version of the software module is encrypted using a unique encryption key associated with the electronic device,
providing the latest version of the software module to the electronic device for installation at the electronic device, and
updating a configuration of the electronic device to cause the electronic device to install the latest version of the software module in response to closing the connection with the computing device.

US Pat. No. 10,432,592

PASSWORD ENCRYPTION FOR HYBRID CLOUD SERVICES

Citrix Systems, Inc., Fo...

1. A system comprising:
a gateway server, associated with an internal cloud, configured to receive messages from a user device and to forward the messages to a computing device associated with an external cloud different from the internal cloud; and
a workspace cloud connector computing device associated with the internal cloud, wherein the workspace cloud connector computing device is communicatively coupled to the gateway server and different from the user device, the workspace cloud connector computing device configured to:
prevent a first message of the messages being forwarded to the computing device associated with the external cloud, from being delivered to the computing device associated with the external cloud based on detecting that the first message includes plaintext user identity credentials for an internal application;
generate an encryption key;
encrypt the plaintext user identity credentials using the encryption key;
generate a first hash of the encryption key;
transmit a second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud;
in response to transmitting the second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud, receive a routing address of a virtual delivery agent computing device from the computing device associated with the external cloud; and
transmit a third message including the encryption key and the routing address of the virtual delivery agent computing device to the user device.

US Pat. No. 10,432,591

ESTABLISHING A COMMUNICATION EVENT USING SECURE SIGNALING

Microsoft Technology Lice...

11. A communications controller for establishing a communication event between an initiating device and a responding device under the control of the communications controller, the communications controller comprising:a computer-readable storage device having computer-executable instructions stored thereon; and
one or more hardware processors in communication with the computer-readable storage device that, having executed the computer-executable instructions, configure the communications controller to:
establish a first connection with an initiating device using a first communication protocol;
generate a plaintext session key that identifies a communication session;
select a wrapper key and a wrapper key identifier that identifies the requested wrapper key;
encrypt the plaintext session key using the wrapper key to obtain an encrypted session key;
transmit the plaintext session key, the encrypted session key, and the wrapper key identifier to the initiating device;
terminate the first connection with the initiating device;
establish a second connection with the initiating device using a second communication protocol; and
receive a communication event payload and the wrapping key identifier using the second connection.

US Pat. No. 10,432,590

ESTABLISHING A COMMUNICATION EVENT USING SECURE SIGNALLING

Microsoft Technology Lice...

11. An initiating device for establishing a communication event with a responding device under the control of a remote communications controller, the initiating device comprising:a computer-readable storage medium storing computer-executable instructions; and
one or more hardware processors in communication with the computer-readable storage medium that, having executed the computer-executable instructions, configure the initiating device to:
establish a first connection with a communications controller using a first communication protocol;
receive an encrypted session key, a plaintext session key, and a wrapping key identifier using the first connection, wherein the wrapping key identifier identifies a wrapping key used to encrypt the encrypted session key;
terminate the first connection with the communications controller;
encrypt a communication event payload based on the plaintext session key;
establish a second connection with the communications controller using a second communication protocol; and
transmit the communication event payload, the encrypted session key, and the wrapping key identifier to the communications controller using the second connection.

US Pat. No. 10,432,589

SECURE END-TO-END COMMUNICATIONS

Symphony Communication Se...

1. A computer-implemented method performed by a client device of a user, comprising:obtaining, from a communication server, conversation key data for participating in a single, secure conversation between a plurality of users;
deriving a conversation key from the conversation key data, the conversation key generated by an organization system remote from the communication server and administered by an organization different from an organization that administers the communication server,
wherein the conversation key comprises a cryptographic key that permits the plurality of users to participate in the single, secure conversation from a plurality of conversations established by the organization system;
encrypting a message of the user using the conversation key; and
sending the encrypted message to the communication server for delivery to other users of the plurality of users,
wherein the communication server cannot decrypt the encrypted message.

US Pat. No. 10,432,588

SYSTEMS AND METHODS FOR IMPROVING HTTPS SECURITY

Zscaler, Inc., San Jose,...

1. A gateway in a cloud system, configured to implement HyperText Transfer Protocol (HTTP) HTTP Strict Transport Security (HSTS), the gateway comprising:a network interface, a data store, and a processor communicatively coupled to one another; and
memory storing computer executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor to
receive a domain request from a user device executing an HSTS application configured to detect the domain request from a browser or application executed on the user device;
transmit a response to the user device with support of HTTP Security (HTTPS) by the domain;
receive an updated domain request with information removed based on the HTTPS support of the domain; and
redirect the user device to the domain.

US Pat. No. 10,432,587

VPN DEEP PACKET INSPECTION

AVENTAIL LLC, San Jose, ...

1. A method for establishing a connection, the method comprising:receiving a packet from a client through a virtual private network (VPN) connection;
determining application information from the source of the packet;
sending an access request with the application information to a gateway server; and
allowing a proxied VPN session based on results of the access request, wherein a connection identifier for the proxied VPN session is sent to a proxy that allows the proxy to send requests to the gateway server in the same context as the tunnel server and to receive the results, and wherein an administrator views the state of the VPN session at a management console, and the gateway server tracks the state of the VPN session in a data store.

US Pat. No. 10,432,586

TECHNOLOGIES FOR HIGH-PERFORMANCE NETWORK FABRIC SECURITY

Intel Corporation, Santa...

10. A method for fabric security, the method comprising:enabling, by a network device, a first port of the network device, wherein the first port is coupled to a link partner;
determining, by the network device, whether the first port is an edge port when enabling the first port, wherein determining whether the first port is an edge port comprises securely identifying whether the link partner coupled to the first port is a compute node; and
enforcing, by the network device, a fabric management partition at the first port in response to determining that the first port is an edge port, wherein the first port is associated with a limited member of the management partition and the first port is prevented from communicating with other limited members of the management partition;
wherein securely identifying whether the link partner coupled to the first port is a compute node comprises establishing a backchannel communication session with a host fabric interface of the link partner using the first port, and receiving a node type indicator from the host fabric interface via the backchannel communication session.

US Pat. No. 10,432,584

MANAGING LAME DELEGATED DOMAINS WITHIN A MANAGED DNS SERVICE

VERISIGN, INC., Reston, ...

1. A computer-implemented method for managing lame delegated domains, the method comprising:receiving, at a domain name system (DNS) service provider, a request to configure a domain name;
determining that the domain name is lame delegated to the DNS service provider;
transmitting, in response to the request, an identification of a name server associated with the DNS service provider, wherein the identification is to be added to a trusted registry associated with the domain name to verify ownership of the domain name; and
upon determining that the identification of the name server has been added to the trusted registry, determining that the request is associated with a rightful owner of the domain name.

US Pat. No. 10,432,583

ROUTING AGENT PLATFORM WITH A 3-TIER ARCHITECTURE FOR DIAMETER COMMUNICATION PROTOCOL IN IP NETWORKS

Syniverse Technologies, L...

1. A method of routing messages using a Diameter Protocol in a computer network, the method comprising:deploying a Diameter Connection Router (DCR) between a plurality of peers and a plurality of Diameter Load Balancers (DLBs), the DCR interfacing with the plurality of peers and configured to communicate with each DLB within the plurality of DLBs;
providing a plurality of Diameter Routing Agents in communication with each DLB of the plurality of DLBs;
exposing a public Internet Protocol (IP) address of the DCR to the plurality of peers as a single point of contact between the plurality of peers and the computer network, wherein an internal topology of the computer network is hidden from the plurality of peers;
receiving, by the DCR, a message from a first peer of the plurality of peers;
selecting, by the DCR, a first DLB from the plurality of DLBs and routing the message to the first DLB, wherein a rule is created for subsequent messages from the first peer to bypass the DCR and to be routed to the first DLB;
establishing a connection between the first DLB and each of the plurality of DRAs, thereby enabling the message from the first peer to reach any of the plurality of the DRAs;
routing the message from the first DLB to a first DRA of the plurality of DRAs, wherein the first DRA performs message mediation based on an attribute selected from the group consisting of Diameter headers, Attribute-Value-Pair (AVP) of the message, and an identity of the first peer;
routing the message from the first DRA to a second DLB of the plurality of DLBs, the second DLB having a routing path to a second peer of the plurality of peers, the second DLB being selected by the first DRA;
routing the message from the second DLB to the DCR;
routing the message from the DCR to the second peer; and
responsive to a request to teardown a connection between the first peer and the second peer, deleting the rule for routing the subsequent messages from the first peer to bypass the DCR and to be routed from the first peer to the first DLB.

US Pat. No. 10,432,582

TECHNOLOGIES FOR SCALABLE LOCAL ADDRESSING IN HIGH-PERFORMANCE NETWORK FABRICS

Intel Corporation, Santa...

1. A network device for data packet forwarding, the network device comprising:a packet ingress module to extract a destination local identifier (DLID) from a data packet, wherein the DLID comprises a binary value having a first length; and
a multicast processing module to:
compose a multicast mask, wherein the multicast mask comprises a binary value having the first length and wherein the multicast mask is indicative of an upper part of an address space of the DLID;
determine whether the DLID is included in the upper part of the address space using the multicast mask;
determine a multicast group as a function of the DLID in response to a determination that the DLID is included in the upper part of the address space; and
forward the data packet to the multicast group in response to the determination that the DLID is included in the upper part of the address space.

US Pat. No. 10,432,581

NETWORK IDENTIFICATION AS A SERVICE

Smartpipe Technologies Lt...

1. A method of modifying a network request comprising:receiving, at an intermediate network device in a service provider network, a network request from a client device;
modifying, at the intermediate network device, the network request to include a network identifier; and
transmitting, from the intermediate network device, the network request to a server device located outside the service provider network;
wherein modifying the network request comprises:
selecting the network identifier from a set of available network identifiers, wherein a different network identifier is associated with each network request;
generating, for the received network request, a mapping between the selected network identifier and data originating from the service provider network,
wherein the set of available network identifiers comprises network identifiers that are not associated with an active mapping at a time of selection,
wherein the mapping is configured to persist for a predefined time period following receipt of the network request, and
wherein the selected network identifier is returned to the set of available network identifiers on expiry of the predefined time period,
such that there is no correlation between a network identifier and a network request or data originating from the service provider network outside of the mapping; and
configuring a data broker accessible from outside the service provider network based on the mapping, the data broker being configured to transmit at least a portion of the data originating from the service provider network based on the mapping within the predefined time period.

US Pat. No. 10,432,580

MESSAGE PROCESSING METHOD, APPARATUS, AND SYSTEM

HUAWEI TECHNOLOGIES CO., ...

1. A message processing method, comprising:sending, by a Dynamic Host Configuration Protocol for Internet Protocol version 6 (DHCPv6) client apparatus, a first message requesting assignment of an Internet Protocol version 6 (IPv6) address to a DHCPv6 server, wherein the first message comprises a first random identifier generated by the DHCPv6 client apparatus, wherein the first random identifier identifies the DHCPv6 client apparatus, and wherein the first message does not comprise a Dynamic Host Configuration Protocol (DHCP) unique identifier (DUID);
receiving, by the DHCPv6 client apparatus, a first reply message from the DHCPv6 server, wherein the first reply message comprises a first IPv6 address, first configuration information, and the first random identifier;
sending, by the DHCPv6 client apparatus, a second message to the DHCPv6 server, wherein the second message comprises a second random identifier generated by the DHCPv6 client apparatus using a preset algorithm and the first random identifier, wherein the second random identifier identifies the DHCPv6 client apparatus, wherein the second random identifier is different from the first random identifier, and wherein the second message does not comprise the DUID; and
receiving, by the DHCPv6 client apparatus, a second reply message from the DHCPv6 server, wherein the second reply message comprises a second IPv6 address, second configuration information, and the second random identifier.

US Pat. No. 10,432,579

INTERNET PROTOCOL ADDRESS ALLOCATION METHOD AND ROUTER

Huawei Technologies Co., ...

1. An Internet Protocol address allocation method comprising:receiving, by a router, a first delegate prefix of an upper-level network device sent by the upper-level network device, wherein the upper-level network device is a network device connected to a wide area network (WAN) interface of the router;
generating, by the router, a local prefix of the router and a second delegate prefix of the router according to the first delegate prefix of the upper-level network device, wherein generating the local prefix of the router and the second delegate prefix of the router comprises:
increasing, by the router, a quantity of bits in the first delegate prefix of the upper-level network device by one to obtain the second delegate prefix of the router; and
sending, by the router, the local prefix of the router and the second delegate prefix of the router to a lower-level router of the router, wherein the lower-level router is a router connected to a local area network (LAN) interface of the router; wherein the local prefix of the router enables the lower-level router to determine an Internet Protocol (IP) address of a WAN interface of the lower-level router; and the second delegate prefix of the router enables the lower-level router to generate a local prefix of the lower-level router.

US Pat. No. 10,432,578

CLIENT ADDRESS BASED FORWARDING OF DYNAMIC HOST CONFIGURATION PROTOCOL RESPONSE PACKETS

Cisco Technology, Inc., ...

1. A method comprising:receiving, by a first relay agent on a first network device, a first discovery message associated with a first client device, the first discovery message including a first discovery message identifier field comprising a first identifier corresponding to the first client device, wherein the first client device is associated with a subnet;
registering, by the first relay agent with a map server, the first identifier with an address of the first network device;
adding, by the first relay agent, a gateway address corresponding to the first relay agent to the first discovery message, the gateway address being in an Endpoint Identification (EID) space;
encapsulating, by the first relay agent, the first discovery message;
forwarding, by the first relay agent, the encapsulated first discovery message over a network to a border device;
decapsulating, by the border device, the encapsulated first discovery message;
forwarding, by the border device, the decapsulated first discovery message to a dynamic host configuration protocol (DHCP) server having an address not in the EID space;
receiving, by the border device in response to forwarding the decapsulated first discovery message to the DHCP server, a first offer message having a first offer message destination address comprising the gateway address corresponding to the first relay agent and a first offer message identifier field comprising the first identifier;
extracting, by the border device from the first offer message identifier field in the first offer message, the first identifier corresponding to the first client device;
querying, by the border device, the map server for a first location address corresponding to the extracted first identifier corresponding to the first client device;
encapsulating, by the border device, the first offer message; and
forwarding, by the border device, the encapsulated first offer message over the network to the first location address.

US Pat. No. 10,432,577

METHOD AND DEVICE FOR REDIRECTION TO WEB PAGE

1. A method for redirection to a Web page, comprising:when a first device receives a Domain Name System (DNS) request from a second device and a domain name requested by the DNS request is not a domain name of a gateway of the first device and satisfies a redirection condition, sending, by the first device, a response message of the DNS request to the second device, wherein an unused virtual Internet Protocol (IP) address in a locally preset virtual IP address group is carried in the response message, and the unused virtual IP address being a virtual IP address having not been used for redirecting a DNS response packet yet;
establishing, by the first device, a correspondence between the virtual IP address and the domain name satisfying the redirection condition; and
after the first device receives a Transport Control Protocol (TCP) data packet sent from the second device, replacing the virtual IP address carried in the TCP data packet with a designated IP address, and forwarding, according to the designated IP address, interactive data packets between the second device and the designated IP address.

US Pat. No. 10,432,576

USER DEVICE TO DOMAIN NAME RESOLVER MAPPING

Instart Logic, Inc., Pal...

1. A method of selecting an edge proxy server to serve web contents to user devices by an authoritative name server, comprising:receiving domain name system (DNS) queries from a domain name resolver;
creating by the authoritative name server a list of user devices served by the domain name resolver based on the received DNS queries;
determining by the authoritative name server a geographical location indicating geographical locations of the list of user devices served by the domain name resolver based on the created list of user devices served by the domain name resolver, wherein the geographical location indicating the geographical locations of the list of user devices served by the domain name resolver is different from a geographical location of the domain name resolver;
wherein determining the geographical location indicating the geographical locations of the list of user devices served by the domain name resolver comprises: determining a weighted average of the geographical locations of the list of user devices served by the domain name resolver; and
selecting by the authoritative name server an edge proxy server in response to a future DNS query received from the domain name resolver based at least in part on the determined geographical location indicating the geographical locations of the list of user devices served by the domain name resolver.

US Pat. No. 10,432,575

CONFIGURING A PROTOCOL ADDRESS OF A NETWORK DEVICE USING AN ADDRESS RESOLUTION PROTOCOL REQUEST

Verizon Patent and Licens...

1. A device, comprising:a memory; and
one or more processors to:
monitor a network port for an address resolution protocol (ARP) request from a sender device,
the ARP request including a sender hardware address associated with the sender device, a sender protocol address associated with the sender device, and a target protocol address associated with a target device;
detect the ARP request based on monitoring the network port for the ARP request;
determine that the device is able to configure a protocol address of the device using a protocol other than ARP;
determine a value associated with the target protocol address,
the value indicating a quantity of times that the target protocol address has been received in one or more ARP requests;
prevent, until a threshold quantity associated with configuring the protocol address using the protocol other than ARP has occurred, the device from configuring the protocol address with the target protocol address; and
determine that the value satisfies the threshold quantity; and
configure the protocol address of the device using the target protocol address based on determining that the value satisfies the threshold quantity.

US Pat. No. 10,432,574

MANAGING FOR-SALE GROUP POSTINGS

Facebook, Inc., Menlo Pa...

1. A method comprising:identifying, using one or more processors and for a social networking system user, a plurality of group memberships corresponding to a plurality of social networking groups in which the user has a membership, wherein each group comprises a plurality of posts;
analyzing, using the one or more processors, the plurality of posts from each of the plurality of groups in which the user has a membership to identify a plurality of user-to-user sale listings from each of the plurality of social networking groups in which the user has a membership;
aggregating, using the one or more processors, the identified plurality of user-to-user sale listings from each of the plurality of social networking groups in which the user has a membership into a personalized newsfeed for the social networking system user such that the personalized newsfeed comprises user-to-user sale listings from a subset of the plurality of social networking groups in which the user has a membership; and
providing, using the one or more processors, the personalized newsfeed to the social networking system user.

US Pat. No. 10,432,573

INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD AND TERMINAL DEVICE

Saturn Licensing LLC, Ne...

1. An information processing device comprising:a plan sharing server that calculates, for one or more events for which a plan is set by one or more of users in a user group composed of the plurality of users capable of sharing information by satisfying a predetermined condition and for which the information is capable of being shared in the user group, a score on a predetermined calculation basis using event information which is information related to the events, wherein when the information processing device receives a notification from an external device indicating that the event information has been updated the plan sharing server is caused to recalculate the score; and
a graphical user interface for enabling display of the plan, wherein the graphical user interface comprises a setting area that enables the user to set an importance, in degrees of a scale from low to high, for each element of a plurality of elements used in calculating the score such that the user can see the degree of importance of an element relative to the degree of importance of another element by viewing the setting area.

US Pat. No. 10,432,572

CONTENT POSTING METHOD AND APPARATUS

Path Mobile Inc Pte. Ltd....

1. A method comprising:receiving, by at least one server, a posting request for posting on a social networking feed, wherein the posting request comprises texts;
determining, by the at least one server, whether the texts of the posting request comprise a predetermined hash tag;
if it is determined that the texts of the posting request do not comprise the predetermined hash tag, posting the texts on the social networking feed;
if it is determined that the texts of the posting request comprise the predetermined hash tag,
selecting, by the at least one server, an image from a plurality of candidate images stored in at least one database,
selecting, by the at least one server, a portion of the texts of the posting request that does not include the predetermined hash tag, and
causing, by the at least one server, to post an article on the social networking feed such that the selected portion of the texts overlays a portion of the selected image on the posted article.

US Pat. No. 10,432,571

AUTOMATED CONNECTION OF ELECTRONIC MESSAGING AND SOCIAL NETWORKING SERVICES METHOD AND APPARATUS

OATH INC., New York, NY ...

1. A method comprising:providing, at a computing device, a user interface display of an electronic message, the electronic message being directed to a user via an electronic messaging service, the display of the electronic message comprising a display of a user-selectable action of a social networking service, the user-selectable action having a corresponding universal resource locator (URL) identifying the social networking service and the user-selectable action;
receiving, at the computing device, input from the user via the user interface display, the input indicating a selection by the user of the action;
automatically forming a connection, via the computing device, with the social networking service and by a connection service of the electronic messaging service, the automatic connection formation further comprising procuring, by the connection service before invoking the determined action, authorization permitting the connection service to access the social networking system to perform the determined action with the social networking service on behalf of the user, the authorization comprising a token;
transmitting, via the computing device and by the connection service using the formed connection between the connection service of the electronic messaging service and the social networking service, a request on behalf of the user, the request comprising a request that the social networking service perform the action selected by the user;
receiving, via the computing device and by the connection service of the electronic messaging service using the formed connection between the connection service and the social networking service, a reply from the social networking service in response to the request that the social networking service perform the action selected by the user; and
causing, via the computing device and as a response to the selection by the user of the action in the display of the electronic message presented in the user interface of the electronic messaging service, the user interface to be updated to include information indicative of the reply received from the social networking service.

US Pat. No. 10,432,570

SYSTEMS AND METHODS FOR TRANSACTION MESSAGING USING SOCIAL NETWORKING PLATFORMS

Mastercard International ...

1. A computer-implemented method for processing purchase transaction messages on a social network platform, the method implemented using a social network matching (SNM) computing device including a processor and a memory, said method comprising:monitoring, by the SNM computing device, a plurality of social network messages transmitted over the social network platform;
detecting, by the SNM computing device, a predefined hashtagged identifier included within at least one of the monitored plurality of social network messages;
storing, by the SNM computing device in a database, a plurality of item providers, each of the item providers registered with the SNM computing device to provide items in at least one of a plurality of item categories;
receiving, by the SNM computing device, a subset of the social network messages posted publicly to the social network platform, wherein the subset includes the publicly posted social network messages having a predefined hashtagged identifier, and wherein each social network message of the subset includes a plain text keyword identifying a requested item for purchase by a respective requestor, the plain text keyword being separate from the predefined hashtag identifier;
parsing, by the SNM computing device, each social network message of the subset to determine a location of the requester;
determining, by the SNM computing device, one or more of the registered item providers for each social network message of the subset based on one or more of a location of the one or more registered item providers, the location of the requester, the item being requested, or items provided by the one or more registered item providers;
formatting, by the SNM computing device according to predefined formatting rules, each social network message of the subset;
transmitting, by the SNM computing device and after the formatting, each of the social network messages in the subset to the respective one or more registered item providers;
receiving, by the SNM computing device in response to transmitting each of the social network messages in the subset, a confirmation from a first registered item provider of the respective one or more registered item providers that the first registered item provider will provide the requested item to the respective requestor;
transmitting, by the SNM computing device in response to the confirmation for each of the social network messages in the subset, a payment request to the respective requestor, the payment request configured to redirect the requestor to a secure communication channel;
processing, by the SNM computing device for each of the social network messages in the subset, payment card information received from the respective requestor via the secure communication channel for the respective requested item;
transmitting, by the SNM computing device, the payment card information to a payment card processor, wherein the respective requestor is charged for the requested item; and
notifying, by the SNM computing device for each of the social network messages in the subset, the first registered item provider to provide the requested item to the respective requestor.

US Pat. No. 10,432,569

PORTABLE ELECTRONIC DEVICE, INFORMATION PROCESSING METHOD, AND PROGRAM

SONY INTERACTIVE ENTERTAI...

1. An information processing method that is executed by a processor of a portable electronic device, the method comprising: communicating with another portable electronic device different from the portable electronic device,
wherein the portable electronic device comprises a GPS receiver, a Bluetooth module, a microphone, an acceleration sensor, and a digital camera;
acquiring relation information that is information about a relation between a user of the portable electronic device and a user of the another portable electronic device from an external server through a network, upon communicating with the other portable electronic device;
acquiring, from the external server, interaction information that is information about interactions done in the past between the user of the portable electronic device and the user of the another portable electronic device;
notifying the user of the portable electronic device of the acquired relation information and the interaction information using a relation notification on a display of the portable electronic device,
wherein the relation notification appears in a same color as a relation notification shown on the another portable electronic device, and
wherein the relation notification is not displayed if a speed of the user is greater than a predetermined speed as determined by the acceleration sensor;
during a social interaction between the user of the portable electronic device and the user of the another portable electronic device, collecting social interaction information,
wherein the social interaction information includes a distance between the portable electronic device and the another portable electronic device during the social interaction,
wherein the social interaction information further includes GPS data collected from the GPS receiver, audio collected by the microphone, and video acquired by the digital camera;
transmitting the social interaction information to the external server;
determining a type of the social interaction using the social interaction information; and
classifying the user of the another portable electronic device using the distance between the portable electronic device and the another portable electronic device during the social interaction.

US Pat. No. 10,432,567

DISPLAY OF A NOTIFICATION THAT IDENTIFIES A KEYWORD

NOKIA TECHNOLOGIES OY, E...

1. A method comprising: receiving an indication of a first message;
receiving an indication of a second message;
determining that the first message has an unread status;
determining that the second message has an unread status;
determining, with at least a processor, that at least one keyword is represented in a body of the first message and a body of the second message in response to the determination that the first message has an unread status and the determination that the second message has an unread status;
generating a notification that identifies the keyword, signifies the receipt of the first message, and signifies the receipt of the second message; and
causing display of the notification on at least one display of a device.

US Pat. No. 10,432,566

DETERMINING MEMBERSHIP CAUSES FOR NEW USER AND CONTINUED INVOLVEMENT IN SOCIAL NETWORK SITES

International Business Ma...

1. A computer-implemented method of determining a reason a user joins a computer-implemented social network service, the method performed by a social network server executing on at least one processor, comprising: automatically monitoring access to content in a social network site by a newly added member of the social network service to form an initial access history of user interactions with the social network site, the initial access history comprising at least one uniform resource identifier (URI) representing at least one item the newly added member joining the social network service has accessed within a given amount of time after signing up as a member of the social network service;
analyzing the initial access history to determine the reason for joining the social network service by the newly added member, the analyzing comprising at least:
identifying in the initial access history the at least one uniform resource identifier (URI) representing the at least one item on a network of computers;
determining content of the at least one item, which is reflective of the newly added member's original interest, to be the reason;
requesting the newly added member to confirm the reason; and
confirming the reason based on an answer provided by the newly added member; and
customizing posts on a social network web page associated with the social network service according to the newly added member's original interest,
wherein the initial access history comprises at least a plurality of uniform resource identifiers (URIs), which the newly added member joining the social network service has accessed within the given amount of time after signing up as a member of the social network service, and the content, which is reflective of the newly added member's original interest, is determined as a common feature occurring across the plurality of URIs.

US Pat. No. 10,432,564

METHOD AND APPARATUS FOR PROVIDING USER EXPRESSION SERVICE IN COMMUNICATION SYSTEM

Samsung Electronics Co., ...

1. A method for providing a user interaction service in a communication system using a server, the method comprising: receiving, from a gateway, a request message for a user expression of a terminal;
identifying a preference of the terminal based on a user preference document associated with the terminal, wherein the preference of the terminal indicates whether the terminal prefers to receive the request message for the user expression, and wherein the user preference document is obtained from an XML document management server (XDMS);
transmitting, to the terminal, the request message for the user expression in response to identifying that the terminal prefers to receive the request message for the user expression;
receiving, from the terminal, a first response message including information about the user expression; and
transmitting the first response message to the gateway,
wherein the request message for the user expression includes at least one of a description about the user expression, a way for a participation of the user expression, or an expiration time of the user expression.

US Pat. No. 10,432,563

MAIL SERVER AND MAIL DELIVERY METHOD

Fujitsu Client Computing ...

1. A non-transitory computer-readable recording medium having stored therein a mail delivery program of a mail server including a processor, the mail delivery program causing the processor to perform: determining whether a mail accepted by the mail server with a transmission request contains:
information indicating that the mail includes a content that has been already transmitted, and
information indicating concealment of the content of the mail at a forwarding of the mail, wherein the information indicating concealment indicates that the content includes a confidential description;
concealing, upon determining that the mail contains both the information indicating the mail is already transmitted and the information indicating concealment, the confidential description by replacing the confidential description with another description;
transmitting the mail after the concealing of the confidential description;
querying a relay server, which relays the accepted mail, about whether the relay server includes a concealment function that performs the concealing of the confidential description;
determining, based on a response to the query, whether the relay server includes the concealment function; and
transmitting, upon determining that the relay server includes the concealment function, the accepted mail to the relay server.

US Pat. No. 10,432,562

REDUCING PHOTO-TAGGING SPAM

Facebook, Inc., Menlo Pa...

1. A method comprising, by one or more computing systems: receiving a plurality of requests to tag a plurality of respective users in an image;
processing the plurality of requests to determine a relationship between two or more of the requests;
determining a probability that the two or more requests are illegitimate tags based on the determined relationship;
comparing the determined probability to a predetermined threshold to determine that the determined probability is greater than the predetermined threshold; and
applying one or more distribution policies to the two or more requests based on the determined probability being greater than the predetermined threshold.

US Pat. No. 10,432,561

PROXIMITY-BASED COMMUNICATION

International Business Ma...

1. A computer-implemented method for proximity-based communication, comprising: detecting an incoming communication via a first mode of communication from a caller/sender at a communication device of an intended recipient at a first time;
identifying, in response to the detecting of the incoming communication and prior to determining whether to allow transmission to the intended recipient, one or more individuals in proximity to the communication device of the intended recipient using ambient proximity technology;
retrieving, in response to the detecting of the incoming communication, information for each individual of the one or more individuals from a social network profile of the individual using the ambient proximity technology;
assigning a classification to each of the one or more individuals based on the retrieved information;
determining, based on the classification of each of the one or more individuals previously determined to be in proximity, whether to allow transmission of the first mode of communication to the intended recipient;
responsive to determining that the first mode of communication is not allowed, canceling transmission of the communication, such that communications are re-allowed when the one or more individuals is no longer in proximity; and
responsive to determining that the first mode of communication is allowed, allowing transmission of the communication to the intended recipient.

US Pat. No. 10,432,558

SYNCHRONOUS CONFERENCING WITH AGGREGATION OF MESSAGES

International Business Ma...

1. A method for operating a synchronous conference on a computing system, the method comprising: providing, by one or more processors, at least one sequence of original messages to be sent from a sender user to a corresponding at least one receiver user via a network;
aggregating, by one or more processors, the original messages of each sequence into corresponding aggregated messages according to a time distance between each pair of consecutive original messages of said each sequence, wherein consecutive original messages that are within a predefined temporal proximity are aggregated as a pair;
adding, by one or more processors, each original message from the original messages to a current aggregated message, the current aggregated message being sent to said corresponding at least one receiver user in response to no further original message being provided within an aggregation time;
updating, by one or more processors, the aggregation time according to a measure of corresponding time distances;
calculating, by one or more processors, a running average of at least part of the corresponding time distances, and
updating, by one or more processors, the aggregation time according to the running average; and
sending, by one or more processors, aggregated messages to the corresponding at least one receiver user via the network, wherein the aggregated messages are exchanged in a synchronous conference between the sender user and the corresponding at least one receiver user, wherein the original messages are aggregated into the aggregated messages before being exchanged between the sender user and the corresponding at least one receiver user.

US Pat. No. 10,432,557

NETWORK DEVICE

NEW H3C TECHNOLOGIES CO.,...

1. A network device, comprising: a first forwarding board;
a second forwarding board;
an interface board, comprising a control apparatus and a network interface chip, the control apparatus is connected to the first forwarding board via a first Input/Output (I/O) bus, connected to the second forwarding board via a second I/O bus, and connected to the network interface chip via a network interface bus;
wherein the control apparatus is to form a first upstream packet flow which is sent to the first forwarding board via the first I/O bus and a second upstream packet flow which is sent to the second forwarding board via the second I/O bus using data packets received through the network interface chip from exterior of the network device;
wherein the control apparatus is to select and connect one of a first downstream packet flow and a second downstream packet flow to the network interface chip through the network interface bus according to an active/standby state of the first forwarding board and the second forwarding board, wherein the first downstream packet flow is processed by the first forwarding board and received through the first I/O bus and the second downstream packet flow is processed by the second forwarding board and received through the second I/O bus,
wherein the first I/O bus is a first Peripheral Component Interconnect Express (PCI-E) bus, the second I/O bus is a second PCI-E bus; the first forwarding board comprises a first PCI-E root complex (RC) which is connected to the first PCI-E bus, and a first Central Processing Unit (CPU) capable of driving the first PCI-E RC; the second forwarding board comprises a second PCI-E root complex (RC) which is connected to the second PCI-E bus, and a second CPU capable of driving the second PCI-E RC; the control apparatus comprises:
a first PCI-E endpoint connected to the first PCI-E bus;
a second PCI-E endpoint connected to the second PCI-E bus;
a first receiving cache queue and a first sending cache queue which are connected to the first PCI-E endpoint;
a second receiving cache queue and a second sending cache queue which are connected to the second PCI-E endpoint;
a network interface bus controller connected to the network interface chip through the network interface bus;
a duplication driver which connects the network interface bus controller respectively to the first receiving cache queue and the second receiving cache queue, to form the first upstream packet flow using the first receiving cache queue, and form the second upstream packet flow using the second receiving cache queue; and
a selecting and switching component which selects and connects one of the first sending cache queue and the second sending cache queue to the network interface bus controller, to connect one of the first downstream packet flow and the second downstream packet flow to the network interface chip through the network interface bus.

US Pat. No. 10,432,556

ENHANCED AUDIO VIDEO BRIDGING (AVB) METHODS AND APPARATUS

Marvell International Ltd...

13. A network device that supports an audio video bridging (AVB) communication protocol, the network device comprising: one or more integrated circuit devices;
a database implemented on the one or more integrated circuit devices, the database including network addresses; and
a lookup engine implemented on the one or more integrated circuit devices, the lookup engine coupled to, or including, the database, wherein the lookup engine is configured to
perform lookups in the forwarding database using header information of frames received by the network device, including performing a lookup in connection with a frame received at a first port of the network device, and determining whether a destination address in a header of the frame is included in the database;
wherein the one or more integrated circuit devices are configured to
determine that a frame priority indicator in a header of a frame received at a first port of the network device has, when the frame was received at the first port, a value flagging the frame as to be handled by the network device according to the AVB communication protocol,
when the lookup engine determines that the destination address in the header of the frame is not included in the database, prevent the frame from being transmitted by any port of the network device according to the AVB communication protocol, including either (i) dropping the frame so that the frame is not transmitted by any port of the network device, or (ii) transmitting the frame only from a first set of one or more ports of the network device according to a communication protocol that is different than the AVB communication protocol, and
when the one or more integrated circuit devices determine, based on the lookup in the database, that the frame is permitted to be transmitted by the network device according to the AVB communication protocol, transmit the frame from a second set of one or more ports of the network device according to the AVB communication protocol.

US Pat. No. 10,432,554

BANDWIDTH PROVIDING METHOD BASED ON MULTI-FLOW GROUPING

KT Corporation, Seongnam...

1. A method of managing a bandwidth, performed by a network apparatus under control of a network control apparatus in a software defined networking (SDN) environment, the method comprising: receiving a first packet flow and a second packet flow;
identifying a flow group to which the first packet flow and the second packet flow belong based on a flow group table; and
in response to the identifying that the first packet flow and the second packet flow belong to same flow group, assigning a unified bandwidth to the first packet flow and the second packet flow, thereby managing the unified bandwidth,
wherein the same flow group comprises the first packet flow and the second packet flow which are one of transmitted by different terminals of a same user and transmitted by different services of a same terminal, and
wherein the first packet flow and the second packet flow are received by the network control apparatus through different network apparatuses, and the network control apparatus requests each of the different network apparatuses to modify respective flow group tables based on information on the identified flow group.

US Pat. No. 10,432,553

SYSTEMS AND METHODS FOR TRANSPORTATION OF MULTIPLE CONSTANT BITRATE DATA STREAMS

MICROSEMI SOLUTIONS (U.S....

8. A packetizer for transparently transmitting multiple constant bitrate (CBR) data streams over a packet network with reduced delay, the packetizer comprising: a processor;
a frequency input for receiving a frequency reference signal;
a timing input for receiving a timing reference signal;
a timestamper connected to receive the timing reference signal from the timing input and generate a timestamp for each of a plurality of CBR data streams;
a clock rate comparer connected to receive the frequency reference signal from the frequency input and generate a rate indication for each of the plurality of CBR data streams;
a buffer for buffering payload data from each of the plurality of CBR data streams;
a time division multiplexing (TDM) controller connected to receive the rate indication for each CBR data stream from the clock rate comparer for that CBR data stream; and
a packet generator connected to receive payload data for each CBR data stream from the buffer for that CBR data stream, and to receive the timestamp for each CBR data stream from the timestamper for that CBR data stream, the packet generator configured to:
define a plurality of timeslots in a packet payload area, each timeslot comprising a predetermined number of consecutive bytes;
separate each CBR data stream into a plurality of CBR data segments, each CBR data segment comprising a number of bytes less than or equal to the predetermined number of consecutive bytes in each timeslot of the packet payload area;
combine the plurality of CBR data streams into a single packet flow by time division multiplexing the CBR data segments into the timeslots of the packet payload area of each packet of a sequence of packets under control of the TDM controller, such that the packet payload area of each packet contains a plurality of CBR data segments for each of the plurality of CBR data streams;
for each current packet of the sequence of packets, generate and insert control data into the packet payload area of the current packet, the control data comprising:
timeslot occupation information indicating which bytes of each timeslot of the packet payload area of the current packet contain valid data from the corresponding CBR data segment, and
redundant timeslot occupation information indicating which bytes of each timeslot of the packet payload area of a previous packet in the sequence of packets contain valid data from the corresponding CBR data segment; and
insert the timestamp from a different one of the CBR data streams and an identification of which different one of the CBR data streams the timestamp corresponds to into a packet overhead area of at least some packets of the sequence of packets, such that the sequence of packets collectively include timestamps from each of the plurality of CBR data streams.

US Pat. No. 10,432,552

JUST-ENOUGH-TIME PROVISIONING OF SERVICE FUNCTION CHAIN RESOURCES

Fujitsu Limited, Kawasak...

1. A method for provisioning a service function chain, comprising: obtaining, by a resource orchestrator in a network, a service function chain specifying:
for each of two or more service functions, a mapping of the service function to a respective physical node along a specified forwarding path; and
a first starting time at which to instantiate resources for a first service function in the service function chain on the physical node mapped to the first service function;
instantiating the resources for the first service function on the physical node mapped to the first service function at the first starting time, the first starting time being prior to arrival of a first packet in a packet flow for the service function chain at the physical node mapped to the first service function; and
subsequent to instantiating the resources for the first service function on the physical node mapped to the first service function at the first starting time, instantiating resources for a second service function in the service function chain on the physical node mapped to the second service function at a second starting time, the second starting time being prior to arrival of the first packet at the physical node mapped to the second service function.

US Pat. No. 10,432,551

NETWORK REQUEST THROTTLING

Amazon Technologies, Inc....

1. A system, comprising: at least one processor;
a memory, storing program instructions, that when executed by the at least one processor cause the at least one processor to implement a request handler;
the request handler, configured to:
for a plurality of network requests received from a source within a given time period:
direct processing of the plurality of network requests;
based, at least in part, on the processing of the plurality of network requests, calculate respective processing costs for the plurality of network requests, wherein the respective processing cost of at least one of the plurality of network requests is different than the respective processing cost for another one of the plurality of network requests;
detect an occurrence of a modification event;
in response to detection of the modification event, modify at least one of the respective processing costs based at least in part on identification of an event type of the modification event;
update a request processing balance for processing network requests in the given time period based, at least in part, on subtracting the respective processing costs, including the at least one of the respective processing costs as modified, for the plurality of network requests from the request processing balance to determine a current request processing balance;
receive another network request subsequent to the plurality of network requests from the source within the given time period; and
in response to receiving the other network request, deny the other network request based, at least in part, on a determination that the current request processing balance is one or more of zero, negative or allocated to the plurality of network requests.

US Pat. No. 10,432,550

METHOD AND DEVICE FOR COMPUTING RESOURCE SCHEDULING

ALIBABA GROUP HOLDING LIM...

1. A method for resource scheduling comprising: acquiring, by a resource scheduling device, a resource configuration quantity of a cluster, the cluster including a plurality of hosts, the plurality of hosts including a plurality of current hosts each running one or more instances, the resource configuration quantity comprising a total capacity of each host in the cluster;
acquiring, by the resource scheduling device, an actual resource utilization quantity of each host in the cluster, the actual resource utilization quantity acquired by analyzing resources actively utilized by instances executing on each host;
generating, by the resource scheduling device, a resource parameter based on the resource configuration quantity and the actual resource utilization quantity;
calculating, by the resource scheduling device, a number of predicted hosts in the cluster according to the resource parameter by predicting the resource utilization quantities of instances in a given cluster, the predicting generating maximum value of resource utilization quantities of the hosts in a prospective time period based on the corresponding actual resource utilization quantities;
comparing, by the resource scheduling device, the predicted resource utilization quantities to resource configuration quantities of the plurality of hosts;
determining, by the resource scheduling device, one or more to-be-migrated hosts and one or more target hosts from the current hosts in the cluster when a number of current hosts in the cluster is greater than the number of predicted hosts; and
migrating, by the resource scheduling device, an instance of the one or more instances running on a to-be-migrated host of the one or more to-be-migrated hosts to a target host of the one or more target hosts when the number of current hosts is greater than the number of predicted hosts.

US Pat. No. 10,432,549

METHOD AND SYSTEM FOR SCOPE-SENSITIVE LOADING OF SOFTWARE RESOURCES

EMC IP Holding Company LL...

1. A method for scope-sensitive loading of software resources in web applications, comprising: obtaining, from a web browser, a request for a web application;
obtaining a scope of the requested web application,
wherein the scope determines required web application functionalities and wherein the scope comprises at least one selected from a group consisting of a software as a service (SaaS) tenant name, a SaaS subscription name and a SaaS subscription plan;
based on the scope, generating a list of required software resources that implement the required web application functionalities, wherein generating the list of required software resources comprises:
identifying, for at least one required web application functionality, in a hierarchically structured web application organization scheme, prerequisite functionalities;
for at least one identified prerequisite functionality, naming, in the list of required software resources, the software resources associated with the prerequisite functionality; and
for at least one required web application functionality, naming, in the list of required software resources, the software resources associated with the required web application functionality;
collecting the required software resources, based on the list of required software resources;
providing the collected required software resources to the web browser;
receiving, after providing the collected required software resources to the web browser, a request for a missing software resource from the web browser; and
providing the missing software resource to the web browser.

US Pat. No. 10,432,548

WORKLOAD DEPLOYMENT IN COMPUTING NETWORKS

Hewlett Packard Enterpris...

1. A computing system comprising: a hardware processor;
a communication engine communicatively coupled to the processor to receive a workload deployment request for deployment of a workload on a plurality of resources of a computing network, wherein the workload deployment request includes deployment details related to the workload; and
a deployment engine communicatively coupled to the processor to:
determine an unavailability of interoperable resources for deployment of the workload based on interoperability information associated with each resource of the plurality of resources;
identify a plurality of resource sets from the plurality of resources for deployment of the workload, wherein deploying the workload on the plurality of resource sets comprises changing a configuration of a resource included within the plurality of resource sets;
rate the plurality of resource sets based on deployment parameters, wherein the deployment parameters include:
an amount of failed and successful attempts of upgrades and downgrades; and
a time of a most recent successful upgrade attempt and a time of a less recent successful upgrade, wherein the resource set having the less recent time of the successful upgrade is rated higher than the time of the most recent successful upgrade;
determine an amount of existing workloads to be migrated from a first set of resources to a second set of resources to accommodate the deployment request of the workload; and
select the first set of resources from amongst the plurality of resource sets for deployment of the workload based on the rating of the plurality of resource sets.

US Pat. No. 10,432,547

VERIFYING FUNCTIONALITY RESTRICTIONS OF COMPUTING DEVICES

Hewlett-Packard Developme...

1. A method comprising: receiving, by a first computing device, a verification code, wherein the verification code is a phrase or a number of random alphanumeric characters received by the first computing device;
determining, by the first computing device, whether a configuration file received from a second computing device has been executed;
determining, by the first computing device, a status of a configuration mode of the first computing device based on whether the configuration file has been executed to restrict at least one functionality of the first computing device;
generating, by the first computing device in response to the configuration file having been executed, a checksum from the verification code and the executed configuration file to generate a notification message;
generating, by the first computing device, a unique pattern from the checksum, wherein generating the unique pattern includes lighting light emitting diodes (LEDs) on the first computing device according to corresponding bits of the checksum included in the notification message; and
providing, by the first computing device, the unique pattern to a proctor for indicating that the at least one functionality of the first computing device is restricted.

US Pat. No. 10,432,546

SYSTEM, METHOD, AND RECORDING MEDIUM FOR QUEUE MANAGEMENT IN A FORWARDER

INTERNATIONAL BUSINESS MA...

1. A queue management system, comprising: a processor; and
a memory, the memory storing instructions to cause the processor to execute:
dropping a packet in a forward flow queue from a perspective sent from a forwarder to a receiver if the packet in the forward flow queue includes an acknowledged packet in the reverse flow queue from a perspective sent from a receiver back to the forwarder and returning allocated memory for the dropped packet to the system;
prioritizing a first packet to be sent to the forwarder from the sender if the reverse flow queue from the receiver to the forwarder is determined not to include the first packet; and
examining metadata and TCP options of both of the packet and the acknowledged packet,
wherein the dropping drops the packet in the forward flow queue from the perspective sent from the forwarder to the receiver if the metadata of the packet does not match the metadata of the acknowledged packet.

US Pat. No. 10,432,545

APPARATUS, SYSTEM, AND METHOD FOR TIMELY DETECTION OF INCREASES IN THE MAXIMUM TRANSMISSION UNIT OF PATHS WITHIN NETWORKS

Juniper Networks, Inc., ...

1. An apparatus comprising:
at least one communication port that facilitates communication between a source computing device and a destination computing device via a path within a network; and
a processing unit communicatively coupled to the communication port, wherein the processing unit:
monitors the network for any changes to the path that potentially affect a maximum transmission unit of the path by:
engaging a traceroute tool to initiate transmission of packets that trace the path and return information that identifies each hop included in the path; and
creating a record that identifies each hop included in the path at a specific point in time;
detects, while monitoring the network, a change to at least one hop included in the path by:
transmitting, by way of the traceroute tool, a packet that makes a round trip from the source computing device to the destination computing device via the path and then back to the source computing device;
identifying, within a header of the packet that made the round trip, each hop included in the path; and
determining, by comparing at least one hop listed in the packet with the record, that the path has changed since the specific point in time; and
in response to detecting the change to the hop, initiating a maximum transmission unit discovery process by:
identifying a packet size that corresponds to the maximum transmission unit of the path; and
testing the path for an increase in the maximum transmission unit of the path by transmitting a test packet whose size is larger than the packet size that corresponds to the maximum transmission unit of the path.

US Pat. No. 10,432,544

ENHANCED SEQUENCE NUMBER UPDATING OF ROUTES ASSOCIATED WITH MIGRATING VIRTUAL MACHINES

Cisco Technology, Inc., ...

1. A method comprising:
at a networking device running an overlay network:
detecting that a virtual endpoint has migrated on the overlay network from a first computing device connected to the overlay network to a second computing device connected to the overlay network;
determining a modified Layer 2/Layer 3 route for the virtual endpoint at the second computing device, wherein in the modified Layer 2/Layer 3 route for the virtual endpoint at the second computing device, a Layer 2 route of the virtual endpoint at the second computing device is the same as a Layer 2 route of the virtual endpoint at the first computing device;
determining a sequence number for a parent Layer 2 route for the modified Layer 2/Layer 3 route, wherein the parent Layer 2 route is the Layer 2 route in the modified Layer 2/Layer 3 route;
determining a sequence number for association with the modified Layer 2/Layer 3 route based on the sequence number for the parent Layer 2 route; and
advertising the modified Layer 2/Layer 3 route and the sequence number for association with the modified Layer 2/Layer 3 route to other networking devices running the overlay network.

US Pat. No. 10,432,543

DUAL JITTER BUFFERS

Microsoft Technology Lice...

1. A system comprising:
a memory;
a processor;
a network interface configured to receive data packets via a network connection, wherein the data packets are from a communication session having multiple participants;
a media control unit to identify each of the multiple participants as active participants or as passive participants;
a first set of jitter buffers, communicably coupled to the network interface, and each assigned to one of the active participants,
wherein the first set of jitter buffers each have a first size and receives information associated with the data packets;
a second set of jitter buffers, communicably coupled to the network interface, and each assigned to one of the passive participants,
wherein the second set of jitter buffers each have a second size that is larger than the first size of the first set of jitter buffers; and
wherein the second set of jitter buffers receives the information associated with the data packets; and
a decoder to decode data packets from the first set of jitter buffers to create a first output signal which is routed to the active participants and to decode data packets from the second set of jitter buffers to create a second output signal which is routed to the passive participants.

US Pat. No. 10,432,542

TELECOMMUNICATION NETWORK CONFIGURED TO CONTROL NETWORK COMMUNICATION ROUTES

VODAFONE IP LICENSING LIM...

10. A method for determining a network path of a communication, the method being implemented by a platform control unit of a mobile telecommunications network that includes a core and a Radio Access Network (RAN) both comprising a Node B and a Radio Network Controller (RNC) and having radio means for wireless communication with mobile terminals registered with the network, the platform control unit being located at either the Node B or the RNC, the method comprising:
via the platform control unit:
host a plurality of applications at an application layer of the platform control unit;
provide network traffic services for a subset of user traffic of the mobile telecommunications network, the subset of user traffic being determined based on at least one of a user traffic type and a mobile terminal associated with user traffic, wherein the network traffic services are configured to cause the subset of user traffic to be routed from the RAN to at least one of the plurality of hosted applications and from the at least one of the plurality of hosted applications back to the RAN;
operate a broker mechanism that controls distribution of data between at least some of the plurality of applications, wherein distributing the data is based on (1) a determined topic associated with the data and (2) an identified subscription that each of the at least some of the plurality of applications has with the broker mechanism; and
expose operational information about the RAN to the plurality of applications, wherein the operational information is collected over a reporting period that is set based on a determined intended use of the operational information by the plurality of applications.

US Pat. No. 10,432,541

SOURCE PRIORITIZED USEFUL SUB-PAYLOAD COMPUTER DATA TRANSMISSIONS

Microsoft Technology Lice...

1. A source computer system comprising:
at least one processor; and
memory comprising instructions stored thereon that when executed by at least one processor cause at least one processor to perform acts comprising:
receiving a computer-readable request at the source computer system to transmit an overall payload comprising feedback data from the source computer system to a remote destination computer system, with the feedback data providing information about an experience in the source computer system;
in response to the request, defining via the source computer system, a plurality of sub-payloads in the overall payload, with each of the defined sub-payloads being a computer-usable payload that includes feedback data regarding the experience and that is configured to be used to determine information about the experience in the source computer system without one or more other sub-payloads in the overall payload, with the plurality of sub-payloads comprising a first sub-payload and a second sub-payload, and with the first sub-payload comprising a first type of feedback data and the second sub-payload comprising a second type of feedback data that is different from the first type of feedback data;
in response to the request, prioritizing via the source computer system, the sub-payloads relative to each other to produce a computer-readable sub-payload priority order of transmitting the sub-payloads from the source computer system to the destination computer system, with the prioritizing using a set of computer-readable rules that dictate different priorities for different sets of data in the sub-payloads based on one or more factors comprising one or both of sub-payload size and sub-payload importance;
transmitting one or more of the sub-payloads from the source computer system to the destination computer system separately from each other in the sub-payload priority order, wherein the one or more transmitted sub-payloads comprise multiple sub-payloads that are each different sizes, and wherein the rules favor sending smaller sub-payloads earlier than larger sub-payloads;
generating data associating the one or more transmitted sub-payloads with the overall payload; and
transmitting to the destination computer system the data associating the one or more transmitted sub-payloads with the overall payload.

US Pat. No. 10,432,540

DETERMINING QUALITY INFORMATION FOR A ROUTE

Comcast Cable Communicati...

1. A method, comprising:
receiving, by a sending device and from a requesting device, a request for content;
sending, by the sending device, via a plurality of routing devices associated with a route, and based on the request, a packet to the requesting device, wherein the packet comprises an indication to each of the plurality of routing devices to respectively send information indicating their bandwidth;
receiving, by the sending device, from a first routing device of the plurality of routing devices, and based on the indication, first information indicating a first bandwidth of the first routing device;
receiving, by the sending device, from a second routing device of the plurality of routing devices, and based on the indication, second information indicating a second bandwidth of the second routing device; and
causing, by the sending device and based on the received first information and the received second information, sending of the content to the requesting device.

US Pat. No. 10,432,539

NETWORK TRAFFIC DATA SUMMARIZATION

MICRO FOCUS LLC, Santa C...

1. An apparatus comprising:
a processor;
a memory on which is stored machine readable instructions executable by the processor to:
access network traffic data pertaining to data flows among nodes in a network;
partition the network traffic data into a plurality of windows;
for each of the plurality of windows, aggregate data flows between pairs of nodes;
compute a data distribution of each of the aggregated data flows;
select a summary structure for each of the aggregated data flows based on the computed data distributions of the aggregated data flows;
generate a summary of each of the aggregated data flows using the selected summary structures for the aggregated data flows;
store the generated summaries;
classify queries applied to a summary of an aggregated data flow; and
select a new summary structure for the aggregated data flow based on the classified queries.

US Pat. No. 10,432,538

LINK STATE DETERMINATION METHOD, APPARATUS AND COMPUTER STORAGE MEDIUM

Sanechips Technology Co.,...

9. An apparatus for determining a state of a link in a switching network, the apparatus comprising: one or more processors executing computer readable instructions for a resetting codeword window detection module, a leaky bucket value determination module and a link state determination module, wherein
the resetting codeword window detection module is arranged to determine a number of customized resetting codewords of a received data stream within a set time window;
the leaky bucket value determination module is arranged to determine a leaky bucket value of the link in real time according to a situation that each of cells corresponding to the received data stream is received correctly or incorrectly; and
the link state determination module is arranged to determine the state of the link according to the determined number of the customized resetting codewords and the determined leaky bucket value;
wherein when determining the leaky bucket value of the link in real time according to the situation that each of cells corresponding to the received data stream is received correctly or incorrectly, the leaky bucket value determination module is further arranged to:
when a number of cells which are received continuously and correctly is equal to a number of cells corresponding to a set decrease rate of the leaky bucket value, decrease the leaky bucket value of the link by a first value;
when a number of cells which are received continuously and incorrectly is equal to a number of cells corresponding to a set increase rate of the leaky bucket value, increase the leaky bucket value of the link by a second value; and
when a receiving situation indicator about each of the cells is not received within a set period of time, initiate a timer, and after the timer expires, increase the leaky bucket value of the link by a third value.

US Pat. No. 10,432,537

SERVICE FUNCTION CHAINING BASED ON RESOURCE AVAILABILITY IN THE TIME DIMENSION

Fujitsu Limited, Kawasak...

1. A method for identifying a qualified service function chaining solution in a network, comprising:
receiving, at a resource orchestrator, a service function chain request specifying two or more service functions to be performed on respective physical nodes in the network and a first starting time at which to launch a first one of the two or more service functions specified in the service function chain request, each physical node in the network being represented as a vertex in a resource orchestration framework;
determining a first ending time for performance of the first service function that together with the first starting time defines a first time duration for performance of the first service function;
identifying one or more vertices in the resource orchestration framework at which the first service function is available during the first time duration;
mapping a first one of the identified vertices to the first service function in a candidate service function chain;
determining a second starting time at which to launch a second one of the two or more service functions dependent on the first starting time; and
providing the candidate service function chain, the first starting time, and the second starting time to a first neighbor vertex of the first one of the identified vertices.