US Pat. No. 10,771,547

ONLINE MATCHMAKING FOR P2P TOPOLOGIES

Sony Interactive Entertai...

1. A method for improved peer to peer matchmaking, the method comprising:
a) obtaining network information from a plurality of devices;
b) selecting a plurality of users to form peer to peer connections via a corresponding plurality of devices to create a set of potential matches;
c) retrieving device connection statistics for each pair of devices in the set of potential matches;
d) comparing device connection statistics to one or more threshold values;
e) removing from the set of potential matches, users with devices that have at least one connection statistic that does not satisfy a threshold condition for that connection statistic as determined from said comparing the device connection statistics to the one or more threshold values;
f) selecting replacement devices for the devices removed in step e) wherein the replacement devices were not part of the set of potential matches;
g) initiating peer to peer connections among selected peers in a resulting refined set of matched peers.

US Pat. No. 10,771,546

MANAGING GROUPS OF USERS IN AN APPLICATION CLIENT

MZ IP Holdings, LLC, Pal...

1. A method, comprising:
identifying a first group of users of an online system, wherein the online system allows users to interact with one another;
grouping the first group of users into a first isolation group;
identifying a second group of users of the online system, wherein the second group of users is separate from the first group of users; and
by a computer processing device, grouping the second group of users into a second isolation group, wherein:
the first isolation group and the second isolation group comprise logical boundaries that restrict interaction within the online system between users in the first isolation group and users in the second isolation group; and
the first isolation group and the second isolation group are hosted on the same server.

US Pat. No. 10,771,545

KEYCHAIN SYNCING

Apple Inc., Cupertino, C...

1. A method comprising:
receiving, at a first peer device, a modification to a keychain stored on the first peer device in a group of peer devices, each peer device having been registered into the group through a user account;
for each respective other peer device in the group of peer devices, determining, by the first peer device, whether the keychain of the first peer device matches a respective other keychain on the respective other peer device;
generating, by the first peer device, a respective update request for each respective other peer device in the group of peer devices for which the respective other keychain does not match the keychain of the first peer device, the respective update request indicating one or more modifications to be made to the respective other keychain;
encrypting, by the first peer device and for each respective other peer device for which the respective update request was generated and using a respective encryption key that specifically corresponds to, and was received from, the respective other peer device, the respective update request; and
transmitting, by the first peer device and to each respective other peer device through a network, the respective encrypted update request for each respective other peer device.

US Pat. No. 10,771,544

ONLINE FASHION COMMUNITY SYSTEM AND METHOD

BLOOMPAPERS SL, Bilbao (...

1. A system, comprising:
a computing device including a processor and a memory coupled to the processor, the memory storing software instructions executable on the processor, wherein the software instructions are configured to cause the computing device, when executed, to interact with a database coupled to the computing device and having stored therein data comprising plural fashion images, each fashion image including plural fashion items shown together, the fashion items shown together defining an ensemble;
a computer network site implemented on the computing device and arranged to provide interactive access over a worldwide computer network to the plural fashion images;
wherein the software instructions are further configured to cause the computing device, when executed, to—
for each fashion image, process the stored data to associate each of the fashion items that appears in the image to at least one element of fashion information;
select a subset of the ensembles in the database based on at least one user input selection criterion, wherein the selection criterion comprises one or more elements of fashion information, and the subset is selected to include ensembles that include a first fashion item associated in the database with the selection criterion;
identify a second fashion item in the database so that the first and second fashion items together define a pair of fashion items;
for the pair of fashion items, calculate a first degree of correlation as a percentage or ratio of the number of ensembles with the first fashion item that also include the second fashion item, divided by the total number of ensembles with the first fashion item; and calculate a second degree of correlation as a percentage or ratio of the number of ensembles with the second fashion item that also include the first fashion item, divided by the total number of ensembles with the second fashion item; and
provide over the worldwide computer network a display that indicates at least some of the pairs of fashion items and the corresponding degrees of correlation for each of the indicated pairs.

US Pat. No. 10,771,543

SERVICE PROCESSOR FOR CONFIGURING SERVERS JOINING PEER TO PEER NETWORK

Lenovo (Singapore) Pte. L...

1. An apparatus, comprising:
a processor; and
storage accessible to the processor and bearing instructions executable by the processor to:
determine that a new computer system is present that has not had settings other than at most default settings applied to a basic input output system (BIOS) executable by the new computer system to boot the new computer system;
based at least in part on a determination that the new computer system one or more of is the same model of computer as the apparatus, has the same BIOS version as the apparatus, and has the same baseboard management controller (BMC) version as the apparatus, facilitate at least first settings to be provisioned to the new computer system to establish the first settings in the new computer system at least in part based on:
encapsulation of the first settings in an extensible markup language (XML) document;
omission of at least a second setting from the XML document, the omission being made based at least in part on a determination that the new computer system one or more of is not the same model of computer as the apparatus, does not have the same BIOS version as the apparatus, and does not have the same baseboard management controller (BMC) version as the apparatus; and
transmission of the XML document to the new computer system.

US Pat. No. 10,771,542

NETWORK MAPPING IN CONTENT DELIVERY NETWORK

Level 3 Communications, L...

1. A computer-implemented method in a content delivery network (CDN), wherein said CDN comprises a plurality of delivery servers, and wherein said CDN delivers content on behalf of at least one content provider, the computer-implemented method comprising:
determining, by a particular CDN name server of one or more CDN name servers, an estimated popularity of the particular CDN name server for a particular resolver;
determining, based on the estimated popularity, network data with respect to the particular CDN name server relative to the particular resolver;
determining network map data using at least the network data from the particular CDN name server;
in response to a client request, at least one CDN name server of the one or more CDN name servers determining at least one delivery server of the plurality of delivery servers to process said client request, wherein said determining uses said network map data; and
providing said client with information about said at least one delivery server to process said client request.

US Pat. No. 10,771,541

AUTOMATED MANAGEMENT OF CONTENT SERVERS BASED ON CHANGE IN DEMAND

Level 3 Communications, L...

1. A method comprising:
using a computer to detect a change in demand for server resources across a first load-bearing system having content servers hosting content;
in response to the change in demand, determining, from the content servers hosting the content, two or more content servers having a lowest priority level from a set of priority levels;
in response to determining that two or more content servers have the lowest priority level, determining, from the two or more content servers, a first content server having a least number of active sessions and selecting, from the two or more content servers, the first content server;
stopping client requests from being directed to the first content server based on determining the first content server having the least number of active sessions;
based on determining the first content server having the least number of active sessions, determining to wait until existing active sessions have been terminated on the first content server before removing the first content server from the first load-bearing system;
storing an entry in a table, wherein the entry is associated with the hosted content, and wherein the entry indicates a priority level, a minimum threshold of content servers, and a maximum threshold of content servers;
removing the first content server from the first load-bearing system, in response to a total number of content servers on the first load-bearing system being greater than the minimum threshold of content servers associated with the hosted content;
adding the removed first content server to a second load-bearing system having one or more other content servers hosting separate content, in response to a number of the one or more other content servers on the second load-bearing system being less than the maximum threshold of content servers associated with the separate hosted content, the second load-bearing system connected to the first load-bearing system via a network connection;
causing the separate hosted content to be stored on the removed first content server;
causing client requests for the separate hosted content to be directed to at least the removed first content server on the second load-bearing system;
receiving a first content file on a second content server, wherein the second content server is at an idle state, wherein the idle state corresponds to a lowest priority level, and wherein the first content file is at a highest priority level; and
setting a priority of the second content server to the highest priority level based on the first content file.

US Pat. No. 10,771,540

ANYCAST ROUTING TECHNIQUES IN A NETWORK

Level 3 Communications, L...

1. A method for servicing requests for content in a content delivery network (CDN), the method comprising:
receiving, from a requesting device, a request for an Internet Protocol (IP) address for a content servicing device in the CDN;
obtaining an approximate geographic location of the requesting device based at least on the request for the IP address;
selecting a geographic-specific anycast IP address based at least on the approximate geographic location of the requesting device, the geographic-specific anycast IP address selected from a plurality of anycast IP addresses utilized in the CDN;
transmitting the geographic-specific anycast IP address to the requesting device, wherein the geographic-specific anycast IP address is associated with a first content servicing device; and
determining that the approximate geographic location of the requesting device is different from a geographic region of an end user device based on the end user device utilizing the geographic-specific anycast IP address.

US Pat. No. 10,771,539

SYSTEMS AND METHODS FOR CROSS-CLUSTER SERVICE PROVISION

Amadeus S.A.S., Sophia A...

1. A system for cross-cluster service provision, comprising:
a first computing cluster, including:
service-providing nodes, and
a first controller that collects status information concerning the service-providing nodes, the status information indicating at least one service-providing node endpoint; and
a second computing cluster comprising,
service-consuming nodes,
a service that receives requests for the service from the service-consuming nodes and distributes the requests among a set of specified endpoints, and
a second controller that performs health checks on the specified endpoints, retrieves the status information from the first controller, and updates the set of specified endpoints based on the status information;
wherein updating the set of specified endpoints includes at least one of adding another endpoint to the set of specified endpoints and removing an existing endpoint from the set of specified endpoints.

US Pat. No. 10,771,538

AUTOMATED ETL RESOURCE PROVISIONER

International Business Ma...

1. A method for provisioning of cloud resources for ETL job execution, comprising:
in response to a structured English query language (SQL) command input for performance against a relational database, generating an access path by an optimizer that identifies an overall cost to cloud resources that are specified as available to execute the SQL command against the relational database, wherein the access path comprises a plurality of operator steps that are performed to carry out the SQL command and each of the operator steps indicate, as a function of the specified available cloud resources, an associated database operator command, a step cost and a step function statistic, and wherein each step cost is determined as a combination of amounts of instructions, seeks and page transfers generated by a central processing unit in executing the associated database operator command;
in response to determining that the overall cost exceeds an upper threshold cost value for execution of the SQL command input, identifying a first operator step of the operator steps that has a step cost that meets a condition that is selected from the group consisting of: having a value that is above an expected threshold for the associated database operator command of the first operator step, and having a value that is more than a specified percentage above the step costs of others of the operator steps;
adjusting an attribute of a first cloud resource of the cloud resources that is associated with the first operator step that has the higher than expected step cost;
generating a revised access path by the optimizer in response to the SQL command input which reduces the step cost of the first operator step and reduces the overall cost in the revised access path, wherein the step cost of the first operator step comprises a function of the cloud resources that are specified as available using the adjusted attribute to execute the SQL command against the relational database; and
wherein the steps of the method are performed by a configured computer processor.

US Pat. No. 10,771,537

TECHNOLOGIES FOR SCRAMBLING IN LOAD BALANCERS

Intel Corporation, Santa...

1. A network device comprising:
communication circuitry; and
a compute engine in communication with the communication circuitry, wherein the compute engine is to:
generate a plurality of data sets each having a value that has a sequential relationship with a value of a hash profile;
determine, with a load balancing function, a distribution for the plurality of data sets to each of a plurality of bins, each bin mapped to one of a plurality of destinations;
determine, as a function of the distribution, an unfairness score indicative of the distribution being unequal among each of the destinations; and
enable, in response to a determination that the unfairness score exceeds a specified threshold, a scrambling function to be performed during configuration of the plurality of bins with the destinations, the scrambling function comprising a bit-swapping technique to remap each of the plurality of destinations into the plurality of bins.

US Pat. No. 10,771,535

METHOD, APPARATUS, AND SYSTEM FOR EXECUTING DISTRIBUTED TRANSACTION RESOURCES

HUAWEI TECHNOLOGIES CO., ...

1. A method for executing distributed transaction resources for a machine to machine communications (M2M) system, the method comprising:
receiving, by a first managed object device of the M2M system, a first transaction resource creation request sent by an application server of the M2M system for a first transaction, wherein the first transaction resource creation request comprises an identifier of a first to-be-operated resource, a first execution time, and a first to-be-executed operation;
receiving, by a second managed object device of the M2M system different from the first managed object device, a second transaction resource creation request sent by the application server for the first transaction, wherein the second transaction resource creation request comprises an identifier of a second to-be-operated resource, a second execution time, and a second to-be-executed operation; and
sending, by the first managed object device, a response indicative of successful creation of a first transaction resource of the first transaction to the application server, and sending, by the second managed object device, a response indicative of successful creation of a second transaction resource of the first transaction to the application server, wherein the first transaction resource comprises the first execution time and the first to-be-executed operation, and the second transaction resource comprises the second execution time and the second to-be-executed operation.

US Pat. No. 10,771,534

POST DATA SYNCHRONIZATION FOR DOMAIN MIGRATION

Amazon Technologies, Inc....

1. A system, comprising:
a target host device, comprising one or more processors and local persistent storage, configured to implement one or more virtual machines (VMs), wherein the local persistent storage of the target host device is allocated to the one or more VMs, wherein the target host device is part of a provider network that comprises a plurality of host devices, including a source host device, each host device implementing one or more VMs in an execution environment of the respective host device;
wherein the one or more VMs on the target host device comprises a migrating VM, wherein the migrating VM is being migrated from the source host device; and
wherein the target host device is configured to:
obtain a read request directed to the migrating VM on the target host device;
attempt to retrieve data associated with the read request from the local persistent storage of the target host device;
determine that at least a portion of the data associated with the read request does not reside in the local persistent storage of the target host device;
communicate with the source host device to retrieve at least the portion of the data associated with the read request from the local persistent storage of the source host device; and
respond to the read request using at least the data portion from the local persistent storage of the source host device.

US Pat. No. 10,771,533

ADAPTIVE COMMUNICATION CONTROL DEVICE

International Business Ma...

1. A computer-implemented method for controlling data transfers within a group of networked devices, comprising executing on a computer processor the steps of:
integrating computer-readable program code into a computer system comprising a processor, a computer readable memory in circuit communication with the processor, and a computer readable storage medium in circuit communication with the processor; and
the processor executing program code instructions stored on the computer-readable storage medium via the computer readable memory and thereby:
in response to receiving a request to transfer a data item to each of a plurality of devices that are interconnected on a network, selecting one of the devices and assigning a power value to the selected device that is indicative of a quality of a power supply to the device;
assigning a connection value to the selected device that is indicative of a quality of network connections available to the selected device to communicate with others of the devices;
incrementing a master state value of the selected device in response to determining that a request of a same type of data of the received request was processed by the selected device;
setting a one of the devices that has a highest combination value generated from respective ones of the assigned master state value, power values and connection values as a master device to receive the request to transfer the data item and to transfer the data item to each of other ones of the devices that are not set as the master device as client devices to the master device; and
designating the other ones of the devices that are not set as the master device as client devices of the master device with respect to transfer of the data item, wherein the client device designations prevent a transfer of the data item to the client devices from any other device that is not the master device.

US Pat. No. 10,771,532

INTELLIGENT ELECTRONIC DEVICES, SYSTEMS AND METHODS FOR COMMUNICATING MESSAGES OVER A NETWORK

1. An intelligent electronic device (IED) comprising:
at least one sensor coupled to an electrical power distribution system, the at least one sensor configured to measure at least one parameter of the electrical power distribution system and generate at least one analog signal indicative of the at least one parameter;
at least one analog-to-digital converter configured to receive the at least one analog signal and convert the at least one analog signal to at least one digital signal; and
at least one processor configured to receive the at least one digital signal and calculate at least one power parameter of the electrical power distribution system, the at least one processor including:
an event handler that determines at least one event has occurred in the IED and/or in relation to parameters of the electrical power distribution system;
an event classifier that extracts parameters from each of the at least one event and compares the extracted parameters for each event to at least one user programmable setting to classify each event as a first type of event or a second type of event;
an email formatter that formats each classified event into a message in accordance with at least one user programmable setting based on the classification, wherein, based on the at least one user programmable setting, at least one user selectable value is retrieved, formatted, and added to the message by the email formatter; and
an email client that checks for messages formatted from a first type of event according to a first predetermined interval and emails the first type of event messages, the email client checks for messages formatted from a second type of event according to a second predetermined interval, groups the second type of event messages occurring within the second predetermined interval, and emails the grouped messages in a single email, wherein the first predetermined interval is shorter than the second predetermined interval.

US Pat. No. 10,771,531

INTELLIGENT WALKER AGENTS IN A NETWORK

Cisco Technology, Inc., ...

1. A method comprising:
receiving, at a device in a network, a path computation agent configured to determine a path in the network that satisfies an objective function, wherein the path computation agent is a walker agent, wherein the device receives the path computation agent from another device in the network that cannot execute a computation that updates state information;
executing, by the device, the path computation agent to update the state information regarding the network maintained by the path computation agent;
selecting, by the device, a neighbor of the device in the network to execute the path computation agent based on the updated state information regarding the network;
instructing, by the device, the selected neighbor to execute the path computation agent with the updated state information regarding the network; and
unloading, by the device, the path computation agent from the device after selecting the neighbor of the device to execute the path computation agent.

US Pat. No. 10,771,530

TRANSPORT PATH-AWARE QUALITY OF SERVICE FOR MOBILE COMMUNICATIONS

VIASAT, INC., Carlsbad, C...

1. A method for managing streaming media service to a plurality of user devices disposed within a plurality of transport craft traveling through a multi-carrier communications system, the method comprising:
determining that a user device is presently consuming a first media content portion in transit aboard a transport craft traveling along a craft transport path through a multi-carrier communications system;
associating the craft transport path as a device transport path for the user device responsive to the determining;
computing a congestion map to indicate congestion conditions for a plurality of carriers of the multi-carrier communications system along the device transport path, the congestion map indicating a first carrier as uncongested with respect to servicing the user device during a first service timeframe, and the congestion map indicating a second carrier as congested with respect to servicing the user device during a second service timeframe subsequent to the first service timeframe;
identifying a second media content portion predicted to be consumed by the user device during the second service timeframe in accordance with the user device presently consuming the first media content portion; and
scheduling transmission of at least some of the second media content portion to the user device during the first service timeframe via the first carrier for storage local to the user device responsive to the identifying.

US Pat. No. 10,771,529

ARTIFICIAL INTELLIGENCE COMMUNICATION ASSISTANCE FOR AUGMENTING A TRANSMITTED COMMUNICATION

Grammarly, Inc., San Fra...

1. A method of electronic communication assistance, the method comprising:
intercepting an electronic communication at an artificial intelligence assistant computing facility, wherein the electronic communication was transmitted from a first electronic identifier associated with a first user to a second electronic identifier associated with a second user, the electronic communication comprising a communication content and comprising or associated with the first electronic identifier associated with the first user;
encoding the electronic communication for processing creating an encoded electronic communication;
retrieving from a communication profile database a second communication profile for the second user using the second electronic identifier, wherein the second communication profile comprises a second user communication attribute that identifies a receiving communication preference;
processing the encoded electronic communication with a processor to generate a modified electronic communication that is a modified version of the electronic communication, wherein the processor uses the second user communication attribute to process the encoded electronic communication, wherein the processor generates the modified electronic communication by summarizing language from the electronic communication based at least in part on the second user communication attribute; and
transmitting the modified electronic communication to the second electronic identifier.

US Pat. No. 10,771,528

COMMON DISTRIBUTION OF AUDIO AND POWER SIGNALS

OneView Controls, Inc., ...

1. A network-powered speaker unit (“NSU”), comprising:
a power management subsystem, including at least a control signal input to dynamically set an output voltage level;
a digital processing subsystem including at least a control signal output to the power management subsystem, the control signal output value being derived from the measured power envelope of a digital audio signal;
a network interface coupled to the power management subsystem and coupled to a data pass-through to the digital processing subsystem, the power management subsystem configured to draw electrical energy from a network cable connected to the network interface, and the digital processing subsystem configured to receive a digital audio stream transmission via the network interface and the data pass-through to pass the digital audio stream to the digital processing subsystem; and
an amplifier powered by electrical energy with a dynamically set output voltage level from the power management subsystem and configured to use the electrical energy to amplify the digital audio signal driving one or more audio transducers to produce audio.

US Pat. No. 10,771,527

CACHING AND STREAMING OF DIGITAL MEDIA CONTENT SUBSETS

Fastly, Inc., San Franci...

1. A method comprising:
providing a digital media caching environment using a cache node, including:
receiving a request from an end user device for a selected portion of digital media content in a first format;
responsive to the request from the end user, identifying an origin server acting as a persistent storage location for an original media file comprising the selected portion of digital media content;
retrieving a header corresponding to the original media file, the header comprising metadata for the original media file;
identifying an origin format of the original media file at least from the header;
processing the header to identify a byte range of the digital media content corresponding to the selected portion;
retrieving the selected portion from the origin server using the byte range;
responsive to the request from the end user, transmuxing the selected portion of the digital media content from the origin format into the first format and providing the selected portion to the end user device in the first format;
storing the selected portion in the first format to a cache memory of the cache node;
receiving a subsequent request for the selected portion in a second format;
transmuxing a copy of the selected portion from the cache memory from the first format to the second format and providing the content in the second format in response to the subsequent request; and
storing the selected portion in the second format to the cache memory.

US Pat. No. 10,771,526

METHOD FOR DELIVERING MUSIC CONTENT TO A SMART PHONE

1974 Productions, Inc., ...

1. A method of distributing media content using mobile communication devices, comprising:
providing digital media access cards, the digital media access cards promoting selected media content and containing enciphered information;
allowing a user of a mobile communication device to be granted access to a digital media access card;
generating an identification number, the identification number associated with the selected media content;
deciphering the enciphered information to create deciphered information, the deciphered information allowing the user to access a web server associated with the digital media access cards with the user's mobile communication device and download application software enabling the user to access the selected media content with the user's mobile communication device, the deciphered information further including machine-readable code corresponding to the identification number, whereby the application software facilitates reading the machine readable code with the mobile communication device and transmitting the code to the web server with the mobile communication device;
receiving the identification number with the web server and using the identification number to locate a table value in a database wherein identification numbers from a plurality of media access cards are each associated with a table value corresponding to media content associated with the access cards; and
using the table value to identify a media code associated with the selected media content in a content server whereupon the media code is transmitted to the mobile communications device whereby the mobile communication device may transmit the media code to the content server, the content server transmitting the selected media content to the mobile communication device upon receiving the media code from the mobile communication device,
wherein the machine readable code corresponding to the identification number is embedded in a larger field of machine readable code, the card including an indicia recognizable by the application software, the indicia indicating the location of the machine readable code corresponding to the identification code within the larger field of machine readable code.

US Pat. No. 10,771,525

SYSTEM AND METHOD OF DISCOVERY AND LAUNCH ASSOCIATED WITH A NETWORKED MEDIA DEVICE

FREE STREAM MEDIA CORP., ...

1. A method comprising:
accessing a multicast capability of an operating system of a client device associated with a user through an application residing on the client device;
discovering, through the client device, at least one other data processing device in an active state of reception of data from the client device through a shared computer network based on the multicast capability accessed in the client device in accordance with wirelessly broadcasting, through the client device, a multicast message to the at least one other data processing device, the at least one other data processing device being communicatively coupled to the client device through the shared computer network;
determining, through the client device, that an application residing on the at least one other data processing device discovered to be in the active state of reception of the data from the client device through the shared computer network is similar to the application residing on the client device based on the wirelessly broadcast multicast message to the at least one other data processing device; and
enabling, through the client device, access to an identifier of the application residing on the at least one other data processing device determined to be similar to the application residing on the client device.

US Pat. No. 10,771,524

METHODS AND SYSTEMS FOR A DECENTRALIZED DATA STREAMING AND DELIVERY NETWORK

Theta Labs, Inc., San Jo...

1. A computer-implemented method utilized by a tracker server for distributing a data file within a decentralized data delivery network, comprising:
receiving a client statistic from a first cacher peer node, wherein the client statistic comprises a first location of the first cacher peer node and a performance specification of the first cacher peer node, and wherein the decentralized data delivery network implements a hybrid architecture comprising one or more peer-to-peer (P2P) connections layered over a content delivery network (CDN) having at least one CDN server providing a first plurality of fragments of the data file to the first cacher peer node;
sending a caching instruction to the first cacher peer node to download a subset of the first plurality of fragments of the data file from the CDN server, wherein the caching instruction is generated based on the client statistic;
receiving a request from a viewer peer node in the decentralized data delivery network for accessing one or more target fragments of the data file;
extracting, from the received request, a content type of the requested data file, and a second location of the viewer peer node;
generating a cacher peer list by selecting, from cacher peer nodes currently active in the decentralized data delivery network, one or more cacher peer nodes to provide access to the one or more target fragments of the data file, wherein at least one selected cacher peer node is selected based on the second location of the viewer peer node, a third location of the at least one selected cacher peer node, and the content type of the requested data file; and
transmitting the generated cacher peer list to the viewer peer node.

US Pat. No. 10,771,523

ASYNCHRONOUS REAL-TIME MEDIA TRANSFER OVER WIRELESS NETWORKS

DISH Network L.L.C., Eng...

1. A method for asynchronous wireless media transfer, the method comprising:
receiving, by a media device, an electronic communication from a user interface, the electronic communication corresponding to a request for video service from a content provider system that is communicably couplable with the media device via a wireless network;
consequent to the electronic communication, configuring the media device, by the media device, to provide an asynchronous session within which video content is subsequently transferred from the content provider system to the media device via the wireless network, where:
the configuring the media device comprises utilizing a network layer and a transport layer of the media device to execute operations of a configuration session;
the operations of the configuration session are executed without utilizing a presentation layer and an application layer of the media device;
the configuration session comprises:
creating specifications of asynchronous session parameters to define delivery operations for subsequent delivery of the video content with the asynchronous session; and
storing an encrypted token in storage of the media device, the encrypted token corresponding to the specifications of the asynchronous session parameters;
subsequent to the configuring the media device, requesting, by the media device, opening of the asynchronous session at least in part by transmitting the encrypted token to the content provider system via the wireless network from the transport layer of the media device;
at a session layer of the media device, starting the asynchronous session within which video packets corresponding to the video content are delivered from the content provider system to the media device in accordance with the specifications of the asynchronous session parameters; and
causing, by the media device, display of at least part of the video content.

US Pat. No. 10,771,522

CROWDSOURCED PREDICTION OF CDN PERFORMANCE FOR ZERO BUFFER DELIVERY OF CONTENT

Roku, Inc., Los Gatos, C...

1. A crowdsource server, comprising:
a memory; and
at least one processor communicatively coupled to the memory and configured to:
receive, from a media device, a request to identify a bit-rate variant of a secondary content among a plurality of bit-rate variants of the secondary content to stitch into a stream of a primary content;
access records of prior downloads of the secondary content by a plurality of media devices, wherein the records were provided to the crowdsource server by the plurality of media devices in a crowdsourced manner;
identify a subset of the records of the prior downloads of the secondary content by the plurality of media devices that are relevant to the media device based on the request from the media device;
generate a recommendation for the bit-rate variant of the secondary content among the plurality of bit-rate variants of the secondary content at a server among a plurality of servers to download by the media device based on the subset of the records; and
provide the recommendation to the media device;
wherein the media device downloads the recommended bit-rate variant of the secondary content from the server, and stitches the downloaded bit-rate variant of the secondary content into the stream of the primary content.

US Pat. No. 10,771,521

METHODS AND SYSTEMS FOR OVERLAYING AND PLAYBACK OF AUDIO DATA RECEIVED FROM DISTINCT SOURCES

Spotify AB, Stockholm (S...

1. A method, comprising:
at a media presentation system having a network connection, one or more processors, and memory storing instructions for execution by the one or more processors, wherein the media presentation system is distinct from a remote server and distinct from a client device:
receiving, over a first communications channel, from the remote server via the network connection, a first data stream for a first media item;
playing the first media item; and
while playing the first media item:
receiving, over a second communications channel distinct from the first communications channel, from an application at the client device distinct from the remote server and distinct from the media presentation system, a second data stream for audio data that includes vocals provided by a user as the first media item plays;
measuring a latency of the second communications channel;
overlaying, with the first media item, the vocals provided by the user as the first media item plays to generate a composite data stream, the overlaying comprising:
offsetting the first data stream from the second data stream in accordance with the measured latency of the second communications channel; and
combining the first and second data streams in accordance with the offset of the data streams; and
playing the composite data stream, including the overlaid vocals provided by the user and the first media item.

US Pat. No. 10,771,520

METHODS AND SYSTEMS FOR INTELLIGENT UTILIZATION OF OFF-PEAK NETWORK BANDWIDTH

Comcast Cable Communicati...

1. A method, comprising:
receiving, by a content server from a user device, a request for a content item;
initiating sending, to the user device, the content item;
receiving, at a first time, a teardown command to suspend sending the content item after a first portion of the content item has been sent to the user device, wherein the teardown command comprises a timestamp indicative of a time associated with the teardown command;
determining that playback of the content item is likely to be resumed during a peak time period after the first time, wherein the peak time period is when a utilization of the content server satisfies a threshold;
determining, based on the timestamp, a resume point indicative of a second portion of the content item for playback during the peak time period; and
pre-positioning, based on the resume point and during an off-peak time period when the utilization of the content server does not satisfy the threshold, the second portion of the content item proximate to the user device.

US Pat. No. 10,771,519

PROXY STREAMS IN A VIDEO STREAMING NETWORK

International Business Ma...

1. A method for code testing in a video streaming network, said method comprising:
providing, by one or more processors to one or more user devices, a first broadcast stream comprising a first program containing video content, said first broadcast stream deployed for providing streaming media programs to multiple user devices;
providing, by the one or more processors, a copy of the first broadcast stream to a device under test configured to test new code installed at the device under test via a processing of the first broadcast stream by the new code installed at the device under test, said device under test being a generic computer comprising a communication module that controls reception and transmission of data over multiple Internet Protocol (IP) communication links; and
monitoring, by the one or more processors, error performance of the device under test with respect to the installed new code being tested via the processing of the first broadcast stream by the new code installed at the device under test, said monitoring error performance of the device under test comprising monitoring encoding parameters used for encoding the copy of the first broadcast stream that is being streamed to the device under test.

US Pat. No. 10,771,518

SYSTEMS AND METHODS FOR MULTIPLE DEVICE CONTROL AND CONTENT CURATION

1. A client electronic device configured to participate in at least one content capture session executable by a plurality of electronic devices comprising each of a master electronic device and the client electronic device, the client electronic device comprising:
a communication means configured to communicate data between the master electronic device and the client electronic device,
wherein communicated data between the master electronic device and the client electronic device comprises a master-mode indicator, and wherein the client device is configured to operate as the master electronic device upon a receipt of the master-mode indicator; and
a content capturing means configured to capture content associated with the at least one content capture session.

US Pat. No. 10,771,517

SHARING USER CONTEXT AND PREFERENCES

MICROSOFT TECHNOLOGY LICE...

1. A computer-performed method for replicating a context of a user experience, from a first user computing device, on a second user computing device, the method comprising:
responsive to determining a task performed by an application in a user session on the second user computing device, generating a request for a set of context data corresponding to the task;
sending the request for the set of context data to a server associated with a data store containing contextual information from the user experience from the first user computing device;
receiving a subset of the context data from the server; and
utilizing the subset of the context data on the second user computing device to replicate the context of the user experience from the first user computing device in the user session on the second user computing device.

US Pat. No. 10,771,516

COMMUNICATION-BASED DIGITAL ALLIANCE MANAGEMENT

Project Affinity, Inc., ...

1. A computer-implemented method of communicating digital data among user accounts based digital alliances, comprising:
receiving, by a processor, a request from a user device associated with a user account to establish alliances for a specific organization of a group of members,
the request including information regarding a set of digital communications in a communication account of each of the group of members;
creating and storing, by the processor, digital alliance data representing an alliance for each pair of a group of user accounts for the group of members based on the sets of digital communications associated with the corresponding pair of members;
receiving a query for information regarding relationships within one or more organizations different from the specific organization from a certain device associated with a certain user account of the group of user accounts;
in response to the query, determining a specific set of relationships between the group of user accounts and a specific set of individuals who belong to the one or more organizations and corresponding relationship strengths from the sets of digital communications;
transmitting specific types of information regarding the specific set of relationships within the one or more organizations to the certain device.

US Pat. No. 10,771,515

SUPPLEMENTING USER WEB-BROWSING

Jonathan Davar, Saratoga...

1. A method, comprising:
accessing a portable aggregated social graph associated with a user, the portable aggregated social graph including a plurality of focal group members from disparate social networks, the plurality of focal group members organized into one or more focal groups;
recognizing content associated with an interface presented via a computing device;
selecting at least one focal group member of the plurality of focal group members based on the content and information associated with the plurality of focal group members, the at least one member associated with a focal group of the one or more focal groups;
providing access to information associated with the at least one focal group member of the focal group of the portable aggregated social graph, the at least one focal group member having at least one association with the user;
displaying with the content a visual element representative of the at least one focal group member; and
adaptively updating a level of affinity between the user and the at least one focal group member based at least in part on the selecting of the at least one focal group member.

US Pat. No. 10,771,514

SYSTEMS AND METHODS FOR FACILITATING THE SHARING OF USER-GENERATED CONTENT OF A VIRTUAL SPACE

Disney Enterprises, Inc.,...

1. A system for facilitating the sharing of user-generated content of a virtual space, the system comprising:
one or more physical processors configured by computer-readable instructions to:
receive information that defines user-generated content of a virtual space, wherein instances of the virtual space are executed by computing platforms of different platform types that are associated with users of the virtual space, wherein user-generated content corresponds to entry and/or selection of virtual space content by the users via source computing platforms, the entry and/or selection of virtual space content corresponding to requests to define the user-generated content, and wherein the user-generated content is shareable between the source computing platforms and end computing platforms that are of the different platform types, the sharing being facilitated through platform type-specific conversions of the information that defines the user-generated content, the received information including first information that defines first user-generated content, the first user-generated content corresponding to entry and/or selection by a first user via a first source computing platform of virtual space content corresponding to the requests to define the first user-generated content, wherein the first source computing platform is of a first platform type;
determine estimated cost information associated with executing platform type-specific conversions of the information defining the user-generated content on the end computing platforms that are of different platform types than the source computing platforms, the estimated cost information providing a description of a level of quality of the user-generated content when executed on the end computing platforms, the estimated cost information being determined prior to the conversions of the information defining the user-generated content;
receive requests to share the user-generated content;
determine notifications to be sent to the computing platforms of the users in response to receiving the requests to share the user-generated content, the notifications including information relating to the estimated cost information, such that after determining first estimated cost information associated with executing a second platform type-specific conversion of the first information on a first end computing platform of the second platform type, a first notification is determined to be sent to the first source computing platform and/or a second notification is determined to be sent to the first end computing platform.

US Pat. No. 10,771,513

MULTI-USER CONTENT PRESENTATION SYSTEM

FACEBOOK, INC., Menlo Pa...

1. A computer-implemented method comprising:
providing, to a user via a client device, a presentation feed comprising a plurality of content presentations, each of the content presentations of the plurality of content presentations comprising one or more user-generated content items;
receiving a first content item and a second content item to append to content presentations of the plurality of content presentations;
providing, within the presentation feed and based on appending the first content item and the second content item to the content presentations of the plurality of content presentations, an interactive notification element comprising a visual indication indicating the first appended content item and the second appended content item;
navigating, in response to a first user interaction with the interactive notification element, to the first appended content item;
updating, based on navigating to the first appended content item, the visual indication of the interactive notification element to no longer indicate the first appended content item;
navigating, in response to a second user interaction with the interactive notification element, to the second appended content item; and
updating, based on navigating to the second appended content item, the visual indication of the interactive notification element to no longer indicate the second appended content item.

US Pat. No. 10,771,512

VIEWING A VIRTUAL REALITY ENVIRONMENT ON A USER DEVICE BY JOINING THE USER DEVICE TO AN AUGMENTED REALITY SESSION

Microsoft Technology Lice...

1. A system for augmented reality viewing, the system comprising:
a memory associated with a computing device, the memory including an augmented reality session component; and
a processor that executes the augmented reality session component to:
generate a unique code corresponding to a user device;
broadcast information corresponding to the unique code from the user device, the information configured to be received by an augmented reality device;
display the unique code on the user device; and
join the user device to an augmented reality session of the augmented reality device using received identification information from the augmented reality device and based at least in part on the unique code displayed on the user device being scanned by the augmented reality device.

US Pat. No. 10,771,511

COMMUNICATION METHOD TO MAINTAIN AN APPLICATION SESSION BETWEEN A TERMINAL AND AN APPLICATION SERVER

AIRBUS DS SLC, Elancourt...

1. A method of communication between a first communicating entity connected to a first network through a first NAT gateway of a first local network and an application server, where the application server is associated with a configurable NAT gateway enabling at least one address of at least the first NAT gateway to be made to correspond to at least one public address of the first communicating entity, called a peer reflexive address, comprising:
establishing a first sequence of exchanges of candidates, where the candidates comprise at least one IP address and one port, comprising:
collecting candidates by the first entity from a server using the ICE, STUN or TURN protocols in order to be reached by a remote server through the first NAT gateway;
exchanging candidates between the first entity and the application server resulting in transmission of the peer reflexive address between the configurable NAT gateway and the first NAT gateway;
transmitting to the application server by the first entity of a history of candidates attributed to the first entity;
verifying channels between peers of candidates established between the first entity and the application server;
generating a first transmission channel establishing a first application session;
detecting by the first communicating entity of a new access network comprising a second NAT gateway or of a reconnection to the first access network after a disconnection, resulting in the establishment of a second sequence of exchanges of new candidates comprising steps similar to the first sequence;
automatically configuring the configurable NAT gateway by a function of the application server so as to modify the correspondence between the source address of the first or second NAT gateway with the peer reflexive address of the configurable NAT gateway which is configurable from the history of the candidates sent by the communicating entity, and
generating a second transmission channel between the first communicating entity and the application server ensuring that the first application session is maintained.

US Pat. No. 10,771,510

IMS APPLICATION CONTROL PROTOCOL

TELEFONAKTIEBOLAGET L M E...

1. A method for use in a communications network comprising an Internet Protocol Multimedia Subsystem (IMS) to control an application media session between at least two User Equipments, the method comprising:
receiving, from a User Equipment, a SIP INVITE message including a Session Description Protocol (SDP) field indicating to set up a Message Session Relay Protocol (MSRP) media session between the User Equipment and the IMS;
establishing a Session Initiation Protocol (SIP) session between the User Equipment and a SIP application server within the IMS;
establishing the MSRP media session between the User Equipment and a Media Resource Function (MRF) controlled by the SIP application server;
receiving, via the MSRP media session, an indication of a sharing capability that is supported by the User Equipment; and
forwarding, via the MRF, the indication of a sharing capability to a second User Equipment, the forwarding including communicating the indication of the sharing capability over the MSRP media session between the second User Equipment and the MRF;
wherein the method further comprises:
sending, to the second User Equipment, a second SIP INVITE message;
establishing the SIP session between the second User Equipment and the SIP application server;
establishing the MSRP media session between the second User Equipment and the MRF;
receiving, from the User Equipment, a StartAppinstance message corresponding to an application specified in the indication of the sharing capability;
forwarding the StartAppinstance message to the second User Equipment; and
after forwarding the StartAppinstance message, exchanging synchronization information corresponding to the application between the User Equipment and the second User Equipment.

US Pat. No. 10,771,509

TERMINAL INTEROPERATION USING CALLED-TERMINAL FUNCTIONAL CHARACTERISTICS

T-Mobile USA, Inc., Bell...

12. A terminal of a telecommunications network, the terminal comprising:
a communications interface communicatively connectable with at least two access networks of respective, different types;
a user interface;
at least one processor; and
a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform operations comprising:
detecting, using the communications interface, network service provided by an access network;
establishing connectivity with a presence-information server via the access network;
transmitting presence information to the presence-information server via the access network, the presence information indicating a type of the access network;
receiving, via the access network, an indication of a content item and an altered content item associated with the indication, the content item and the altered content item corresponding to higher resolution content and lower resolution content, respectively;
presenting, via the user interface, the altered content item and a link or icon representing the indication of the content item;
subsequently, receiving, via the user interface, a request to retrieve the content item;
in response to the received request to retrieve the content item, retrieving, via a second access network that is different from the access network, the content item; and
presenting, via the user interface, the content item.

US Pat. No. 10,771,508

SYSTEMS AND METHODS FOR ESTABLISHING A VIRTUAL SHARED EXPERIENCE FOR MEDIA PLAYBACK

1. A method for establishing a virtual shared connection, the method comprising:
receiving an invitation from a first device associated with a first media consumer, the invitation associated with a media file;
sending the invitation to a second device associated with a second media consumer;
in response to sending the invitation, receiving an acceptance;
in response to receiving the acceptance, causing synchronous playback of content from the media file to the first device and the second device such that the playback is synchronized on the first device and the second device;
during synchronous playback, reaching a trigger in the media file;
upon reaching the trigger, accessing a consumer provided content file identified by the trigger, wherein the consumer provided content is generated by a third media consumer that previously consumed the content of the media file;
simultaneously causing display of consumer provided content of the consumer provided content file on the first and second devices;
receiving a user communication from the first device; and
causing, during synchronous playback, the user communication to be displayed on the second user device and not the first user device.

US Pat. No. 10,771,507

SECURE COMMUNICATION METHOD OF IMS SYSTEM BASED ON KEY FILE

AnKang HENTE Technology C...

1. A secure communication method of an IMS (IP Multimedia Subsystem) system based on a key file, comprising the following steps:
obtaining an IMS account by a UE;
sending the IMS account and authentication information to a background server by the UE;
generating an electronic work order by the background server according to the received authentication information to enable customer service personnel to manually audit the authentication information and the IMS account according to a preset rule and the electronic work order;
generating a key file by the background server according to the IMS account, the authentication information and UE information and sending the key file to the UE when determining that the IMS account and the authentication information are correct;
adding the IMS account, an IMS account password, the UE information and attribute information of the background server to the key file; and
activating the IMS account by the UE according to the key file and performing network communication according to the IMS account.

US Pat. No. 10,771,506

DEPLOYMENT OF A SECURITY POLICY BASED ON NETWORK TOPOLOGY AND DEVICE CAPABILITY

Juniper Networks, Inc., ...

1. A device, comprising:
a communication interface; and
one or more processors to:
receive network topology information of a network and device capability information of devices in the network;
detect a threat to the network using a threat feed from a threat detection system,
the threat feed being included in a plurality of threat feeds used by the device, and
the plurality of threat feeds including:
a Command and Control (CnC) feed indicating a list of identified malicious entities or a Geographical Internet Protocol (Geo IP) feed indicating a list of at least one of locations or internet protocol (IP) addresses associated with locations that include malicious entities,
an Infected Host Feed indicating a list of entities that have been identified as infected with malware, and
a Malware feed indicating a list of identified malicious files;
determine threat information associated with the threat based on the threat feed used to detect the threat;
select a security policy and an enforcement device of the network to enforce the security policy based on the network topology information, the device capability information, and the threat information,
the enforcement device being selected from a switch nearest an affected client device, a firewall nearest the affected client device, a firewall at a perimeter of the network, and an internal segmentation firewall,
the firewall nearest the affected client device being selected as the enforcement device, and not the switch nearest the affected client device, to enforce a first security policy when the threat feed used to detect the threat is the CnC feed or the Geo IP feed,
the switch nearest the affected client device and the firewall at the perimeter of the network being selected as the enforcement device to enforce a second security policy when the threat feed used to detect the threat is the Infected Host Feed, and
the internal segmentation firewall being selected as the enforcement device, and not the firewall at the perimeter of the network nor the switch nearest the affected client device, to enforce a third security policy when the threat feed used to detect the threat is the Malware feed; and
perform an action associated with the threat based on the security policy and the enforcement device.

US Pat. No. 10,771,505

INFRASTRUCTURE LEVEL LAN SECURITY

NICIRA, INC., Palo Alto,...

1. A computer-implemented method of providing encryption keys, comprising:
receiving an identification of first and second secure wires enabled in a Layer 2 (L2) domain on which a plurality of secure wires are to be enabled;
generating first and second different encryption keys for the first and second secure wires;
in response to a selection of a first virtual network interface card (vNIC) to add to the first secure wire, providing the first key to a first host on which the first vNIC executes in order for the first host to encrypt and decrypt messages exchanged between the first vNIC and a plurality of vNICs connected to the first secure wire on at least a second host without the first host being required to negotiate any keys for the first secure wire on a point-to-point basis with any other hosts, including the second host, the plurality of vNICs associated with a plurality of virtual machines (VMs) executing on at least the second host; and
in response to a selection of a second vNIC to add to the second secure wire, providing the second key to a third host on which the second vNIC executes in order for the third host to encrypt and decrypt messages exchanged between the second vNIC and a third vNIC connected to the second secure wire associated with a particular VM in the plurality of VMs without the third host being required to negotiate any keys for the second secure wire on a point-to-point basis with any other hosts, wherein the first secure wire defines a logical L2 network that stretches across Layer 3 (L3) boundaries.

US Pat. No. 10,771,504

SYSTEMS AND METHODS FOR IDENTIFYING DATA BREACHES

NortonLifeLock Inc., Tem...

1. A computer-implemented method for detecting unauthorized data shares, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
creating a privacy score for a particular online entity based on data generated and aggregated by a security server of a security service, wherein:
the security service provides a plurality of digital security services to users, the digital security services comprising (1) an anonymized inbox service that manages anonymized email aliases for users and (2) a web content analysis service that analyzes web content; and
creating the privacy score comprises creating the privacy score based on (1) a determination, collected from the anonymized inbox service, that the particular online entity has shared a user's personal data with other entities and (2) a number of fingerprinting scripts, identified by a tracker crawler of the web content analysis service, being served from one or more domains owned by the particular online entity; and
providing the privacy score within a vendor reputation database maintained by the security service, wherein the database enables users to (1) query the database for privacy information about online entities and (2) contribute user-input that details privacy information about online entities.

US Pat. No. 10,771,503

DISSUADING STOLEN PASSWORD REUSE

SAP SE, Walldorf (DE)

1. A computer-implemented method comprising:
initiating, by a software application executing on a primary server, a user authentication process prompting a user to enter, via a graphical user interface, login credentials;
determining that the login credentials have been flagged;
injecting, in response to the determining, tracking cookies on a computing device used by the user;
creating, using information obtained from the injected tracking cookies, a virtual profile of the user, the virtual profile comprising a list of password trials per website, timestamps for password trials, and an origin of at least one stolen password;
directing the user from the primary server to a fake server mimicking the software application executing on the primary server;
obtaining, by the fake server and based on the virtual profile, metadata associated with the user interacting with the fake server that characterizes the user, the metadata comprising a browser fingerprint;
providing data comprising the obtained metadata;
generating an alert using the obtained metadata that (i) characterizes the user including the browser fingerprint and (ii) warns the user that access to the software application is unauthorized; and
causing the alert to be displayed in the graphical user interface for viewing by the user.

US Pat. No. 10,771,502

REFLEXIVE BENIGN SERVICE ATTACK ON IOT DEVICE(S)

Bank of America Corporati...

1. A partially secure, internet-connected system, comprising:
at least one Internet-of-Things (IoT) device;
said IoT device comprising a connection to the internet;
said connection to the internet comprising a gateway node;
said gateway node comprising hardware and/or software, and connected to said IoT device and the internet;
wherein an element of said system bombards the IoT device with communications packets in a manner mimicking a traditional Denial-Of-Service (DOS) attack;
said bombardment directing the IoT device's resources to responding to the bombardment, said bombardment further comprising a dynamic high-level mode of bombardment, said high-level bombardment being established dynamically based on a current IoT device functionality, wherein the system preserves an amount of resources necessary for the current IoT device functionality, said high-level bombardment fully utilizing the resources remaining above said amount of preserved resources, said dynamic high-level bombardment preventing the IoT device from sending any packets unnecessary for the current IoT device functionality, while maintaining the current device functionality; and
said directing of resources prevents the device from being harnessed in a malicious Distributed-Denial-Of-Service (DDOS) attack.

US Pat. No. 10,771,501

DDOS ATTACK DEFENSE METHOD, SYSTEM, AND RELATED DEVICE

TENCENT TECHNOLOGY (SHENZ...

1. A method for defending against a distributed denial of service attack, the method comprising:
receiving, by a blocking device, packets that enter a service network providing services to servers that are receiving the services from the service network;
parsing the packets to identify attacking packets and generating alarm data based on the attacking packets;
determining, by the blocking device, a blocking policy for blocking the attacking packets based on the alarm data and blocking rules; and
initiating, by the blocking device, a blocking action to block the attacking packets based on the blocking policy,
wherein the blocking rules are used to determine whether the servers are attacked based on types of clients of an internet service provider, which is defined by at least one of payment method by the clients, bandwidth purchased by the clients, and quantity of users of the clients, and the blocking rules are customized according to a request of one of the clients of the internet service provider, the one of the clients being at least one of a border gateway protocol high-defense client or a client with a priority higher than priorities of other clients.

US Pat. No. 10,771,500

SYSTEM AND METHOD OF DETERMINING DDOS ATTACKS

AO KASPERSKY LAB, Moscow...

1. A method for protecting against a distributed denial-of-service (DDoS) attack, the method comprising:
receiving one or more requests from a first user for a service executing on a server;
generating a first vector associated with the first user comprised of a plurality of characteristics indicative of the first user accessing the service;
calculating a comparison between the first vector and a reference vector, wherein the reference vector comprises an averaged distribution of characteristics for a plurality of users accessing the service;
calculating a difference between the first vector and the reference vector;
responsive to determining that the calculated difference between the first vector and the reference vector exceeds a first threshold value, determining that the service is under a denial-of-service attack, that the first vector is indicative of behavior of repeat access requests of a webpage with a password, and that the first user is a malicious user;
determining that the service is not under a denial-of-service attack and that the first user is a legitimate user responsive to determining the calculated difference is less than a second threshold value; and
handling requests due to a possible cyberattack, shortening a time interval for gathering data for the reference vector, and reducing a threshold value used for the comparison responsive to receiving an indication that the service has ceased.

US Pat. No. 10,771,499

AUTOMATIC HANDLING OF DEVICE GROUP OVERSUBSCRIPTION USING STATELESS UPSTREAM NETWORK DEVICES

Arbor Networks, Inc., We...

1. A distributed denial of service (DDoS) attack mitigation system comprising:
a plurality of stateless network devices connected to a network;
a plurality of Deep Packet Inspection (DPI) devices connected to one or more of the plurality of stateless network devices, each of the plurality of DPI devices configured to detect a DDoS attack and further configured to detect an over-subscription condition caused by a flow of network traffic thereto so as to generate and transmit an over-subscription signal;
a controller connected to one or more of the plurality of stateless network devices and connected to the plurality of DPI devices, the controller comprising logic integrated with or executable by a processor, the logic being configured to:
receive an over-subscription signal from a first DPI device of the one or more DPI devices;
analyze the over-subscription signal received from the first DPI device;
update a network traffic policy;
send the updated network policy to the plurality of stateless network devices;
send the updated network policy from the plurality of stateless network devices to the plurality of DPI devices;
based on the updated network policy:
either i) redirecting at least some of network traffic destined for the first DPI device to one of the plurality of DPI devices different from the first DPI device based upon customer priority prescribed in the network traffic policy associated with network traffic to be diverted to another DPI device;
or ii) dropping lower network traffic to the first DPI device based on the analyzed over-subscription signal; and
send a signal indicative of the updated network policy to at least some of the plurality of stateless network devices to achieve load-balancing of the network traffic flowing to the one or more DPI devices.

US Pat. No. 10,771,498

VALIDATING DE-AUTHENTICATION REQUESTS

Marvell Asia Pte., Ltd., ...

1. An apparatus for validating a de-authentication request, the apparatus comprising:
a wireless controller configured to receive the de-authentication request and determine whether the de-authentication request is invalid based on the wireless controller's receipt of two or more responses to a timing request sent by the wireless controller in response to the de-authentication request, wherein only one response is expected, and wherein the two or more responses include an address of a first station, and at least one response of the two or more responses to the timing request includes a confirmation of transmitting the de-authentication request, the confirmation received from one of the first station or a second station, and at least one response of the two or more responses to the timing request includes a denial of transmitting the de-authentication request, the denial received (i) from the first station if the confirmation is received from the second station or (ii) from the second station if the confirmation is received from the first station.

US Pat. No. 10,771,497

USING IP ADDRESS DATA TO DETECT MALICIOUS ACTIVITIES

DataVisor, Inc., Mountai...

1. A method comprising:
obtaining a collection of data associated with a plurality of user events;
processing the collection of data to compute a plurality of IP address properties that comprise particular features associated with one or more individual IP addresses and one or more IP address ranges, wherein the IP address properties include a predictable IP address property for a particular user for each IP address the user has used, wherein each predictable IP address property for the particular user corresponds to a calculated probability that the particular user will use a specific IP address or IP address range again based on prior IP address usage; and
using the plurality of IP address properties to calculate a probability that events associated with particular IP addresses or IP address ranges are malicious, wherein calculating the probability that events associated with a particular IP address or IP address ranges are malicious includes determining that a group of correlated users all have a predictable IP address property indicating a low likelihood that the user will use the corresponding IP address or IP address range again.

US Pat. No. 10,771,496

INSIDER THREAT DETECTION UTILIZING USER GROUP DATA OBJECT ACCESS ANALYSIS

Imperva, Inc., Redwood C...

1. A method in a suspicious access detection module implemented by one or more computing devices for detecting suspicious access requests from access requests that identify different ones of a plurality of files, wherein the plurality of files are organized within a plurality of folders, the method comprising:
determining, based on a first access data describing a plurality of access requests sent on behalf of a plurality of users of an enterprise, the following:
a set of user accessed folders, for each respective one of the plurality of users, that identifies those of the plurality of folders that include those of the files that were identified by those of the plurality of access requests sent on behalf of the respective one of the users,
a plurality of user groups determined based on similarities between the sets of user accessed folders of the plurality of users,
a set of group accessed folders, for each respective one of the plurality of user groups, that identifies those of the plurality of folders in the sets of user accessed folders determined for the respective ones of the users in the respective one of the user groups, and
for each of the plurality of user groups, which of the others of the plurality of user groups are considered nearby that user group based on a level of commonality between folders in the set of group accessed folders determined for that user group and the sets of group accessed folders determined for the respective ones of the others of the plurality of user groups;
determining, based on a second access data describing at least a first access request, that the first access request is suspicious, wherein the first access request identifies a first file of the plurality of files and was issued on behalf of a first user of the plurality of users, wherein the first user is determined to belong to a first user group of the plurality of user groups, wherein the determining that the first access request is suspicious includes determining that the first file is included in a first folder of the plurality of folders and that the first folder is not within the respective sets of group accessed folders determined for the first user group and those of the user groups determined to be nearby the first user group, wherein the first folder being within the set of group accessed folders determined for the first user group would be considered regular and non-suspicious and the first folder being within the sets of group accessed folders determined for user groups determined to be nearby the first user group would be considered irregular but not suspicious; and
causing an alert to be generated responsive to the first access request being determined to be suspicious.

US Pat. No. 10,771,495

CYBER-ATTACK DETECTION AND NEUTRALIZATION

General Electric Company,...

1. A method comprising:
receiving, from a plurality of sensors, time-series input signals comprising time series sensor data that is measured of an industrial operation of an industrial asset and transforming the time series sensor data into feature values in a feature space;
detecting an abnormal feature value among the transformed feature values in the feature space based on a position of the abnormal feature value with respect to predetermined normalcy boundary line integrated within the feature space, wherein the normalcy boundary line identifies abnormal feature values corresponding to abnormal transformed time series sensor readings measured by one or more sensors;
converting the abnormal feature value from the transformed time-series input signals into a normal feature value within the predetermined normalcy boundary representing a true estimate of a time-series input signal of the abnormal feature value by masking a portion of, but not all of, the abnormal feature value to generate neutralized signals; and
outputting the neutralized signals to a computing device associated with the industrial asset while the industrial asset remains powered on.

US Pat. No. 10,771,494

RUNTIME PROTECTION OF WEB SERVICES

International Business Ma...

1. A computer-implemented method for protecting a runtime Web service application, the method comprising:
instrumenting, by a computer, the Web service application to log its operation and create an execution trace;
identifying, by the computer, a trace point vulnerability using one or more data payloads and one or more security rules;
identifying, by the computer, a first candidate trace point operation associated with the trace point vulnerability;
computing, by the computer, a supplementary candidate operation based on the first candidate trace point operation and the trace point vulnerability, wherein the supplementary candidate operation addresses a difference between a transformation required to satisfy a security rule and a transformation performed by the first candidate trace point operation; and
further instrumenting, by the computer, the Web service application with the supplementary candidate operation.

US Pat. No. 10,771,493

COGNITIVE SECURITY EXPOSURE ANALYSIS AND RESOLUTION BASED ON SECURITY TRENDS

International Business Ma...

1. A method, in a data processing system comprising a processor and a memory, the memory comprising instructions that are executed by the processor to specifically configure the processor to implement a security vulnerability analysis engine, the method comprising:
ingesting, by the security vulnerability analysis engine executing in the data processing system, content from a plurality of content source computing devices to identify instances of security vulnerability content in the ingested content;
performing, by the security vulnerability analysis engine, a security trend analysis on the instances of security vulnerability content to identify a relative ranking of security vulnerabilities;
identifying, by the security vulnerability analysis engine, computing resources of a specified computing infrastructure and a criticality of the computing resources to an operation of the computing infrastructure;
generating, by the security vulnerability analysis engine, a prioritized listing of security vulnerabilities associated with the computing infrastructure based on the relative ranking of security vulnerabilities and the criticality of the computing resources in the computing infrastructure; and
outputting, by the security vulnerability analysis engine, a notification to a user via a user computing device, indicating the prioritized listing of security vulnerabilities, wherein identifying a criticality of the computing resources to an operation of the computing infrastructure comprises:
evaluating each computing resource of the computing infrastructure with regard to a plurality of criticality factors; and
ranking the computing resources relative to one another based on results of evaluating the computing resources with regard to the plurality of criticality factors, and wherein the plurality of criticality factors comprise at least one of mission and customer impact, safety and environmental impact, ability to isolate single-point failures, preventative maintenance history, corrective maintenance history, mean time between failures, probability of failure, spares lead time, asset replacement value, or planned utilization rate.

US Pat. No. 10,771,492

ENTERPRISE GRAPH METHOD OF THREAT DETECTION

Microsoft Technology Lice...

1. A method for analyzing security alerts, comprising:
generating an enterprise graph based on information associated with an enterprise, wherein the enterprise graph identifies relationships between computers of the enterprise, wherein the relationships are based on an architecture and function performed in the enterprise;
receiving a first security alert produced by a first security component associated with a first computer of the enterprise;
receiving a second security alert produced by a second security component associated with a second computer of the enterprise;
based on the enterprise graph, determining a strength of a relationship between the first computer and the second computer, wherein the strength of the relationship is based on what type of machine the first computer is, what type of machine the second computer is and where the first computer is located in the enterprise, and where the second computer is located in the enterprise;
identifying a significant relationship between the first and second security alerts;
identifying a potential security incident based on the significant relationship between the first and second security alerts and based on the strength of the relationship between the first computer and the second computer;
ranking the first security alert, the second security alert, and a third security alert, wherein the third security alert is not associated with a potential security incident;
prioritizing the first security alert and the second security alert over the third security alert based on the association of the first security alert and the second security alert with the potential security incident;
presenting the first and second security alerts of the potential security incident as a chain of events, wherein the first security alert and the second security alert form the chain of events, which is compared to a criteria of attack to determine the security incident, and wherein the relationship helps define the chain of events; and
concluding that the potential incident is an actual attack.

US Pat. No. 10,771,491

PACKET ANALYSIS BASED IOT MANAGEMENT

Palo Alto Networks, Inc.,...

11. A method comprising:
obtaining, by a mirror port provided in a local area network including an Internet of things (IoT) device, data packets transmitted to and from the IoT device;
mirroring, by the mirror port, the data packets transmitted to and from the IoT device;
obtaining, by an IoT device management engine, the mirrored data packets from the mirror port;
analyzing, by the IoT device management engine, at least one of the mirrored data packets using deep packet inspection to identify transaction data from payload of the at least one of the mirrored data packets;
generating, by the IoT device management engine, an event log for the IoT device from the transaction data, the event log, at least in part, used to generate a historical record for the IoT device;
updating, by the IoT device management engine, the event log in real-time to indicate current operation of the IoT device;
profiling, by an IoT device profiling engine, the IoT device into a device profile based on the historical record for the IoT device;
determining, by the IoT device profiling engine, baseline behavior of the IoT device from historical records of a plurality of IoT devices including the historical record for the IoT device;
receiving, by the IoT device profiling engine, the event log updated in real-time from the IoT device management engine;
determining, by the IoT device profiling engine, abnormal device behavior of the IoT device using the event log received from the IoT device management engine and the baseline behavior;
updating, by the IoT device profiling engine, the device profile to indicate the abnormal device behavior of the IoT device;
determining, by an IoT device vulnerability determination engine, whether the IoT device is vulnerable to attack; and
terminating, by the IoT device vulnerability determination engine, flow of data to and from the IoT device if it is determined that the IoT device is vulnerable to attack.

US Pat. No. 10,771,490

DETECTING ANOMALOUS NETWORK DEVICE ACTIVITY

Rapid7, Inc., Boston, MA...

1. A method for detecting anomalous network device activity, the method comprising:
receiving, using an interface, pre-existing traffic data associated with a host device;
analyzing, using a processor executing instructions stored on a memory, the pre-existing traffic data associated with the host device;
assigning, using the processor, an identification label to the host device based on the pre-existing traffic data;
assigning an expected behavioral parameter to the host device based on the identification label;
detecting the pre-existing traffic data deviates from the expected behavioral parameter;
classifying the pre-existing traffic data as anomalous based on the data deviating from the expected behavioral parameter; and
issuing, using the processor, an alert upon classifying the pre-existing traffic data associated with the host device as anomalous.

US Pat. No. 10,771,489

ARTIFICIAL INTELLIGENCE METHOD AND SYSTEM FOR DETECTING ANOMALIES IN A COMPUTER NETWORK

AKITRA, INC., Sunnyvale,...

1. An enterprise network system comprising:
a data source coupled to a network;
a router coupled to the data source;
a switch device coupled to the router;
an instant auto discovery engine (IAE) module coupled to the switch device, the discovery module configured to monitor traffic to the switch device to detect all of a plurality of client devices, including a plurality of IoT devices, coupled to the switch device, detect all of a plurality of sensor devices coupled to the switch device, and detect all of a plurality of input devices coupled to the switch device, the IAE module comprising a catalog of each of the plurality of client devices, input devices, sensing devices, or other network devices;
a behavior analytics engine (BAE) module coupled to the switch device, the BAE module configured to monitor traffic to the switch device and configured to detect one or more anomalies from a flow of traffic;
an intelligent machine learning engine (IMLE) module configured with the BAE module, the IMLE module configured to process the flow of data through one of a plurality of processes, one of the plurality of processes numbered from one through N, where N is greater than 5, the plurality of processes being categorized into a clustering process, a classification process, a regression process, an association process, a probabilistic processes comprising a Bayesian Network, or a graph based model, alone or in combination with any of the other aforementioned processes;
a smart security engine (SSE) module, the SSE being configured to implement a security measure from feedback from the BAE module;
an autonomous decision engine (ADE) module coupled to the SSE module, the ADE module configured for a remediation process, the remediation process comprising an autonomous decision engine comprising a sense process, plan process, and an act process (collectively the “AI processes”), and configured to make a decision from the flow of data to remediate and take appropriate action based upon what signal is received from the client device, and processed through a behavior analytics engine thereby feeding information into the autonomous decision engine taking into account information selected from a status of an internal state, a response associated with the internal state and a received input, and a model associated with the device from a catalog stored in a database for remediation to reason over achieving a future state using remediation to predict a future state and use the AI processes to ensure migration to the future state; and
whereupon the IAE module, BAE module, ADE module, and SSE module are configured to discover instantly the plurality of client devices connected to the network, monitoring the flow of data from each of the plurality of the client devices, detecting at least one anomaly, and taking a remediation action for the detected anomaly.

US Pat. No. 10,771,488

SPATIO-TEMPORAL ANOMALY DETECTION IN COMPUTER NETWORKS USING GRAPH CONVOLUTIONAL RECURRENT NEURAL NETWORKS (GCRNNS)

Cisco Technology, Inc., ...

1. A method comprising:
receiving, at a device, sensor data from a plurality of nodes in a computer network;
using, by the device, the sensor data and a graph that represents a topology of the nodes in the network as input to a graph convolutional neural network;
providing, by the device, an output of the graph convolutional neural network as input to a convolutional long short-term memory recurrent neural network, wherein the graph convolutional neural network is configured to produce its output based in part on a spatial dependency between the nodes in the computer network;
detecting, by the device, an anomaly in the computer network by comparing a reconstruction error associated with an output of the convolutional long short-term memory recurrent neural network to a defined threshold, wherein the convolutional long short-term memory recurrent neural network is configured to produce its output based on a temporal dependency of the sensor data; and
initiating, by the device, a mitigation action in the computer network for the detected anomaly.

US Pat. No. 10,771,487

METHOD FOR PROTECTING IOT DEVICES FROM INTRUSIONS BY PERFORMING STATISTICAL ANALYSIS

Gryphon Online Safety Inc...

1. A method for protecting from intrusion an IoT device connected via a router to a network comprising a server, the method performed in the router comprising the steps of:
obtaining reference traffic pattern data for said IoT device operating in a normal operating mode;
collecting operating traffic pattern data for said IoT device;
determining a statistical deviation between said reference traffic pattern data and said operating traffic pattern data by performing a statistical analysis;
selecting a predetermined threshold value of said statistical deviation;
comparing said statistical deviation with said predetermined threshold value to determine whether said statistical deviation is greater than said predetermined threshold;
flagging abnormal activity responsive to a determination that said statistical deviation is greater than said predetermined threshold value.

US Pat. No. 10,771,486

SYSTEMS AND METHODS FOR DETECTING NETWORK SECURITY THREAT EVENT PATTERNS

Splunk Inc., San Francis...

1. A computer-implemented method, comprising:
causing display of a graphical user interface (GUI) including interface elements used to define a meta-notable event rule, the meta-notable event rule including:
a plurality of notable event states, at least one of the plurality of notable event states corresponding to a correlation search used to identify timestamped event data matching one or more search criteria, wherein at least one of the plurality of notable event states is a start state and at least one of the plurality of notable event states is an end state, and
a plurality of transition rules, each transition rule defining one or more criteria for transitioning between two notable event states of the plurality of notable event states;
receiving, via the GUI, input specifying: at least one of the plurality of notable event states, at least one of the plurality of transition rules, and a plurality of notable event state groupings, wherein each notable event grouping of the plurality of notable event state groupings includes a selected set of notable event states of the plurality of notable event states and is associated with a respective grouping label corresponding to a phase of a network security attack;
executing a plurality of correlation searches against timestamped event data stored by a data intake and query system to identify a plurality of notable events from the timestamped event data, the timestamped event data generated by the data intake and query system based on raw machine data created by one or more components of an information technology or security environment;
analyzing the plurality of notable events using the meta-notable event rule by determining whether any set of notable events from the plurality of notable events satisfies a set of transition rules from the plurality of transition rules linking the start state to the end state of the meta-notable event rule; and
in response to determining that a set of events satisfies the meta-notable event rule, storing a record identifying the set of notable events satisfying the meta-notable event rule, the set of notable events satisfying the meta-notable event rule indicating a potential security threat involving at least one computing device of the information technology or security environment.

US Pat. No. 10,771,485

SYSTEMS AND METHODS FOR CROSS-CHANNEL ELECTRONIC COMMUNICATION SECURITY WITH DYNAMIC TARGETING

BANK OF AMERICA CORPORATI...

1. A system for cross-channel electronic communication security, wherein the system provides dynamic construction and targeting of adaptive simulated malicious electronic communications for unsecure communication identification, the system comprising:
a memory device with computer-readable program code stored thereon;
a communication device, wherein the communication device establishes operative communication with a plurality of networked devices via a communication network;
a processing device operatively coupled to the memory device and the communication device, wherein the processing device executes the computer-readable program code to:
construct a first simulated malicious electronic communication for a user, wherein the first simulated malicious electronic communication is associated with a first electronic communication medium, wherein constructing the first simulated malicious electronic communication comprises:
embedding an action tag in a body of the first simulated malicious electronic communication, wherein the action tag is structured for determining a predetermined user action associated with the first simulated malicious electronic communication;
transmit, via a first communication channel, the first simulated malicious electronic communication to a first user device associated with the first electronic communication medium;
determine, via the embedded action tag, a first user action performed by the user on the first simulated malicious electronic communication;
construct a second simulated malicious electronic communication for the user based on the first user action, wherein constructing the second simulated malicious electronic communication comprises constructing the second simulated malicious electronic communication such that the second simulated malicious electronic communication is associated with a second electronic communication medium; and
transmit, via a second communication channel associated with the second electronic communication medium, the second simulated malicious electronic communication to the user.

US Pat. No. 10,771,484

INTEGRATED NETWORK INTRUSION DETECTION

Intel Corporation, Santa...

1. One or more non-transitory machine-readable media comprising a plurality of instructions stored thereon that, when executed, causes a compute device to:
identify an application associated with a network flow;
analyze communication statistics for network traffic associated with the application;
configure, based on the statistical analysis of network traffic associated with the application, an application-specific network policy associated with the application, wherein the application-specific network policy includes one or more application-specific rules, wherein to configure, based on the statistical analysis of network traffic associated with the application, the application-specific network policy associated with the application comprises to auto-configure, based on the statistical analysis, a threshold for a number of requests indicative of abnormal behavior of the application; and
apply the application-specific network policy to the network flow, wherein to apply the application-specific network policy to the network flow comprises to apply the one or more application-specific rules to the network flow.

US Pat. No. 10,771,483

IDENTIFYING AN ATTACKED COMPUTING DEVICE

British Telecommunication...

1. A computer implemented method to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services with a processor integrated into a circuit, the method comprising:
receiving, using the processor, a first data structure including data modeling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of the vulnerabilities to identify one or more series of exploits involved in a network attack;
receiving, using the processor, a second data structure including data modeling the computing devices in the system including network connections of each computing device; and
comparing, using the processor, the first data structure and the second data structure to identify the attacked computing device as an intermediate device in communications between at least two computing services in any of the one or more series of exploits by following each of the one or more series of exploits, associating each exploit with a particular computing device of the computing devices, and identifying any intermediate device in communication between exploited devices as the attacked computing device.

US Pat. No. 10,771,482

SYSTEMS AND METHODS FOR DETECTING GEOLOCATION-AWARE MALWARE

CA, Inc., San Jose, CA (...

1. A computer-implemented method for detecting geolocation-aware malware, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
receiving, by the computing device, trajectory information for network traffic carrying the geolocation-aware malware, wherein the trajectory information comprises paths intended to be taken by the network traffic carrying the geolocation-aware malware;
identifying, from the trajectory information, a target geolocation characteristic required to activate the geolocation-aware malware;
establishing, on an image of a user machine, an execution environment having the target geolocation characteristic;
running, on the image of the user machine, the geolocation-aware malware; and
analyzing functioning of the geolocation-aware malware to identify malicious activity by the geolocation-aware malware.

US Pat. No. 10,771,481

METHOD, MOBILE SWITCHING CENTRE, MSC, AND A COMPUTER PROGRAM PRODUCT FOR DETECTING INTERCONNECT BYPASS

TELEFONAKTIEBOLAGET LM ER...

1. A method for detecting interconnect bypass by a subscription identity in a telecommunication network, said telecommunication network comprising at least a Mobile Switching Center (MSC), said method comprising:
setting, by said MSC, a bypass threshold value, said bypass threshold value being an integer number;
receiving, by said MSC, a grey list from any of a Home Subscription Server (HSS), a Home Location Register (HLR), and an Application Server (AS), and entering said grey list at said MSC, wherein said grey list contains subscription identities suspected of involvement with interconnect bypass;
monitoring, by said MSC, for originating calls per a predefined period of time, from each of one or more subscription identities contained in the grey list that connect to the MSC; and
detecting, by said MSC, when said number of originating calls for any one of said one or more subscription identities exceeds said bypass threshold value, and issuing an alert message, thereby indicating an interconnect bypass by said any one of said one or more subscription identities.

US Pat. No. 10,771,480

SYSTEMS AND METHODS FOR DETECTING AND RESPONDING TO SECURITY THREATS USING APPLICATION EXECUTION AND CONNECTION LINEAGE TRACING

Prismo Systems Inc., San...

1. A process for detecting suspicious activity in a network and in a computer server system, comprising:
receiving at a collector server, from a first connection and application execution sensor, a first piece of activity data from an observed system, the first piece of activity data comprising a first set of attributes, each attribute having a particular value;
combining, using the collector server, a first set of context information with the first piece of activity data to generate a first activity record, wherein the first piece of activity data includes attributes describing an aspect of an application executing on the observed system;
comparing, using the collector server, the first activity record to a set of baseline signatures, where each baseline signature comprises a second set of attributes, each attribute having a particular value and each baseline signature being unique in the combination of values of its attributes, where the second set of attributes includes an application name and a server name;
incrementing, using the collector server, a count of a first matching baseline signature from the set of baseline signatures when the first activity record has the same values for all attributes in the first matching baseline signature;
receiving at a collector server, from a second connection and application execution sensor, a second piece of activity data comprising a third set of attributes, each attribute having a particular value;
combining, using the collector server, a second set of context information with the second piece of activity data to generate a second activity record; and
generating, using the collector server, an alert when the values of the attributes of the second activity record differ from all baseline signatures in the set of baseline signatures by at least a predetermined threshold number of attributes and reconfiguring a policy on the second connection and application execution sensor that controls traffic in response to the generated alert.

US Pat. No. 10,771,479

CONFIGURING MODULAR ALERT ACTIONS AND REPORTING ACTION PERFORMANCE INFORMATION

Splunk Inc., San Francis...

1. A computer-implemented method performed by a security application of a data intake and query system, the method comprising:
receiving, through a graphical interface for creating modular alerts, input defining a modular alert comprising:
a correlation search used to identify notable events from events stored by the data intake and query system in a field-searchable data store, wherein each of the events includes a time stamp and a portion of raw machine data produced by a component of an information technology or security environment and reflects activity in the information technology or security environment, and wherein the correlation search is executed based on a recurring schedule specified in the input;
a triggering condition reflected in criteria in the correlation search, the triggering condition representing detection of a potential security threat; and
a plurality of actions to be executed based on the triggering condition being satisfied during execution of the correlation search, the plurality of actions including:
a first action involving execution of a query against time stamped event data stored by the data intake and query system in the field-searchable data store, wherein the query is used to obtain additional information related to a notable event identified based on execution of the correlation search, and wherein execution of the query returns first results information, and
a second action to be executed by a security application that is external to the data intake and query system, wherein execution of the second action by the security application returns second results information;
persisting the modular alert in memory;
executing the correlation search included in the modular alert according to the recurring schedule;
detecting the triggering condition in the modular alert;
based on detecting the triggering condition, executing the plurality of actions in the modular alert including the first action and the second action;
obtaining information associated with execution of the plurality of actions; and
causing display of a graphical user interface (GUI) including information representing a notable event identified based on execution of the correlation search, the first results information obtained by executing the first action involving execution of a query against time stamped event data stored by the data intake and query system, and the second results information obtained based on the security application executing the second action.

US Pat. No. 10,771,478

SECURITY MONITORING AT OPERATING SYSTEM KERNEL LEVEL

Comcast Cable Communicati...

1. A method comprising:
determining, for each process of a plurality of processes executing on a computing device, one or more privileges for accessing one or more host interfaces;
based on a determination that a process, of the plurality of processes, is attempting to access a host interface of the one or more host interfaces, determining whether the process is privileged to access the host interface based on the one or more privileges determined for the process;
determining, based on a validation check performed after expiration of a validity period associated with the process, whether the process is valid, wherein the validity period is based on one or more of:
behavior of the process, or
the determined one or more privileges associated with the process;
based on a determination that the process is not privileged to access the host interface or that the process is not valid, determining that the process is not authorized to access the host interface; and
storing information indicating unauthorized attempts, by one or more processes of the plurality of processes, to access the one or more host interfaces.

US Pat. No. 10,771,477

MITIGATING COMMUNICATIONS AND CONTROL ATTEMPTS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
transmit an initial communication and control profile for a first malware family to a first network monitoring system, wherein the initial communication and control profile comprises: (1) a domain corresponding to a communication and control channel, and (2) at least one URL pattern comprising a path used by the communication and control channel;
at least in part in response to receiving information from a second network monitoring system, revise the initial communication and control profile for the first malware family, including by adding an additional URL pattern comprising an additional path used by the communication and control channel; and
transmit an updated communication and control profile to the first network monitoring system; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,771,476

DEFEATING MAN-IN-THE-MIDDLE ATTACKS IN ONE LEG OF 1+1 REDUNDANT NETWORK PATHS

Cisco Technology, Inc., ...

1. A method, comprising:
obtaining, at an elimination point device in a network, a master secret from a network controller;
assessing, by the elimination point device and using the master secret, whether an incoming packet received by the elimination point device from a redundant path between the elimination point device and a replication point device in the network includes a valid message integrity check (MIC), wherein the incoming packet is a 1+1 packet redundancy;
determining, by the elimination point device, whether the incoming packet was injected maliciously into the redundant path, based on the assessment of the incoming packet; and
initiating, by the elimination point device, performance of a mitigation action in the network, when the elimination point device determines that the incoming packet was injected maliciously into the redundant path.

US Pat. No. 10,771,475

TECHNIQUES FOR EXCHANGING CONTROL AND CONFIGURATION INFORMATION IN A NETWORK VISIBILITY SYSTEM

Extreme Networks, Inc., ...

1. A method for operating a network visibility system comprising a data plane component and a control plane component, the method comprising:
receiving, by the control plane component of the network visibility system, one or more first messages from the data plane component of the network visibility system, the one or more first messages comprising information identifying one or more service instances of the data plane component and information identifying one or more egress ports available on the data plane component, wherein the data plane component of the network visibility system is configured to intercept traffic on one or more networks to be monitored and to forward the intercepted traffic to one or more analytic servers;
retrieving, by the control plane component, configuration information stored on the control plane component, the configuration information comprising one or more network prefixes of one or more networks to be monitored by the network visibility system;
determining, by the control plane component, one or more mappings that maps the one or more network prefixes to the one or more egress ports and the one or more service instances, wherein determining the one or more mappings comprises using a round-robin matching of the one or more network prefixes to the one or more egress ports and the one or more service instances, each mapping in the one or more mappings identifying a network prefix, a service instance of the data plane component, and an egress port of the data plane component;
generating, by the control plane component, one or more packet forwarding rules to be programmed on the data plane component based on the one or more mappings, wherein the one or more packet forwarding rules comprise, for at least one mapping of the one or more mappings, at least one packet forwarding rule for forwarding ingress packets destined for an IP address covered by the network prefix in the at least one mapping to the egress port identified in the at least one mapping; and
transmitting, by the control plane component to the data plane component, one or more second messages including the one or more packet forwarding rules, to program the data plane component;
generating, at the data plane component and using a whitelist access control list, a whitelist table to filter out part of the intercepted traffic such that the filtered out part of the intercepted traffic is dropped and is not forwarded to the one or more analytic servers;
determining, by the data plane component and using the whitelist table, a list of one or more packets to be dropped and not to be forwarded to the one or more analytic servers; and
forwarding, by the data plane component, ingress packets, which are not in the list of one or more packets and are destined for an address covered by the one or more network prefixes in the one or more mappings, to the one or more egress ports identified in the one or more mappings.

US Pat. No. 10,771,474

SYSTEMS AND METHODS FOR COMMUNICATION CONTROL IN A RESTRICTED ENVIRONMENT

TECORE, INC., Hanover, M...

20. A method for providing persistent inbound calling to a wireless communications device operating within a restricted geographical area, comprising:
a network access controller controls RF distribution equipment to generate a restricted access boundary having a three-dimensional boundary;
the controller:
detects a wireless device at or within the boundary,
compels the wireless device to register with the controller,
tracks a geographic location of the wireless device within the boundary,
determines a classification of the wireless device as one of known, unknown and restricted,
for known wireless devices, maintains the known wireless device locked to the controller, and
for unknown and restricted wireless devices:
places a first call to the wireless device,
receives a first answer from the wireless device,
establishes a first connection with the wireless device,
sending a first message to the wireless device,
receives and processes a first response from the wireless device,
initiates a first call clearance, and
repeats a call function of placing a call, receiving an answer, establishing a connection, sending a message, receiving and processing a response from the wireless device, and initiating a call clearance until the wireless device powers off.

US Pat. No. 10,771,473

MEETING JOIN FOR MEETING DEVICE

Microsoft Technology Lice...

1. A method for providing a meeting service for an online meeting, the method comprising:
conducting an online meeting by processing audio communications between a plurality of devices including a first participant computing device;
authenticating the first participant computing device to the online meeting;
after authenticating with the first participant computing device, receiving over a network from the first participant computing device that is already authenticated with the online communication session, admission information, the admission information comprising an indication that a second participant computing device has established that it is within a locational proximity with the first participant computing device;
responsive to receiving the admission information, admitting the second participant computing device to join the online meeting based upon the received indication and the previous authentication of the first participant computing device, the second participant computing device not authorized to be admitted to join the online meeting prior to having first established the locational proximity with the first participant computing device; and
responsive to admitting the second participant computing device to join the online meeting, providing audio communications of the online meeting from the plurality of devices to the second participant computing device.

US Pat. No. 10,771,472

SYSTEM AND METHOD FOR ACCESS CONTROL USING NETWORK VERIFICATION

OPEN TEXT SA ULC, Halifa...

1. A computing device, comprising:
a processor;
a non-transitory computer readable medium coupled to the processor, the non-transitory computer readable medium storing computer executable instructions, the computer executable instructions executable by the processor of the computing device to:
store, at the computing device, first access control data associated with a first device identifier and second access control data associated with a second device identifier, the first access control data specifying a first level of access for a first local application on the computing device to first application data at a content provisioning platform remote from the computing device and the second access control data specifying a second level of access for the first local application to the first application data at the content provisioning platform;
when the computing device is connected to a first access point:
determine an identifier of the first access point;
determine that the first access control data is associated with the identifier of the first access point;
intercept a first request from the first local application to the content provisioning platform for the first application data;
based on the determination that the first access control data is associated with the identifier of the first access point, determine if the first local application is permitted to access the first application data according to the first access control data;
based on a determination that the first local application is not permitted to access the first application data according to the first access control data, block the first request; and
based on a determination that the first local application is permitted to access the first application data according to the first access control data, allow the first request to be sent to the content provisioning platform through the first access point;
when the computing device is connected to a second access point:
determine an identifier of the second access point;
determine that the second access control data is associated with the identifier of the second access point;
intercept a second request from the first local application to the content provisioning platform for the first application data;
based on the determination that the second access control data is associated with the identifier of the second access point, determine if the first local application is permitted to access the first application data according to the second access control data;
based on a determination that the first local application is not permitted to access the first application data according to the second access control data, block the second request; and
based on a determination that the first local application is permitted to access the first application data according to the second access control data, allow the second request to be sent to the content provisioning platform through the first access point.

US Pat. No. 10,771,470

AUTOMATIC ROOM CHECK-IN UPON DETECTING DEVICE IDENTIFIER OF NEW GUEST ON NETWORK OF HOSPITALITY ESTABLISHMENT

Guest Tek Interactive Ent...

1. An apparatus for controlling automatic check-in at a hospitality establishment, the apparatus comprising:
a storage device;
a network interface for coupling to a computer network of the hospitality establishment; and
one or more processors coupled to the storage device and the network interface;
wherein, by the one or more processors executing a plurality of software instructions loaded from the storage device, the one or more processors are configured to:
detect a device identifier of a user device in network traffic transmitted on the computer network of the hospitality establishment;
search a set of authorized user devices to determine whether the device identifier corresponds to any locally recognized user device at the hospitality establishment;
in response to determining that the device identifier corresponds to a locally recognized user device, take no further action because a firewall at the hospitality establishment has already been configured with one or more device-specific rules for the locally recognized user device;
in response to determining that the device identifier does not correspond to any locally recognized user device at the hospitality establishment, query one or more databases of the hospitality establishment to determine whether the device identifier is associated with a new guest registered for a particular room of the hospitality establishment; and
send a room access key to the user device via the computer network and configure the firewall with at least one rule allowing Internet access for the user device in response to determining that the device identifier is associated with the new guest registered for the particular room;
wherein the room access key allows the new guest registered for the particular room to open a door lock of the particular room.

US Pat. No. 10,771,469

CLOUD SERVICE ACCOUNT MANAGEMENT

Skyhigh Networks, LLC, C...

1. A method of implementing cloud service account management by an enterprise, the method comprising:
identifying, using a hardware processor, traffic, wherein the traffic is associated with an access at a cloud computing service, the access made using an unmanaged account that is not managed by the enterprise;
generating, using the hardware processor, a request to obtain credentials associated with the unmanaged account;
receiving the credentials associated with the unmanaged account;
in response to receiving the credentials associated with the unmanaged account, placing, using the hardware processor, the unmanaged account in a management mode so that the unmanaged account becomes a managed account; and
monitoring, using the hardware processor, the managed account at the cloud computing service.

US Pat. No. 10,771,468

REQUEST FILTERING AND DATA REDACTION FOR ACCESS CONTROL

AMAZON TECHNOLOGIES, INC....

1. A system, comprising:
at least one processor; and
memory storing instructions that, when executed by the at least one processor, cause the system to:
receive a request at a gateway serving as a proxy to at least one resource in a resource provider environment, the request received from a client device and intended for an endpoint associated with the at least one resource;
determine a role for a first registered function comprising code for execution in the resource provider environment, the role having a set of permissions for limiting the first registered function and for granting access to the at least one resource in the resource provider environment, the gateway and the first registered function associated with a first account, the at least one resource associated with a second account and accessible via the endpoint by the first registered function;
determine, by the first registered function using an access control list, to provide the request to the endpoint;
provide the request to the endpoint to access to the at least one resource;
store log data associated with the request in a first data store;
execute a second registered function on the log data, the second registered function triggered by the storing of the log data in the first data store;
redact the log data by the second registered function to generate redacted log data; and
store the redacted log data in a second data store accessible to the client device.

US Pat. No. 10,771,467

EXTERNAL ACCESSIBILITY FOR COMPUTING DEVICES

1. A computing device operated by a user of the computing device, said computing device comprising:
a verification public key;
an access control module configured to authorize an external access entity to access a cryptographic module located within the computing device, wherein:
said authorization comprises verifying a digital signature affixed by the external access entity using the verification public key;
the external access entity is not the user and is not a module executing on the computing device;
the cryptographic module is configured to use one or more communication encryption keys for encrypted communications with other devices; and
the cryptographic module is configured to provide access to the one or more communication encryption keys to an external access entity authorized by the access control module for a specified amount of time, and said cryptographic module is further configured to discontinue the access to any of said communication encryption keys after the specified amount of time expires;
said computer device further comprising an access archive module configured to record any authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.

US Pat. No. 10,771,466

THIRD-PARTY AUTHORIZATION OF ACCESS TOKENS

International Business Ma...

1. A method for third-party authorization, the method comprising:
receiving, by a resource server in a computer system, a client request from a client, wherein the client request includes an access token;
sending, by the resource server, to an introspection gateway, an introspection request for the access token based on the client request, wherein the introspection gateway uses a third-party authorization server from a plurality of third-party authorization servers to handle the introspection request;
selecting, by the introspection gateway, the third-party authorization server from the plurality of third-party authorization servers to handle the introspection request;
determining a protocol for the third-party authorization server;
converting the introspection request into a third-party request used by the third-party authorization server to introspect the access token using the protocol;
receiving a resource server response from the introspection gateway, wherein the resource server response identifies a set of scopes for the access token;
determining whether the access token has sufficient scope from the resource server response; and
responsive to the access token having the sufficient scope, granting the client access to the resource server.

US Pat. No. 10,771,465

UNIFIED WORKSPACE FOR THIN, REMOTE, AND SAAS APPLICATIONS

VMware, Inc., Palo Alto,...

1. A method comprising:
receiving a request for a software as a service (SaaS) application, wherein the request is received following the addition of an entitlement and expected provisioning state of the SaaS application for a group of users;
determining whether the SaaS application supports just in time provisioning or security assertion markup language (SAML); and
in response to determining that the requested SaaS application does not support just in time provisioning or SAML, provisioning the SaaS application for a user, the provisioning comprising:
generating a random password configured for single sign-on for the user;
providing a request to the SaaS application to create an account for the user;
updating a single sign-on service with received user account information including the random password;
provisioning the SaaS application for the user; and
creating a SaaS account in an application entitlement object store with a new provision key that provides single sign-on access to the SaaS application to the user using the random password and without providing the random password to the user.

US Pat. No. 10,771,464

SYSTEMS AND METHODS FOR SECURING SOCIAL MEDIA FOR USERS AND BUSINESSES AND REWARDING FOR ENHANCING SECURITY

SecureMySocial, Inc., Ru...

1. A method of configuring a social media filtering system, comprising: presenting to a user a configuration section of a graphical user interface containing one or more input fields;
receiving information input by a user into the one or more input fields in the configuration section of the graphical user interface;
transmitting over the internet the information input by the user to a server;
using, by the server, the information input by the user to establish a rule or a set of rules for data being posted by users to a social media platform;
determining by the server, based on one or more of (i) the established rule or the set of rules and (ii) one or more pieces of configuration information, whether the rule, the set of rules, or the configuration information requires an action from the social media filtering system, wherein the determining comprises performing an expression match between a text portion of posted social media data and filtering criteria comprising information provided by the user;
identifying the action required by the rule; and
performing the action required by the rule.

US Pat. No. 10,771,463

THIRD-PARTY AUTHORIZATION OF ACCESS TOKENS

International Business Ma...

1. A computer system comprising: a resource server running on the computer system, wherein the resource server:
receives a client request from a client in which the client request includes an access token;
sends an introspection request to an introspection gateway, wherein the introspection request is for introspection of the access token based on the client request and, wherein the introspection gateway uses a third-party authorization server from a plurality of third-party authorization servers to handle the introspection request;
receives a response from the introspection gateway, wherein the response identifies a set of scopes for the access token;
determines whether the access token has sufficient scope from a resource server response; and
grants the client access to the resource server in response to the access token having the sufficient scope;
wherein the introspection gateway:
selects the third-party authorization server from the plurality of third-party authorization servers to handle the introspection request;
determines a protocol for the third-party authorization server; and
converts the introspection request into a third-party request used by the third-party authorization server to introspect the access token using the protocol.
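The two IBM claims above (the method claim of the first entry and the system claim of US Pat. No. 10,771,463) describe the same exchange: a resource server hands an access token to an introspection gateway, the gateway picks one of several third-party authorization servers, converts the request into that server's protocol, and returns the token's scopes so the resource server can decide whether they are sufficient. The following is an added example in Python, not code from either patent; it assumes, for illustration only, that the gateway selects the authorization server from an issuer prefix in the token ("idp-a:...", "idp-b:...") and that two hypothetical backend protocols exist, an RFC 7662-style JSON introspection exchange and a pipe-delimited legacy one. The resource server fails closed: an inactive token, an unknown issuer, or a missing scope all deny access.

```python
"""Added example (not code from either IBM patent): an introspection gateway
fronting several third-party authorization servers, and a resource server that
grants access only when the introspected token carries every required scope.
Assumptions (not from the claims): issuer prefix selects the backend; the two
backend protocols below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Introspection:
    active: bool
    scopes: frozenset


class Rfc7662Backend:
    """Hypothetical authorization server answering RFC 7662-style JSON."""
    protocol = "rfc7662"

    def __init__(self, tokens):
        self._tokens = tokens  # constructed store: token -> set of scopes

    def introspect(self, request):
        scopes = self._tokens.get(request["token"])
        if scopes is None:
            return {"active": False}  # unknown or revoked: disclose nothing else
        return {"active": True, "scope": " ".join(sorted(scopes))}


class LegacyBackend:
    """Hypothetical authorization server with a pipe-delimited protocol."""
    protocol = "legacy"

    def __init__(self, tokens):
        self._tokens = tokens

    def introspect(self, request):
        _, token = request.split("|", 1)
        scopes = self._tokens.get(token)
        return "INVALID" if scopes is None else "VALID|" + ",".join(sorted(scopes))


class IntrospectionGateway:
    def __init__(self, backends):
        self._backends = backends  # issuer prefix -> backend

    def select(self, token):
        """Pick the third-party authorization server responsible for this token."""
        issuer = token.split(":", 1)[0]
        if issuer not in self._backends:
            raise LookupError("no authorization server for issuer %r" % issuer)
        return self._backends[issuer]

    def introspect(self, token):
        """Convert to the backend's protocol, normalise its reply to Introspection."""
        backend = self.select(token)
        if backend.protocol == "rfc7662":
            reply = backend.introspect({"token": token})
            if not reply.get("active"):
                return Introspection(False, frozenset())
            return Introspection(True, frozenset(reply.get("scope", "").split()))
        if backend.protocol == "legacy":
            reply = backend.introspect("INTROSPECT|" + token)
            if reply == "INVALID":
                return Introspection(False, frozenset())
            listed = reply.split("|", 1)[1].split(",")
            return Introspection(True, frozenset(s for s in listed if s))
        raise ValueError("unsupported protocol %r" % backend.protocol)


class ResourceServer:
    def __init__(self, gateway, required_scopes):
        self._gateway = gateway
        self._required = frozenset(required_scopes)

    def handle(self, access_token):
        """True only for an active token whose scopes cover the requirement."""
        try:
            result = self._gateway.introspect(access_token)
        except (LookupError, ValueError):
            return False  # fail closed when no server can vouch for the token
        return result.active and self._required <= result.scopes


def demo():
    gateway = IntrospectionGateway({
        "idp-a": Rfc7662Backend({"idp-a:t1": {"read", "write"}}),
        "idp-b": LegacyBackend({"idp-b:t2": {"read"}}),
    })
    server = ResourceServer(gateway, {"read", "write"})
    return {tok: server.handle(tok)
            for tok in ("idp-a:t1", "idp-b:t2", "idp-a:t9", "idp-c:t3")}
```

The scope check is a subset test rather than an intersection: a token that carries `read` but not `write` is refused for a request that needs both, and the gateway's protocol conversion is the only place the two backend formats differ, so the resource server never sees a raw third-party response.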

US Pat. No. 10,771,462

USER TERMINAL USING CLOUD SERVICE, INTEGRATED SECURITY MANAGEMENT SERVER FOR USER TERMINAL, AND INTEGRATED SECURITY MANAGEMENT METHOD FOR USER TERMINAL

ELECTRONICS AND TELECOMMU...

1. An integrated security management method for a user terminal, comprising: receiving, by an integrated security management server, authentication information from at least one user terminal that uses a cloud service;
authenticating, by the integrated security management server, the user terminal using the received authentication information;
transmitting, by the integrated security management server, task information to the user terminal so as to control the user terminal;
receiving, by the integrated security management server, at least one of a result of processing the task information and state information from the user terminal that verifies the task information; and
managing, by the integrated security management server, a state of the user terminal based on at least one of the result of processing and the state information.

US Pat. No. 10,771,461

MOBILE USER INTERFACE SYSTEM AND METHODS THEREFOR

Elbit Systems of America,...

1. A method comprising: connecting a mobile computer system to a vehicle computer system, wherein the vehicle computer system does not include a display device;
receiving, by the mobile computer system, mission operations data comprising access control data for accessing via an access control interface of the mobile computer system the mission operations data by user input authentication data available as a common access card issued by the U.S. government, and wherein the mission operations data is further customized for a particular mission from the vehicle computer system, the mission operations data customized for a particular mission generated by one or more vehicle I/O sensors coupled to the vehicle computer system;
displaying the mission operations data customized for a particular mission on a display device of the mobile computer system;
detecting docking of a plurality of mobile computer systems, one of which is the mobile computer system and the remainder of which are other mobile computer systems excluding the mobile computer system, to a mission planning server system located at a base facility;
downloading the mission operations data from the vehicle computer system in parallel and simultaneously with other mission operations data from the corresponding other mobile computer systems to the mission planning server system; and
wiping the mission operation data from non-volatile memory within the mobile computer system by overwriting with all zeros.

US Pat. No. 10,771,460

MOBILE USER INTERFACE SYSTEM AND METHODS THEREFOR

Elbit Systems of America,...

1. A method comprising: detecting docking of a plurality of mobile computer systems to a mission planning server system located at a base facility;
uploading a first mission data and a second mission data in parallel and simultaneously to each of a plurality of mobile computer systems from the mission planning server system, wherein the first and second mission data comprises access control data for accessing via an access control interface the first and second mission data by user input of authentication data available as a common access card issued by the U.S. government;
detecting docking of a first mobile computer system of the plurality of mobile computer systems to a docking device of a vehicle computer system;
responsive to detecting the docking, connecting an external data communication network of the vehicle computer system to a bridge logic device in the first mobile computer system via the docking device;
uploading, via the external data communication network, the first mission data to a non-volatile random access memory of the vehicle computer system and coupled to the bridge logic device in the first mobile computer system; and
uploading, via the external data communication network, the second mission data to the non-volatile random access memory of the vehicle computer system and coupled to the bridge logic device in the first mobile computer system, the second mission data comprising programming instructions for execution on the vehicle computer system, wherein the vehicle computer system is external to the first mobile computer system.

US Pat. No. 10,771,459

TERMINAL APPARATUS, SERVER APPARATUS, BLOCKCHAIN AND METHOD FOR FIDO UNIVERSAL AUTHENTICATION USING THE SAME

Electronics and Telecommu...

1. A method for Fast Identity Online (FIDO) universal authentication using a terminal apparatus, a server apparatus, and a blockchain, comprising: sending, by the terminal apparatus, a FIDO service request for any one of FIDO registration, FIDO authentication, and FIDO deregistration for an application service provided by the server apparatus to the server apparatus;
verifying, by the blockchain, a FIDO service response message, which is created as a result of local authentication of a user in the terminal apparatus in response to the FIDO service request; and
processing, by the server apparatus, the FIDO service request based on whether the FIDO service response message is successfully verified by the blockchain,
wherein the verifying of the FIDO service response message is configured such that, when the FIDO service request is a request for the FIDO authentication or the FIDO deregistration and when a credential identifier thereof is included in an authentication information list that includes credential identifiers associated with the identification information of the user, the terminal apparatus performs local authentication of the user, creates an electronic signature signed with a private key associated with the credential identifier, and creates the FIDO service response message, including the electronic signature and the credential identifier, and
wherein the processing of the FIDO service request is configured such that the blockchain acquires information that is required for verifying second information included in the FIDO service response message from a blockchain database using first information included in the FIDO service response message and verifies the FIDO service response message by verifying the second information using the acquired information.

US Pat. No. 10,771,458

PROXIMITY-BASED USER AUTHENTICATION

MicroStrategy Incorporated...

1. A method comprising: detecting, by a client device, a change in a proximity status of a second device that has been designated as an authentication token for a user, wherein the change in the proximity status indicates that the second device has entered a predetermined level of proximity of the client device after previously being outside the predetermined level of proximity;
in response to detecting the change in proximity status indicating that the second device has entered the predetermined level of proximity to the client device, sending, by the client device and to a server system, a proximity status change message indicating that the proximity status has changed such that the second device has entered the predetermined level of proximity of the client device;
after sending the proximity status change message indicating that the second device entered the predetermined level of proximity of the client device, determining, by the client device, that the proximity status of the second device is maintained based on detecting the second device remaining within the predetermined level of proximity of the client device;
after determining that the proximity status of the second device is maintained, receiving, by the client device, data indicating an attempt to access a resource using the client device while the second device is within the predetermined level of proximity to the client device;
in response to receiving the data indicating the attempt to access the resource, sending, by the client device, an authentication request to the server system;
receiving, by the client device and from the server system, data indicating approval of the authentication request determined based on the proximity status of the second device that the client device determined before the attempt to access the resource; and
providing, by the client device, access to the resource based on receiving the data indicating approval of the authentication request.
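The claim above splits the work between a client device that watches a designated token device and a server that approves an authentication request from the proximity status the client reported earlier. The following is an added example in Python, not MicroStrategy's code, of that exchange with both sides' messages. Its assumptions, none of which come from the claim: range is judged from a received signal strength threshold, a token device not sighted for `timeout` seconds is treated as having left (and that change is reported before any access attempt is forwarded), and the wire messages are plain dicts.

```python
"""Added example (not MicroStrategy's code): client device reports proximity
changes of a designated token device; the server approves authentication from
the status it already holds.  Assumptions: RSSI threshold for range, a silence
timeout for a token that walks away, dict messages.
"""


class AuthServer:
    def __init__(self):
        self._in_range = {}  # client id -> last reported proximity status

    def receive(self, message: dict) -> dict:
        if message["type"] == "proximity_change":
            self._in_range[message["client"]] = message["in_range"]
            return {"type": "ack"}
        if message["type"] == "auth_request":
            # The decision rests on the status reported before the access attempt.
            approved = self._in_range.get(message["client"], False)
            return {"type": "auth_response", "approved": approved}
        return {"type": "error"}


class ClientDevice:
    def __init__(self, client_id, token_device, server,
                 rssi_threshold=-70, timeout=10.0):
        self.client_id = client_id
        self.token_device = token_device  # device designated as the user's token
        self.server = server
        self.rssi_threshold = rssi_threshold
        self.timeout = timeout
        self.in_range = False
        self.last_seen = None

    def _set_status(self, in_range: bool):
        """Report to the server only on an actual change, as the claim does."""
        if in_range != self.in_range:
            self.in_range = in_range
            self.server.receive({"type": "proximity_change",
                                 "client": self.client_id, "in_range": in_range})

    def observe(self, device_id: str, rssi: int, now: float):
        """Called for every radio sighting; only the designated token counts."""
        if device_id != self.token_device:
            return
        if rssi >= self.rssi_threshold:
            self.last_seen = now
            self._set_status(True)
        else:
            self._set_status(False)

    def _maintained(self, now: float) -> bool:
        """Has the token stayed in range since the last change was reported?"""
        if self.last_seen is None or now - self.last_seen > self.timeout:
            self._set_status(False)  # token went silent: report before proceeding
        return self.in_range

    def access(self, resource: str, now: float) -> bool:
        """Attempt to open a resource; ask the server only if status is maintained."""
        if not self._maintained(now):
            return False
        reply = self.server.receive({"type": "auth_request",
                                     "client": self.client_id, "resource": resource})
        return bool(reply.get("approved"))
```

The timeout is the caveat that matters in practice: the server only ever learns what the client last told it, so a client that stops hearing the token must downgrade its own state and report that before it relays an access attempt, otherwise a stale "in range" report keeps approving requests after the user has walked away.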

US Pat. No. 10,771,457

SYSTEM AND METHOD FOR PROVIDING A ONE-TIME KEY FOR IDENTIFICATION

1. A system, comprising: a memory that stores instructions;
a processor that executes the instructions to perform operations, the operations comprising:
transmitting, if a first key of a worker device matches a second key received from a customer device, identification details received from the customer device to the worker device; and
transmitting, in response to receipt of an acknowledgement of the identification details from the worker device, an authentication of the second key and the identification details to the customer device, wherein the acknowledgement further verifies that a worker possesses the worker device or verifies a location of the worker.

US Pat. No. 10,771,456

TOKEN BASED ONE-TIME PASSWORD SECURITY

Amazon Technologies, Inc....

1. A computer implemented method for securing access in computing systems, the method comprising: generating a plurality of one-time password (OTP) codes based at least in part on a seed value;
encoding the plurality of OTP codes by applying a hash function to the plurality of OTP codes, the hash function for an individual one of the OTP codes based at least in part on a time identifier that indicates a predetermined event duration during which the respective OTP code is valid; and
providing a data structure containing the plurality of encoded OTP codes to a verification system to authenticate one or more access requests to one or more cloud-based services, the seed value being inaccessible to the verification system, and the plurality of OTP codes being valid during the predetermined event duration.
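The point of the claim above is that the verifier never holds the seed: it receives only hashes of the codes, each bound to the event window in which it is valid. The following is an added example in Python, not Amazon's code. It assumes HOTP (RFC 4226) as the way codes are derived from the seed, SHA-256 over an integer time identifier as the encoding hash, and that a code is consumed on first successful use; none of these choices are stated in the claim.

```python
"""Added example (not Amazon's code): derive a batch of HOTP codes from a seed,
encode each as SHA-256(time_id || code), hand only the digests to a verifier
that never sees the seed.  Assumptions: RFC 4226 HOTP, integer event window,
codes burn on first use.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def encode_code(code: str, time_id: int) -> str:
    """Bind a code to its validity window; the verifier stores only this digest."""
    return hashlib.sha256(struct.pack(">Q", time_id) + code.encode()).hexdigest()


def build_table(seed: bytes, time_id: int, count: int) -> dict:
    """The data structure handed to the verification system (no seed inside)."""
    digests = {encode_code(hotp(seed, c), time_id) for c in range(count)}
    return {"time_id": time_id, "digests": digests}


class VerificationSystem:
    """Authenticates access requests from the digest table alone."""

    def __init__(self, table: dict):
        self._time_id = table["time_id"]
        self._unused = set(table["digests"])  # mutable: a code is spent on use

    def verify(self, code: str, now_time_id: int) -> bool:
        if now_time_id != self._time_id:
            return False  # outside the event window these codes were issued for
        digest = encode_code(code, now_time_id)
        if digest not in self._unused:
            return False  # unknown, or already spent
        self._unused.discard(digest)  # one-time: a replay of the same code fails
        return True
```

Because the digest includes the time identifier, a table built for one event window cannot be replayed against another, and because the verifier only ever sees digests, compromising it yields neither the seed nor any not-yet-used code. The HOTP test vectors from RFC 4226 (seed `12345678901234567890`, counters 0, 1, 2 give 755224, 287082, 359152) make the example checkable by hand.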

US Pat. No. 10,771,455

SYSTEM AND METHOD FOR ENABLING SECURE AUTHENTICATION

Cryptomathic Ltd., Cambr...

1. A mobile device for enabling secure authentication between a user and a third party using a one-time-passcode (OTP) authentication mechanism, the mobile device comprising: a mobile device screen for displaying information to the user; and
first circuitry configured to implement a local one-time-passcode generating module which is configured to:
generate at regular intervals a local one-time-passcode which is unique to the mobile device and is valid for use in a single authentication, wherein the local one-time-passcode is a regularly changing local one-time-passcode;
receive, from second circuitry configured to implement a remote authentication module, a third party one-time-passcode which is unique to the third party via a short message service (SMS) message sent from the remote authentication module; and
combine the regularly changing locally generated local one-time-passcode with the received third party one-time-passcode to generate a combined one-time-passcode for authenticating the user to the third party,
wherein the combined one-time-passcode is displayed to the user on the mobile device screen.

US Pat. No. 10,771,454

INFORMATION PROCESSING SYSTEM AND INFORMATION PROCESSING METHOD

KYOCERA DOCUMENT SOLUTION...

1. An information processing system, comprising: a terminal device;
an end server; and
an intermediate server connected to the terminal device and the end server via a network, the intermediate server including
a communication device that communicates with the terminal device and the end server,
a memory device that stores an ID correspondence table that registers a combination of first login information and second login information, the first login information being for logging in to the intermediate server, the second login information being for logging in to the end server, and
a controller,
when the controller executes an information processing program, the controller operating as
an ID issue receiving unit that receives an issue application using the second login information from the terminal device, the issue application being an application for issuing the first login information for accessing an API (Application Programming Interface) of the intermediate server and logging in to the intermediate server by the terminal device,
an end server accessing unit that,
when the ID issue receiving unit receives the issue application from the terminal device,
accesses an API (Application Programming Interface) of the end server by using the second login information used in the issue application received from the terminal device to log in to the end server, and
determines whether or not login to the end server is successful,
an ID issuing unit that,
where the login is successful,
issues, to the terminal device, the first login information on a basis of the issue application, and
registers a combination of the issued first login information and the second login information provided from the terminal device in the ID correspondence table in a one-to-one correspondence, and
an end server access receiving unit that
receives an access request from the terminal device, the access request requesting to access the end server by using the first login information and the second login information, and
where a combination of the first login information and the second login information in the access request is registered in the ID correspondence table, causes the end server accessing unit to access the end server.

US Pat. No. 10,771,453

USER-TO-USER INFORMATION (UUI) CARRYING SECURITY TOKEN IN PRE-CALL AUTHENTICATION

Cisco Technology, Inc., ...

1. A telecommunication apparatus, comprising: a hardware processor in a caller station where telephone calls are initiated, the hardware processor configured to:
generate a telephone call set-up message associated with a telephone call, the telephone call set-up message including a user-to-user information (UUI) field,
generate a security token which includes an authentication key that is embedded in the security token at the caller station prior to initiating the telephone call,
include the security token in the UUI field of the telephone call set-up message, and
establish the telephone call once an authentication subsystem in a telecommunication component of a telecommunication system authenticates the authentication key that is embedded in the security token of the UUI field of the telephone call set-up message, wherein the authentication subsystem sends a response message to the telecommunication component after authenticating the authentication key that is embedded in the security token, wherein if the security token is deemed valid based on the authenticating, the response message indicates that a telephone call establishment process should continue, further wherein if the security token is deemed invalid based on the authenticating, the response message indicates that the telephone call is unauthorized or that the telephone call should be released; and
a network interface configured to:
send the telephone call set-up message through a telephone network to the authentication subsystem before the telephone call is established with a subscriber.

US Pat. No. 10,771,452

AUTONOMOUS CONFIGURATION OF EMAIL CLIENTS DURING EMAIL SERVER MIGRATION

SKYKICK, INC., Seattle, ...

1. A computer-implemented method for facilitating electronic mail clients to migrate from a first source system to a first destination system, the electronic mail clients including a first electronic mail client being executed on a first computing system, wherein a mail assistant application is also being executed on the first computing system, the method comprising: obtaining, by the mail assistant application, first user information regarding a first user that is using the first computing system, the first user information including an identification associated with the first user;
sending, by the mail assistant application, the first user information to a remote computer, wherein the remote computer is separate and distinct from the destination system;
receiving, at the mail assistant application from the remote computer, first destination system information regarding the first user, the first destination system information indicating an account of the first user at the first destination system;
sending, by the mail assistant application, one or more requests to receive user credential information;
obtaining, by the mail assistant application, a credential associated with the first user for logging into the first source system based on received credential information;
causing, by the mail assistant application, the credential to be confirmed by logging into the first destination system or the first source system using the credential and the account of the first user at the first destination system;
after a confirmation of the credential, generating, by the mail assistant application, first configuration information for automatically connecting the first electronic mail client to the first destination system;
effectuating, by the mail assistant application, the connection of the first electronic mail client to the first destination system using the first configuration information;
receiving, at the mail assistant application from the remote computer, information regarding the first user, the information indicating an address of the first user at a second destination system;
causing, by the mail assistant application, the credential to be confirmed by logging into the second destination system using the credential and the address of the first user at the second destination system;
after a confirmation of the credential, generating, by the mail assistant application, second configuration information for automatically connecting the first electronic mail client to the second destination system;
effectuating, by the mail assistant application, the connection of the first electronic mail client to the first destination system using the second configuration information;
obtaining, by the mail assistant application, an order key associated with the first user; and
sending the order key to the remote computer for verification.

US Pat. No. 10,771,451

MOBILE AUTHENTICATION AND REGISTRATION FOR DIGITAL CERTIFICATES

Queralt, Inc., New Haven...

1. A system for peer-to-peer registering a user and a mobile device to an online service server via a network connection based on a public-private key pair in which certified information about the user and information about the mobile device are used in a new registration request where the private key is securely retained in the device and the public key is registered with the online service server, the system comprising: a memory and a processor;
a software executing on the mobile device transmitting information about the user from the mobile device to a Public Key Infrastructure (PKI) authentication server via a network connection;
said software executing on the mobile device receiving from the PKI authentication server a digitally signed electronic document containing certified information about the user;
wherein the certified information about the user is selected from the group consisting of: the user's name, an email address, an expiration date, a unique serial number assigned to the electronic document by the second authentication server, the user's public key, information about rights and uses associated with the electronic document, a name of an authentication service that issued the electronic document, an authentication service signature, and an algorithm identifier that identifies which algorithm was used to sign the electronic document and combinations thereof;
said software executing on the mobile device transmitting a registration request to the online service server via a network connection;
said online service server transmitting data relating to the registration request to a Fast Identity Online (FIDO) authentication server via a network connection;
said software executing on the mobile device receiving a peer-to-peer registration request based on the public-private key pair from the FIDO authentication server via a network connection;
said software executing on the mobile device retrieving the certified information about the user from the digitally signed electronic document;
said software executing on the mobile device inserting the certified information about the user and inserting information about the mobile device into a peer-to-peer registration message and transmitting the peer-to-peer registration message to the FIDO authentication server.

US Pat. No. 10,771,450

METHOD AND SYSTEM FOR SECURELY PROVISIONING A REMOTE DEVICE

BlackBerry Limited, Wate...

1. A method at a computing device for provisioning a network-connected device within a security platform, the method comprising: receiving a first connection request, the first connection request being from an electronic apparatus distinct from the network-connected device, and including a network-connected device identifier for the network-connected device;
authenticating the first connection request, thereby creating a first connection;
receiving a second connection request, the second connection request being from the network-connected device and including the network-connected device identifier and a shared platform credential;
receiving a request from the network-connected device to add the network-connected device to the security platform;
adding the network-connected device to the security platform based on a concurrent first connection and the request from the network-connected device to add the network-connected device to the security platform;
receiving a third connection request from a second network-connected device;
determining that no connection request including an identifier for the second network-connected device was received from any electronic apparatus; and
ignoring the third connection request.
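The check the claim above turns on is a concurrency condition: a device is added only while an authenticated connection from a separate apparatus naming that device's identifier is still open, and a device that nobody has vouched for is simply ignored rather than answered. The following is an added example in Python, not BlackBerry's code. It assumes the apparatus authenticates with a per-user secret, the device presents a shared platform credential, sessions are in-memory identifiers, and a claim is spent once it has been used to add a device; the claim language does not specify any of these.

```python
"""Added example (not BlackBerry's code): a provisioning service that admits a
network-connected device only while an authenticated apparatus holds a
concurrent connection naming that device, and ignores unvouched-for devices.
Assumptions: per-apparatus secrets, a shared platform credential, in-memory
sessions, one-shot claims.
"""
import hmac
import secrets


class ProvisioningService:
    def __init__(self, platform_credential: bytes, apparatus_secrets: dict):
        self._platform_credential = platform_credential
        self._apparatus_secrets = apparatus_secrets  # apparatus id -> secret
        self._pending = {}          # device id -> apparatus session vouching for it
        self._device_sessions = {}  # device session -> device id
        self.platform_devices = set()

    def connect_apparatus(self, apparatus_id: str, secret: bytes, device_id: str):
        """First connection: an apparatus authenticates and names the device."""
        expected = self._apparatus_secrets.get(apparatus_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None
        session = secrets.token_hex(8)
        self._pending[device_id] = session
        return session

    def disconnect_apparatus(self, session: str):
        """Closing the first connection withdraws every claim it made."""
        for device_id, s in list(self._pending.items()):
            if s == session:
                del self._pending[device_id]

    def connect_device(self, device_id: str, shared_credential: bytes):
        """Second connection, from the device itself; silently ignored if no
        apparatus has named this identifier (the claim's third-connection case)."""
        if not hmac.compare_digest(self._platform_credential, shared_credential):
            return None
        if device_id not in self._pending:
            return None
        session = secrets.token_hex(8)
        self._device_sessions[session] = device_id
        return session

    def add_device(self, device_session: str) -> bool:
        """Add only while the vouching apparatus connection is still open."""
        device_id = self._device_sessions.get(device_session)
        if device_id is None or device_id not in self._pending:
            return False
        self.platform_devices.add(device_id)
        del self._pending[device_id]  # the claim is spent once used
        return True
```

The shared platform credential alone is deliberately not enough: it is the same for every device of the platform, so an attacker who extracts it from one unit gains nothing unless an authenticated apparatus is, at that moment, naming the identifier the rogue device presents.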

US Pat. No. 10,771,449

METHOD AND SYSTEM FOR TRUSTWORTHINESS USING DIGITAL CERTIFICATES

MASTERCARD INTERNATIONAL ...

1. A method for generating digital certificates for anonymous users in blockchain transactions, comprising: storing, in a memory of a processing server, a blockchain, wherein the blockchain is comprised of a plurality of blocks, each block including a block header and one or more transaction values, where each transaction value includes data related to a blockchain transaction including at least a sending address, a recipient address, and a transaction amount;
receiving, by a receiving device of the processing server, a certificate request from a computing device, wherein the certificate request includes at least a user public key of a cryptographic key pair;
executing, by a querying module of the processing server, a query on the memory to identify a subset of transaction values included in the blockchain where the included sending address or recipient address was generated using the user public key;
determining, by a determination module of the processing server, a confidence level associated with the computing device based on at least the data included in each transaction value included in the subset;
generating, by a generation module of the processing server, a digital certificate based on the determined confidence level associated with the computing device; and
electronically transmitting, by a transmitting device of the processing server, the generated digital certificate to the computing device,
wherein responsive to the computing device engaging in a blockchain transaction with a secondary computing device, the computing device having sent the generated digital certificate to the secondary computing device, the generated digital certificate is configured to cause the secondary computing device to transmit the blockchain transaction to a node associated with the blockchain responsive to the determined confidence level associated with the computing device being equal to or above a confidence level associated with the secondary computing device.

US Pat. No. 10,771,448

SECURE FEATURE AND KEY MANAGEMENT IN INTEGRATED CIRCUITS

CRYPTOGRAPHY RESEARCH, IN...

1. A method comprising: receiving, by a security manager core of an integrated circuit, a digitally signed message comprising a signature and feature update information, the feature update information comprising a command that, when executed by the security manager core, enables the security manager core to update a functionality of a hardware feature of the integrated circuit to be at least one of locked, unlocked, or modified;
obtaining, by the security manager core, a secret key from a secure memory of the integrated circuit;
verifying, by the security manager core, the signature of the digitally signed message using the secret key; and
executing, by the security manager core, the command to update the functionality of the hardware feature when the signature is verified, wherein the executing the command comprises:
sending, by the security manager core, a first signal to the hardware feature to lock the functionality of the hardware feature when the feature update information specifies the functionality is to be locked;
sending, by the security manager core, a second signal to the hardware feature to unlock the functionality of the hardware feature when the feature update information specifies the functionality is to be unlocked; or
sending, by the security manager core, a third signal to the hardware feature to modify the functionality of the hardware feature when the feature update information specifies the functionality is to be modified, wherein the command is associated with an encrypted payload;
deriving, by the security manager core, a mixed key using a base key accessible to the security manager core;
deriving, by the security manager core, a transport key using the mixed key;
decrypting, by the security manager core, the encrypted payload using the transport key to obtain a decrypted payload; and
delivering, by the security manager core, the decrypted payload to the hardware feature.
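The claim above is a small protocol: verify the message's signature with a key read from secure memory, execute the lock/unlock/modify command only after that check, and for a modify command derive a mixed key from a base key, a transport key from the mixed key, and use the transport key to decrypt the attached payload before handing it to the hardware feature. The following is an added example in Python that models that flow in software; it is not Cryptography Research's code and does not describe their hardware. Assumptions, all chosen for the example: HMAC-SHA256 is the signature primitive (the claim says "secret key", so a symmetric check fits), one-step HMAC derivation stands in for the core's KDF, an HMAC-based counter keystream stands in for its block cipher, and the message layout is `signature || feature_id || command || payload`.

```python
"""Added example (not Cryptography Research's code): software model of a
security manager core handling a signed feature-update message.  Assumptions:
HMAC-SHA256 signature, HMAC-based KDF, HMAC counter keystream as the cipher,
message layout = 32-byte tag || feature_id(1) || command(1) || payload.
"""
import hashlib
import hmac
import struct

LOCK, UNLOCK, MODIFY = 1, 2, 3


def derive(key: bytes, label: bytes) -> bytes:
    """One-step HMAC key derivation (stand-in for the core's KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC; XOR is its own inverse."""
    out = bytearray()
    for start in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack(">I", start // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


class HardwareFeature:
    """Records the signals the core sends on the feature's control lines."""

    def __init__(self):
        self.signals = []
        self.payload = None

    def lock(self):
        self.signals.append("lock")

    def unlock(self):
        self.signals.append("unlock")

    def modify(self, payload: bytes):
        self.signals.append("modify")
        self.payload = payload


class SecurityManagerCore:
    def __init__(self, secret_key: bytes, base_key: bytes, feature: HardwareFeature):
        self._secret_key = secret_key  # obtained from secure memory
        self._base_key = base_key
        self._feature = feature

    def handle(self, message: bytes) -> bool:
        if len(message) < 34:
            return False
        sig, body = message[:32], message[32:]
        expected = hmac.new(self._secret_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False  # unsigned or tampered update: nothing executes
        feature_id, command, encrypted = body[0], body[1], body[2:]
        if command == LOCK:
            self._feature.lock()
        elif command == UNLOCK:
            self._feature.unlock()
        elif command == MODIFY:
            mixed = derive(self._base_key, b"mix" + bytes([feature_id]))
            transport = derive(mixed, b"transport")
            self._feature.modify(keystream_xor(transport, encrypted))
        else:
            return False
        return True


def build_message(secret_key: bytes, base_key: bytes, feature_id: int,
                  command: int, payload: bytes = b"") -> bytes:
    """Issuer side: encrypt a MODIFY payload under the same key chain, then sign."""
    if command == MODIFY:
        mixed = derive(base_key, b"mix" + bytes([feature_id]))
        payload = keystream_xor(derive(mixed, b"transport"), payload)
    body = bytes([feature_id, command]) + payload
    return hmac.new(secret_key, body, hashlib.sha256).digest() + body
```

Two details are worth noticing. The signature covers the encrypted payload, so a flipped ciphertext bit is rejected before any decryption or delivery happens, and the mixed key is bound to the feature identifier, so a transport key derived for one feature cannot decrypt a payload intended for another.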

US Pat. No. 10,771,447

TENANT-AWARE DISTRIBUTED APPLICATION AUTHENTICATION

Illumina, Inc., San Dieg...

1. A computer-implemented method of authenticating clients accessing a cluster of a plurality of application hosting platform instances, the method comprising: from a client authenticated to access a first application hosted on a first application hosting platform instance of the cluster via an authentication token, receiving, at a second instance of the application hosting platform, a request to access a second application hosted on the second application hosting platform instance of the cluster;
responsive to the request, fetching the authentication token from the client to the second instance of the application hosting platform;
determining one of the application hosting platform instances of the cluster as being a primary authentication application hosting platform instance based on tenant-specific authentication configuration information comprising a specified primary authentication application hosting platform instance, wherein the tenant-specific authentication configuration information comprising the specified primary authentication application hosting platform instance is configurable per tenant;
sending a validation request for the authentication token to the primary authentication application hosting platform instance;
receiving validation confirmation of the authentication token from the primary authentication application hosting platform instance; and
responsive to receiving validation confirmation, granting access to the second application hosted on the second application hosting platform instance to the client.

US Pat. No. 10,771,446

WIRELESS COMMUNICATION APPARATUS, AUTHENTICATION APPARATUS, WIRELESS COMMUNICATION METHOD AND AUTHENTICATION METHOD

KABUSHIKI KAISHA TOSHIBA,...

1. An electronic apparatus, comprising: first wireless communication circuitry configured to communicate with a first electronic apparatus via a first wireless signal conforming to a wireless LAN standard, wherein a first address is assigned to the first wireless communication circuitry; and
second wireless communication circuitry configured to receive a second wireless signal conforming to a standard of near field communication and notifying a service set identifier (SSID) of a wireless communication system comprising the first electronic apparatus;
wherein the first wireless communication circuitry is further configured to:
transmit an association request frame comprising the first address in a source address field and a second address assigned to the first electronic apparatus in a destination address field to the first electronic apparatus after reception of the SSID via the second wireless communication circuitry;
receive an association response frame comprising a status code from the first electronic apparatus; and
transmit a data frame to the first electronic apparatus, if the status code of the association response frame indicates a success.

US Pat. No. 10,771,445

ELECTRONIC DEVICE, SERVER, ELECTRONIC DEVICE CONTROLLING METHOD, INFORMATION PROCESSING METHOD AND RECORDING MEDIUM

SONY CORPORATION, Tokyo ...

1. An information processing device, comprising: an interface configured to
receive an instruction of an association operation executed by an association operation program in an electronic device from a user; and
store log information of the association operation executed by the association operation program having been executed by the electronic device with another device; and
circuitry configured to
determine an execution range of the association operation program in the electronic device, the association operation program being a program executed by the electronic device regarding the association operation between the electronic device and the other electronic device within the determined execution range, wherein the execution range is a range of allowed functions that are permitted to be performed,
wherein the association operation program describes an entity executing an operation, a function of an Application Programming Interface (API) to be used, and a parameter set for the API,
wherein the electronic device and the other device are external to the information processing device, and
wherein the association operation program includes a first part in which permission based on the authentication information is necessary for execution, and a second part in which the permission based on the authentication information is not necessary for execution, and
the circuitry is configured to execute the second part regardless of the authentication information.

US Pat. No. 10,771,444

DISTRIBUTED AUTHENTICATION

Hewlett-Packard Developme...

1. A system, comprising: a microprocessor;
a non-transitory machine-readable storage device that stores instructions that are executable by the microprocessor to:
operate a key distribution module to:
generate a paired public key and private key in association with a user, to split the private key into a set of shares, and
distribute members of the set of shares to a set of devices associated with the user, wherein:
a size of the set of shares is generated such that a number of members of the set of shares exceeds a number of members of the set of devices, and
a device of the set of devices associated with the user receives multiple members of the set of shares;
operate an authentication module to:
generate a challenge to authenticate the user, and
grant the user access to a resource upon receiving an authenticating response to the challenge;
operate a challenge module to:
distribute the challenge to members of the set of devices; and
operate a combiner module to:
receive partial responses from members of the set of devices, combine the partial responses into a group signature, and
provide the group signature to the authentication module, where:
each partial response corresponds to a member of the set of shares, and
the group signature serves as an authenticating response to the challenge when generated from partial responses corresponding to a threshold number of shares.

US Pat. No. 10,771,443

METHOD AND APPARATUS FOR PROVIDING ENHANCED STREAMING CONTENT DELIVERY WITH MULTI-ARCHIVE SUPPORT USING SECURE DOWNLOAD MANAGER AND CONTENT-INDIFFERENT DECODING

III Holdings 12, LLC, Wi...

1. A method comprising: receiving a request from a user device for executing selected content;
identifying a download assistant service to facilitate the fulfillment of the request;
selecting a codec from among a plurality of codecs depending on a method of executing content employed at the user device and a designated content type of the selected content,
wherein the plurality of codecs comprise at least two different codecs to handle at least one of different types of content and different methods of executing content at the user device;
calling the selected codec to verify a license associated with the selected content;
generating, by the selected codec, an installation code;
sending, by the selected codec and to the download assistant, an activation code based on the installation code, the activation code indicating verification of the license associated with the selected content; and
providing to the user device the selected download assistant service and the selected codec for enabling execution of the selected content at the user device,
wherein the executing comprises performing multiple simultaneous or near simultaneous downloads of the selected content via the selected download assistant service, placing the selected content into buffers via the selected download assistant service, and decrypting and unpacking the buffers via the selected codec.

US Pat. No. 10,771,442

SYSTEM AND METHOD FOR AUTHENTICATING AND ENABLING AN ELECTRONIC DEVICE IN AN ELECTRONIC SYSTEM

ANVAYA SOLUTIONS, INC., ...

1. A requesting device node, executing on a computing system, the requesting device node comprising: a device query data packet generator, executing on the computing system, to generate a device query packet including data representing one or more identifiers of a protected device and a particular paired system; and
an obfuscation state machine of the particular paired system configured with a pre-defined quantity of state elements, a pre-defined quantity of the state elements being functional state elements, the obfuscation state machine being programmed with an authentication key to cause the obfuscation state machine to transition the protected device from an initial obfuscation state to a functional state, the protected device being further configured to obtain the authentication key from secure data storage if a flag is asserted.

US Pat. No. 10,771,441

METHOD OF SECURING AUTHENTICATION IN ELECTRONIC COMMUNICATION

ADUCID S.R.O., Brno-Priz...

1. A method of securing authentication in electronic communication between at least one user authentication means and at least one server authentication means, comprising the steps of: performing primary authentication in a first step of an authentication transaction, wherein a secondary authentication secret is created within said primary authentication and shared between the user authentication means and the server authentication means, wherein the secondary authentication secret is valid only for a given authentication transaction;
creating a first authentication vector element product by using said secondary authentication secret as an input for a transformation, performed by the user authentication means separately on at least one authentication vector element (AVE(i)), wherein an authentication vector is an ordered set of authentication vector elements (AVE(i)),
transferring the first authentication vector product from the user authentication means to the server authentication means; and
evaluating the transferred first authentication vector product by the server authentication means using the secondary authentication secret,
wherein a value of the authentication vector element (AVE(i)) is stored in the user authentication means and/or the value of the authentication vector element (AVE(i)) is entered into the user authentication means by the user or obtained from an information medium or from an outer environment before or during the authentication transaction, and/or the value of the authentication vector element (AVE(i)) is obtained before or during the authentication transaction from a transformed value of the authentication vector element (T-AVE(i)) using information entered by the user or obtained from an information medium or the outer environment, and an authentication vector element reference (AVER(i)) is stored in the server authentication means or is obtained before or during the authentication transaction from an information medium or from the outer environment.

US Pat. No. 10,771,440

DETECTING DISCLOSED CONTENT SOURCES USING DYNAMIC STEGANOGRAPHY

Box, Inc., Redwood City,...

1. A method comprising: identifying a rendered view of an object comprising an image, the image having multiple sites where one or more steganographic messages have been placed, wherein the one or more steganographic messages correspond to one or more attributes of a source that have been encoded into the image by modifying pixel data in the image, wherein a particular steganographic message comprises a matrix of squares where a square of the matrix of squares represents a binary value used to modify the pixel data at a given pixel location;
uploading the rendered view of the object to a server to detect a steganographic message by retrieving object attributes from a security database and using the object attributes to implement at least one of scaling the object or partitioning the object to identify the multiple sites having placement of the one or more steganographic messages within a partition of the object;
decoding the steganographic message from at least one of the multiple sites that was detected using the at least one of scaling the object or partitioning the object to identify the source; and
extracting user information according to steganographic settings associated with the object.

US Pat. No. 10,771,439

SHIELDED NETWORKS FOR VIRTUAL MACHINES

MICROSOFT TECHNOLOGY LICE...

1. A method, performed by a host computing device comprised of storage hardware and processing hardware, and a network interface card (NIC), the method comprising: executing a virtualization layer that manages the execution of virtual machines (VMs) on the host computing device;
securely capturing health data of the host computing device, the health data corresponding to boot and/or code state of the host computing device;
sending the health data via a network to a guardian service implemented by one or more guardian hosts;
receiving a health certificate via the network from the guardian service, the health certificate corresponding to a determination by the guardian service that the health data is consistent with securely stored prior health data of the host computing device;
transmitting the health certificate and an identifier of the VM via the network and in response receiving a VM key of a VM on the host computing device, wherein the VM key is uniquely associated with the VM, and wherein the VM key is sent to the host computing device based on the transmitted health certificate and the identifier of the VM; and
configuring the virtualization layer to use the VM key to (i) encrypt outbound network communications from the VM, and (ii) decrypt inbound network communications before they are delivered to the VM, wherein the outbound network communications remain encrypted by the VM key when they are transmitted by the NIC of the host.

US Pat. No. 10,771,438

CONTEXT-BASED PROTOCOL STACK PRIVACY

INTERDIGITAL PATENT HOLDI...

1. A method for use in a wireless transmit/receive unit (WTRU), the method comprising: selecting a privacy profile, wherein the privacy profile includes privacy and security settings for each layer of a protocol stack of the WTRU, wherein the privacy and security settings include at least one of (1) using anonymous dynamic host configuration protocol (DHCP) signaling parameters, the anonymous DHCP signaling parameters including a hostname, (2) using a non-static medium access control (MAC) address, and (3) using a non-static Internet protocol (IP) address; and
instructing each respective layer of the protocol stack of the WTRU with the privacy and security settings based on the selected privacy profile.

US Pat. No. 10,771,437

SYSTEMS AND METHODS FOR DELIVERING MESSAGES OVER A NETWORK

SLING MEDIA L.L.C., Fost...

1. An automated process executable by a computer system operating as a message server communicating via a network with a client device, the automated process comprising: receiving a first message from the client device at the message server via the network;
in response to the first message, the message server establishing a connection between the message server and the client device via the network;
maintaining the connection between the message server and the client device as a persistent connection;
subsequently receiving an instruction message by the message server from a network service that is separate from the message server that identifies the client device; and
in response to the instruction message received from the network service, the message server sending a message to the client device via the persistent connection previously established between the message server and the identified client device to direct the identified client device to establish an outgoing connection to the network service that is identified in the instruction message.

US Pat. No. 10,771,436

DYNAMIC WHITELIST MANAGEMENT

CISCO TECHNOLOGY, INC., ...

1. A method comprising: at a proxy for a network:
obtaining a traffic flow;
determining whether a security policy in a whitelist for the traffic flow is active; and
if it is determined that the security policy for the traffic flow is active:
selectively decrypting the traffic flow to produce one or more traffic flow attributes;
based on the one or more traffic flow attributes, determining whether the traffic flow is potentially malicious;
in response to determining that the traffic flow is potentially malicious, deactivating the security policy for the traffic flow; and
in response to deactivating the security policy for the traffic flow, decrypting one or more subsequent traffic flows.

US Pat. No. 10,771,435

ZERO TRUST AND ZERO KNOWLEDGE APPLICATION ACCESS SYSTEM

Netskope, Inc., Santa Cl...

1. A system for providing policy-controlled communication over the Internet between a plurality of remote services and a plurality of third party applications executing on a client device, the system comprising: a client endpoint function configured to execute on the client device while coupled to a first VPN tunnel, the client endpoint function comprising:
a first policy component, enforcing a plurality of policies on network packet traffic for a plurality of applications, wherein the plurality of policies specify one or more aspects of processing of network sessions from a third party application to a remote service,
a first interceptor component that identifies network packet traffic and network sessions compliant with the plurality of policies, and
a first VPN endpoint component, which provides a connection to a mid-link server using a first VPN tunnel configured in accordance with the plurality of policies, wherein:
the first VPN endpoint component establishes the first VPN tunnel from the client device to the mid-link server, and
the network packet traffic being redirected by the first interceptor component to the first VPN tunnel and away from other network interfaces for the plurality of remote services;
a service endpoint function that operates a remote service of the plurality of remote services, the service endpoint function at a service location, the service endpoint function further comprising:
a second interceptor component that identifies network packet traffic using the plurality of policies, and
a second VPN endpoint component that connects to the mid-link server using a second VPN tunnel configured in accordance with the plurality of policies, wherein:
the second VPN endpoint component establishes the second VPN tunnel between the service location and the mid-link server,
the second VPN endpoint component provides the remote service to a third party application of the plurality of third party applications running on the client device, and
the second VPN tunnel carries the network packet traffic from the remote service and the mid-link server with the network packet traffic being related to a corresponding third party application executing on the client device; and
a mid-link server, coupled to the first VPN tunnel and the second VPN tunnel, the mid-link server comprising:
a first and second VPN termination point that authenticates and terminates the first and second VPN tunnels at a mid-link server,
a second policy component, wherein the second policy component uses the plurality of policies to specify at least: policy-based routing, packet re-addressing, and content mediation rules on packet traffic arriving from the first VPN tunnel,
a router component interposed between the first and second VPN tunnels, wherein the router component operates to route network packet traffic between the first and second VPN tunnels via a route specified by the plurality of policies,
an inspection component that analyzes network packet traffic in accordance with the plurality of policies, and
a mediation component, effective to mask network addresses of the client device and service devices from each other, wherein the third party application operates with the remote service to provide functionality to the client device.

US Pat. No. 10,771,434

ROUTE SIGNALING DRIVEN SERVICE MANAGEMENT

Juniper Networks, Inc., ...

1. In a system having a plurality of network devices, wherein the plurality of network devices includes a first network device and a second network device, a method of modifying services provided by one or more of the network devices, the method comprising: identifying defined events in each of a plurality of applications, wherein the plurality of applications includes a first application and wherein the defined events include a first defined event associated with the first application;
assigning a signal-route to each defined event, wherein assigning a signal-route to each defined event includes assigning a first signal-route to the first defined event;
executing the first application within the first network device;
detecting occurrence of the first defined event within the first application executing on the first network device; and
in response to detecting occurrence of the first defined event within the first application executing on the first network device, modifying one or more services provided by the second network device, where modifying one or more services includes:
modifying a routing information base (RIB) of the first network device, wherein modifying includes changing the RIB by adding the first signal-route to or removing the first signal-route from the RIB; and
advertising, from the first network device to the second network device, the change in the RIB.

US Pat. No. 10,771,433

AUTOMATIC MANAGEMENT OF FIREWALL RULES AND POLICIES IN ACCORDANCE WITH RELEVANCY TO NETWORK TRAFFIC OF A WIRELESS NETWORK

Fortinet, Inc., Sunnyval...

1. A computer-implemented method, in a firewall device having a processor and a network communication interface, the firewall device implemented at least partially in hardware and on a data communication network, for automatically managing firewall rules and policies in accordance with application changes of a wireless network, the method comprising the steps of: storing firewall rules in a repository of the firewall device;
detecting at a station that an application has been added, and enabling related firewall rules at the firewall device;
assigning default values to relevancy scores for firewall rules when initially stored;
identifying the application from a network packet associated with a wireless network;
applying a specific firewall rule to the network packet being examined based on the identified application and based on a ranking of a relevancy score, wherein the specific firewall rule belongs to a predetermined rule category, and the relevancy score is above a specific relevancy threshold;
responsive to the specific firewall rule application, increasing the relevancy score associated with the specific firewall rule and decreasing relevancy scores for other firewall rules of the predetermined firewall rule category that are not applied to the network packet;
ranking firewall rules of the category, for order of application, based on the relevancy scores;
disabling firewall rules having relevancy scores below a predetermined relevancy threshold;
and detecting at the station that the application has been removed, and disabling related firewall rules at the firewall device.

US Pat. No. 10,771,432

SYSTEMS AND METHODS FOR DYNAMIC FIREWALL POLICY CONFIGURATION

Level 3 Communications, L...

1. A method for firewall configuration comprising: receiving, at a processing device, input defining a firewall policy for a firewall managing access to a subnet of network components deployed within a communications network, the firewall policy including a firewall configuration for the firewall and a network component configuration for a network component of the subnet of network components;
executing, using the processing device and a virtual network component, first instructions associated with the firewall configuration;
executing, using the processing device and the virtual network component, second instructions associated with the network component configuration;
determining, based on the execution of the first instructions, that the firewall configuration is valid;
determining, based on the execution of the second instructions, that the network component configuration is valid;
automatically configuring, using the processing device, the firewall configuration at the firewall and the network component configuration at the network component in response to determining that the firewall configuration and the network component configuration are valid;
activating, using the processing device, the firewall within the communications network to manage traffic to and from the subnet;
receiving a modification to the firewall policy to unblock an application from accessing the subnet;
modifying the firewall policy to allow at least a portion of network traffic associated with the application to pass through the firewall unblocked; and
implementing the modified firewall policy at the firewall.

US Pat. No. 10,771,431

SYNCHRONIZING IP INFORMATION OF VIRTUAL MACHINES

Lenovo Enterprise Solutio...

1. A method for synchronizing internet protocol (IP) information of virtual machines in a switch, the method comprising: prior to a migration of a virtual machine within a subnet:
obtaining, by a switch, an IP relevant message of the virtual machine within the subnet by snooping a transmission of another device in the subnet;
recording, by the switch, IP information and connection information of the virtual machine based on the IP relevant message; and
in response to migration of the virtual machine, modifying, by the switch, connection information of the virtual machine while maintaining the IP information of the virtual machine through migration.

US Pat. No. 10,771,430

DYNAMIC RESOURCE CONFIGURATION SYSTEM AND METHOD FOR DISTRIBUTED COMPUTING ENVIRONMENTS

EMC IP Holding Company LL...

1. A dynamic resource configuration system comprising: a computing system in communication with a resource, the computing system comprising at least one processor and at least one memory to store computer readable instructions that when executed by the at least one processor:
receive, from the resource, a network configuration request message to configure one or more network parameters of the resource;
obtain a unique identity of the resource using the received network configuration request message;
receive a null message in response to a first resource information record request based on the unique identity of the resource;
assign a temporary Internet Protocol (IP) address to the resource in response to receiving the null message;
transmit, after receiving the null message and to the resource using the assigned temporary IP address, a second resource information record request;
obtain, from the resource and based on the second resource information record request, resource information comprising customized configuration parameters for the resource and characteristic information for the resource;
replace the temporary IP address with a new IP address based on the resource information;
select a preboot execution environment (PXE) server from among a plurality of PXE servers, the selected PXE server to be used for configuration of the resource by applying the customized configuration parameters to the resource in accordance with one or more customization policies; and
communicate with the selected PXE server to configure the resource using the customized configuration parameters.

US Pat. No. 10,771,429

MECHANISMS FOR SOLVING AN IP FRAGMENTATION OVERLAPPING ISSUE IN L2VPN USING MULTIPLE IP ADDRESSES IN GRE HEADERS

VMware, Inc., Palo Alto,...

1. A computer-implemented method for using multiple IP addresses in Generic Routing Encapsulation (“GRE”) IP headers to prevent Internet Protocol Identifier (“IPID”) fragmentation overlapping in L2VPN networks, the method comprising: receiving, by an edge service gateway, a packet that requires fragmenting;
determining whether the edge service gateway is configured to prevent IPID fragmentation overlapping;
in response to determining that the edge service gateway is configured to prevent IPID fragmentation overlapping:
creating a plurality of packet fragments based on, at least in part, the packet;
wherein a packet fragment of the plurality of packet fragments:
comprises a GRE IP header, one or more additional headers, and a portion of the packet;
stores an IPID generated for the packet in an IPID field in the GRE IP header;
stores a source private IP address in a source IP address field in the GRE header;
stores a destination private IP address in a destination IP address field in the GRE header; and
wherein the source private IP address, the destination private IP address and the IPID collectively form a packet identifier of the packet.

US Pat. No. 10,771,428

GEOCODING WITH GEOFENCES

GEOFRENZY, INC., Tiburon...

1. A geocode delivery system, comprising: at least one device including a processor coupled with a memory, wherein the at least one device is constructed and configured for wireless communication and programmed to send a request for geofence information over a network;
at least one geocode linked to the at least one geofence, wherein each of the at least one geocode is assigned an Internet Protocol (IP) address or an Internet Protocol version 6 (IPv6) address;
wherein the at least one geofence includes an anchor point, wherein the anchor point is identifiable via a unique Internet Protocol (IP) address or a unique Internet Protocol version 6 (IPv6) address and wherein one of the at least one geocode is registered as the anchor point;
wherein a domain name is assignable to each unique IP address or each unique IPv6 address for each of the plurality of geocodes and/or the anchor point of the at least one geofence;
wherein the domain name is comprised of a plurality of characters, wherein the plurality of characters is translatable to a location;
wherein the at least one device is operable to receive a Domain Name Service (DNS) response to the request;
wherein each of the at least one geocode and the at least one geofence is assigned at least one subdomain name and/or at least one domain name;
wherein a plurality of metadata are linked to the at least one geofence;
wherein the plurality of metadata includes classes, entitlements, and/or lookup table identifiers, wherein the plurality of metadata are operable to be redefined via the lookup table identifiers;
wherein a search engine is configured to receive the request from the at least one device over the network and identify whether a geocode is within the at least one geofence, wherein the geocode is directly translated to coordinate points through the lookup table or indirectly translated to the coordinate points through an algorithm; and
wherein at least one real estate title and at least one permission are linked to at least one real property boundary, wherein the at least one real property boundary is not defined by a user, wherein the at least one real property boundary includes the at least one geofence or the at least one geocode, wherein the at least one real property boundary is linked to the at least one geofence or is linked to the at least one geocode through the IP address or the IPv6 address associated with the at least one geocode, wherein the at least one real estate title or the at least one permission has at least one owner.

US Pat. No. 10,771,427

SYSTEMS AND METHODS FOR DETERMINING CHARACTER ENTRY DYNAMICS FOR TEXT SEGMENTATION

VERISIGN, INC., Reston, V...

1. A method, implemented by a computer, for determining user-specific word boundaries in a domain name, the method comprising: receiving a string of non-space delimited alphanumeric characters entered by a user, the string of non-space delimited alphanumeric characters comprising a plurality of words, and representing a potential domain name to be registered;
obtaining a time value associated with a time at which each non-space delimited alphanumeric character is entered by the user;
determining one or more possible word boundaries between the plurality of words in the string of non-space delimited alphanumeric characters based at least partially on a segmentation process;
determining, by the computer and for each character in the string of non-space delimited alphanumeric characters, an amount of time taken between each time value associated with the time at which each non-space delimited alphanumeric character is entered by the user, wherein the amount of time is filtered;
determining, by the computer and based on each amount of time between each time value and the one or more possible word boundaries, one or more actual time-specified word boundaries between the plurality of words in the string of non-space delimited alphanumeric characters;
segmenting, by the computer, the string of non-space delimited alphanumeric characters into a time-specified set of words based on the one or more actual time-specified word boundaries between the plurality of words in the string of non-space delimited alphanumeric characters;
determining, by the computer, one or more alternate words for a word from the time-specified set of words, wherein the one or more alternate words have a similar meaning to the word;
creating, by the computer, one or more domain names using the one or more alternate words and the time-specified set of words; and
displaying, to the user, a registration availability of the one or more domain names.

US Pat. No. 10,771,426

ROUTING MESSAGES BASED ON MESSAGE TYPE OF MESSAGES

SAP SE, Walldorf (DE)

1. A computer implemented method comprising: receiving a message from a service provider;
identifying that a message type of the message is not previously determined;
upon identifying that the message type of the message is not previously determined, identifying whether the message is selected for message type determination;
upon identifying that the message is selected for the message type determination, applying a classification rule to determine the message type of the message, wherein the classification rule provides an indication of the message type of the message to be person-to-person (P2P) or application-to-person (A2P);
upon identifying that the message is not selected for the message type determination, determining the message type of the message as the P2P message; and
based upon the determined message type of the message, pre-defined routing rules including a first pre-defined routing rule and a second pre-defined routing rule, and a priority of each of the pre-defined routing rules, routing the message to a corresponding route point to allow particular corresponding processing of the message to be performed based on the determined message type of the message.

US Pat. No. 10,771,425

ELECTRONIC MESSAGE LIFECYCLE MANAGEMENT

HUBSPOT, INC., Cambridge...

1. A method of managing a lifecycle of an electronic message comprising:
preparing a message for delivery by adding at least one header value that facilitates identifying the message;
updating at least one link in the message to include metadata that facilitates identifying a recipient of the message, wherein the at least one link in the message includes at least one target URL;
tracking and recording life cycle events throughout a delivery phase and an engagement phase of the lifecycle of the message; and
determining at least one of a degree of engagement and a quality of engagement of the recipient with the message based on at least a portion of the tracked and recorded life cycle events,
wherein updating the at least one link in the message comprises rewriting the at least one target URL based at least in part on a type of the message, wherein the type of the message is a plain text email or an HTML email, and
wherein updating the at least one link in the message comprises rewriting the at least one target URL into a short URL that is a link to a resolution server that redirects to a longer URL that provides access to a resource that is consistent with the at least one target URL.

US Pat. No. 10,771,424

USABILITY AND RESOURCE EFFICIENCY USING COMMENT RELEVANCE

Microsoft Technology Lice...

1. A computer-implemented method comprising:
for each one of a plurality of user-generated content for an online post on a social networking service, receiving, by at least one hardware processor, corresponding member feature data and corresponding comment feature data, each one of the plurality of user-generated content having been authored by a corresponding commenter, the member feature data comprising professional identity data of a member of the social networking service and indicating at least one of a professional experience of the member and a professional skill of the member, the corresponding comment feature data comprising a length of the corresponding one of the plurality of user-generated content;
for each one of the plurality of user-generated content, forming a joined set of features including the corresponding comment feature data;
for each one of the plurality of user-generated content, generating, by the at least one hardware processor, a corresponding score based on the corresponding member feature data and the joined set of features, the joined set of features on which the generating of the corresponding score is based including the length of the corresponding user-generated content, the generating of the corresponding score comprising applying a minimum length threshold or applying a maximum length threshold, the applying of the minimum length threshold comprising decreasing the corresponding score based on the corresponding user-generated content having fewer than a minimum number of words, and the applying of the maximum length threshold comprising decreasing the corresponding score based on the corresponding user-generated content having more than a maximum number of words;
ranking, by the at least one hardware processor, the plurality of user-generated content based on the generated scores; and
causing, by the at least one hardware processor, at least one of the plurality of user-generated content to be displayed in a position in a user interface of a computing device of the member based on the ranking of the at least one of the plurality of user-generated content, the position in which the at least one of the plurality of user-generated content is displayed being determined based on, at least in part, the corresponding length of the at least one of the plurality of user-generated content.

US Pat. No. 10,771,423

SYSTEMS AND METHODS TO CONTROL EVENT BASED INFORMATION

Facebook, Inc., Menlo Pa...

1. A computer-implemented method comprising:
providing, by a computing system, content items, generated by at least one of connections or a group of a user, relating to an event for presentation in a first section of a page of a social networking system dedicated to the event, wherein the content items are ranked for presentation based on at least one of an affinity between a connection who generated a content item and the user, an affinity between a group that generated a content item and the user, and a value reflecting an extent to which a content item is associated with the event;
providing, by the computing system, a plurality of options to the user to personalize a post of the user to indicate an expression of support by the user for the event, wherein the post includes a narrative;
providing, by the computing system, a live feed of information relating to the event for presentation in a second section of the page, wherein the live feed comprises content items organized and presented by categories, the categories comprising authorities, eyewitness communications, eyewitness media, and metadata;
providing, by the computing system, a summary of segments of the event for presentation on the page, wherein the segments include portions of the event based on intervals of time or occurrence of certain activities; and
appending, by the computing system, a reference to the post of the user related to the event indicating an activity of the event that is contemporaneous with generation of the post.

US Pat. No. 10,771,422

DISPLAYING INTERACTIVE NOTIFICATIONS ON TOUCH SENSITIVE DEVICES

APPLE INC., Cupertino, C...

1. A method, comprising:
at an electronic device with one or more processors and memory:
while the electronic device is locked:
receiving a first message; and
displaying a first notification element in a first area of a user interface, the first notification element comprising information about the received first message;
while displaying the first notification element, receiving a user-generated reply to the first message;
after receiving the user-generated reply to the first message, receiving a user input for opening an application associated with the first notification element; and
in response to the user input, displaying the application associated with the first notification element in a second area of the user interface, including maintaining, in the displayed application, information for the user-generated reply that has already been received.

US Pat. No. 10,771,421

SYSTEMS AND METHODS FOR FAIR INFORMATION EXCHANGE USING PUBLISH-SUBSCRIBE WITH BLOCKCHAIN

Intel Corporation, Santa...

1. A first broker apparatus comprising:
memory including a distributed ledger to store a message to be relayed from a publisher to a first subscriber; and
a processor to at least:
compute, triggered by receipt of the message, a proof-of-work (PoW) function, the PoW function defined based on a latency value associated with the first broker apparatus, to synchronize timing of a) delivery of the message from the first broker apparatus to the first subscriber with b) delivery of the message from a second broker apparatus to a second subscriber;
verify the computation of the PoW function;
transmit, upon verifying the computation of the PoW function, the message to the first subscriber; and
process feedback to update the PoW function.

US Pat. No. 10,771,420

CREATING AND UPDATING DIGITAL NOTES VIA ELECTRONIC MESSAGES

Microsoft Technology Lice...

1. A system for creating digital notes, the system comprising:
an electronic processor configured to:
receive an electronic message from a user to an electronic messaging address, the electronic message including content and accessible via an email application;
determine whether the electronic messaging address is associated with the user;
in response to the electronic messaging address being associated with the user, automatically create a digital note including at least a portion of the content included in the electronic message;
automatically update the content of the electronic message to include a link to the digital note as received by the user, the link selectable by the user to access the digital note within a note-taking application;
receive a reply to the electronic message from the user; and
automatically update the digital note based on the reply.

US Pat. No. 10,771,419

PROVIDING CONTEXT-AWARE VISUAL ELEMENTS IN A COMMUNICATION SETTING

FACEBOOK, INC., Menlo Pa...

1. A method comprising:
monitoring real-time device data received from a recipient client device associated with a recipient, wherein the real-time device data is passively obtained from the recipient client device without express input from the recipient;
analyzing the real-time device data to determine a plurality of behavior characteristics associated with the recipient, wherein a behavior characteristic of the plurality of behavior characteristics comprises the recipient being inactive on a communication thread between a first sender associated with a first sender client device and the recipient;
utilizing, by at least one processor, a communication context model to determine a first communication context of the recipient based on the plurality of behavior characteristics associated with the recipient and the first sender;
providing, prior to the first sender client device sending an electronic communication intended for the recipient, the first communication context to the first sender client device to cause the first sender client device to display a first visual element corresponding to the first communication context of the recipient in connection with the communication thread;
utilizing, by the at least one processor, the communication context model to determine a second communication context of the recipient based on the plurality of behavior characteristics associated with the recipient and a second sender associated with a second sender client device, wherein the second communication context differs from the first communication context; and
providing the second communication context to the second sender client device to cause the second sender client device to display a second visual element corresponding to the second communication context.

US Pat. No. 10,771,418

SYSTEM AND METHOD FOR SECURELY PERFORMING MULTIPLE STAGE EMAIL PROCESSING WITH EMBEDDED CODES

Iconix, Inc., San Jose, ...

1. A method, comprising:
intercepting an email directed to a recipient;
adding a script with executable instructions into a new header added to the email, the email including a header that remains unchanged, wherein adding further includes adding executable code and data as the script that a device of the recipient extracts from the new header and processes the executable code with the data for authentication of the email, wherein the new header is in addition to and different from the header, the header is an existing email message header for the email message, and wherein the executable code, when executed on the device of the recipient, provides failure instructions performed on authentication failure that replace a sender address provided in a from field of the email with a text string relevant to the authentication failure;
providing the new header as an email component that enables custom email tasks to be performed on the email by processing entities in a multi-stage email processing system at different stages along an email delivery chain for the email;
forwarding the email with the new header to an email server for delivery to the recipient; and
receiving, maintaining, and indexing events generated when processing the email and custom email tasks, wherein the events comprise: a first marked event indicating the email was authenticated in a list view of messages, a second marked event indicating the email was authenticated in a message pre-view view of the email, a third marked event indicating the email was authenticated in an individual message viewing of the email, a fourth marked event indicating the email was associated with phishing in the list view of email messages, a fifth marked event indicating the email was associated with phishing in the pre-view of the email, a sixth marked event indicating the email was associated with phishing in the individual message viewing of the email, a first unmarked event indicating the email was not authenticated in the list view of the messages, a second unmarked event indicating the email was not authenticated in the pre-view view of the email, and a third unmarked event indicating the email was not authenticated in the individual message viewing.

US Pat. No. 10,771,417

CONTROL OF MESSAGES IN PUBLISH/SUBSCRIBE SYSTEM

International Business Ma...

1. A method for allowing a corresponding publishing user to maintain fine-grain control of a message throughout an entire publish/subscribe architecture and for an entire useful life of the message, the method comprising:
creating the message and metadata associated with the message, wherein the metadata, as selected by the corresponding publishing user, includes an event marker associated with a public event that occurs at different date ranges in different geographic locations such that the event marker is capable of defining the fine-grain control of the message in the form of date range restrictions on use of the message to be applied differentially by a plurality of subscribing systems in the publish/subscribe architecture; and
publishing the message with the associated metadata to the plurality of subscribing systems,
wherein the receipt of the published metadata with the event marker at each subscribing system causes that subscribing system to look up the date range of the public event at its geographic location and restrict the use of the message by its corresponding subscribing user based on that date range such that fine-grain control of the message is maintained by the publishing user.

US Pat. No. 10,771,416

CONTROL OF MESSAGES IN PUBLISH/SUBSCRIBE SYSTEM

International Business Ma...

1. A system for allowing a corresponding publishing user to maintain fine-grain control of a message throughout an entire publish/subscribe architecture and for an entire useful life of the message, the system comprising:
a memory; and
a processor in communication with the memory, the processor configured to obtain program instructions from the memory that cause the processor to perform a method comprising:
creating the message and metadata associated with the message, wherein the metadata, as selected by the corresponding publishing user, includes an event marker associated with a public event that occurs at different date ranges in different geographic locations such that the event marker is capable of defining the fine-grain control of the message in the form of date range restrictions on use of the message to be applied differentially by a plurality of subscribing systems in the publish/subscribe architecture; and
publishing the message with the associated metadata to the plurality of subscribing systems,
wherein the receipt of the published metadata with the event marker at each subscribing system causes that subscribing system to look up the date range of the public event at its geographic location and restrict the use of the message by its corresponding subscribing user based on that date range such that fine-grain control of the message is maintained by the publishing user.

US Pat. No. 10,771,415

COMPUTER SYSTEM AND METHOD FOR ADDING ATTRIBUTES TO AN ELECTRONIC MESSAGE ON BEHALF OF THE MESSAGES SENDER

PF Loop, Inc., Arlington...

1. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(A) receiving, via a first medium, an original message created by a message creator, wherein the message encodes first message information and message recipient data representing an identity of the message recipient, wherein receiving the original message comprises receiving the original message over a network via a first communication protocol;
(B) receiving attribute input from the message recipient;
(C) producing a modified message, within a software application and without using the first communication protocol, based on the original message and the attribute input;
(D) prompting the message creator to accept or reject the modified message; and
(E) receiving input from the message creator indicating one of acceptance and rejection of the modified message.

US Pat. No. 10,771,414

AUTHENTICATION IN MESSAGING PLATFORMS FOR WEB CONTENT

International Business Ma...

1. A processor-implemented method for authenticating a user in messaging platforms for web content, the method comprising:
ingesting, by a processor, a plurality of electronic messages from a user account;
identifying a user-targeted marketing link within the plurality of electronic messages;
identifying a messaging ID associated with the user account when the user clicks the identified user-targeted marketing link with a uniform resource locator (URL);
verifying the messaging ID associated with the user is correct based on the plurality of electronic messages by analyzing specific information related to a “To” field, a “Name” field, a “Body” field or a “Time” field of the electronic messages;
in response to verifying the messaging ID associated with the user is correct, modifying one of the plurality of electronic messages by appending a personalized token to the URL;
transmitting the modified electronic message to the electronic mailbox associated with the user that includes the personalized token in the URL; and
in response to user interaction with the URL, processing the URL to provide access to promotional content without the user having to log in to websites associated with the promotional content.

US Pat. No. 10,771,413

SYSTEM AND METHOD FOR CUSTOMIZING ELECTRONIC MESSAGES

Wells Fargo Bank, N.A., ...

1. A method comprising:
retrieving document details associated with a user from at least one database stored on a storage device, the document details including a user identifier that identifies the user, a due date, and an amount due;
querying, using at least one processor, the at least one database using the user identifier to determine a plurality of values, the plurality of values including a trending value, and a historical value separate from the amount due;
matching the historical value, due date, trending value, and amount due to an electronic message property set from a plurality of message property sets, the electronic message property set including properties of:
a message content;
a number of repetitions for transmission of the electronic message; and
an interval between repetitions of transmission;
applying the electronic message property set to at least one electronic message; and
transmitting the at least one electronic message in accordance with the applied property set.

US Pat. No. 10,771,412

CHARACTER-BY-CHARACTER CHAT FOR AUTONOMOUS VEHICLE SUPPORT

GM GLOBAL TECHNOLOGY OPER...

1. A user interface device disposed within an autonomous vehicle, the user interface device comprising:
a display;
a processor in communication with the display; and
memory that stores instructions that, when executed by the processor, cause the processor to perform acts comprising:
establishing a communication link between the user interface device and a remote computing device, wherein the remote computing device is disposed remotely to the autonomous vehicle;
receiving, through the communication link, one or more outputs from the remote computing device, wherein each of the one or more outputs define a character of text, and wherein each of the one or more outputs is cryptographically signed;
authenticating each of the one or more outputs received from the remote computing device as the one or more outputs are received from the remote computing device; and
displaying the text on a character-by-character basis on the display within the autonomous vehicle as each of the one or more outputs is received from the remote computing device and authenticated.

US Pat. No. 10,771,411

DISPLAY METHOD, INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING TERMINAL, DISPLAY PROGRAM

LINE CORPORATION, Tokyo ...

1. A display method of displaying a message on a terminal, comprising:
receiving a first message and a second message, the second message being a message received after the first message from another terminal different from the terminal;
associating the first message and a first reception time at which the first message is received and a first storage time at which the first message is received in a storage;
associating the second message and a second reception time at which the second message is received and a second storage time at which the second message is received in the storage; and
displaying the first message and the second message stored in the storage spaced apart at a spacing interval, the spacing interval being proportional to a difference between a first time associated with the first message and a second time associated with the second message, the first time being one of the first reception time and the first storage time and the second time being one of the second reception time and the second storage time.

US Pat. No. 10,771,410

DEVICES, SYSTEMS AND METHODS FOR SUPPORTING A VETERINARY PRACTICE

Zoetis Services LLC, Par...

1. A system for supporting a veterinary practice, the system comprising:
an electronic network;
an animal device worn by an animal and in communication with the electronic network, the animal device having a biocompatible sensor, and the animal device being configured to collect wellness data from an animal and transmit the collected wellness data over the electronic network, the wellness data being related to compliance with a veterinarian-prescribed regimen of a prescribed medication for the animal;
at least one veterinarian device in communication with the electronic network, the veterinarian device being configured to receive and display the wellness data received or processed over the electronic network;
a processor in communication with the electronic network and controlled by a plurality of computer executable instructions stored in a memory, the memory being in communication with the processor;
an animal owner device in communication with the electronic network and configured to send wellness data to the processor;
a display device in communication with the processor;
a graphical user interface generated by the processor for display at the display device in response to the execution of the plurality of instructions by the processor;
a plurality of actuatable icons displayed as part of the graphical user interface, the actuatable icons being associated with a plurality of business-related functions for operating a veterinary practice, each icon being actuatable to access an associated portlet and display additional information associated with the respective function of a veterinary practice on the graphical user interface;
an animal segmentation module configured to filter and segment a plurality of individual animal records from an animal records database housing animal wellness data received from animal owner devices;
a messaging module configured to compose and send a message to the animal owner device based on the segmented animal records; and
wherein the processor is configured to generate and send an alert to the at least one veterinarian device when the animal is not in compliance with the veterinarian-prescribed regimen of the prescribed medication for the animal.

US Pat. No. 10,771,409

REAL-TIME TRIGGER FOR EVENT-BASED ELECTRONIC COMMUNICATION SYSTEM MESSAGING

Dropbox, Inc., San Franc...

1. A method performed by a computing system comprising one or more processors and storage media storing one or more programs, the one or more programs comprising instructions executed by the one or more processors to perform the method, the method comprising:
queuing an event pertaining to one or more user accounts of an online service;
dequeuing the event and transforming the dequeued event to a trigger, the trigger having a name corresponding to a type of the event;
mapping the trigger to an action, the mapping based on the name of the trigger; and
dispatching the action for the one or more user accounts to an actor configured to carry out the action;
wherein:
the action comprises an identifier of a messaging track, the messaging track represented by a directed graph having nodes and one or more edges between the nodes; and
the actor carries out the action including placing each user account of the one or more user accounts on the messaging track by associating each user account of the one or more user accounts with a node of the nodes.

US Pat. No. 10,771,408

CHATBOT SYSTEM AND SERVICE METHOD THEREOF

ELECTRONICS AND TELECOMMU...

1. A chatbot system comprising:
a consumer chatbot, executable by a processor, configured to understand a purpose of conversation of a user, converse with provider chatbots provided by property and service providers, in place of the user, and provide a result of the conversation to the user,
wherein the consumer chatbot comprises:
a consumer chatbot input comprising a user purpose recognizer recognizing a purpose of the user based on a user input conversation, and an information satisfaction determiner determining before provider chatbots are selected whether or not information in said user input conversation, which the consumer chatbot uses to converse with the provider chatbots, is satisfactory according to the recognized purpose of the user;
a chatbot-to-chatbot conversation part comprising an object provider chatbot recognizer selecting provider chatbots supposed to perform conversation, based on the purpose of the user and the satisfied information recognized via the consumer chatbot input, to allow the consumer chatbot to converse with the selected provider chatbots, a consumer chatbot inquiry generator generating an inquiry, for which the consumer chatbot is supposed to converse with the selected provider chatbots, a provider chatbot reply analyzer analyzing replies received from the provider chatbots through the conversation performed, and a purpose completion determiner determining whether or not the purpose of the user has been completed by analyzing final replies of the provider chatbots; and
a consumer chatbot output recognizing a result corresponding to the purpose of the user, from among replies of the provider chatbots, and generating a final consumer chatbot reply.

US Pat. No. 10,771,407

MULTI-LEVEL BOT ARCHITECTURE FOR DATA ACCESS

PAYPAL, INC., San Jose, ...

1. A method for using multi-level bots comprising an integration bot and a plurality of domain bots, the method comprising:
accessing, via the integration bot, a chat text provided by a chat application instance, the chat text indicating a user query to a knowledge system, wherein the chat application instance is on a user device remote from the multi-level bots;
accessing, via the integration bot, a user state associated with a user of the chat application instance, the user state indicating previous chat texts associated with the chat application instance and corresponding knowledge queries;
generating, via the integration bot and based on the user state and analysis of the chat text, a knowledge query for the integration bot to access data at the knowledge system that comprises the plurality of domain bots;
determining, via the integration bot and based on the knowledge query, a domain bot from the plurality of domain bots to which the knowledge query will be directed and a communication protocol associated with the domain bot;
determining, via the integration bot, a security level associated with the domain bot;
removing, via the integration bot, text elements from the knowledge query based on the security level of the domain bot;
communicating, from the integration bot to the domain bot, the knowledge query using the communication protocol to obtain a reply from the domain bot;
generating, via the integration bot, a response text for the chat application instance based on the reply from the domain bot and the user state, wherein the response text includes at least one text element that was removed from the knowledge query based on the security level of the domain bot; and
communicating, via the integration bot, the response text to the chat application instance remote from the multi-level bots.

US Pat. No. 10,771,406

PROVIDING AND LEVERAGING IMPLICIT SIGNALS REFLECTING USER-TO-BOT INTERACTION

Microsoft Technology Lice...

1. One or more computing devices for assisting users in interacting with BOTs, comprising:
hardware logic circuitry, the hardware logic circuitry corresponding to: (a) one or more hardware processors that perform operations by executing machine-readable instructions stored in a memory, and/or (b) one or more other hardware logic components that perform operations using a task-specific collection of logic gates, the operations including:
detecting a BOT-recommendation event in a course of a transaction performed by a current user;
in response to the BOT-recommendation event, identifying, using a recommendation engine provided by the hardware logic circuitry, at least one recommended BOT in a collection of BOTs, to provide a recommendation result,
said identifying being based, in part, on implicit quality signals provided in a signal data store; and
sending an electronic message to a user computing device associated with the current user, the electronic message conveying the recommendation result provided by the recommendation engine,
the implicit quality signals in the signal data store being provided in a signal-providing process, performed by the hardware logic circuitry, which involves:
providing the implicit quality signals over a span of time that reflect quality of service provided by the collection of BOTs to a group of users in a course of performing transactions; and
storing the implicit quality signals in the signal data store,
the BOTs corresponding to computer-implemented agents that provide respective services to the group of users,
said providing involving capturing transaction information related to transaction-related events that occur over a course of communication between the group of users and the BOTs, and
the implicit quality signals including at least:
one or more user-behavior implicit signals, each of which describes one or more actions taken by a given user in interacting with a given BOT, and each of which has an implicit bearing on quality of service provided by the given BOT; and
one or more BOT-behavior implicit signals, each of which describes one or more actions taken by the given BOT in interacting with the given user, and each of which has an implicit bearing on quality of service provided by the given BOT,
wherein the transaction performed by the current user corresponds to an interaction between the current user and a current BOT,
wherein the current BOT corresponds to a computer-implemented agent that provides a service to the current user, and
wherein the hardware logic circuitry further includes an abandonment-determination component that is configured to:
receive one or more current-transaction implicit quality signals produced in a course of the interaction between the current user and the current BOT, each current-transaction implicit quality signal having an implicit bearing on quality of service provided by the current BOT to the current user; and
use decision logic provided by the hardware logic circuitry to map said one or more current-transaction implicit quality signals to an output result that constitutes the BOT-recommendation event, wherein the BOT-recommendation event indicates that the current user has abandoned the transaction with the current BOT, or is likely to abandon the transaction with the current BOT,
the decision logic generating the output result based, at least in part, on the implicit quality signals provided in the signal data store,
said at least one recommended BOT identified by the recommendation engine being different from the current BOT.

US Pat. No. 10,771,405

SWITCHING AND LOAD BALANCING TECHNIQUES IN A COMMUNICATION NETWORK

Cisco Technology, Inc., ...

1. A method for switching data in a communication network, comprising: obtaining at a source access network device a packet to send to a target access network device, wherein each of the source access network device and the target access network device is coupled to each of a plurality of core network devices;
transmitting by the source access network device the packet to a first core network device for switching to the target access network device, wherein the first core network device is selected from the plurality of core network devices based on a load balancing algorithm configured by a controller;
transmitting by the source access network device at least one copy of the packet to a respective second core network device for switching to the target access network device;
receiving at the target access network device at least one of the packet or the at least one copy of the packet;
generating by the target access network device based on the receiving, at least one metric indicative of a level of traffic congestion at the first and second core network devices;
transmitting by the target access network device information regarding the at least one metric to the controller; and
adjusting by the controller the load balancing algorithm based on the at least one metric.

US Pat. No. 10,771,404

PERFORMANCE MONITORING

Intel Corporation, Santa...

19. A system for process management, the system comprising: memory;
one or more processors; and
an indicator engine configured to:
receive a request message, wherein the request message was communicated over a network that includes a plurality of switches and includes a read trigger, an indicator selector, and a completion trigger;
determine one or more indicators that relate to the indicator selector; and
perform an action when the read trigger is activated.

US Pat. No. 10,771,403

TRANSMITTING MULTI-DESTINATION PACKETS IN OVERLAY NETWORKS

International Business Ma...

1. A method comprising: obtaining, by one or more processors of a hardware network adapter, tunneling endpoint information for each virtual switch of a plurality of virtual switches of a multi-destination group;
encapsulating, by one or more processors of the network adapter, each of a plurality of replicated multi-destination packets corresponding to respective virtual switches of the plurality of virtual switches with a header specific to a respective tunneling protocol identified in the tunneling endpoint information obtained for the respective virtual switch; and
transmitting, by one or more processors of the network adapter, each encapsulated multi-destination packet to a respective receiver hosted on the respective virtual switch corresponding to the encapsulated multi-destination packet, wherein the respective virtual switch determines a destination port for the encapsulated multi-destination packet on the respective virtual switch by identifying the multi-destination group, determined from the encapsulated multi-destination packet, in a port list on the respective virtual switch.

US Pat. No. 10,771,402

LINK AGGREGATED FIBRE CHANNEL OVER ETHERNET SYSTEM

Dell Products L.P., Roun...

1. A link aggregated Fibre Channel over Ethernet system, comprising: a first target device;
a first Fibre Channel Forwarder (FCF) device that is coupled to the first target device and a Link Aggregation Group (LAG), wherein the first FCF device is associated with a common FCF Media Access Control (MAC) address, and wherein the first FCF device is configured to:
receive, through the LAG, first control data traffic;
populate a first FCF device table in the first FCF device based on the first control data traffic, wherein the first FCF device table includes fabric login information and name server registration information generated from the first control traffic;
send, through at least one ICL, first synchronization information that includes the fabric login information and the name server registration information to a second FCF device to cause the synchronization of a second FCF device table in the second FCF device with the first FCF device table;
receive, through the LAG, first Fibre Channel over Ethernet (FCoE) data traffic that is directed to the common FCF MAC address and that includes a first target device destination identifier; and
forward, using the first FCF device table in response to determining that the first target device destination identifier is associated with the first target device, the first FCoE data traffic to the first target device; and
a second FCF device that is coupled to the LAG, and coupled to the first FCF device by at least one Inter-Chassis Link (ICL), wherein the second FCF device is associated with the common FCF MAC address, and wherein the second FCF device is configured to:
receive, through the LAG, second FCoE data traffic that is directed to the common FCF MAC address and that includes the first target device destination identifier; and
forward, through the at least one ICL in response to determining, using the second FCF device table, that the first target device destination identifier is associated with the first target device, the second FCoE data traffic to the first FCF device, wherein the first FCF device is configured to forward the second FCoE data traffic to the first target device based on the first target device destination identifier.

US Pat. No. 10,771,401

FORWARDING ELEMENT DATA PLANE WITH COMPUTING PARAMETER DISTRIBUTOR

Barefoot Networks, Inc., ...

1. A data plane circuit for a forwarding element that forwards data messages in a network connecting a plurality of machines that perform distributed computing operations, the data plane comprising: a plurality of programmable message-processing stages to perform data message forwarding operations on data tuples associated with data messages received by the data-plane circuit in order to forward the data messages within the network, wherein the plurality of programmable message-processing stages comprise a first and second set of programmable message-processing stages;
a parameter extracting circuit to extract, from a subset of the data messages, parameter values computed and distributed by a first set of machines;
a computation circuit to perform computations on the extracted parameter values; and
a parameter forwarding circuit to send results of the computations to a second set of machines, wherein the second set of programmable message-processing stages is to implement the parameter extracting circuit, the computation circuit and the parameter forwarding circuit.

US Pat. No. 10,771,400

RELAY DEVICE

DENSO CORPORATION, Kariy...

1. A relay device which is one of a plurality of relay devices in a communication network, the relay device comprising: a processor, the processor is configured to
determine whether a configuration frame is received, wherein
the configuration frame provides an instruction to transfer a mirror frame from one of the plurality of relay devices to a monitor device via an other one of the plurality of relay devices;
the mirror frame is duplicated by executing a port mirroring in the one of the plurality of relay devices;
the one of the plurality of relay devices executing the port mirroring is defined as an execution relay device;
the other one of the plurality of relay devices disposed in a transfer path between the execution relay device and the monitor device and transferring the mirror frame is defined as a transfer relay device;
each of the execution relay device and the transfer relay device is defined as a target relay device;
one of the target relay devices initially connecting to the monitor device is defined as a first-stage relay device;
the configuration frame is initially input into the first-stage relay device, and propagates through each target relay device;
the configuration frame includes a configuration information region for storing a propagation number information, a total number of the target relay devices, a transfer destination information and a transfer source information;
the propagation number information indicates a numerical number of propagations as a numerical number of target relay devices to which the configuration frame has propagated;
the configuration frame propagates in a propagation order of the target relay devices;
the first-stage relay device has a first order of the propagation order;
the transfer destination information and the transfer source information relates to the target relay devices in the propagation order in association with each propagation order;
the transfer destination information indicates a mirror output port that outputs the mirror frame to be transferred to the monitoring device;
the transfer source information recorded in association with a same order of the propagation order as the total number of the target relay devices indicates a monitor port as an object of the port mirroring;
the transfer source information recorded in association with an order of the propagation order smaller than the total number of the target relay devices indicates a mirror input port to which the mirror frame is input from the other one of the plurality of relay devices;
the processor is further configured to
determine whether the numerical number of propagations at reception time is equal to the total number of the target relay devices in a received configuration frame when the processor determines that the configuration frame is received;
the numerical number of propagations at the reception time is indicated by the propagation number information in the received configuration frame;
when the processor determines that the numerical number of propagations at the reception time is not equal to the total number of the target relay devices; set the relay device to function as the transfer relay device; set a port indicated in the transfer source information to be the mirror input port when the transfer source information and the transfer destination information in the configuration information region of the configuration frame are associated with the same order of the propagation order as the numerical number of propagations at the reception time; and set a port indicated in the transfer destination information to be the mirror output port;
when the processor determines that the numerical number of propagations at the reception time is not equal to the total number of the target relay devices; update the propagation number information in the configuration frame to be new propagation number information indicating the numerical number of propagations incremented by 1 from the numerical number of propagations at the reception time; and output the configuration frame after the propagation number information is updated from the port set as the mirror input port by the processor; and
when the processor determines that the numerical number of propagations at the reception time is equal to the total number of the target relay devices; set the relay device to function as the execution relay device; set a port indicated in the transfer source information to be the monitor port when the transfer source information and the transfer destination information in the configuration information region of the configuration frame are associated with the same order of the propagation order as the numerical number of propagations at the reception time; and set a port indicated in the transfer destination information to be the mirror output port.

US Pat. No. 10,771,399

QUALITY OF SERVICE-AWARE PROCESSING OF DECODING TASKS

Intel Corporation, Santa...

1. A device for processing a plurality of decoding tasks in a network, comprising: an estimator configured to repeatedly estimate a decoder processing usage during decoding the plurality of decoding tasks, wherein the decoder processing usage comprises a decoder usage time indicative of a time the decoder is used in a current time interval for decoding the plurality of decoding tasks, and comprises a plurality of decoder load quantities each indicative of a level of decoder processing done for decoding tasks from a specific agent; and
a task updater configured to update a task execution parameter of a decoding task based on a comparison of the estimated decoder processing usage and a quality of service (QoS) expectation from the network.

US Pat. No. 10,771,398

SYSTEMS AND METHODS FOR QUEUE CONTROL BASED ON CLIENT-SPECIFIC PROTOCOLS

Live Nation Entertainment...

1. A computer-implemented method comprising: generating, at a primary load management system, an interface configured to enable a user device to transmit a request for assignment of one or more access rights to a resource, and wherein the interface is accessible to user devices for which access to the interface has been granted by the primary load management system;
receiving, at the primary load management system, a communication from each of a plurality of user devices, and the communication from each user device including a request to access the interface;
retrieving a plurality of user parameters, each user parameter of the plurality of user parameters being associated with a user device from which a communication was received;
retrieving a protocol specific to the resource, the protocol being defined by a client associated with the resource, and the protocol being configured to determine an ordinal arrangement of the plurality of user devices awaiting access to the interface;
executing the protocol, the execution of the protocol causing the plurality of user parameters to be normalized, wherein normalizing the plurality of user parameters includes modifying at least one user parameter of the plurality of user parameters to bias access to the interface towards a target group of user devices from amongst the plurality of user devices;
assigning a queue position of a digital queue to each of the plurality of user devices, the assignment of the queue positions being based on the plurality of normalized user parameters, and the digital queue representing the ordinal arrangement of the plurality of user devices awaiting access to the interface; and
selecting, at a regular or irregular interval, one or more user devices of the plurality of user devices, the selection being based on the ordinal arrangement of the plurality of user devices, and each user device of the one or more selected user devices being granted access to the interface.

US Pat. No. 10,771,397

UPSTREAM BANDWIDTH ALLOCATION METHOD, APPARATUS, AND SYSTEM

HUAWEI TECHNOLOGIES CO., ...

1. An upstream bandwidth allocation method, comprising: obtaining, by a cable modem termination system (CMTS), a service flow attribute of each online cable modem (CM) of one or more online CMs, wherein the service flow attribute comprises at least one delay-sensitive service and a delay-insensitive service;
allocating, by the CMTS, an upstream bandwidth to each online CM according to a received service request, and obtaining a remaining bandwidth, wherein the remaining bandwidth is a remaining part in a preset total bandwidth other than the upstream bandwidth that is allocated to each online CM according to the service request;
allocating, by the CMTS, a first bandwidth portion of the remaining bandwidth to one or more CMs of the one or more online CMs for enhanced best effort (BE) flow of a delay-sensitive service of the one or more CMs, wherein the first bandwidth portion accounts for 30% to 50% of the remaining bandwidth;
informing, by the CMTS, each online CM of the one or more online CMs of an upstream bandwidth allocation result, so that each online CM performs upstream data transmission according to the allocated bandwidth;
configuring, by the CMTS, as a contention-based bandwidth shared by a delay-sensitive service and a delay-insensitive service, a second bandwidth portion of the remaining bandwidth other than the first bandwidth portion; and
allocating a first part of the second bandwidth portion for one or more contention request CMs of the one or more online CMs in response to each respective contention request CM of the one or more contention request CMs sending the CMTS a respective contention request to handle burst traffic of a flow in the upstream data transmission of the respective contention request CM, wherein the first part of the second bandwidth portion is allocated for the one or more contention request CMs according to a priority of the upstream data transmission for which the respective contention request CM sends the respective connection request.

US Pat. No. 10,771,396

COMMUNICATIONS NETWORK FAILURE DETECTION AND REMEDIATION

Ooma, Inc., Sunnyvale, C...

1. A computer-implemented method for communications network failure detection and remediation comprising: receiving first communications using a network from a first client, the first communications including a telephone number, location, and security credential, the telephone number, location, and security credential each being associated with a first user of the first client;
authenticating the first user of the first client using the telephone number and the security credential;
creating, responsive to the authenticating, a registration for the first client in a registration database, the registration including the location from the first communications from the first client, the registration being used to route second communications directed to the telephone number of the first client from a second client;
establishing, responsive to the authenticating, a connection to the first client within the network;
detecting the connection to the first client has failed, the detecting comprising:
measuring a time period during which the first client does not send communications traffic; and
determining the measured time period exceeds a limit, the limit being an amount of time after which it is unlikely a valid connection is idle, the limit being produced by a statistical model; and
removing, responsive to the detecting, the registration for the first client from the registration database.

US Pat. No. 10,771,395

METHOD OF RELEASING RESOURCE RESERVATION IN NETWORK

HYUNDAI MOTOR COMPANY, S...

1. An operation method performed in a first communication node of a vehicle network, the method comprising: transmitting an advertisement frame, comprising priority information of a first stream, to reserve resource for a first stream;
generating the first frame comprising identification information based on the priority information of the first stream;
transmitting the first frame to a second communication node; and
receiving a second frame configured to indicate a completion of a release of a reserved resource between the first communication node and the second communication node from the second communication node,
wherein the first frame instructs to release the reserved resource,
wherein the second frame includes the identification information of the first stream,
wherein the identification information identifies the first stream transmitting through the reserved resource, and
wherein the identification information further indicates the reserved resource for the first stream among the reserved resources for each stream.

US Pat. No. 10,771,394

MULTI-LEVEL LEARNING FOR CLASSIFYING TRAFFIC FLOWS ON A FIRST PACKET FROM DNS DATA

Silver Peak Systems, Inc....

1. A method of selecting a network path for transmitting data across a network, the method comprising: intercepting, by a network appliance, a DNS response packet from a DNS server to a first computing device;
extracting, by the network appliance, information from the DNS response packet, the extracted information comprising an IP address of the first computing device and a first IP address for a first domain name;
generating a first key representing the IP address of the first computing device and the first IP address for the first domain name extracted from the DNS response packet;
mapping the first key to the first domain name;
receiving, at the network appliance, a first packet of a first flow to be transmitted across a network from the first computing device;
extracting, by the network appliance, the IP address of the first computing device and a destination IP address from a header of the first packet;
generating a second key representing the extracted information from the header of the first packet of the first flow from the first computing device;
querying a data structure at the network appliance for a match to the second key;
determining that the second key matches the first key present in the data structure;
predicting an associated application name for the first flow based on the first domain name mapped to the matched first key;
verifying that the predicted application in the data structure at the network appliance meets a predetermined confidence threshold; and
selecting by the network appliance a network path based on the predicted application.

US Pat. No. 10,771,393

RESOURCE USAGE FOR A REMOTE SESSION USING ARTIFICIAL NETWORK BANDWIDTH SHAPING

Parallels International G...

1. A method, comprising: establishing, by a client computer system, a communication session with a server via a communication channel;
detecting, by the client computer system, an inactive state of the communication session; and
responsive to detecting the inactive state, modifying a network setting of the client computer system to reduce a bandwidth of the communication channel.

US Pat. No. 10,771,392

INCREASING EFFICIENCY TO RATE LIMITING

International Business Ma...

1. A computer-implemented method, comprising, using a processor of a server: receiving a request from a client via a network interface of the server;
utilizing an early stage process to search for a rate-limiting token bucket (TB) using first metadata associated with the request;
responsive to finding the TB using the first metadata, performing a response operation;
responsive to not finding the TB using the first metadata, utilizing a late stage process to search for the rate-limiting TB using server-side session data associated with the request;
responsive to not finding the TB using the session data:
creating the TB and associating with it at least two search indexes comprising the first metadata associated with the request and the session data; and
performing the response operation;
wherein the response operation comprises transmitting, via the network interface, a determined response to the client.

US Pat. No. 10,771,391

POLICY ENFORCEMENT BASED ON HOST VALUE CLASSIFICATION

Hewlett Packard Enterpris...

1. A network appliance comprising: a hardware processor; and
a non-transitory machine-readable storage medium encoded with instructions executable by the hardware processor to:
receive a packet stream;
determine that the packet stream is associated with a proxy connection by:
determining an internet protocol (IP) address in a header of a first packet of the packet stream,
comparing the IP address with a list of known proxy servers, and
based upon matching the IP address with a second IP address in the list of known proxy servers, determining that the packet stream is associated with the proxy connection;
determine a host value for a true end device of the packet stream from a message of the packet stream;
determine a classification associated with the host value; and
enforce a policy to the packet stream based on the classification and the determination that the proxy connection is associated with the packet stream.

US Pat. No. 10,771,390

TECHNIQUES FOR OPTIMIZING EGRESS TUNNEL ROUTER FAILURE SCENARIOS IN INTELLIGENT WIDE AREA NETWORKS

CISCO TECHNOLOGY, INC., ...

1. A method comprising: receiving, at a first network node, traffic from a second network node via a first network that is a Location Identifier Separation Protocol (LISP)-enabled network; and
in response to receiving the traffic, generating and sending, by the first network node to a third network node, a first update including information identifying the second network node, wherein the first and third network nodes are egress tunnel routers that are peer nodes interconnected via a Local Area Network (“LAN”) connection different from the first network and wherein the information identifying the second network node is sent from the first network node to the third network node via the LAN connection,
wherein subsequent to receipt of the information identifying the second network node, the third network node updates a locator table configured using the LISP that is maintained by the third network node to include an entry corresponding to the second network node, wherein the entry includes the information identifying the second network node received by the third network node from the first network node, and
wherein based on receipt by the third network node via the LAN connection of a notification that the first network node has failed, the third network node sends a second update, via the first network, only to network nodes including the second network node, that have a corresponding table entry in the locator table indicating that the first network node has failed and to cease communication therewith.

US Pat. No. 10,771,389

VIRTUAL TUNNEL ENDPOINTS FOR CONGESTION-AWARE LOAD BALANCING

NICIRA, INC., Palo Alto,...

1. A method for a source tunnel endpoint to perform congestion-aware load balancing in a data network that includes the source tunnel endpoint, a destination tunnel endpoint, a source endpoint, a destination endpoint and multiple intermediate network elements, the method comprising: learning, by the source tunnel endpoint based on first packets from the destination tunnel endpoint, congestion state information associated with a plurality of paths provided by respective multiple intermediate network elements connecting the source tunnel endpoint with the destination tunnel endpoint, wherein the congestion state information includes a mapping among the plurality of paths, a plurality of outer source port numbers corresponding to the plurality of paths, and congestion status for the plurality of paths;
receiving, by the source tunnel endpoint, second packets that are sent by the source endpoint and destined for the destination endpoint associated with the destination tunnel endpoint;
selecting, by the source tunnel endpoint, a particular path from the plurality of paths based on the congestion state information;
generating, by the source tunnel endpoint, encapsulated second packets by encapsulating each of the second packets with header information that includes a set of tuples associated with the particular path, wherein the encapsulating each of the second packets comprises:
determining, from the plurality of outer source port numbers, a particular outer source port number associated with the particular path; and
configuring the set of tuples in the header information in each of the second packets to include the particular outer source port number; and
sending, by the source tunnel endpoint, the encapsulated second packets to the destination endpoint such that the encapsulated second packets are forwarded via the particular path based on the set of tuples.

US Pat. No. 10,771,388

MACHINE FOR SMOOTHING AND/OR POLISHING SLABS OF STONE MATERIAL, SUCH AS NATURAL OR AGGLOMERATED STONE, CERAMIC AND GLASS

1. A machine for one or more of grinding and polishing slabs of stone material, such as natural or agglomerated stone, ceramics or glass, comprising: a support bench for the slabs to be machined and being provided above the support bench;
at least one machining station comprising at least one pair of bridge support structures situated opposite each other and arranged transversely on either side of the support bench, a first means for performing a relative movement in the longitudinal direction between the machining station and a slab on the support bench and at least one beam, the two ends of which are supported by said support structures;
a plurality of rotating spindles with a sliding vertical axis mounted on said at least one beam, said beam being movable transversely on said support structures, a bottom end of each of the plurality of spindles being provided with at least one tool-holder support rotating about the axis of rotation of said plurality of spindles and carrying at least one abrasive tool for forming the grinding and/or polishing heads;
characterized in that the machine further comprises:
second means for relative movement of said at least one spindle with respect to the support bench in the longitudinal direction, wherein said second relative movement means perform a movement, in the longitudinal direction along the beam, of the plurality of spindles with respect to the support bench, and wherein the plurality of spindles move in unison in the longitudinal direction along the beam; and
a programmable control unit for adjusting an alternating movement in the transverse direction of the beam and an alternating longitudinal movement due to the second means for relative movement of the at least one spindle to control in a synchronized manner the longitudinal movements so as to obtain trajectories of the machining tools on the slabs being machined, whereby speed of travel and contact time of the tools along the trajectories are variably programmable parameters of the control unit.

US Pat. No. 10,771,387

MULTIPLE PACKET DATA CONTAINER TYPES FOR A PROCESSING PIPELINE

Barefoot Networks, Inc., ...

1. For a match-action stage of a packet processing pipeline, a method comprising: receiving a set of data containers storing input packet data values for a particular packet, the set of data containers comprising a plurality of subsets of data containers of different types;
performing a set of match operations on a first subset of the set of data containers to generate a set of action data values, wherein the first subset of the set of data containers comprises data containers of a first type and data containers of a second type;
based on the set of action data values, using a set of arithmetic logic units (ALUs) to generate a first set of output packet data values to store in a second subset of the set of data containers, wherein the second subset of the set of data containers comprises only data containers of the first type;
based on the set of action data values, generating a second set of output packet data values to store in a third subset of the set of data containers, wherein (i) the second set of output packet data values are generated without the set of ALUs and (ii) the third subset of the set of data containers comprises data containers of the second type and data containers of a third type; and
passing the data containers to a subsequent match-action stage of the packet processing pipeline.

US Pat. No. 10,771,386

IP ROUTING SEARCH

NEW H3C TECHNOLOGIES CO.,...

1. An Internet Protocol (IP) routing search method, comprising: creating a Multibit Trie for routing distribution of IP prefixes in each Virtual Private Network (VPN); and dividing each Multibit Trie into multiple layers according to a predefined search step size;
when routing search is performed for an IP address of a VPN,
generating an input key for each layer respectively, the input key of the layer comprising a VPN identifier of the VPN and bits to be searched, according to the predefined search step size, for all of at least one upper layer in the IP address; performing a calculation for the generated input key of each layer by using a Hash function of the layer; searching for routing according to a data structure information pointer of a Sub_Trie node corresponding to a longest Hash hit result;
preconfiguring multiple Hash functions for each layer; and each Hash function corresponding to a Hash table; each location in the Hash table uniquely representing a Hash calculation result; and each location being used to store an input key corresponding to the Hash calculation result represented by the location and a data structure information pointer of a Sub_Trie node corresponding to the input key,
wherein performing the calculation for the generated input key of each layer by using the Hash function of the layer comprises:
performing the calculation for the generated input key of each layer by using the multiple Hash functions of the layer, and obtaining multiple Hash calculation results;
for each Hash calculation result corresponding to the Hash function, searching the Hash table corresponding to the Hash function for a location corresponding to the Hash calculation result; if the location is found, comparing an input key stored at the location with the generated input key; if the input key stored at the location is identical with the generated input key, determining the Hash calculation result as a Hash hit result; if the input key stored at the location is different from the generated input key, searching the removed key list of the layer for the generated input key; if the removed key list comprises an input key identical with the generated input key, determining the Hash calculation result as the Hash hit result.

US Pat. No. 10,771,385

PACKET FORWARDING METHOD AND PORT EXTENDER

NEW H3C TECHNOLOGIES CO.,...

1. A method of forwarding a packet, comprising: receiving, by a Port Extender (PE), the packet;
determining, by the PE, a first Virtual Port (vPort) associated to a receiving port through which the packet is received;
adding, by the PE, a first forwarding entry in a forwarding table in response to a forwarding entry adding condition being satisfied, by recording the first vPort as an egress port in the first forwarding entry, recording a source Media Access Control (MAC) address of the packet as a MAC address in the first forwarding entry, and recording a Virtual Local Area Network (VLAN) identifier of a VLAN associated with the first vPort as a VLAN identifier in the first forwarding entry;
searching, by the PE, the forwarding table for a second forwarding entry matching a destination MAC address of the packet and the VLAN identifier of the VLAN to which the packet belongs; and
searching, by the PE, a port associating relationship table for a port which is associated to a second vPort in the second forwarding entry; and
forwarding, by the PE, the packet through the port associated to the second vPort.

US Pat. No. 10,771,384

ROUTING BASED BLOCKCHAIN

1. A method comprising: receiving, from one or more routers, a plurality of valid packets, each valid packet being valid based on having a value that satisfies a match value of an individual packet threshold, the match value being a numerical format of a signature of the valid packet;
determining that the plurality of valid packets satisfies a packet group threshold; and
in response to determining that the plurality of valid packets satisfies the packet group threshold, generating a block in a blockchain.

US Pat. No. 10,771,383

COORDINATING PSEUDOWIRE CONNECTION CHARACTERISTICS AND MULTI-HOMED PROVIDER EDGE DEVICE CAPABILITIES

Juniper Networks, Inc., ...

1. A device, comprising: one or more memories; and
one or more processors to:
store first information regarding a first pseudowire connection with a first device,
wherein the first pseudowire connection provides, via the first device, access to an Ethernet virtual private network (EVPN) to communicate with a host device;
store second information regarding a second pseudowire connection with a second device,
wherein the second pseudowire connection provides, via the second device, access to the EVPN to communicate with the host device;
receive a message that includes a configuration identifier,
wherein the configuration identifier indicates that the first device has a designated forwarder capability for the EVPN;
identify the configuration identifier included in the message;
change a first characteristic of the first pseudowire connection with the first device based on the configuration identifier included in the message;
change a second characteristic of the second pseudowire connection with the second device based on the configuration identifier included in the message; and
receive data from the host device based on changing the first characteristic of the first pseudowire connection and changing the second characteristic of the second pseudowire connection.

US Pat. No. 10,771,382

METHOD AND SYSTEM FOR BALANCING NETWORK LOAD IN A VIRTUAL ENVIRONMENT

Versa Networks, Inc., Sa...

1. A method for automatically balancing network load in a virtual environment managed by at least one hypervisor, the virtual environment comprising a plurality of virtual hosts and a plurality of virtual routers, the plurality of virtual hosts and the plurality of virtual routers running on at least one virtual machine within the virtual environment, the method comprising: establishing a plurality of groups associated with the plurality of virtual routers, the plurality of groups comprising a first group and a second group, the plurality of virtual routers comprising a first virtual router and a second virtual router;
assigning the plurality of virtual hosts to the plurality of groups, wherein one of the plurality of virtual hosts is assigned to the first group and another one of the plurality of virtual hosts is assigned to the second group, wherein each of the plurality of virtual hosts comprises an ARP cache comprising a default gateway MAC address for routing network traffic from the plurality of virtual hosts;
assigning a plurality of priority values for the plurality of groups to the plurality of virtual routers, wherein one of the plurality of virtual routers having a highest priority value for a group in the plurality of groups is a master virtual router for the group, wherein the first virtual router has the highest priority value for the first group and the highest priority value for the second group;
initializing an additional virtual router within the plurality of virtual routers when network traffic load exceeds a defined threshold, wherein the additional virtual router has the highest priority value for the second group;
wherein each of the plurality of virtual routers is in either a master state or a backup state for at least one of the plurality of virtual routers;
wherein each of the plurality of virtual routers is configured to periodically advertise a priority value to other virtual routers that are configured to receive advertised priority values, such that a backup virtual router for at least one group transitions to the master state for the at least one group if the priority value of the backup virtual router for the at least one group is greater than the priority value of the master virtual router for the at least one group, and the master virtual router for the at least one group transitions to a backup virtual router state for the at least one group if the priority value of the backup virtual router for the at least one group is greater than the priority value of the master virtual router for the at least one group;
wherein the master virtual router for the at least one group in the plurality of groups periodically sends a gratuitous ARP packet to the plurality of virtual hosts assigned to the at least one group, and a sender hardware address of the gratuitous ARP packet is an updated gateway MAC address; and
wherein each of the plurality of virtual hosts assigned to the at least one group updates its default gateway MAC address in the ARP cache based on the updated gateway MAC address.

US Pat. No. 10,771,381

VIRTUAL LDP SESSION

Cisco Technology, Inc., ...

1. A method comprising: receiving, by a receiving node, a virtual Label Distribution Protocol initialization (vInit) message from a first node, wherein the vInit message comprises a request to establish a virtual Label Distribution Protocol (vLDP) session between a requesting node in a first network segment and a target node in a second network segment, wherein the vInit message comprises an address for the requesting node and an address for the target node;
extracting a stack of one or more relay labels from the vInit message, wherein the one or more relay labels were provided by one or more relay nodes and define a return path from the target node back to the requesting node for messages transmitted over the vLDP session, and
wherein the one or more relay nodes are located between the requesting node and the target node;
determining, based on the address for the target node, that the receiving node is the target node; and
transmitting a responsive vInit message to the requesting node, wherein:
the vInit message received by the target node comprises a session identifier (ID) that identifies the vLDP session;
the responsive vInit message comprises the session ID; and
the responsive vInit message confirms that the request to establish the vLDP session is accepted;
after transmitting the responsive vInit message, generating a virtual LDP message (“vLDP message”) destined for the first node, wherein the virtual LDP message comprises a LDP label mapping message destined for the requesting node, wherein the virtual LDP message comprises the stack of one or more relay labels; and
transmitting the virtual LDP message to the first node.

US Pat. No. 10,771,380

FAST CONTROL PATH AND DATA PATH CONVERGENCE IN LAYER 2 OVERLAY NETWORKS

Telefonaktiebolaget LM Er...

1. A method for fast convergence in a Layer 2 overlay network, the method comprising: causing a forwarding of Layer 2 (L2) traffic addressed to one or more remote L2 destinations according to a remote L2 (RL2) instance, wherein the RL2 instance identifies a primary path for forwarding the traffic towards the remote L2 destinations, and a provider edge service label (PESL) instance associated with a broadcast domain including one or more network devices for forwarding the L2 traffic towards the L2 destination, and wherein the PESL instance is identified with a unique immutable PESL instance label; and
causing, in response to a network event, an update of the RL2 instance that results in an update of a data plane for forwarding the L2 traffic without necessitating an update of forwarding table entries for each one of the one or more remote L2 destinations.

US Pat. No. 10,771,379

APPARATUS, SYSTEM, AND METHOD FOR DISCOVERING NETWORK PATHS

Juniper Networks, Inc., ...

1. A method comprising: receiving, at a source node, a request to discover a plurality of network paths that each lead from the source node to a destination node; and
simultaneously discovering the plurality of network paths that lead from the source node to the destination node by:
identifying each next hop that resides between the source node and the destination node;
sending, from the source node to each next hop, a path-request probe that prompts the next hop to:
determine each next-closest hop that resides between the next hop and the destination node by directing the next hop to identify, within a routing table of the next hop, an Internet protocol address of each next-closest hop based at least in part on an Internet protocol address of the destination node; and
return, to the source node, a path-response probe that identifies the next-closest hops as residing between the next hop and the destination node by directing the next hop to list the Internet protocol address of each next-closest hop within a type-length-value field of the path-response probe;
receiving, at the source node, the path-response probes from the next hops;
determining, at the source node based at least in part on the path-response probes, that one or more of the plurality of network paths include:
the next hops that reside between the source node and the destination node; and
the next-closest hops that reside between the next hops and the destination node; and
iteratively discovering any subsequent hops that reside between the next-closest hops and the destination node by sending a subsequent path-request probe to each next-closest hop.

US Pat. No. 10,771,378

RADIO FREQUENCY (RF) ETHERNET TRUNKING

Cisco Technology, Inc., ...

1. A system comprising: a first data pathway between a headend and a first node, the first data pathway comprising a fiber optic channel using a first data transport protocol;
a second data pathway between the first node and a second node, the second data pathway comprising a first coaxial cable channel using the first data transport protocol over a first radio frequency spectrum; and
a third data pathway between the second node and a third node, the third data pathway comprising a second coaxial cable channel using the first data transport protocol over the first radio frequency spectrum, wherein the second data pathway and the third data pathway comprise a data trunk using the first data transport protocol for data to and from the first node.

US Pat. No. 10,771,377

SYSTEM AND METHOD FOR REAL-TIME LOAD BALANCING OF NETWORK PACKETS

NetScout Systems, Inc., ...

1. A method for routing data packets at a packet flow switch, comprising: determining whether a packet received from a monitored network is a control packet or a user plane packet utilizing a plurality of network probes each configured and operative to generate an ASI data set including key performance indicators and Adaptive Session Records;
responsive to determining the received packet is a control plane packet, causing the control plane packet to be distributed to each of the plurality of network probes;
responsive to identifying that a user plane packet is associated with a new session-instance not already monitored by a network probe, assigning the user plane packet to one of the plurality of network probes and updating a session-instance database to include an identified packet session-instance if determined a new session-instance, the assigning comprising:
selecting one of the network probes;
saving an identifier of the selected network probe and associating a packet session-instance identifier with the saved identifier of the selected network probe; and
sending the user plane packet to the selected network probe; and
purging a control packet from each of the probes it is distributed to contingent upon prescribed criteria; and
purging a packet session-instance from the session-instance database when a control plane packet associated with the packet session-instance is purged from each of the probes.

US Pat. No. 10,771,376

FINANCIAL NETWORK

CFPH, LLC, New York, NY ...

1. A method comprising: controlling, by a first processing device configured to map a local network address and port pair on a first network to a service on a remote second network:
opening a first socket to a first destination on a remote second network and opening a second socket to a second destination on the remote second network;
balancing direction of incoming traffic to the local network address and port pair between the first destination using the first socket and the second destination using the second socket; and
routing incoming traffic to the local network address and port pair to the second destination using the second socket in response to a determination that the first destination is in a fail state; and
controlling, by a second processing device:
accessing a portion of a memory space shared with the first processing device, in which the portion of the memory space includes at least one of a packet header or an entire packet; and
transmitting the at least one of the packet header or the entire packet to an analytics engine while the first processing device routes the entire packet.

US Pat. No. 10,771,375

ROUTING NETWORK TRAFFIC BASED ON DESTINATION

Cisco Technology, Inc., ...

1. A method, comprising: identifying an address within a packet of a traffic flow associated with a network device;
comparing the address within the packet with a stored address, the stored address associated with a route for an alternative traffic path, the alternative traffic path being different from a default route of traffic passing through the network device;
based on the address within the packet matching the stored address, determining that the traffic flow is to be rerouted along the alternative traffic path instead of the default route of traffic;
receiving a Domain Name Server (DNS) query associated with the traffic flow that is determined to be rerouted along the alternative traffic path;
rewriting the DNS query to be routed through the alternative traffic path and to a DNS server associated with the alternative traffic path;
receiving a DNS response from the DNS server, a resource in the DNS response being based on the DNS query; and
rewriting the DNS response to yield a modified DNS response such that the modified DNS response appears to have been one or more of: routed along the default route of traffic or received from a default DNS server associated with the default route of traffic.

US Pat. No. 10,771,374

DELAY MEASUREMENT METHOD AND DEVICE

HUAWEI TECHNOLOGIES CO., ...

1. A delay measurement method, comprising: receiving, by a first physical layer chip of a first physical port of a network device, a packet;
sending, by the first physical layer chip, a first time stamp and the packet to a first Media Access Control (MAC) chip of the first physical port, wherein a value of the first time stamp is a time point at which the packet reaches the first physical layer chip;
adding, by the first MAC chip, the first time stamp to the packet;
sending, by the first MAC chip, the packet to a second MAC chip of a second physical port;
receiving, by the second MAC chip, the packet;
extracting, by the second MAC chip, the first time stamp of the packet;
sending, by the second MAC chip, the packet to a second physical layer chip of the second physical port;
receiving, by the second MAC chip, a second time stamp of the packet from the second physical layer chip, wherein a value of the second time stamp is a time point at which the packet reaches the second physical layer chip; and
calculating, by the network device, a processing delay for the packet by subtracting the first time stamp from the second time stamp.

US Pat. No. 10,771,373

AD HOC NETWORK ROUTE CONSTRUCTION SYSTEM, NODE, AND CENTER NODE

KYOCERA DOCUMENT SOLUTION...

1. An ad hoc network route construction system, comprising: one center node; and
a plurality of next hop nodes, wherein
the center node
generates a request packet including a data part and a header part, a MAC (Media Access Control) address of the center node and position information of the center node being described in the data part, a positive integer value being described in the header part as time to live, and
transmits the request packet to one or more next hop nodes located in an area where the one or more next hop nodes can communicate with the center node,
each of the next hop nodes
receives the request packet,
if determining that a value of the time to live described in the header part of the request packet is 0,
generates a reply packet including a data part, all of MAC addresses and all pieces of position information described in the data part of the received request packet being described in the data part of the reply packet, and
transmits the reply packet to a request source node as a source of the received request packet,
each of the next hop nodes excluding the next hop node being a source of the reply packet further
receives the reply packet from a request destination node, and
transmits the received reply packet to the request source node, and the center node further
receives one or more reply packets from one or more request destination nodes, and then
creates, at regular time intervals, a routing table based on all of MAC addresses and all pieces of position information described in data parts of the received one or more reply packets.

US Pat. No. 10,771,372

TRANSMITTING TEST TRAFFIC ON A COMMUNICATION LINK

Oracle International Corp...

1. A non-transitory computer readable medium comprising instructions which, when executed by one or more hardware processors, cause performance of operations comprising: identifying data traffic being transmitted on a communication link from a first node to a second node;
determining a physical characteristic associated with a physical cable between the first node and the second node;
based at least on the physical characteristic associated with the physical cable, selecting a first level of test traffic to transmit on the communication link from the first node to the second node;
transmitting the first level of test traffic, concurrently with the data traffic being transmitted on the communication link, from the first node to the second node;
while testing using the first level of test traffic remains incomplete:
receiving, by the first node from the second node, a test modification message;
wherein the test modification message comprises a second level of test traffic to be transmitted on the communication link, and the second level of test traffic is determined by the second node based on a change in a characteristic associated with the data traffic transmitted between the first node and the second node;
responsive to receiving the test modification message: transmitting the second level of test traffic, rather than the first level of test traffic, concurrently with the data traffic transmitted between the first node and the second node.

US Pat. No. 10,771,371

DYNAMIC NETWORK MONITORING

INTERNATIONAL BUSINESS MA...

1. A system for monitoring performance in a networked environment, comprising: a hardware CPU, a hardware computer readable memory and a hardware computer readable storage medium;
program instructions to migrate a virtual machine from a first host to a second host having different performance characteristics than the first host;
program instructions to automatically adjust, by the hardware computer device, an initial monitoring threshold of the first host to create an adjusted monitoring threshold for the second host; and
program instructions to determine whether the migration of the virtual machine from the first host to the second host is acceptable based on determining that an angle in a traffic triangle is within an acceptable range,
wherein the traffic triangle includes the first host, the second host and a hardware node in a networked environment, and
wherein the adjusting comprises:
determining a multiplier based on a comparison of performance characteristics of the first host to performance characteristics of the second host; and
determining the adjusted monitoring threshold for the second host by multiplying the initial monitoring threshold used with the first host by the multiplier,
wherein the program instructions are stored on the hardware computer readable storage medium.