428results about How to "Reduce vulnerability" patented technology

A computer network communication method and system wherein software rendering software is interposed in the data communication path between a browser running on a user computer and the internet data sources (for example, internet-accessible server computers) that the user browser wants to receive information from. The software rendering application gets data from internet data sources, but this data may contain malware. To provide enhanced security, the software rendering application renders this data to form a new browser readable code set (for example, an xml page with CSS layers), and this new and safe browser readable code set is sent along to the browser on the user computer for appropriate presentation to the user. As part of the rendering process, dedicated and distinct virtual machines may be used to render certain portion of the data, such as executable code. These virtual machines may be watched, and quickly destroyed if it is detected that they have encountered some type of malware.

The invention, which is an embodiment of what the inventor calls, “Active Behavior Enhanced Iris Recognition Authentication”, employs a sequential iris imaging process where the authenticating party directs his or her gaze in specific directions, or closes their eyes for each image, so that an “eye state order” can be used to improve authentication security. Authentication security is strengthened based upon the reduced likelihood that a potential intruder would 1.) know what the correct sequence of eye states (i.e. up, down, left, right, camera view and closed) were associated with the control authentication template; 2.) be able to successfully “hack” the authentication server in order to gain access to the iris image information and also the eye state order information which would be required in order to fully compromise the authentication system. The technique embodied by the invention represents an overlay of a known, ordered sequence, over the iris recognition authentication process itself.

A secure authentication process detects and prevents phishing and pharming attacks for specific web sites. The process is based on a dedicated secure hardware store for user sign-in credentials, a database of information about specific web sites, and a private secure browser. All user web activity is monitored by an agent program. The agent program checks to make sure that user attempts to send any sign-in credentials stored in secure hardware store of user sign-in credentials, to any web site accessed by the user, is allowed only if the IP address of the web site accessed by the user matches at least one of the IP addresses stored web site database associated with the sign-in credential the user is attempting to send. The process also detects mismatches between a URL and the actual IP address of the web site associated with the URL.

Improved data transport and management within a network communication system may be achieved by utilizing a transmit timer incorporated within the sender device and exploiting host-level statistics for a plurality of connections between a sender and receiver. The period of the transmit timer may be periodically adjusted based on a ratio of the smoothed round-trip time and the smoothed congestion window, thereby reducing or eliminating bursty data transmission commonly associated with conventional TCP architectures. For applications having a plurality of connections between a sender and a receiver that share a common channel, such as web applications, the congestion window and smoothed round trip time estimates for all active connections may be used to initialize new connections and allocate bandwidth among existing connections. This aspect of the present invention may reduce the destructive interference that may occur as different connections compete with one another to maximize the bandwidth of each connection without regard to other connections serving the same application. Error recovery may also be improved by incorporating a short timer and a long timer that are configured to reduce the size of the congestion window and the corresponding transmission rate in response to a second packet loss with a predefined time period in order to increase resilience to random packet loss.

An internet accessible server permits access management to remote printing devices by remote users. Only users having printing access to a target remote printing device may submit a print job for printing on the target remote printing device. Users having printing access permission are further divided into owner status and user status. Owner status user of a remote printing device may grant or revoke the printing permission of non-owner status users. At least one owner status user is designated a super-owner, and can grant and revoke the owner status of other users. The super-owner user may relinquish its super-owner status to any other user. After submitting a print job for a target printing device, the print job is stored in a storage space on the Internet and is transferred to the target printing device only when the target printing device itself downloads the print job using standard internet protocols similar to those used in the downloading of a web page.

Systems and methods employing authenticated connections to a central server to establish and authenticate a peer-to-peer connection between peer devices. The invention circumvents the potential vulnerability of clear-text transmission of secrets through a series of encrypted data transfers. A secret key is encrypted and then transmitted from one peer device to another using authenticated connections to the server. The secret key is then used to transmit encrypted data over a peer connection between the peer devices for the purpose of authenticating the peer devices on each end of the connection.

A novel and useful apparatus for and method of securely downloading and installing a patch program in a processing device. Each processing device is assigned a unique key embedded therein during manufacture and has knowledge of a shared key. The program patch is encrypted using the shared key and transmitted over a communication link, such as a satellite radio link, to each device. The patch is decrypted using the shared key and re-encrypted using the unique key known only to the device itself. The re-encrypted patch program is stored in nonvolatile memory and upon reset of the device, the encrypted patch contents are read out of the nonvolatile memory, decrypted using the unique key and loaded into patch memory for execution by the processing device.

A computer network risk mitigation system includes a computerized platform configured to utilize gathered contextual data regarding cyber-risk metrics in an operational technology network. The computerized platform is configured to conduct network configuration changes in accordance with the gathered contextual data in order to mitigate cyber-security threats. Methods for refining a network attack graph and for utilizing risk score evaluation are also described.

Hardware and/or software countermeasures are provided to reduce or eliminate vulnerabilities due to the observable and/or predictable states and state transitions of microprocessor components such as instruction cache, data cache, branch prediction unit(s), branch target buffer(s) and other components. For example, for branch prediction units, various hardware and/or software countermeasures are provided to reduce vulnerabilities in the branch prediction unit (BPU) and to protect against the security vulnerabilities due the observable and/or predictable states and state transitions during BPU operations.

One or more relevant scanners used to identify asset vulnerabilities are identified, obtained, and logically arranged for deployment on an asset in accordance with a vulnerability management policy and a scanner deployment policy such that the relevant scanners are deployed at, or before, a determined ideal time to minimize the resources necessary to correct the vulnerabilities, if found. The relevant scanners are then automatically deployed in accordance with the scanner deployment policy and, if a vulnerability is identified, one or more associated remedies or remedy procedures are applied to the asset. At least one of the one or more relevant scanners are then re-deployed on the asset to determine if the identified vulnerability has been corrected and, if the vulnerability is not corrected at, or before, a defined time, protective measures are automatically taken.

A network in which a client receives a network credential, such as a valid network address, following an exchange of messages with a credential server that includes security information. The security information may validate the credential, avoiding rogue devices inadvertently or maliciously distributing credential information that can interfere with clients attempting to connect to the network or with the network itself. If obtaining a network credential requires an exchange of information about the configuration of the client that could reveal security vulnerabilities, the security information may be used to ensure the confidentiality of that configuration information. The security information may be incorporated into messages according to a known protocol, such as by incorporating it into options fields of DHCP messages.

A hook is set for one or more downloading functions. Subsequently, code is executed within an application process. Responsive to the executed code calling one of the hooked functions to download code, a return address of the called function is examined. If the return address is within a memory area not marked executable, the code is permitted to be downloaded and the downloaded code is submitted to a security server for analysis.

A method and system for real-time online search processing over inter-connected computer networks of search requests received from wireless handheld clients, in which a server communicates with a wireless handheld client using an XML-like protocol, and an offline database information is maintained for a plurality of vendor sites from the inter-connected computer networks. The information includes URLs, search form URLS, description of domains, and vendor descriptions which include generalized rules about how product information is organized on each of the vendor sites. A product keyword request from the wireless handheld device client is processed using the information maintained in the offline database. Real-time price and product information are extracted from identified ones of the plurality of vendor sites in a native language of the site; and the extracted price and product information are communicated to the user through the server.

A method for reducing vulnerability of a computer network to a detected virus threat includes receiving an identifier of a network device detected as a source of virus activity. The method also includes relating the identifier to a predetermined account of the detected device and then automatically disabling the device account. Accordingly, the detected device is isolated from the network to prevent infection of the network by the detected device.

A method for controlling and recording the security of an enclosure is disclosed. A mobile electronic control device, such as an electronic key, is used to access or otherwise control the operations of a field device, such as an appliance, power tool, shipping container, and the like. In a control event in which the mobile control device interacts with the field device via wired or wireless communications, the control device obtains the current location and the field device ID. The communications between the mobile control device and the field device may be secured with encryption. The location information is used by the mobile control device to determine whether the field device should be accessed or enabled. Alternatively, the location information may be stored separately in a location sensing device, and the control event data recorded by the key and the location information recorded by the location sensing device are later combined when they are downloaded into a management system for auditing. Moreover, an electronic access control device is disclosed comprising two microprocessors.

A payment system implemented on a mobile device authorizes and processes transactions. The mobile device generates a public-private key pair and receives payment information. The private key and the payment information are split into a local and a remote fragment. The public key, a private key fragment, and a payment information fragment are sent to a secure payment system, and the other fragments are stored on the mobile device. When a transaction is received by the mobile device to authorize, the mobile device sends a payment fragment to the secure payment system and receives a private key fragment from the secure payment system. The mobile device authorizes the transaction using the private key, recovered from the private key fragments. The secure payment system verifies the transaction using the public key and processes the transaction using the recovered payment information. Additional techniques to process transactions using data splitting are disclosed.