[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

US20060075506A1 - Systems and methods for enhanced electronic asset protection - Google Patents

Systems and methods for enhanced electronic asset protection Download PDF

Info

Publication number
US20060075506A1
US20060075506A1 US11/167,837 US16783705A US2006075506A1 US 20060075506 A1 US20060075506 A1 US 20060075506A1 US 16783705 A US16783705 A US 16783705A US 2006075506 A1 US2006075506 A1 US 2006075506A1
Authority
US
United States
Prior art keywords
client device
data store
server
local data
indication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/167,837
Inventor
Frank Sanda
Naohisa Fukuda
Edward Laves
Robert Johnston
Justin Tidwell
Raymond Gurgone
David Robins
Laura Worthington
Karlton Zeitz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Japan Communications Inc
Original Assignee
Japan Communications Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Japan Communications Inc filed Critical Japan Communications Inc
Priority to US11/167,837 priority Critical patent/US20060075506A1/en
Assigned to JAPAN COMMUNICATIONS, INC. reassignment JAPAN COMMUNICATIONS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SANDA, FRANK SEIJI, FUKUDA, NAOHISA, ZEITZ, KARLTON MARK, JOHNSTON, ROBERT L., LAVES, EDWARD W., ROBINS, DAVID S., GURGONE, RAYMOND T., TIDWELL, JUSTIN OWEN, WORTHINGTON, LAURA J.
Publication of US20060075506A1 publication Critical patent/US20060075506A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/316User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02Standardisation; Integration
    • H04L41/0213Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5003Managing SLA; Interaction between SLA and QoS
    • H04L41/5009Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5061Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the interaction between service providers and their network customers, e.g. customer relationship management
    • H04L41/5067Customer-centric QoS measurements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/04Processing captured monitoring data, e.g. for logfile generation
    • H04L43/045Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/11Identifying congestion
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/22Traffic shaping
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/04Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/2866Architectures; Arrangements
    • H04L67/30Profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/61Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0681Configuration of triggering conditions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5003Managing SLA; Interaction between SLA and QoS
    • H04L41/5009Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
    • H04L41/5012Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF] determining service availability, e.g. which services are available at a certain point in time
    • H04L41/5016Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF] determining service availability, e.g. which services are available at a certain point in time based on statistics of service availability, e.g. in percentage or over a given time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/508Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement
    • H04L41/509Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement wherein the managed service relates to media content delivery, e.g. audio, video or TV
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/162Implementing security features at a particular protocol layer at the data link layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/18Selecting a network or a communication service

Definitions

  • the present invention relates generally to computer data security and, more particularly systems and methods for enhanced electronic asset protection.
  • a stolen or lost laptop may provide an opportunity for someone to access valuable confidential data or attempt to breach the corporate network and access data and systems that are available only to an enterprise's users via the enterprise's private network.
  • the enterprise may be able to protect the corporate network by, for example, disabling the user account associated with the laptop. However, it may be difficult or impossible to protect the data on the stolen or lost laptop.
  • PDA personal digital assistants
  • PDA's provide some facilities for dealing with stolen or lost equipment.
  • some PDA's include a facility for destroying all of the data on the PDA if the enterprise determines that the PDA is lost or stolen. If the PDA is later recovered or discovered not to have been lost or stolen in the first place, the PDA can typically be recovered by synchronizing the PDA with a user's personal computer.
  • PDA personal digital assistants
  • Embodiments of the present invention provide systems and methods for enhanced electronic asset protection.
  • One aspect of one described embodiment includes a client device receiving an indication to activate asset protection, the client device having a local data store; and activating asset protection in response to the indication, wherein asset protection comprises disabling the local data store and disabling the client device.
  • a computer-readable medium such as, for example random access memory or a computer disk
  • code for carrying out such a method includes code for carrying out such a method.
  • FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention
  • FIG. 2 is a block diagram illustrating the modules present on a client device 102 in one embodiment of the present invention
  • FIG. 3 is a block diagram illustrating the modules present on a security server 104 in one embodiment of the present invention
  • FIG. 4 is a block diagram illustrating the modules present on an enterprise server 106 in one embodiment of the present invention.
  • FIG. 5 is a flowchart illustrating a process for generating and distributing an indication to activate asset protection in one embodiment of the present invention
  • FIG. 6 is a flowchart illustrating a process for activating asset protection in one embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating a process for disabling the client device 102 in one embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating a process for disabling the local data store in one embodiment of the present invention.
  • FIG. 9 is a flowchart illustrating a process for recovering the client device 102 in one embodiment of the present invention.
  • Embodiments of the present invention provide systems and methods for enhanced electronic asset protection. There are multiple embodiments of the present invention.
  • one illustrative embodiment of the present invention provides a method for protecting data stored on a laptop after the laptop is stolen.
  • the user reports the fact that the laptop was stolen to an administrator.
  • the administrator sets an indicator in a policy data store that the laptop should execute an asset protection procedure the next time it connects to a network.
  • the laptop When the laptop is next powered up, it automatically connects to a network, and the asset protection indicator is transmitted to the laptop.
  • the hard drive on the laptop is encrypted using an encryption key. While the hard drive is encrypted, the laptop begins shutting down devices, such as the network interface card, wireless access card, serial and parallel ports, keyboard, and monitor. In one embodiment, the network interface card continues to accept traffic from the policy data store so that it can receive additional instructions, such as a recovery indication. The laptop also shuts off all or most ports in the firewall and will not execute some or all applications. The laptop may also shut down.
  • devices such as the network interface card, wireless access card, serial and parallel ports, keyboard, and monitor.
  • the network interface card continues to accept traffic from the policy data store so that it can receive additional instructions, such as a recovery indication.
  • the laptop also shuts off all or most ports in the firewall and will not execute some or all applications. The laptop may also shut down.
  • the laptop If the laptop is not recovered, the data on the laptop is protected from discovery by the user who has stolen or found the laptop. If the laptop is recovered, a recover indication is sent to the laptop. When the laptop receives the recover indication, it uses the encryption key to decrypt the hard drive and enables all the devices, ports, and applications.
  • FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention.
  • the system shown in FIG. 1 includes a client 102 .
  • the network 108 may comprise a public or private network and may include the Internet.
  • the network may also comprise a plurality of networks, including, for example, dedicated phone lines between the various components.
  • the client 102 communicates with the security server 104 via a virtual private network (“VPN”) established over the Internet.
  • VPN virtual private network
  • the security server 104 is also in communication with an enterprise server 106 via a network.
  • the network 108 may comprise various elements, both wired and wireless.
  • the communication between the security server 104 and enterprise server 106 occurs over a static VPN established over dedicated communication lines.
  • a user connects a client device 102 to the network 108 using a network access user interface.
  • the network access user interface is always on and only allows the user to connect to the network 108 via the interface.
  • the network access user interface automatically causes the client 102 to connect to the security server 104 through the network 108 .
  • the security server 104 provides value added services to the client 102 and to one or more enterprises. Access to other services, such as the Internet, may be provided via the security server 104 .
  • FIG. 1 includes only a single client 102 , security server 104 , and enterprise server 106 , an embodiment of the present invention will typically include a plurality of clients 102 and may include a plurality of security servers 104 and enterprise servers 106 .
  • FIG. 2 is a block diagram illustrating the modules present on a client device 102 in one embodiment of the present invention.
  • client device 102 are personal computers, digital assistants, personal digital assistants, cellular phones, mobile phones, smart phones, pagers, digital tablets, laptop computers, Internet appliances, and other processor-based devices.
  • a client device 102 may be any suitable type of processor-based platform that is connected to the network 108 , and that interacts with one or more application programs.
  • the client device 102 can contain a processor coupled to a computer-readable medium, such as RAM.
  • Client device 102 may operate on any operating system, such as Microsoft® Windows® or Linux.
  • the client device 102 is, for example, a laptop computer executing a network access user interface.
  • the modules shown in FIG. 2 represent functionality of the client 102 .
  • the modules may be implemented as one or more computer programs that include one or more modules. For instance, in one embodiment, all the modules shown in FIG. 2 are contained within a single network access application.
  • the functionality shown on the client 102 may be implemented on a server in other embodiments of the present invention.
  • functionality shown in FIGS. 3 and 4 as being on a server may be implemented on the client 102 in some embodiments of the present invention.
  • the client 102 shown in FIG. 2 comprises a VPN client 202 .
  • the VPN client 202 allows the client 102 to connect to the enterprise server 106 .
  • the VPN client 202 is used to determine whether or not the VPN client 202 is active and whether or not the VPN client 202 is connected to a VPN server. For instance, an embodiment of the present invention may determine whether or not to connect to a particular service based on whether or not the VPN client 202 is enabled.
  • the VPN client 202 is used for four purposes: (1) to manage policy files, which include information, such as a gateway Internet Protocol (IP) address, secrecy and authentication level, and hash; (2) automatically connecting a VPN; (3) automatically disconnecting the VPN; and (4) monitoring the status of the VPN.
  • IP Internet Protocol
  • Each of these four purposes may be affected by other modules, including, for example, the connection manager 210 .
  • the client 102 also comprises a secure vault 204 .
  • the secure vault 204 protects content on the client 102 .
  • the secure vault 204 is responsible for storing encrypted content on the client 102 and allowing access to the encrypted content based on a set of permissions or policies.
  • a content creator can provide access via a viewer to secured content and allow a recipient of the content read-only access or allow the recipient to perform other tasks, such as modifying the content and forwarding it to other users.
  • the secure vault 204 allows the user to create and distribute secure content to other clients 102 , the content creator can decide to send a document to several users and allow two of the users full access and one of the users read-only access.
  • the client 102 shown in FIG. 2 also comprises a firewall 206 .
  • the firewall 206 allows port blocking via predefined policies. For instance, in one embodiment, an information technology (“IT”) manager specifies port blocking based on two zones, a safe zone and a dangerous zone. The IT manager specifies one of these two zones for each of the network interface devices installed on the client 102 . The IT manager is then able to set port-blocking rules by zone on the firewall 206 .
  • IT information technology
  • the IT manager may classify a Wireless Fidelity (“Wi-Fi”) network interface as dangerous since it has traditionally been considered fairly unsafe. And the IT manager may apply more restrictive port-blocking rules to the dangerous zone than to the safe zone and network interface devices, such as those used to connect to a wired Local Area Network (“LAN”) or a Personal Handyphone System (“PHS”) cellular connection.
  • the PHS standard is a TDD-TDMA based microcellular wireless communications technology and has been traditionally considered relatively safer than Wi-Fi connections.
  • the PHS cellular connection may also be referred to as a wireless wide area network (“WWAN”) as opposed to a dial-up connection providing access to a wide area network (“WAN”).
  • WWAN wireless wide area network
  • WAN wide area network
  • the port-blocking rules of the firewall 206 may be based on time of day, client IP address, terminating IP address, terminating and originating port, protocol, and other variables. In one embodiment, the port-blocking rules are based on policy data associated with individual users logged into the client 102 .
  • the port-blocking rules of the firewall 206 include a blacklist.
  • the blacklist allows an IT manager to prevent an application from executing on the client 102 .
  • an IT manager may blacklist a DVD player so that a user is unable to view DVD's on the client 102 .
  • the firewall 206 may provide a message to the user informing the user that an application is unavailable.
  • the firewall 206 implements a white list.
  • the white list is somewhat more restrictive than the blacklist described above.
  • the white list allows only specified applications to execute. For example, an IT manager may allow only MS Word, Excel, PowerPoint, and Outlook to execute. No other applications will be permitted to execute.
  • the firewall 206 may be a custom firewall or a third-party firewall integrated into an embodiment of the present invention.
  • the embodiment shown in FIG. 2 also includes an antivirus module 208 .
  • the antivirus module 208 shown determines whether policy files, virus dictionary, or other virus-related resources are out of date and provides the client 102 with a mechanism for updating the files or data.
  • the antivirus module 208 may restrict access to various connections, applications, and other functionality when the policy files are out of date. For instance, the antivirus module 208 may restrict the client 102 to connecting to a single gateway through which the policy files are available.
  • the antivirus module 208 comprises a third-party antivirus product that is integrated with the other modules on the client 102 .
  • the client 102 also comprises a connection manager 210 , which includes a rules processor.
  • the connection manager 210 assigns a priority number to every connection, e.g., one to one hundred, and selects the connection with the highest number to connect to.
  • connection manager 210 may provide a connection to a variety of networks, including, for example, dial-up, LAN, digital subscriber line (“DSL”), cable modem, Wi-Fi, wireless local area network (“WLAN”), PHS, and satellite.
  • networks including, for example, dial-up, LAN, digital subscriber line (“DSL”), cable modem, Wi-Fi, wireless local area network (“WLAN”), PHS, and satellite.
  • connection manager 210 differentiates between public and private connections.
  • a public connection is a connection provided by a service provider who has a relationship with the administrator of the security server 104 , which allows the security server 104 to authenticate the connection.
  • the security server 104 administrator may have a business arrangement with a hotspot provider.
  • the client 102 connects to a local access point and the authentication of the user occurs automatically at the security server 104 .
  • a private connection requires that all aspects of the authentication mechanism for a connection are managed in the absence of the security server 104 , although the connection manager may provide certain facilities to allow for automated authentication where possible.
  • connection manager 210 makes connections available or unavailable to the client 102 based on policies present on the client 102 .
  • the connection manager 210 may also download changes to policy data and transmit quality of service (“QoS”) and other data to the security server 104 or the enterprise server 106 .
  • QoS quality of service
  • the connection manager 210 determines the type of connections that are available based on signals provided by hardware associated with the client 102 . For example, when the client 102 passes near a hotspot, a Wi-Fi card in the client 102 senses the hotspot and sends a signal to the connection manager 210 . For instance, the Wi-Fi card may sense a broadcast service set identifier (“SSID”). Once the signal exceeds a threshold, the connection manager 210 provides a signal to a user of the client 102 that the network is available or may automatically connect to the hotspot. Alternatively, the Wi-Fi card may poll for a non-broadcast SSID. The connection manager 210 may provide a single connection to the client 102 at one time or may provide multiple connections to the client 102 .
  • SSID broadcast service set identifier
  • the client 102 shown in FIG. 2 also comprises a QoS collector 212 .
  • the QoS collector 212 collects data values, including, for example, the number of bytes sent and received, the average transfer rate, the average signal strength at connection, termination cause, failed connections, and a network identifier. In another embodiment, the QoS collector 212 collects data during the session to determine when a connection provides inconsistent performance.
  • the QoS collector 212 collects data regarding a connection during a session but does not send the data for a session until the next session. Thus, if a session is terminated abnormally, the QoS data will still be collected and transferred successfully. In another embodiment, the QoS collector 212 transfers data only when a particular type of connection is detected, such as a high-speed or low cost connection.
  • the client 102 also comprises a session statistics module 214 .
  • the session statistics module stores data representing user characteristics. For instance, the session statistic module 214 may store a list of the applications a user generally accesses, how often the user is connected, the typical CPU and memory utilization measure, keyboard sequences, and other characteristics of a user. If a particular user deviates from the expected characteristics by greater than a threshold, such as N standard deviations, and the significance of the statistic is more than a specified amount, the session statistics module 214 can identify the current user as a potential unauthorized user.
  • a threshold such as N standard deviations
  • the session statistics module 214 may perform other tasks as well. For instance, in one embodiment, the session statistics module 214 pre-loads applications based on a user's general usage patterns.
  • the client 102 shown in FIG. 2 also comprises a policy reader 216 .
  • a company's policies are housed on the enterprise server 106 . For instance, individual groups and users within an enterprise are identified and associated with policies, such as what types of connections they are able to access and what a user's VPN profile is. The user may also be able to specify a VPN policy on the client 102 .
  • the policy reader 216 downloads the policy rules from the enterprise server 106 and accesses local user policies and reconciles any conflicts between the two.
  • an IT manager may establish a VPN profile to be used by a user when connecting to a Wi-Fi network. However, the user may wish to create a secondary VPN profile to be used if the first VPN becomes unavailable.
  • the policy reader 216 loads both local and enterprise VPN profiles, resolving any conflict between the two VPN profiles.
  • the policy reader 216 accesses data at an enterprise, department, and user level. In such an embodiment, some of the policy rules may be stored in a lightweight directory access protocol (“LDAP”) server on the client 102 , security server 104 , or enterprise server 106 . In another embodiment, the policy reader 216 receives only changes to policy data and does not typically download all of the policy data at once. Policies downloaded by the policy reader 216 may be provided to the rules processor of the connection manager 210 .
  • LDAP lightweight directory access protocol
  • the client 102 may also comprises a client security module 216 .
  • the client security module 216 implements a client asset protection process.
  • the client security module 216 may, for example, disable devices and interfaces on the client device 102 and may, in some embodiments, encrypt the hard drive of the client device 102 so that the files stored on the drive are not easily accessible.
  • the client 102 may also comprise a user interface 220 .
  • the user interface 220 may control the underlying operating environment or the user's view of the underlying environment.
  • the user interface 220 supplants the Microsoft® Windows operating system interface from the user's perspective. In other words, the user is unable to access many of the standard Windows features.
  • Such a user interface may be implemented to limit the applications and configuration setting a user is able to access.
  • PDA personal digital assistant
  • no user interface is provided by an embodiment of the present invention; the standard PDA user interface is utilized.
  • the client 102 shown in FIG. 2 also comprises a security agent 222 .
  • the security agent 222 is also referred to as a “bomb.”
  • an IT manager indicates that the security agent 222 should be activated when the client 102 next connects to the enterprise server 106 . The IT manager may do so because the client 102 has been reported stolen. Subsequently, the client 102 connects to the enterprise server 106 , either directly or indirectly and receives the message to initiate the security agent 222 .
  • the security agent 222 when the security agent 222 activates, it stops all applications from being able to run and encrypts the data on the hard drive of the client 102 .
  • the security agent 222 may implement a white list as described above and then implement a secure vault for all data on the client 102 .
  • the connection manager 210 may also be configured so that no connections are possible.
  • the data since the data is merely encrypted by security agent 222 , rather than erased, the data may be recovered if the client 102 is subsequently recovered. For instance, the enterprise may retain the key needed for decrypting the local drive. The client 102 is returned to the enterprise, which then decrypts the drive. In another embodiment, the data on the local drive of the client is rendered inaccessible by, for example, writing over the data multiple times.
  • the client 102 shown in FIG. 2 also comprises an out-of-band communication receiver 224 .
  • the out-of-band communication receiver 224 allows the client to receive communications other than through a network-based connection.
  • the connection manager 210 may manage the out-of-band communication. For instance, the command to activate the security agent 222 may be transferred via a short messaging service (“SMS”) communication received by the out-of-band communication receiver 224 .
  • SMS short messaging service
  • FIG. 3 is a block diagram illustrating the modules present on a security server 104 in one embodiment of the present invention.
  • the security server 104 shown in FIG. 3 comprises a remote authentication dial-in user service (“RADIUS”) server 302 , which may also be referred to as an AAA (authentication, authorization, and accounting) server.
  • RADIUS is the standard by which applications and devices communicate with an AAA server.
  • the RADIUS server 302 provides authentication services on the security server 104 .
  • the RADIUS server 302 proxies to a RADIUS server on the enterprise server 106 .
  • the RADIUS server 302 provides mutual authentication for the client 102 using Extensible Authentication Protocol Transport Layer Security (“EAP-TLS”).
  • EAP-TLS itself is strictly an 802.1 ⁇ authentication protocol, designed primarily for WiFi connections, the underlying TLS authentication protocol may be deployed in both wired and wireless networks.
  • EAP-TLS performs mutual secured sockets layer (“SSL”) authentication. This requires both the client device 102 and the RADIUS server 302 to have a certificate. In mutual authentication, each side may prove its identity to the other using its certificate and its private key.
  • SSL mutual secured sockets layer
  • the security server shown in FIG. 3 also comprises an LDAP server 304 .
  • the LDAP server 304 uses the LDAP protocol, which provides a mechanism for locating users, organizations, and other resources on the network.
  • the LDAP server 304 provides access control at the network layer to various components that an enterprise customer may or may not purchase. For example, a customer may choose to implement a secure vault as described in relation to FIG. 1 . In such a case, the customer or users or groups associated with the customer are also associated with the firewall module. The LDAP entry is then used to determine that the firewall is to be enabled on a client.
  • the LDAP server 304 is implemented as a list of user identifiers not using the LDAP protocol.
  • data in the LDAP server 304 is propagated from data present in the enterprise server 106 .
  • the security server 104 shown in FIG. 3 also comprises a session manager 306 .
  • the session manager 306 controls sessions, including sessions between the client 102 and enterprise server 106 .
  • the session manager 306 also determines how to route data requests. For instance, the session manager 306 may determine that a particular data request should be routed to the Internet rather than to the enterprise server 106 . This may be referred to as “splitting the pipe” and provides a mechanism to replace “split tunneling” (a traditional configuration option with most standard VPN clients) at the client device by the more secure split of traffic not intended for the enterprise at the security server, allowing monitoring of all traffic without the enterprise incurring the expense of the extra bandwidth required.
  • the client 102 and enterprise server 106 establish a VPN for communication.
  • the session manager 306 may be unable to route requests to any location other than the enterprise—the packets are encrypted and thus, cannot be separately evaluated.
  • the session manager 306 performs automated authentication of a client device 102 or user. For example, if the session manager 306 determines that a client 102 is approaching a Wi-Fi hotspot, the session manager 306 is able to pre-populate the hotspot with the certificate that the hotspot requires to authenticate the user. In this manner, the authentication appears very fast to the user.
  • the session manager 306 may also control the manner in which data is queued for download to the client device 102 .
  • the session manager 306 provides two modes for data queuing. In a first mode, the session manager 306 determines that the network down time will be brief, e.g., the user is moving through a tunnel, which interferes with network access. In such a case, the session manager queues a minimal amount of data. In a second mode, the session manager 306 determines that the network down time will be of a longer duration, e.g., the user is boarding a plane from New York to Tokyo. In such a case, the session manager 306 may queue a larger amount of data. In one such embodiment, the session manager 306 determines the mode by querying the user for the downtime interval. When the user reconnects to the security server 104 , the session manager 306 determines the best manner of downloading the queued data and begins the download.
  • the session manager 306 comprises a packet shaper (not shown).
  • the packet shaper provides various functional capabilities to the session manager 306 .
  • the packet shaper provides a mechanism for prioritizing packets sent between the enterprise server 106 and the client 102 .
  • the packet shaper utilizes Multiprotocol Label Switching (“MPLS”).
  • MPLS allows a specific path to be specified for a given sequence of packets.
  • MPLS allows most packets to be forwarded at the switching (layer 2) level rather than at the (routing) layer 3 level.
  • MPLS provides a means for providing QoS for data transmissions, particularly as networks begin to carry more varied traffic.
  • the session manager 306 may also provide session persistence capabilities. For instance, in one embodiment, when a user drops a connection or moves from one provider network coverage area to another, the connection manager 306 persists a virtual connection as the first connection is terminated and the second is initiated.
  • the session manager 306 may include a server-side rules engine.
  • the server-side rules engine may use historical information, such as the session statistics described above, for statistical attack determination. For instance, session manager 306 may access a stored statistic regarding a client device 102 and based on monitoring of the current statistics for the client device 102 determine that an unauthorized user is using the client device 102 .
  • the security server 104 shown in FIG. 3 also comprises a real-time monitor 308 .
  • the real-time monitor 308 monitors the status of communications, such as which clients and users are logged on, the amount of data being transferred, ongoing QoS measures, ports in use, and other information.
  • the real-time monitor 308 When the real-time monitor 308 detects a problem, it may issue an alert to network support.
  • data from the real-time monitor 308 is provided to users via a portal available on the security server 308 .
  • the real-time portal 308 transfers information to the enterprise server 106 , from which users access the data.
  • the embodiment shown in FIG. 3 also comprises a historical monitor 310 .
  • the historical monitor 310 provides information similar to the real-time monitor 310 .
  • the underlying data is historical in nature.
  • the historical monitor 310 provides audit information for making intelligent business decisions and for dealing with regulatory compliance issues.
  • the information available via the historical monitor 310 may include, for example, historical QoS data, registration compliance data, and metrics consistency data.
  • the historical data monitor 310 may be used to determine that certain clients are not performing optimally by comparing metrics of various clients over time. For instance, by evaluating information available via the historical data monitor 310 , a support person may be able to determine that a radio tuner on a specific client device 102 is failing. If the user of one client device 102 is complaining about the availability of service, but other users are able to successfully access service, then the client device's radio may be the problem.
  • the historical data monitor 310 may also be used to reconcile information captured on the security server 104 regarding connections and data provided by telecommunication carriers.
  • the data may be used to determine when certain resources need to be increased and when a certain carrier is not performing adequately.
  • the security server also comprises a database 312 .
  • the database 312 may be any type of database, including, for example, MySQL, Oracle, or Microsoft SQL Server relational databases. Also, although the database 312 is shown as a single database in FIG. 2 , the database 312 may actually comprise multiple databases, multiple schemas within one or more databases, and multiples tables within one or more schemas. The database 312 may also be present on one or more other machines, e.g., database servers.
  • the database 312 stores customer information regarding enterprises served by the security server 104 , such as a list of valid users, a list of valid cellular cards, the relationships between the individual users and groups within the enterprise, and other customer information.
  • the database 312 stores an association between users and cellular data cards.
  • the enterprise may allocate a single user to a specific data card.
  • the enterprise may associate a group of users with a group of cellular data cards.
  • Other types of data may also be stored in the database 312 , such as billing data.
  • the security server 104 shown in FIG. 3 also comprises a QoS server 314 .
  • the QoS server 314 uploads information from the QoS collector 212 on the client device 102 and stores the QoS data.
  • the QoS server 314 can collect data from multiple clients and store it in the database 312 .
  • the security server also comprises a QoS tools engine 316 .
  • the QoS tools engine 316 displays data made available by the QoS server 314 and other processes, such as the real-time monitor 308 .
  • the QoS tools engine 316 provides an aggregation of QoS data in a spreadsheet. In another embodiment, the QoS tools engine 316 provides data using map views, pie charts, and graphs. The QoS tools engine 316 may also provide the capability for setting QoS-based alarms and may provide data to users via a portal.
  • the security server 104 also comprises a portal server 318 .
  • the portal server 318 may be, for example, a web server. Any standard web server application may be utilized, including Microsoft® Internet Information Server (“IIS”) or Apache.
  • IIS Internet Information Server
  • Apache Apache
  • the security server 104 shown in FIGS. 1 and 3 is illustrated as a single server, it may comprise multiple servers.
  • the security server 104 comprises multiple regional servers.
  • the description above suggests that data is provided to and queried from the security server 104 by the client 102 , i.e., the client pulls the data.
  • the client 102 also comprises a listener (not shown) so that the security server 104 can push data to the client 102 .
  • FIG. 4 is a block diagram illustrating the modules present on an enterprise server 106 in one embodiment of the present invention.
  • the enterprise server 106 may also be referred to herein as a customer server and may comprise one or more servers for one or more enterprises linked to one or more security servers 104 .
  • the enterprise server 106 shown in FIG. 4 comprises a policy server 402 .
  • the policy server 402 provides a means for managing the policy rules, including, for example, available VPN profiles, available transports (e.g. WiFi, LAN, PHS, Dialup), firewall rules, such as blacklists and white lists, connection rules, and antivirus rules.
  • the policy server 402 may include other rules as well, such as the level of data throttling to perform for each client or group of clients. Data throttling limits the data transfer rate to a particular client 102 so that connection resources can be optimized.
  • the policies may be managed at one or more levels. For example, an IT manager may wish to create a VPN profile for the enterprise as a whole, but a different VPN profile for an engineering group since the engineering group needs access to various unique applications.
  • the policy server 412 may also provide a mechanism for configuring the location of various servers that the client 102 will utilize. For instance, the policy server 412 may allow an IT manager to specify the IP address of an acceleration server 404 or a vault server 406
  • the policy server also allows the IT manager to specify which users receive updates for various components on the client 102 .
  • the policy server 402 may also allow the IT manager to perform connection configuration. For instance, the IT manager may use the policy server to specify phone numbers for PHS connections, Wi-Fi SSID's for private connections, and other connection configuration information.
  • the enterprise server 106 shown in FIG. 4 also comprises an acceleration server 404 .
  • the acceleration server 404 performs processes to improve the performance of data transfer. For instance, the acceleration server 404 may automatically compress images that are to be transferred to a client 102 .
  • the acceleration server 404 communicates with the policy server 402 .
  • An IT manager sets acceleration rules using the policy server 402 , and the acceleration server 404 uses these rules to determine what level of acceleration to use for a particular communication.
  • the IT manager sets a default level of acceleration for all communication and a specific level of acceleration for one group of users. The specific level of acceleration may be referred to as an override.
  • the enterprise server 106 also comprises a vault server 406 .
  • the vault server comprises two components, an automatic component and an administration component.
  • the automatic component integrates with an enterprise's mail server (not shown) and performs operations on emails to and from the mail server.
  • the vault server 406 may quarantine an email, automatically encrypt the email before it is sent, add a legal disclaimer to an email, or perform other functions on the email.
  • the automatic component of the vault server 406 searches an email based on words or based on the domain or specific address to which the email is addressed or from which the email originated. Using this information, the user can perform functions on the email, such as those described above.
  • the administration component of the vault server 406 allows a user to terminate access to secure content, either by a specific user or by all users. It also logs activity. Using one embodiment of the vault server 406 , a user can indicate that a set of users whose employment has been terminated will no longer have access to any secure content. In an alternative embodiment of the vault server 406 , a user can indicate that a given element of secure content, say a price list, is now out of date, and so that piece of secure content will no longer be viewable by any user. When each user accesses the secure content, the vault server 406 logs the event. So for each secure content element, the vault server 406 creates a log of all activity on the secure content.
  • the vault server 406 also compresses data. For instance, one embodiment utilizes standard PKZIP compression to compress all content. In another embodiment, an IT manager may identify three types of images and specify a different level of compression for each type of image based on the level of resolution necessary for each type of image.
  • the enterprise server 108 also comprises a RADIUS server 408 and LDAP server 410 , which are similar to those described above in relation to the security server 104 .
  • the RADIUS server 302 on the security server 104 may proxy to the RADIUS server 408 on the enterprise server 106 .
  • data in the LDAP server 410 may be propagated to the LDAP server 204 on the security server 104 .
  • the enterprise server 106 also comprises a one-time password (“OTP”) server 412 .
  • OTP one-time password
  • the OTP server 412 provides a mechanism for authentication.
  • the enterprise server 106 uses the OTP server 412 to perform a mutual authentication process.
  • the enterprise server 106 also comprises a concentrator 414 .
  • the concentrator 414 provides remote access capability to the client 102 .
  • the concentrator 414 may serve as a means for terminating a VPN between the client 102 and enterprise server 106 .
  • the enterprise server 104 shown in FIG. 4 also comprises a portal server 416 .
  • the portal server 416 may comprise a standard web server, such as IIS or Apache.
  • the portal server 416 may provide one or more portals.
  • the portal server 416 provides two portals, portal one and portal two.
  • Portal one provides a configuration interface for managing the various elements shown in FIGS. 2 and 3 , including, for example, the policy server 402 and LDAP server 410 .
  • Portal two provides an interface for accessing data, such as QoS data and session data.
  • a user may use historical QoS data on portal two to determine how a particular provider is performing in terms of throughput, user connections, and other QoS metrics.
  • Portal two may also provide real-time information, such as how many users are currently connected.
  • an IT manager determines that twenty users have been rejected by a carrier in the last three minutes due to authentication failure and five users with the same user identifier are currently logged on to five different devices. The IT manager uses this information to detect a potential security problem. Portal two may also be used to set alerts as described above.
  • first authentication server 118 and final authentication server 126 may be combined in a single server.
  • the system 100 shown in FIG. 1 is merely illustrative, and is used to help explain the illustrative systems and processes discussed below.
  • FIG. 5 is a flowchart illustrating a process for generating and distributing an indication to activate asset protection in one embodiment of the present invention.
  • a security server 104 automatically determines whether to send an indication to a client device 102 to invoke asset protection 502 . The determination may be based on a variety of factors. For example, in one embodiment, a user reports that a laptop has been lost or stolen. In another embodiment, the security server 104 monitors the duration between connections between the security server 104 and the laptop, and if the duration exceeds a threshold, determines that the indication should be sent.
  • the security server 104 performs a statistical analysis on the probability that the laptop has been lost or stolen, and if the probability exceeds a predetermined threshold, activates asset protection. For instance, in one embodiment, the security server 104 determines that 15 failed login attempts have occurred from a client device 102 . Based on this number of failed login attempts, the security server 104 determines a 90% probability that an unauthorized user is using the client device 102 . If the 90% probability exceeds the threshold set for that measure, the security server 104 sends the asset protection indication to the client 102 . In another embodiment, through a similar statistical mechanism, the client device 102 generates the indication without connecting to the network.
  • the security server 104 if the determination is made to invoke asset protection, the security server 104 generates an encryption key 504 and delivers it, along with an indication to activate asset protection, securely to the client device 102 .
  • the client device 102 uses the encryption key to encrypt data on the hard drive.
  • the client device 102 may use any conventional encryption routine to encrypt the data.
  • the encryption key can be used to recover the data on the hard drive.
  • the data on the hard drive or other storage medium is erased or otherwise destroyed; in such an embodiment, the encryption key may not be sent to the client 102 .
  • data present on the client device 102 may not be available anywhere else. For instance, a confidential customer list or proposal may be stored on the client device 102 .
  • an embodiment of the present invention avoids the loss of this data should the laptop subsequently be found or returned.
  • the encryption key will be stored locally 506 , for instance, in a database on the security server 104 .
  • the client device 102 does not have to store an encryption key, which could decrypt data on its local data store.
  • the encryption key will be sent with the indication to activate asset protection 508 .
  • the security server 104 may transmit the key and indication in a secure manner via a network, such as network 108 .
  • the network may comprise a wired or wireless network.
  • the key and indication are transmitted over a wired or wireless transmission control protocol/internet protocol (TCP/IP) link.
  • TCP/IP transmission control protocol/internet protocol
  • the security server 104 transmits the key and indication through an out-of-band communication channel, e.g., transmitting an SMS message to the client.
  • the client device 102 receives the encryption key and asset protection indication 508 .
  • the client device 102 may receive the key and indication via network 106 .
  • the client device 102 initiates all network connections through the security server 104 .
  • the security server 104 is able to detect when the client device 102 connects.
  • the client device receives the key and indication as part of an SMS message. The client device 102 extracts the key and indicator from the SMS message.
  • the client device 102 executes an asset protection component 510 .
  • the client device shown in FIG. 2 comprises a security agent 222 .
  • the security agent 222 is responsible for carrying out the asset protection steps illustrated in FIGS. 6-9 on the client device.
  • processes on the security server 104 or enterprise server 106 may also be executed. For instance, access to the enterprise's VPN may be disabled if a client device 102 is thought to have been stolen, lost, or otherwise compromised.
  • FIG. 6 is a flowchart illustrating a process for activating asset protection in one embodiment of the present invention.
  • the client device 102 first receives an indication to activate asset protection 602 .
  • the indication contains an encryption key.
  • Asset protection may comprise a variety of security mechanisms. These security mechanism may be software, firmware, or hardware based or may be a combination of software, firmware, and/or hardware.
  • the security agent 222 disables the client device ( 102 ) 606 .
  • the security agent 222 may disable the client in various ways. For instance, the security agent 222 may disable communications, input/output, or even disrupt the power supply. Other methods of disabling the client device 102 are described in reference to FIG. 7 .
  • the security agent 222 also disables the local data store 608 . Disabling of the data store and client device 102 may occur simultaneously or sequentially. In one embodiment, portions of the client device 102 are disabled, such as the network adapter or adapters, the data store is disabled, and then the rest of the client device is disabled. As with disabling the client device 102 , disabling the data store may be accomplished in various ways. For instance, the security agent 222 may preserve the data on the data store but make the data inaccessible. In one embodiment, the security agent 222 destroys all the data on the data store.
  • the local data store is made unavailable by implementing a “file system filter driver” that redirects all read/write attempts to local data stores to a location that does not exist or to a single location that contains a security message. Other methods of disabling the local data store are described in relation to FIG. 8 .
  • FIG. 7 is a flowchart illustrating a process for disabling the client device 102 in one embodiment of the present invention.
  • the security agent 222 first blocks network access from the client device ( 102 ) 702 . For instance, in one embodiment, once asset protection is activated, the client device 102 is no longer able to connect to any wired or wireless networks except to check whether or not an indication to recover the device has been sent.
  • the security agent 222 also blocks execution of one or more applications on the client device 102 .
  • the security client 102 may block access of an application that would allow a user to modify registry entries or to examine the file system.
  • the security agent 222 implements a white list, allowing the client device 102 to execute only specified applications.
  • the security agent 222 destroys the BIOS, rendering the client device 102 unusable.
  • the security agent 222 also blocks input and output ports on the client device 706 .
  • the security agent 222 stops a user from transferring information off of the client device 102 .
  • the blocked ports may be virtual or real. For instance, in one embodiment, blocking the ports comprises revising setting on a firewall. In another embodiment, blocking ports comprises turning off access to serial, parallel, USB, and other physical ports.
  • the security agent 222 may also shut off access to CD or DVD burners. For instance, in one embodiment, blocking a physical port may stop the user from printing information, storing information on a USB drive, or otherwise moving information from the client device 102 to another device or medium.
  • the security agent 222 stops a user from loading utility programs or data on the client device 102 .
  • a user may attempt to load a program from a web site to disable the security agent 222 .
  • the security agent 222 thwarts this threat.
  • the security agent 222 next verifies that no indication to recover the client device has been received 708 . For example, in one embodiment, if an administrator determines that the client device 102 has been disabled inadvertently, the administrator can transmit a recovery indication, e.g., by sending an out-of-band communication. When the client device 102 receives the recover indication, the security agent 222 may stop the process of disabling the client device 102 and may reopen ports and allow access to applications automatically. In one embodiment, the client device 102 is returned to an administrative facility to be recovered.
  • the security agent 222 shuts the client device 102 down 710 .
  • the security agent 222 executes the normal shut down procedure for the client device 102 .
  • the security agent 222 causes the client device to immediately power down without executing the normal operating system shut down procedure.
  • the steps shown in FIG. 7 may occur in a different order and may occur sequentially or concurrently.
  • the security agent 222 disables the client device 102 and disables a local data store.
  • FIG. 8 is a flowchart illustrating a process for disabling the local data store in one embodiment of the present invention.
  • the security agent 222 receives an asset protection indication 802 . For instance, if the client device 102 is stolen, the network administrator may set a flag in the policy server 402 , indicating that the asset protection indication is to be sent to the client device 102 .
  • the security agent 222 encrypts the local data store 804 .
  • the local data store may comprise a hard drive, flash memory, or any other medium capable of storing data.
  • the security agent 222 may encrypt he data using an encryption key transmitted with the asset protection indication.
  • the encryption key is not stored on the local data store, decreasing the chances of discovery of the key and decryption of the data store.
  • the encryption key is stored on the local data store, facilitating automated recovery of the local data store.
  • the security agent 222 next permanently deletes the contents of the local data store 806 .
  • the security agent 222 may repeatedly write over the local data store with random pieces of information.
  • the security agent 222 may also corrupt the file allocation table of the local data store, such that the data cannot be accessed without rebuilding the file allocation table.
  • the security agent 222 encrypts the local data store and sets an expiration date two days after the encryption takes place. On the expiration date, the security agent 222 permanently deletes the local data store unless a recover indication is received.
  • FIG. 9 is a flowchart illustrating a process for recovering the client device 102 in one embodiment of the present invention.
  • the client device 102 receives an indication to recover 902 .
  • the client device 102 may receive the recover indication in various ways. For instance, in one embodiment, a port in a firewall remains open after the remaining ports are blocked. A recover indication is transmitted over the open port. In another embodiment, a network administrator takes physical possession of the client device 102 and recovers it manually.
  • the security agent 222 then enables the client device ( 102 ) 904 .
  • the security agent 222 enables the client device by reversing the process shown in FIG. 7 .
  • the security agent 222 also enables the local data store 906 . Enabling the local data store may occur before, after, or concurrently with enabling the client device 102 in various embodiments of the present invention.
  • the client device 102 enables the local data store by decrypting the data.
  • the security agent 222 may perform this task automatically. For example, the security agent 222 may use an encryption key stored on the local data store to perform the encryption or may receive the encryption key from the security server with the recover indication.
  • the security agent 222 is also able to report a position of the client device 102 .
  • the client device 102 may comprise a global positioning (“GPS”) card that provides the capability of providing a position, or the client device 102 may use signals from multiple signal towers to determine a position by triangulation. The position of the client device 102 may then be used to help determine whether the client device 102 and/or local data store are to be disabled.
  • GPS global positioning

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • General Business, Economics & Management (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • Virology (AREA)
  • Social Psychology (AREA)
  • Environmental & Geological Engineering (AREA)
  • Databases & Information Systems (AREA)
  • Bioethics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Stored Programmes (AREA)
  • User Interface Of Digital Computer (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Systems and methods for enhanced electronic asset protection are described. One aspect of one described embodiment includes receiving an indication to activate asset protection, the client device having a local data store; and activating asset protection in response to the indication, wherein asset protection comprises disabling the local data store and disabling the client device. In another embodiment, a computer-readable medium (such as, for example random access memory or a computer disk) includes code for carrying out such a method.

Description

    RELATED APPLICATIONS
  • This application claims priority to Application Ser. No. 60/583,765, filed on Jun. 28, 2004, titled “Controlling Use of a Mobile Work Station Based on Network Environment,” Application Ser. No. 60/598,364, filed on Aug. 3, 2004, titled “Systems and Methods for Enhancing and Optimizing a User's Experience on an Electronic Device,” Application Ser. No. 60/652,121, filed on Feb. 11, 2005, titled “Remote Access Services,” and Application Ser. No. 60/653,411, filed on Feb. 16, 2005, titled “Creating an Environment for Secure Mobile Access Anywhere,” the entirety of all of which are incorporated herein by reference.
    • FIELD OF THE INVENTION
  • The present invention relates generally to computer data security and, more particularly systems and methods for enhanced electronic asset protection.
    • BACKGROUND
  • As the workforce becomes more mobile, enterprises often have equipment and data stored remotely, outside of the office. Unfortunately, mobile equipment, such as laptop computers, is sometimes lost or stolen.
  • A stolen or lost laptop may provide an opportunity for someone to access valuable confidential data or attempt to breach the corporate network and access data and systems that are available only to an enterprise's users via the enterprise's private network.
  • When a laptop is stolen, the enterprise may be able to protect the corporate network by, for example, disabling the user account associated with the laptop. However, it may be difficult or impossible to protect the data on the stolen or lost laptop.
  • Conventional hand held devices, such as personal digital assistants (PDA's) provide some facilities for dealing with stolen or lost equipment. For instance, some PDA's include a facility for destroying all of the data on the PDA if the enterprise determines that the PDA is lost or stolen. If the PDA is later recovered or discovered not to have been lost or stolen in the first place, the PDA can typically be recovered by synchronizing the PDA with a user's personal computer. However, when a laptop is stolen, it may be difficult to protect confidential data on the laptop. And if the data is protected by, for example deleting it, recovery of data on the laptop is difficult at best.
    • SUMMARY
  • Embodiments of the present invention provide systems and methods for enhanced electronic asset protection. One aspect of one described embodiment includes a client device receiving an indication to activate asset protection, the client device having a local data store; and activating asset protection in response to the indication, wherein asset protection comprises disabling the local data store and disabling the client device. In another embodiment, a computer-readable medium (such as, for example random access memory or a computer disk) includes code for carrying out such a method.
  • This illustrative embodiment is mentioned not to limit or define the invention, but to provide one example to aid understanding thereof. Illustrative embodiments are discussed in the Detailed Description, and further description of the invention is provided there. Advantages offered by the various embodiments of the present invention may be further understood by examining this specification.
    • FIGURES
  • These and other features, aspects, and advantages of the present invention are better understood when the following Detailed Description is read with reference to the accompanying drawings, wherein:
  • FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention;
  • FIG. 2 is a block diagram illustrating the modules present on a client device 102 in one embodiment of the present invention;
  • FIG. 3 is a block diagram illustrating the modules present on a security server 104 in one embodiment of the present invention;
  • FIG. 4 is a block diagram illustrating the modules present on an enterprise server 106 in one embodiment of the present invention;
  • FIG. 5 is a flowchart illustrating a process for generating and distributing an indication to activate asset protection in one embodiment of the present invention;
  • FIG. 6 is a flowchart illustrating a process for activating asset protection in one embodiment of the present invention;
  • FIG. 7 is a flowchart illustrating a process for disabling the client device 102 in one embodiment of the present invention;
  • FIG. 8 is a flowchart illustrating a process for disabling the local data store in one embodiment of the present invention; and
  • FIG. 9 is a flowchart illustrating a process for recovering the client device 102 in one embodiment of the present invention.
    • DETAILED DESCRIPTION
  • Embodiments of the present invention provide systems and methods for enhanced electronic asset protection. There are multiple embodiments of the present invention. By way of introduction and example, one illustrative embodiment of the present invention provides a method for protecting data stored on a laptop after the laptop is stolen.
  • The user reports the fact that the laptop was stolen to an administrator. The administrator sets an indicator in a policy data store that the laptop should execute an asset protection procedure the next time it connects to a network. When the laptop is next powered up, it automatically connects to a network, and the asset protection indicator is transmitted to the laptop.
  • In response to the asset protection indicator, the hard drive on the laptop is encrypted using an encryption key. While the hard drive is encrypted, the laptop begins shutting down devices, such as the network interface card, wireless access card, serial and parallel ports, keyboard, and monitor. In one embodiment, the network interface card continues to accept traffic from the policy data store so that it can receive additional instructions, such as a recovery indication. The laptop also shuts off all or most ports in the firewall and will not execute some or all applications. The laptop may also shut down.
  • If the laptop is not recovered, the data on the laptop is protected from discovery by the user who has stolen or found the laptop. If the laptop is recovered, a recover indication is sent to the laptop. When the laptop receives the recover indication, it uses the encryption key to decrypt the hard drive and enables all the devices, ports, and applications.
  • This introduction is given to introduce the reader to the general subject matter of the application. By no means is the invention limited to such subject matter. Illustrative embodiments are described below.
    • System Architecture
  • Various systems in accordance with the present invention may be constructed. Referring now to the drawings in which like numerals indicate like elements throughout the several figures, FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention. The system shown in FIG. 1 includes a client 102.
  • Communication with the security server 104 occurs via a network 108. The network 108 may comprise a public or private network and may include the Internet. The network may also comprise a plurality of networks, including, for example, dedicated phone lines between the various components. In one embodiment, the client 102 communicates with the security server 104 via a virtual private network (“VPN”) established over the Internet.
  • The security server 104 is also in communication with an enterprise server 106 via a network. The network 108 may comprise various elements, both wired and wireless. In one embodiment, the communication between the security server 104 and enterprise server 106 occurs over a static VPN established over dedicated communication lines.
  • In one embodiment, a user connects a client device 102 to the network 108 using a network access user interface. The network access user interface is always on and only allows the user to connect to the network 108 via the interface. The network access user interface automatically causes the client 102 to connect to the security server 104 through the network 108. The security server 104 provides value added services to the client 102 and to one or more enterprises. Access to other services, such as the Internet, may be provided via the security server 104.
  • Although FIG. 1 includes only a single client 102, security server 104, and enterprise server 106, an embodiment of the present invention will typically include a plurality of clients 102 and may include a plurality of security servers 104 and enterprise servers 106.
    • Client Devices
  • FIG. 2 is a block diagram illustrating the modules present on a client device 102 in one embodiment of the present invention. Examples of client device 102 are personal computers, digital assistants, personal digital assistants, cellular phones, mobile phones, smart phones, pagers, digital tablets, laptop computers, Internet appliances, and other processor-based devices. In general, a client device 102 may be any suitable type of processor-based platform that is connected to the network 108, and that interacts with one or more application programs. The client device 102 can contain a processor coupled to a computer-readable medium, such as RAM. Client device 102 may operate on any operating system, such as Microsoft® Windows® or Linux. The client device 102 is, for example, a laptop computer executing a network access user interface.
  • The modules shown in FIG. 2 represent functionality of the client 102. The modules may be implemented as one or more computer programs that include one or more modules. For instance, in one embodiment, all the modules shown in FIG. 2 are contained within a single network access application. Also, the functionality shown on the client 102 may be implemented on a server in other embodiments of the present invention. Likewise, functionality shown in FIGS. 3 and 4 as being on a server may be implemented on the client 102 in some embodiments of the present invention.
  • The client 102 shown in FIG. 2 comprises a VPN client 202. The VPN client 202 allows the client 102 to connect to the enterprise server 106. In one embodiment of the present invention, the VPN client 202 is used to determine whether or not the VPN client 202 is active and whether or not the VPN client 202 is connected to a VPN server. For instance, an embodiment of the present invention may determine whether or not to connect to a particular service based on whether or not the VPN client 202 is enabled.
  • In another embodiment of the present invention, the VPN client 202 is used for four purposes: (1) to manage policy files, which include information, such as a gateway Internet Protocol (IP) address, secrecy and authentication level, and hash; (2) automatically connecting a VPN; (3) automatically disconnecting the VPN; and (4) monitoring the status of the VPN. Each of these four purposes may be affected by other modules, including, for example, the connection manager 210.
  • The client 102 also comprises a secure vault 204. The secure vault 204 protects content on the client 102. In one embodiment, the secure vault 204 is responsible for storing encrypted content on the client 102 and allowing access to the encrypted content based on a set of permissions or policies. In such an embodiment, a content creator can provide access via a viewer to secured content and allow a recipient of the content read-only access or allow the recipient to perform other tasks, such as modifying the content and forwarding it to other users. In another embodiment, the secure vault 204 allows the user to create and distribute secure content to other clients 102, the content creator can decide to send a document to several users and allow two of the users full access and one of the users read-only access.
  • The client 102 shown in FIG. 2 also comprises a firewall 206. The firewall 206 allows port blocking via predefined policies. For instance, in one embodiment, an information technology (“IT”) manager specifies port blocking based on two zones, a safe zone and a dangerous zone. The IT manager specifies one of these two zones for each of the network interface devices installed on the client 102. The IT manager is then able to set port-blocking rules by zone on the firewall 206.
  • For example, the IT manager may classify a Wireless Fidelity (“Wi-Fi”) network interface as dangerous since it has traditionally been considered fairly unsafe. And the IT manager may apply more restrictive port-blocking rules to the dangerous zone than to the safe zone and network interface devices, such as those used to connect to a wired Local Area Network (“LAN”) or a Personal Handyphone System (“PHS”) cellular connection. The PHS standard is a TDD-TDMA based microcellular wireless communications technology and has been traditionally considered relatively safer than Wi-Fi connections. The PHS cellular connection may also be referred to as a wireless wide area network (“WWAN”) as opposed to a dial-up connection providing access to a wide area network (“WAN”).
  • In various other embodiments, the port-blocking rules of the firewall 206 may be based on time of day, client IP address, terminating IP address, terminating and originating port, protocol, and other variables. In one embodiment, the port-blocking rules are based on policy data associated with individual users logged into the client 102.
  • In one embodiment, the port-blocking rules of the firewall 206 include a blacklist. The blacklist allows an IT manager to prevent an application from executing on the client 102. For instance, an IT manager may blacklist a DVD player so that a user is unable to view DVD's on the client 102. The firewall 206 may provide a message to the user informing the user that an application is unavailable.
  • In another embodiment, the firewall 206 implements a white list. The white list is somewhat more restrictive than the blacklist described above. The white list allows only specified applications to execute. For example, an IT manager may allow only MS Word, Excel, PowerPoint, and Outlook to execute. No other applications will be permitted to execute. The firewall 206 may be a custom firewall or a third-party firewall integrated into an embodiment of the present invention.
  • The embodiment shown in FIG. 2 also includes an antivirus module 208. The antivirus module 208 shown determines whether policy files, virus dictionary, or other virus-related resources are out of date and provides the client 102 with a mechanism for updating the files or data. The antivirus module 208 may restrict access to various connections, applications, and other functionality when the policy files are out of date. For instance, the antivirus module 208 may restrict the client 102 to connecting to a single gateway through which the policy files are available. In one embodiment, the antivirus module 208 comprises a third-party antivirus product that is integrated with the other modules on the client 102.
  • The client 102 also comprises a connection manager 210, which includes a rules processor. In one embodiment, the connection manager 210 assigns a priority number to every connection, e.g., one to one hundred, and selects the connection with the highest number to connect to.
  • The connection manager 210 may provide a connection to a variety of networks, including, for example, dial-up, LAN, digital subscriber line (“DSL”), cable modem, Wi-Fi, wireless local area network (“WLAN”), PHS, and satellite.
  • In one embodiment, the connection manager 210 differentiates between public and private connections. A public connection is a connection provided by a service provider who has a relationship with the administrator of the security server 104, which allows the security server 104 to authenticate the connection. For instance, the security server 104 administrator may have a business arrangement with a hotspot provider. In order to connect, the client 102 connects to a local access point and the authentication of the user occurs automatically at the security server 104. In contrast, a private connection requires that all aspects of the authentication mechanism for a connection are managed in the absence of the security server 104, although the connection manager may provide certain facilities to allow for automated authentication where possible.
  • In one embodiment, the connection manager 210 makes connections available or unavailable to the client 102 based on policies present on the client 102. The connection manager 210 may also download changes to policy data and transmit quality of service (“QoS”) and other data to the security server 104 or the enterprise server 106.
  • In one embodiment, the connection manager 210 determines the type of connections that are available based on signals provided by hardware associated with the client 102. For example, when the client 102 passes near a hotspot, a Wi-Fi card in the client 102 senses the hotspot and sends a signal to the connection manager 210. For instance, the Wi-Fi card may sense a broadcast service set identifier (“SSID”). Once the signal exceeds a threshold, the connection manager 210 provides a signal to a user of the client 102 that the network is available or may automatically connect to the hotspot. Alternatively, the Wi-Fi card may poll for a non-broadcast SSID. The connection manager 210 may provide a single connection to the client 102 at one time or may provide multiple connections to the client 102.
  • The client 102 shown in FIG. 2 also comprises a QoS collector 212. The QoS collector 212 collects data values, including, for example, the number of bytes sent and received, the average transfer rate, the average signal strength at connection, termination cause, failed connections, and a network identifier. In another embodiment, the QoS collector 212 collects data during the session to determine when a connection provides inconsistent performance.
  • In one embodiment, the QoS collector 212 collects data regarding a connection during a session but does not send the data for a session until the next session. Thus, if a session is terminated abnormally, the QoS data will still be collected and transferred successfully. In another embodiment, the QoS collector 212 transfers data only when a particular type of connection is detected, such as a high-speed or low cost connection.
  • The client 102 also comprises a session statistics module 214. The session statistics module stores data representing user characteristics. For instance, the session statistic module 214 may store a list of the applications a user generally accesses, how often the user is connected, the typical CPU and memory utilization measure, keyboard sequences, and other characteristics of a user. If a particular user deviates from the expected characteristics by greater than a threshold, such as N standard deviations, and the significance of the statistic is more than a specified amount, the session statistics module 214 can identify the current user as a potential unauthorized user.
  • The session statistics module 214 may perform other tasks as well. For instance, in one embodiment, the session statistics module 214 pre-loads applications based on a user's general usage patterns.
  • The client 102 shown in FIG. 2 also comprises a policy reader 216. In one embodiment, a company's policies are housed on the enterprise server 106. For instance, individual groups and users within an enterprise are identified and associated with policies, such as what types of connections they are able to access and what a user's VPN profile is. The user may also be able to specify a VPN policy on the client 102. In such an embodiment, the policy reader 216 downloads the policy rules from the enterprise server 106 and accesses local user policies and reconciles any conflicts between the two.
  • For example, an IT manager may establish a VPN profile to be used by a user when connecting to a Wi-Fi network. However, the user may wish to create a secondary VPN profile to be used if the first VPN becomes unavailable. The policy reader 216 loads both local and enterprise VPN profiles, resolving any conflict between the two VPN profiles.
  • In one embodiment, the policy reader 216 accesses data at an enterprise, department, and user level. In such an embodiment, some of the policy rules may be stored in a lightweight directory access protocol (“LDAP”) server on the client 102, security server 104, or enterprise server 106. In another embodiment, the policy reader 216 receives only changes to policy data and does not typically download all of the policy data at once. Policies downloaded by the policy reader 216 may be provided to the rules processor of the connection manager 210.
  • The client 102 may also comprises a client security module 216. In one embodiment, the client security module 216 implements a client asset protection process. When the client security module 216 receives a signal indicating that the client asset protection process is to be executed, the client security module 216 may, for example, disable devices and interfaces on the client device 102 and may, in some embodiments, encrypt the hard drive of the client device 102 so that the files stored on the drive are not easily accessible.
  • The client 102 may also comprise a user interface 220. The user interface 220 may control the underlying operating environment or the user's view of the underlying environment. For example, in one embodiment, the user interface 220 supplants the Microsoft® Windows operating system interface from the user's perspective. In other words, the user is unable to access many of the standard Windows features. Such a user interface may be implemented to limit the applications and configuration setting a user is able to access. In some embodiments, such as a personal digital assistant (“PDA”), no user interface is provided by an embodiment of the present invention; the standard PDA user interface is utilized.
  • The client 102 shown in FIG. 2 also comprises a security agent 222. In some embodiments, the security agent 222 is also referred to as a “bomb.” In one embodiment, an IT manager indicates that the security agent 222 should be activated when the client 102 next connects to the enterprise server 106. The IT manager may do so because the client 102 has been reported stolen. Subsequently, the client 102 connects to the enterprise server 106, either directly or indirectly and receives the message to initiate the security agent 222.
  • In one embodiment, when the security agent 222 activates, it stops all applications from being able to run and encrypts the data on the hard drive of the client 102. For instance, the security agent 222 may implement a white list as described above and then implement a secure vault for all data on the client 102. The connection manager 210 may also be configured so that no connections are possible.
  • In one such embodiment, since the data is merely encrypted by security agent 222, rather than erased, the data may be recovered if the client 102 is subsequently recovered. For instance, the enterprise may retain the key needed for decrypting the local drive. The client 102 is returned to the enterprise, which then decrypts the drive. In another embodiment, the data on the local drive of the client is rendered inaccessible by, for example, writing over the data multiple times.
  • The client 102 shown in FIG. 2 also comprises an out-of-band communication receiver 224. The out-of-band communication receiver 224 allows the client to receive communications other than through a network-based connection. The connection manager 210 may manage the out-of-band communication. For instance, the command to activate the security agent 222 may be transferred via a short messaging service (“SMS”) communication received by the out-of-band communication receiver 224.
    • Security Server
  • FIG. 3 is a block diagram illustrating the modules present on a security server 104 in one embodiment of the present invention. The security server 104 shown in FIG. 3 comprises a remote authentication dial-in user service (“RADIUS”) server 302, which may also be referred to as an AAA (authentication, authorization, and accounting) server. RADIUS is the standard by which applications and devices communicate with an AAA server.
  • The RADIUS server 302 provides authentication services on the security server 104. In some embodiments of the present invention, the RADIUS server 302 proxies to a RADIUS server on the enterprise server 106. In one embodiment, the RADIUS server 302 provides mutual authentication for the client 102 using Extensible Authentication Protocol Transport Layer Security (“EAP-TLS”). Although EAP-TLS itself is strictly an 802.1× authentication protocol, designed primarily for WiFi connections, the underlying TLS authentication protocol may be deployed in both wired and wireless networks. EAP-TLS performs mutual secured sockets layer (“SSL”) authentication. This requires both the client device 102 and the RADIUS server 302 to have a certificate. In mutual authentication, each side may prove its identity to the other using its certificate and its private key.
  • The security server shown in FIG. 3 also comprises an LDAP server 304. The LDAP server 304 uses the LDAP protocol, which provides a mechanism for locating users, organizations, and other resources on the network. In one embodiment of the present invention, the LDAP server 304 provides access control at the network layer to various components that an enterprise customer may or may not purchase. For example, a customer may choose to implement a secure vault as described in relation to FIG. 1. In such a case, the customer or users or groups associated with the customer are also associated with the firewall module. The LDAP entry is then used to determine that the firewall is to be enabled on a client.
  • In some embodiments, the LDAP server 304 is implemented as a list of user identifiers not using the LDAP protocol. In another embodiment, data in the LDAP server 304 is propagated from data present in the enterprise server 106.
  • The security server 104 shown in FIG. 3 also comprises a session manager 306. The session manager 306 controls sessions, including sessions between the client 102 and enterprise server 106. In some embodiments, the session manager 306 also determines how to route data requests. For instance, the session manager 306 may determine that a particular data request should be routed to the Internet rather than to the enterprise server 106. This may be referred to as “splitting the pipe” and provides a mechanism to replace “split tunneling” (a traditional configuration option with most standard VPN clients) at the client device by the more secure split of traffic not intended for the enterprise at the security server, allowing monitoring of all traffic without the enterprise incurring the expense of the extra bandwidth required.
  • In some embodiments, the client 102 and enterprise server 106 establish a VPN for communication. In such an embodiment, the session manager 306 may be unable to route requests to any location other than the enterprise—the packets are encrypted and thus, cannot be separately evaluated.
  • In one embodiment, the session manager 306 performs automated authentication of a client device 102 or user. For example, if the session manager 306 determines that a client 102 is approaching a Wi-Fi hotspot, the session manager 306 is able to pre-populate the hotspot with the certificate that the hotspot requires to authenticate the user. In this manner, the authentication appears very fast to the user. The session manager 306 may also control the manner in which data is queued for download to the client device 102.
  • In one such embodiment, the session manager 306 provides two modes for data queuing. In a first mode, the session manager 306 determines that the network down time will be brief, e.g., the user is moving through a tunnel, which interferes with network access. In such a case, the session manager queues a minimal amount of data. In a second mode, the session manager 306 determines that the network down time will be of a longer duration, e.g., the user is boarding a plane from New York to Tokyo. In such a case, the session manager 306 may queue a larger amount of data. In one such embodiment, the session manager 306 determines the mode by querying the user for the downtime interval. When the user reconnects to the security server 104, the session manager 306 determines the best manner of downloading the queued data and begins the download.
  • In one embodiment, the session manager 306 comprises a packet shaper (not shown). The packet shaper provides various functional capabilities to the session manager 306. For example, in one embodiment, the packet shaper provides a mechanism for prioritizing packets sent between the enterprise server 106 and the client 102. In one embodiment, the packet shaper utilizes Multiprotocol Label Switching (“MPLS”). MPLS allows a specific path to be specified for a given sequence of packets. MPLS allows most packets to be forwarded at the switching (layer 2) level rather than at the (routing) layer 3 level. MPLS provides a means for providing QoS for data transmissions, particularly as networks begin to carry more varied traffic.
  • The session manager 306 may also provide session persistence capabilities. For instance, in one embodiment, when a user drops a connection or moves from one provider network coverage area to another, the connection manager 306 persists a virtual connection as the first connection is terminated and the second is initiated.
  • The session manager 306 may include a server-side rules engine. The server-side rules engine may use historical information, such as the session statistics described above, for statistical attack determination. For instance, session manager 306 may access a stored statistic regarding a client device 102 and based on monitoring of the current statistics for the client device 102 determine that an unauthorized user is using the client device 102.
  • The security server 104 shown in FIG. 3 also comprises a real-time monitor 308. The real-time monitor 308 monitors the status of communications, such as which clients and users are logged on, the amount of data being transferred, ongoing QoS measures, ports in use, and other information.
  • When the real-time monitor 308 detects a problem, it may issue an alert to network support. In one embodiment, data from the real-time monitor 308 is provided to users via a portal available on the security server 308. In another embodiment, the real-time portal 308 transfers information to the enterprise server 106, from which users access the data.
  • The embodiment shown in FIG. 3 also comprises a historical monitor 310. The historical monitor 310 provides information similar to the real-time monitor 310. However, the underlying data is historical in nature. For instance, in one embodiment, the historical monitor 310 provides audit information for making intelligent business decisions and for dealing with regulatory compliance issues.
  • The information available via the historical monitor 310 may include, for example, historical QoS data, registration compliance data, and metrics consistency data. The historical data monitor 310 may be used to determine that certain clients are not performing optimally by comparing metrics of various clients over time. For instance, by evaluating information available via the historical data monitor 310, a support person may be able to determine that a radio tuner on a specific client device 102 is failing. If the user of one client device 102 is complaining about the availability of service, but other users are able to successfully access service, then the client device's radio may be the problem.
  • The historical data monitor 310 may also be used to reconcile information captured on the security server 104 regarding connections and data provided by telecommunication carriers. The data may be used to determine when certain resources need to be increased and when a certain carrier is not performing adequately.
  • The security server also comprises a database 312. In embodiments of the present invention, the database 312 may be any type of database, including, for example, MySQL, Oracle, or Microsoft SQL Server relational databases. Also, although the database 312 is shown as a single database in FIG. 2, the database 312 may actually comprise multiple databases, multiple schemas within one or more databases, and multiples tables within one or more schemas. The database 312 may also be present on one or more other machines, e.g., database servers.
  • In one embodiment of the present invention, the database 312 stores customer information regarding enterprises served by the security server 104, such as a list of valid users, a list of valid cellular cards, the relationships between the individual users and groups within the enterprise, and other customer information.
  • For example, in one embodiment, the database 312 stores an association between users and cellular data cards. The enterprise may allocate a single user to a specific data card. Alternatively, the enterprise may associate a group of users with a group of cellular data cards. Other types of data may also be stored in the database 312, such as billing data.
  • The security server 104 shown in FIG. 3 also comprises a QoS server 314. The QoS server 314 uploads information from the QoS collector 212 on the client device 102 and stores the QoS data. The QoS server 314 can collect data from multiple clients and store it in the database 312.
  • The security server also comprises a QoS tools engine 316. The QoS tools engine 316 displays data made available by the QoS server 314 and other processes, such as the real-time monitor 308.
  • In one embodiment, the QoS tools engine 316 provides an aggregation of QoS data in a spreadsheet. In another embodiment, the QoS tools engine 316 provides data using map views, pie charts, and graphs. The QoS tools engine 316 may also provide the capability for setting QoS-based alarms and may provide data to users via a portal.
  • In the embodiment shown in FIG. 3, the security server 104 also comprises a portal server 318. The portal server 318 may be, for example, a web server. Any standard web server application may be utilized, including Microsoft® Internet Information Server (“IIS”) or Apache.
  • Although the security server 104 shown in FIGS. 1 and 3 is illustrated as a single server, it may comprise multiple servers. For example, in one embodiment of the present invention, the security server 104 comprises multiple regional servers.
  • Also, the description above suggests that data is provided to and queried from the security server 104 by the client 102, i.e., the client pulls the data. However, in some embodiments, the client 102 also comprises a listener (not shown) so that the security server 104 can push data to the client 102.
    • Enterprise Server
  • FIG. 4 is a block diagram illustrating the modules present on an enterprise server 106 in one embodiment of the present invention. The enterprise server 106 may also be referred to herein as a customer server and may comprise one or more servers for one or more enterprises linked to one or more security servers 104.
  • The enterprise server 106 shown in FIG. 4 comprises a policy server 402. The policy server 402 provides a means for managing the policy rules, including, for example, available VPN profiles, available transports (e.g. WiFi, LAN, PHS, Dialup), firewall rules, such as blacklists and white lists, connection rules, and antivirus rules. The policy server 402 may include other rules as well, such as the level of data throttling to perform for each client or group of clients. Data throttling limits the data transfer rate to a particular client 102 so that connection resources can be optimized.
  • The policies may be managed at one or more levels. For example, an IT manager may wish to create a VPN profile for the enterprise as a whole, but a different VPN profile for an engineering group since the engineering group needs access to various unique applications.
  • The policy server 412 may also provide a mechanism for configuring the location of various servers that the client 102 will utilize. For instance, the policy server 412 may allow an IT manager to specify the IP address of an acceleration server 404 or a vault server 406
  • In one embodiment, the policy server also allows the IT manager to specify which users receive updates for various components on the client 102. The policy server 402 may also allow the IT manager to perform connection configuration. For instance, the IT manager may use the policy server to specify phone numbers for PHS connections, Wi-Fi SSID's for private connections, and other connection configuration information.
  • The enterprise server 106 shown in FIG. 4 also comprises an acceleration server 404. The acceleration server 404 performs processes to improve the performance of data transfer. For instance, the acceleration server 404 may automatically compress images that are to be transferred to a client 102.
  • In one embodiment, the acceleration server 404 communicates with the policy server 402. An IT manager sets acceleration rules using the policy server 402, and the acceleration server 404 uses these rules to determine what level of acceleration to use for a particular communication. In one embodiment, the IT manager sets a default level of acceleration for all communication and a specific level of acceleration for one group of users. The specific level of acceleration may be referred to as an override.
  • The enterprise server 106 also comprises a vault server 406. The vault server comprises two components, an automatic component and an administration component. In one embodiment, the automatic component integrates with an enterprise's mail server (not shown) and performs operations on emails to and from the mail server. For instance, the vault server 406 may quarantine an email, automatically encrypt the email before it is sent, add a legal disclaimer to an email, or perform other functions on the email.
  • In one embodiment, the automatic component of the vault server 406 searches an email based on words or based on the domain or specific address to which the email is addressed or from which the email originated. Using this information, the user can perform functions on the email, such as those described above.
  • The administration component of the vault server 406 allows a user to terminate access to secure content, either by a specific user or by all users. It also logs activity. Using one embodiment of the vault server 406, a user can indicate that a set of users whose employment has been terminated will no longer have access to any secure content. In an alternative embodiment of the vault server 406, a user can indicate that a given element of secure content, say a price list, is now out of date, and so that piece of secure content will no longer be viewable by any user. When each user accesses the secure content, the vault server 406 logs the event. So for each secure content element, the vault server 406 creates a log of all activity on the secure content.
  • In one embodiment, the vault server 406 also compresses data. For instance, one embodiment utilizes standard PKZIP compression to compress all content. In another embodiment, an IT manager may identify three types of images and specify a different level of compression for each type of image based on the level of resolution necessary for each type of image.
  • The enterprise server 108 also comprises a RADIUS server 408 and LDAP server 410, which are similar to those described above in relation to the security server 104. The RADIUS server 302 on the security server 104 may proxy to the RADIUS server 408 on the enterprise server 106. Similarly, data in the LDAP server 410 may be propagated to the LDAP server 204 on the security server 104.
  • The enterprise server 106 also comprises a one-time password (“OTP”) server 412. The OTP server 412 provides a mechanism for authentication. For instance, in one embodiment of the present invention, the enterprise server 106 uses the OTP server 412 to perform a mutual authentication process.
  • The enterprise server 106 also comprises a concentrator 414. The concentrator 414 provides remote access capability to the client 102. For instance, the concentrator 414 may serve as a means for terminating a VPN between the client 102 and enterprise server 106.
  • The enterprise server 104 shown in FIG. 4 also comprises a portal server 416. The portal server 416 may comprise a standard web server, such as IIS or Apache. The portal server 416 may provide one or more portals. For example, in one embodiment, the portal server 416 provides two portals, portal one and portal two.
  • Portal one provides a configuration interface for managing the various elements shown in FIGS. 2 and 3, including, for example, the policy server 402 and LDAP server 410. Portal two provides an interface for accessing data, such as QoS data and session data.
  • For instance, a user may use historical QoS data on portal two to determine how a particular provider is performing in terms of throughput, user connections, and other QoS metrics. Portal two may also provide real-time information, such as how many users are currently connected.
  • For instance, in one embodiment, an IT manager determines that twenty users have been rejected by a carrier in the last three minutes due to authentication failure and five users with the same user identifier are currently logged on to five different devices. The IT manager uses this information to detect a potential security problem. Portal two may also be used to set alerts as described above.
  • It should be noted that the present invention may comprise systems having a different architecture than that which is shown in FIG. 1. For example, in some systems according to the present invention, first authentication server 118 and final authentication server 126 may be combined in a single server. The system 100 shown in FIG. 1 is merely illustrative, and is used to help explain the illustrative systems and processes discussed below.
    • Illustrative Methods of Enhanced Electronic Asset Protection
  • Various methods for electronic asset protection may be implemented in embodiments of the present invention. FIG. 5 is a flowchart illustrating a process for generating and distributing an indication to activate asset protection in one embodiment of the present invention. In the embodiment shown in FIG. 5, a security server 104 automatically determines whether to send an indication to a client device 102 to invoke asset protection 502. The determination may be based on a variety of factors. For example, in one embodiment, a user reports that a laptop has been lost or stolen. In another embodiment, the security server 104 monitors the duration between connections between the security server 104 and the laptop, and if the duration exceeds a threshold, determines that the indication should be sent. In yet another embodiment, the security server 104 performs a statistical analysis on the probability that the laptop has been lost or stolen, and if the probability exceeds a predetermined threshold, activates asset protection. For instance, in one embodiment, the security server 104 determines that 15 failed login attempts have occurred from a client device 102. Based on this number of failed login attempts, the security server 104 determines a 90% probability that an unauthorized user is using the client device 102. If the 90% probability exceeds the threshold set for that measure, the security server 104 sends the asset protection indication to the client 102. In another embodiment, through a similar statistical mechanism, the client device 102 generates the indication without connecting to the network.
  • In the embodiment shown in FIG. 5, if the determination is made to invoke asset protection, the security server 104 generates an encryption key 504 and delivers it, along with an indication to activate asset protection, securely to the client device 102. The client device 102 uses the encryption key to encrypt data on the hard drive. The client device 102 may use any conventional encryption routine to encrypt the data. Subsequently, the encryption key can be used to recover the data on the hard drive. In other embodiments, the data on the hard drive or other storage medium is erased or otherwise destroyed; in such an embodiment, the encryption key may not be sent to the client 102.
  • In some cases, data present on the client device 102 may not be available anywhere else. For instance, a confidential customer list or proposal may be stored on the client device 102. By providing a recoverable method of disabling the client device, an embodiment of the present invention avoids the loss of this data should the laptop subsequently be found or returned.
  • If the security administrator decides to generate an encryption key, the encryption key will be stored locally 506, for instance, in a database on the security server 104. By generating and storing the encryption key on the security server 104, the client device 102 does not have to store an encryption key, which could decrypt data on its local data store. Once the encryption key is stored locally 506, the encryption key will be sent with the indication to activate asset protection 508.
  • The security server 104 may transmit the key and indication in a secure manner via a network, such as network 108. The network may comprise a wired or wireless network. In one embodiment, the key and indication are transmitted over a wired or wireless transmission control protocol/internet protocol (TCP/IP) link. In another embodiment, the security server 104 transmits the key and indication through an out-of-band communication channel, e.g., transmitting an SMS message to the client.
  • The client device 102 receives the encryption key and asset protection indication 508. The client device 102 may receive the key and indication via network 106. For instance, in one embodiment, the client device 102 initiates all network connections through the security server 104. In such an embodiment, the security server 104 is able to detect when the client device 102 connects. In another embodiment, the client device receives the key and indication as part of an SMS message. The client device 102 extracts the key and indicator from the SMS message.
  • In response to receiving the indication, the client device 102 executes an asset protection component 510. The client device shown in FIG. 2 comprises a security agent 222. The security agent 222 is responsible for carrying out the asset protection steps illustrated in FIGS. 6-9 on the client device. In some embodiments of the present invention, processes on the security server 104 or enterprise server 106 may also be executed. For instance, access to the enterprise's VPN may be disabled if a client device 102 is thought to have been stolen, lost, or otherwise compromised.
  • FIG. 6 is a flowchart illustrating a process for activating asset protection in one embodiment of the present invention. In the embodiment shown the client device 102 first receives an indication to activate asset protection 602. As described above, in some embodiments, the indication contains an encryption key.
  • The security agent 222 then activates asset protection 604. Asset protection may comprise a variety of security mechanisms. These security mechanism may be software, firmware, or hardware based or may be a combination of software, firmware, and/or hardware.
  • In the embodiment shown in FIG. 6, the security agent 222 disables the client device (102) 606. The security agent 222 may disable the client in various ways. For instance, the security agent 222 may disable communications, input/output, or even disrupt the power supply. Other methods of disabling the client device 102 are described in reference to FIG. 7.
  • The security agent 222 also disables the local data store 608. Disabling of the data store and client device 102 may occur simultaneously or sequentially. In one embodiment, portions of the client device 102 are disabled, such as the network adapter or adapters, the data store is disabled, and then the rest of the client device is disabled. As with disabling the client device 102, disabling the data store may be accomplished in various ways. For instance, the security agent 222 may preserve the data on the data store but make the data inaccessible. In one embodiment, the security agent 222 destroys all the data on the data store. In another embodiment, the local data store is made unavailable by implementing a “file system filter driver” that redirects all read/write attempts to local data stores to a location that does not exist or to a single location that contains a security message. Other methods of disabling the local data store are described in relation to FIG. 8.
  • FIG. 7 is a flowchart illustrating a process for disabling the client device 102 in one embodiment of the present invention. In the embodiment shown, the security agent 222 first blocks network access from the client device (102) 702. For instance, in one embodiment, once asset protection is activated, the client device 102 is no longer able to connect to any wired or wireless networks except to check whether or not an indication to recover the device has been sent.
  • In the embodiment shown in FIG. 7, the security agent 222 also blocks execution of one or more applications on the client device 102. For instance, the security client 102 may block access of an application that would allow a user to modify registry entries or to examine the file system. In one embodiment, the security agent 222 implements a white list, allowing the client device 102 to execute only specified applications. In another embodiment, the security agent 222 destroys the BIOS, rendering the client device 102 unusable.
  • The security agent 222 also blocks input and output ports on the client device 706. By blocking output ports, the security agent 222 stops a user from transferring information off of the client device 102. The blocked ports may be virtual or real. For instance, in one embodiment, blocking the ports comprises revising setting on a firewall. In another embodiment, blocking ports comprises turning off access to serial, parallel, USB, and other physical ports. The security agent 222 may also shut off access to CD or DVD burners. For instance, in one embodiment, blocking a physical port may stop the user from printing information, storing information on a USB drive, or otherwise moving information from the client device 102 to another device or medium. By blocking input ports, the security agent 222 stops a user from loading utility programs or data on the client device 102. For instance, if a user determines that the security agent 222 is disabling the client device 102, a user may attempt to load a program from a web site to disable the security agent 222. By disabling the input ports, the security agent 222 thwarts this threat.
  • In the embodiment shown in FIG. 7, the security agent 222 next verifies that no indication to recover the client device has been received 708. For example, in one embodiment, if an administrator determines that the client device 102 has been disabled inadvertently, the administrator can transmit a recovery indication, e.g., by sending an out-of-band communication. When the client device 102 receives the recover indication, the security agent 222 may stop the process of disabling the client device 102 and may reopen ports and allow access to applications automatically. In one embodiment, the client device 102 is returned to an administrative facility to be recovered.
  • If no recover indication is received, the security agent 222 shuts the client device 102 down 710. For instance, in one embodiment, the security agent 222 executes the normal shut down procedure for the client device 102. In another embodiment, the security agent 222 causes the client device to immediately power down without executing the normal operating system shut down procedure. As with the previously described processes, the steps shown in FIG. 7 may occur in a different order and may occur sequentially or concurrently.
  • In the embodiment shown in FIG. 6, the security agent 222 disables the client device 102 and disables a local data store. FIG. 8 is a flowchart illustrating a process for disabling the local data store in one embodiment of the present invention. In the embodiment shown, the security agent 222 receives an asset protection indication 802. For instance, if the client device 102 is stolen, the network administrator may set a flag in the policy server 402, indicating that the asset protection indication is to be sent to the client device 102.
  • In response to receiving the asset protection indication, the security agent 222 encrypts the local data store 804. The local data store may comprise a hard drive, flash memory, or any other medium capable of storing data. The security agent 222 may encrypt he data using an encryption key transmitted with the asset protection indication. In such an embodiment, the encryption key is not stored on the local data store, decreasing the chances of discovery of the key and decryption of the data store. In another embodiment, the encryption key is stored on the local data store, facilitating automated recovery of the local data store.
  • In the embodiment shown in FIG. 8, the security agent 222 next permanently deletes the contents of the local data store 806. For example, the security agent 222 may repeatedly write over the local data store with random pieces of information. The security agent 222 may also corrupt the file allocation table of the local data store, such that the data cannot be accessed without rebuilding the file allocation table.
  • In one embodiment, the security agent 222 encrypts the local data store and sets an expiration date two days after the encryption takes place. On the expiration date, the security agent 222 permanently deletes the local data store unless a recover indication is received.
  • One advantage of an embodiment of the present invention is the ability to recover data after asset protection has been executed. FIG. 9 is a flowchart illustrating a process for recovering the client device 102 in one embodiment of the present invention.
  • In the embodiment shown in FIG. 9, the client device 102 receives an indication to recover 902. The client device 102 may receive the recover indication in various ways. For instance, in one embodiment, a port in a firewall remains open after the remaining ports are blocked. A recover indication is transmitted over the open port. In another embodiment, a network administrator takes physical possession of the client device 102 and recovers it manually.
  • The security agent 222 then enables the client device (102) 904. In one embodiment, the security agent 222 enables the client device by reversing the process shown in FIG. 7.
  • The security agent 222 also enables the local data store 906. Enabling the local data store may occur before, after, or concurrently with enabling the client device 102 in various embodiments of the present invention. The client device 102 enables the local data store by decrypting the data. The security agent 222 may perform this task automatically. For example, the security agent 222 may use an encryption key stored on the local data store to perform the encryption or may receive the encryption key from the security server with the recover indication.
  • In one embodiment of the present invention, the security agent 222 is also able to report a position of the client device 102. For instance, the client device 102 may comprise a global positioning (“GPS”) card that provides the capability of providing a position, or the client device 102 may use signals from multiple signal towers to determine a position by triangulation. The position of the client device 102 may then be used to help determine whether the client device 102 and/or local data store are to be disabled.
    • General
  • The foregoing description of the embodiments, including preferred embodiments, of the invention has been presented only for the purpose of illustration and description and is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Numerous modifications and adaptations thereof will be apparent to those skilled in the art without departing from the spirit and scope of the present invention.

Claims (17)

1. A method comprising:
receiving an indication to activate asset protection on a client device, the client device having a local data store; and
activating asset protection in response to receiving the indication to activate the asset protection module, wherein asset protection comprises disabling the local data store and disabling the client device.
2. The method of claim 1, wherein disabling the local data store comprises encrypting the local data store.
3. The method of claim 1, wherein disabling the local data store comprises permanently deleting contents stored on the local data store.
4. The method of claim 1, wherein the local data store comprises a magnetic drive.
5. The method of claim 1, wherein the local data store comprises an optical drive.
6. The method of claim 1, wherein the local data store comprises a random access memory.
7. The method of claim 1, wherein disabling the client device comprises block network access from the client device.
8. The method of claim 1, wherein disabling the client device comprises blocking execution of an application on the client device.
9. The method of claim 1, wherein disabling the client device comprises blocking input/output port access on the client device.
10. The method of claim 1, wherein disabling the client device comprises:
verifying that no indication to recover the client device has been received; and
shutting down the client device.
11. The method of claim 1, further comprising:
receiving an indication to recover the client device;
enabling the local data store; and
enabling the client device.
12. The method of claim 11, wherein receiving an indication to recover the client device comprises receiving the indication from a remote device.
13. The method of claim 11, wherein enabling the local data store comprises decrypting the local data store.
14. The method of claim 1, wherein receiving an indication to activate asset protection on a client device comprises receiving an out-of-band communication.
15. The method of claim 14, wherein the out-of-band communication comprises an SMS message.
16. A computer-readable medium on which is encoded program code, the program code comprising:
program code for receiving an indication to activate asset protection on a client device, the client device having a local data store; and
program code for activating asset protection in response to receiving the indication to active the asset protection module, wherein asset protection comprises disabling the local data store and disabling the client device.
17. A system comprising:
a communications receiver operable to receive an indication to activate asset protection on a client device, the client device having a local data store; and
a security agent in communication with the communications receiver and operable to receive the indication to activate the asset protection module form the communications receiver, and in response disable the local data store and disable the client device.
US11/167,837 2004-06-28 2005-06-27 Systems and methods for enhanced electronic asset protection Abandoned US20060075506A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/167,837 US20060075506A1 (en) 2004-06-28 2005-06-27 Systems and methods for enhanced electronic asset protection

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US58376504P 2004-06-28 2004-06-28
US59836404P 2004-08-03 2004-08-03
US65212105P 2005-02-11 2005-02-11
US65341105P 2005-02-16 2005-02-16
US11/167,837 US20060075506A1 (en) 2004-06-28 2005-06-27 Systems and methods for enhanced electronic asset protection

Publications (1)

Publication Number Publication Date
US20060075506A1 true US20060075506A1 (en) 2006-04-06

Family

ID=35044584

Family Applications (6)

Application Number Title Priority Date Filing Date
US11/154,800 Active 2028-09-04 US7760882B2 (en) 2004-06-28 2005-06-16 Systems and methods for mutual authentication of network nodes
US11/167,747 Abandoned US20060075467A1 (en) 2004-06-28 2005-06-27 Systems and methods for enhanced network access
US11/167,744 Abandoned US20060075472A1 (en) 2004-06-28 2005-06-27 System and method for enhanced network client security
US11/167,837 Abandoned US20060075506A1 (en) 2004-06-28 2005-06-27 Systems and methods for enhanced electronic asset protection
US11/167,745 Abandoned US20060072583A1 (en) 2004-06-28 2005-06-27 Systems and methods for monitoring and displaying performance metrics
US11/170,608 Abandoned US20060023738A1 (en) 2004-06-28 2005-06-28 Application specific connection module

Family Applications Before (3)

Application Number Title Priority Date Filing Date
US11/154,800 Active 2028-09-04 US7760882B2 (en) 2004-06-28 2005-06-16 Systems and methods for mutual authentication of network nodes
US11/167,747 Abandoned US20060075467A1 (en) 2004-06-28 2005-06-27 Systems and methods for enhanced network access
US11/167,744 Abandoned US20060075472A1 (en) 2004-06-28 2005-06-27 System and method for enhanced network client security

Family Applications After (2)

Application Number Title Priority Date Filing Date
US11/167,745 Abandoned US20060072583A1 (en) 2004-06-28 2005-06-27 Systems and methods for monitoring and displaying performance metrics
US11/170,608 Abandoned US20060023738A1 (en) 2004-06-28 2005-06-28 Application specific connection module

Country Status (4)

Country Link
US (6) US7760882B2 (en)
EP (4) EP1766927A1 (en)
JP (4) JP2008504792A (en)
WO (7) WO2006012058A1 (en)

Cited By (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070083913A1 (en) * 2004-04-28 2007-04-12 Jonathan Griffin Propagation of malicious code through an information technology network
US20070118653A1 (en) * 2005-11-22 2007-05-24 Sabre Inc. System, method, and computer program product for throttling client traffic
US20090180619A1 (en) * 2006-05-29 2009-07-16 Nec Corporation System for disabling unauthorized person, encryption device, encryption method, and program
US20100188287A1 (en) * 2008-08-12 2010-07-29 Madsen John J Global positioning satellite [GPS] based recovery device and risk management system for portable computing devices and data
US20110084799A1 (en) * 2009-10-13 2011-04-14 Pitney Bowes Inc. Lock system including an electronic key and a passive lock
US20130110935A1 (en) * 2005-10-04 2013-05-02 Samsung Electronics Co., Ltd. Data push service method and system using data pull model
US20130198274A1 (en) * 2012-01-26 2013-08-01 Matthew Nicholas Papakipos Social Hotspot
US20130312097A1 (en) * 2012-05-21 2013-11-21 Fortinet, Inc. Detecting malicious resources in a network based upon active client reputation monitoring
US8600405B2 (en) 2008-08-12 2013-12-03 Apogee Technology Consultants, Llc Location-based recovery device and risk management system for portable computing devices and data
US8856330B2 (en) 2013-03-04 2014-10-07 Fmr Llc System for determining whether to block internet access of a portable system based on its current network configuration
US20140359457A1 (en) * 2013-05-30 2014-12-04 NextPlane, Inc. User portal to a hub-based system federating disparate unified communications systems
US20150052188A1 (en) * 2013-08-16 2015-02-19 Fujitsu Limited Demand response event dissemination system and method
US20150141005A1 (en) * 2013-11-20 2015-05-21 Qualcomm Incorporated Using Sensor Data to Provide Information For Proximally-Relevant Group Communications
US20150223100A1 (en) * 2009-01-28 2015-08-06 Headwater Partners I Llc Device-Assisted Services for Protecting Network Capacity
US9215159B2 (en) 2009-01-28 2015-12-15 Headwater Partners I Llc Data usage monitoring for media data services used by applications
US9225797B2 (en) 2009-01-28 2015-12-29 Headwater Partners I Llc System for providing an adaptive wireless ambient service to a mobile device
US9232403B2 (en) 2009-01-28 2016-01-05 Headwater Partners I Llc Mobile device with common secure wireless message service serving multiple applications
US9247450B2 (en) 2009-01-28 2016-01-26 Headwater Partners I Llc Quality of service for device assisted services
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US20160149998A1 (en) * 2007-12-31 2016-05-26 Genesys Telecommunications Laboratories, Inc. Federated uptake throttling
US9386165B2 (en) 2009-01-28 2016-07-05 Headwater Partners I Llc System and method for providing user notifications
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US9491199B2 (en) 2009-01-28 2016-11-08 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
AU2013334718B2 (en) * 2012-10-24 2016-11-24 Facebook, Inc. Network access based on social-networking information
US9532261B2 (en) 2009-01-28 2016-12-27 Headwater Partners I Llc System and method for wireless network offloading
US20170013008A1 (en) * 2015-07-10 2017-01-12 vThreat, Inc. System and method for simulating network security threats and assessing network security
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9565543B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Device group partitions and settlement platform
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US9591474B2 (en) 2009-01-28 2017-03-07 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US9609510B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Automated credential porting for mobile devices
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US20170171203A1 (en) * 2015-12-14 2017-06-15 International Business Machines Corporation Preventative enterprise change management
US9705840B2 (en) 2013-06-03 2017-07-11 NextPlane, Inc. Automation platform for hub-based system federating disparate unified communications systems
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9769207B2 (en) 2009-01-28 2017-09-19 Headwater Research Llc Wireless network service interfaces
US9819808B2 (en) 2009-01-28 2017-11-14 Headwater Research Llc Hierarchical service policies for creating service usage data records for a wireless end-user device
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10070305B2 (en) 2009-01-28 2018-09-04 Headwater Research Llc Device assisted services install
CN108764907A (en) * 2018-05-30 2018-11-06 招商银行股份有限公司 Assets method for retrieving, system and computer readable storage medium
US10171474B2 (en) 2012-01-26 2019-01-01 Facebook, Inc. Network access based on social-networking information
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US10395040B2 (en) 2016-07-18 2019-08-27 vThreat, Inc. System and method for identifying network security threats and assessing network security
US10454762B2 (en) 2011-03-31 2019-10-22 NextPlane, Inc. System and method of processing media traffic for a hub-based system federating disparate unified communications systems
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US11412366B2 (en) 2009-01-28 2022-08-09 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US11722459B1 (en) * 2021-06-07 2023-08-08 Wells Fargo Bank, N.A. Cumulative sum model for IP deny lists
US11863588B2 (en) * 2019-08-07 2024-01-02 Cisco Technology, Inc. Dynamically tailored trust for secure application-service networking in an enterprise
US11966464B2 (en) 2009-01-28 2024-04-23 Headwater Research Llc Security techniques for device assisted services
US11973804B2 (en) 2009-01-28 2024-04-30 Headwater Research Llc Network service plan design
US11985155B2 (en) 2009-01-28 2024-05-14 Headwater Research Llc Communications device with secure data path processing agents
US12137004B2 (en) 2009-01-28 2024-11-05 Headwater Research Llc Device group partitions and settlement platform
US12143909B2 (en) 2022-01-03 2024-11-12 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management

Families Citing this family (220)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7146176B2 (en) 2000-06-13 2006-12-05 Shared Spectrum Company System and method for reuse of communications spectrum for fixed and mobile applications with efficient method to mitigate interference
US10031885B2 (en) * 2010-02-01 2018-07-24 Netmotion Wireless, Inc. Public wireless network performance management system with mobile device data collection agents
AU2003260071A1 (en) * 2002-08-27 2004-03-19 Td Security, Inc., Dba Trust Digital, Llc Enterprise-wide security system for computer devices
US7801171B2 (en) 2002-12-02 2010-09-21 Redknee Inc. Method for implementing an Open Charging (OC) middleware platform and gateway system
US7457865B2 (en) * 2003-01-23 2008-11-25 Redknee Inc. Method for implementing an internet protocol (IP) charging and rating middleware platform and gateway system
US7703128B2 (en) 2003-02-13 2010-04-20 Microsoft Corporation Digital identity management
US7409010B2 (en) * 2003-06-10 2008-08-05 Shared Spectrum Company Method and system for transmitting signals with reduced spurious emissions
US7440441B2 (en) * 2003-06-16 2008-10-21 Redknee Inc. Method and system for Multimedia Messaging Service (MMS) rating and billing
US7873347B2 (en) * 2003-06-19 2011-01-18 Redknee Inc. Method for implementing a Wireless Local Area Network (WLAN) gateway system
US8635661B2 (en) * 2003-12-23 2014-01-21 Mcafee, Inc. System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
JP4748774B2 (en) * 2004-06-02 2011-08-17 キヤノン株式会社 Encrypted communication system and system
US20060041515A1 (en) * 2004-08-13 2006-02-23 Sbc Knowledge Ventures, L.P. On-site point-of-sale billing system which manages public use of wired or wireless access network
US7602748B2 (en) * 2004-08-13 2009-10-13 Verizon Business Global Llc Fixed-mobile communications with mid-session mode switching
US8417814B1 (en) * 2004-09-22 2013-04-09 Symantec Corporation Application quality of service envelope
US9917819B2 (en) * 2005-01-13 2018-03-13 International Business Machines Corporation System and method for providing a proxied contact management system
US8572676B2 (en) * 2008-11-06 2013-10-29 Mcafee, Inc. System, method, and device for mediating connections between policy source servers, corporate repositories, and mobile devices
US8495700B2 (en) * 2005-02-28 2013-07-23 Mcafee, Inc. Mobile data security system and methods
US8677125B2 (en) * 2005-03-31 2014-03-18 Alcatel Lucent Authenticating a user of a communication device to a wireless network to which the user is not associated with
US7603696B2 (en) * 2005-06-10 2009-10-13 Intel Corporation Hybrid distributed firewall apparatus, systems, and methods
US20100180321A1 (en) * 2005-06-29 2010-07-15 Nxp B.V. Security system and method for securing the integrity of at least one arrangement comprising multiple devices
US7836306B2 (en) * 2005-06-29 2010-11-16 Microsoft Corporation Establishing secure mutual trust using an insecure password
EP1934743A4 (en) 2005-09-07 2012-02-22 Ibm Automated deployment of protection agents to devices connected to a distributed computer network
US8607045B2 (en) * 2005-09-09 2013-12-10 Emc Corporation Tokencode exchanges for peripheral authentication
GB2430580B (en) * 2005-09-13 2008-04-09 Roke Manor Research A method of authenticating access points on a wireless network
US20090254997A1 (en) * 2005-09-21 2009-10-08 Fathy Fouad Yassa Method and apparatus for content rights management
ES2352427T3 (en) 2005-10-13 2011-02-18 Markport Limited SUPERVISION OF THE STATE OF A USER TERMINAL IN A MOBILE NETWORK.
US9055093B2 (en) * 2005-10-21 2015-06-09 Kevin R. Borders Method, system and computer program product for detecting at least one of security threats and undesirable computer files
US20070124485A1 (en) * 2005-11-30 2007-05-31 Microsoft Corporation Computer system implementing quality of service policy
US7979549B2 (en) * 2005-11-30 2011-07-12 Microsoft Corporation Network supporting centralized management of QoS policies
US7710896B2 (en) * 2005-12-21 2010-05-04 Sri International Ad-hoc network routing metric optimization
US7775427B2 (en) * 2005-12-31 2010-08-17 Broadcom Corporation System and method for binding a smartcard and a smartcard reader
US8285850B1 (en) * 2006-01-19 2012-10-09 Symantec Operating Corporation Configuration and dynamic detection of connection-based backup policies
WO2007085175A1 (en) * 2006-01-24 2007-08-02 Huawei Technologies Co., Ltd. Authentication method, system and authentication center based on end to end communication in the mobile network
US20070180499A1 (en) * 2006-01-31 2007-08-02 Van Bemmel Jeroen Authenticating clients to wireless access networks
US8533338B2 (en) 2006-03-21 2013-09-10 Japan Communications, Inc. Systems and methods for providing secure communications for transactions
US8326313B2 (en) * 2006-05-12 2012-12-04 Shared Spectrum Company Method and system for dynamic spectrum access using detection periods
US8027249B2 (en) 2006-10-18 2011-09-27 Shared Spectrum Company Methods for using a detector to monitor and detect channel occupancy
US8997170B2 (en) * 2006-12-29 2015-03-31 Shared Spectrum Company Method and device for policy-based control of radio
US8055204B2 (en) * 2007-08-15 2011-11-08 Shared Spectrum Company Methods for detecting and classifying signals transmitted over a radio frequency spectrum
US7564816B2 (en) * 2006-05-12 2009-07-21 Shared Spectrum Company Method and system for determining spectrum availability within a network
US8155649B2 (en) * 2006-05-12 2012-04-10 Shared Spectrum Company Method and system for classifying communication signals in a dynamic spectrum access system
US9538388B2 (en) * 2006-05-12 2017-01-03 Shared Spectrum Company Method and system for dynamic spectrum access
US8184653B2 (en) * 2007-08-15 2012-05-22 Shared Spectrum Company Systems and methods for a cognitive radio having adaptable characteristics
US7814191B2 (en) * 2006-05-26 2010-10-12 The Pnc Financial Services Group, Inc. Methods and systems for network management using periodic status messages
US7761550B2 (en) * 2006-05-26 2010-07-20 The Pnc Financial Services Group, Inc. Network management for a plurality of agents using periodic status messages
US7752306B2 (en) * 2006-05-26 2010-07-06 The Pnc Financial Services Group, Inc. Network management for automated teller machines
US8943573B2 (en) 2006-06-16 2015-01-27 Fmt Worldwide Pty Ltd Authentication system and process
US7719427B2 (en) * 2006-08-18 2010-05-18 Chung Yuan Christian University Wireless pH measurement system
US8782745B2 (en) * 2006-08-25 2014-07-15 Qwest Communications International Inc. Detection of unauthorized wireless access points
US8457594B2 (en) * 2006-08-25 2013-06-04 Qwest Communications International Inc. Protection against unauthorized wireless access points
US8775621B2 (en) * 2006-08-31 2014-07-08 Redknee Inc. Policy services
US7907938B2 (en) * 2006-08-31 2011-03-15 Alcatel-Lucent Usa Inc. Apparatus and method for data transmission in a wireless communications network
US8150933B2 (en) 2006-09-08 2012-04-03 Research In Motion Limited Apparatus and method for delivering messages over multiple mediums
EP1898557B1 (en) * 2006-09-08 2009-10-21 Research In Motion Limited Apparatus and method for delivering messages over multiple mediums
US20080064442A1 (en) * 2006-09-11 2008-03-13 Utstarcom, :Inc. Identity and payment modem module for handsets
US20080070544A1 (en) * 2006-09-19 2008-03-20 Bridgewater Systems Corp. Systems and methods for informing a mobile node of the authentication requirements of a visited network
US8095124B2 (en) * 2006-10-20 2012-01-10 Verizon Patent And Licensing Inc. Systems and methods for managing and monitoring mobile data, content, access, and usage
US8259568B2 (en) 2006-10-23 2012-09-04 Mcafee, Inc. System and method for controlling mobile device access to a network
US8719431B2 (en) 2006-10-26 2014-05-06 Blackberry Limited Transient WLAN connection profiles
US7942740B2 (en) 2006-11-15 2011-05-17 Cfph, Llc Verifying a first device is in communications with a server by storing a value from the first device and accessing the value from a second device
US7942739B2 (en) 2006-11-15 2011-05-17 Cfph, Llc Storing information from a verification device and accessing the information from a gaming device to verify that the gaming device is communicating with a server
US7942741B2 (en) * 2006-11-15 2011-05-17 Cfph, Llc Verifying whether a device is communicating with a server
US10068421B2 (en) 2006-11-16 2018-09-04 Cfph, Llc Using a first device to verify whether a second device is communicating with a server
US7942738B2 (en) 2006-11-15 2011-05-17 Cfph, Llc Verifying a gaming device is in communications with a gaming server
US8012015B2 (en) 2006-11-15 2011-09-06 Cfph, Llc Verifying whether a gaming device is communicating with a gaming server
US7942742B2 (en) * 2006-11-15 2011-05-17 Cfph, Llc Accessing identification information to verify a gaming device is in communications with a server
US7924793B2 (en) * 2006-11-20 2011-04-12 At&T Intellectual Property I, L.P. Methods and apparatus to manage bandwidth in a wireless network
CA2670033C (en) * 2006-11-21 2016-03-15 Research In Motion Limited Saving a connection profile when unable to connect to a wireless local area network
US20080229382A1 (en) * 2007-03-14 2008-09-18 Motorola, Inc. Mobile access terminal security function
US10237217B1 (en) * 2013-08-02 2019-03-19 Sprint Communications Company L.P. Controlling access to content based on access network type
US8954745B2 (en) * 2007-04-03 2015-02-10 Alcatel Lucent Method and apparatus for generating one-time passwords
US8331987B2 (en) * 2007-04-19 2012-12-11 Apple Inc. Personal area network systems and devices and methods for use thereof
US8364139B2 (en) * 2007-04-19 2013-01-29 Apple Inc. Personal area network systems and devices and methods for use thereof
WO2008130511A1 (en) * 2007-04-19 2008-10-30 Apple Inc. Personal area network systems and devices and methods for use thereof
US8369846B2 (en) * 2007-04-19 2013-02-05 Apple Inc. Personal area network systems and devices and methods for use thereof
WO2008139126A1 (en) * 2007-05-15 2008-11-20 Educentric Limited Connecting to the internet
US8311513B1 (en) 2007-06-27 2012-11-13 ENORCOM Corporation Automated mobile system
US8495020B1 (en) 2007-06-27 2013-07-23 ENORCOM Corporation Mobile information system
US8200978B2 (en) * 2007-07-06 2012-06-12 Gong Ling LI Security device and method incorporating multiple varying password generator
EP2112842B1 (en) * 2007-07-27 2013-08-21 Research In Motion Limited Wireless communication systems
US20090037735A1 (en) * 2007-08-01 2009-02-05 O'farrell David Method and system for delivering secure messages to a computer desktop
EP2201508A4 (en) * 2007-09-13 2011-08-31 Redknee Inc Billing profile manager
FI20075667A (en) * 2007-09-25 2009-04-09 Teliasonera Ab Improved access request management
US8600964B2 (en) * 2007-09-28 2013-12-03 Avaya Inc. Methods and apparatus for providing customer treatment information over a network
US9167505B2 (en) * 2007-10-08 2015-10-20 Qualcomm Incorporated Access management for wireless communication
US9055511B2 (en) * 2007-10-08 2015-06-09 Qualcomm Incorporated Provisioning communication nodes
US9775096B2 (en) * 2007-10-08 2017-09-26 Qualcomm Incorporated Access terminal configuration and access control
US8140919B2 (en) * 2007-10-15 2012-03-20 International Business Machines Corporation Display of data used for system performance analysis
US9177313B1 (en) 2007-10-18 2015-11-03 Jpmorgan Chase Bank, N.A. System and method for issuing, circulating and trading financial instruments with smart features
EP2215747B1 (en) * 2007-11-29 2014-06-18 Jasper Wireless, Inc. Method and devices for enhanced manageability in wireless data communication systems
WO2009082806A1 (en) 2007-12-27 2009-07-09 Redknee Inc. Policy-based communication system and method
US20090178131A1 (en) * 2008-01-08 2009-07-09 Microsoft Corporation Globally distributed infrastructure for secure content management
WO2009121884A1 (en) 2008-04-01 2009-10-08 Novo Nordisk A/S Insulin albumin conjugates
EP2134063B1 (en) 2008-05-12 2013-10-02 BlackBerry Limited Methods and apparatus for use in facilitating access to a communication service via WLAN hotspot
US8910255B2 (en) * 2008-05-27 2014-12-09 Microsoft Corporation Authentication for distributed secure content management system
US8141129B2 (en) * 2008-05-29 2012-03-20 Microsoft Corporation Centrally accessible policy repository
JP4903754B2 (en) * 2008-06-23 2012-03-28 Necシステムテクノロジー株式会社 Unauthorized terminal access control system, management terminal, management server, unauthorized terminal access control method, management terminal control method, management server control method, and program
US20100017889A1 (en) * 2008-07-17 2010-01-21 Symantec Corporation Control of Website Usage Via Online Storage of Restricted Authentication Credentials
WO2010022156A2 (en) * 2008-08-19 2010-02-25 Shared Spectrum Company Method and system for dynamic spectrum access using specialty detectors and improved networking
US20100115600A1 (en) * 2008-11-05 2010-05-06 Appsware Wireless, Llc Method and system for securing data from an external network to a point of sale device
US20100115127A1 (en) * 2008-11-05 2010-05-06 Appsware Wireless, Llc Method and system for securing data from a non-point of sale device over a lan
US20100115624A1 (en) * 2008-11-05 2010-05-06 Appsware Wireless, Llc Method and system for securing data from a point of sale device over a lan
US8966610B2 (en) * 2008-11-05 2015-02-24 Apriva, Llc Method and system for securing data from a non-point of sale device over an external network
US20100115599A1 (en) * 2008-11-05 2010-05-06 Appsware Wireless, Llc Method and system for securing data from a point of sale device over an external network
US20100125897A1 (en) * 2008-11-20 2010-05-20 Rahul Jain Methods and apparatus for establishing a dynamic virtual private network connection
WO2010087845A1 (en) * 2009-01-30 2010-08-05 Hewlett-Packard Development Company, L.P. Dynamically applying a control policy to a network
US8527774B2 (en) * 2009-05-28 2013-09-03 Kaazing Corporation System and methods for providing stateless security management for web applications using non-HTTP communications protocols
US20100319004A1 (en) * 2009-06-16 2010-12-16 Microsoft Corporation Policy Management for the Cloud
US8904519B2 (en) * 2009-06-18 2014-12-02 Verisign, Inc. Shared registration system multi-factor authentication
US7685629B1 (en) 2009-08-05 2010-03-23 Daon Holdings Limited Methods and systems for authenticating users
US7865937B1 (en) 2009-08-05 2011-01-04 Daon Holdings Limited Methods and systems for authenticating users
US8443202B2 (en) 2009-08-05 2013-05-14 Daon Holdings Limited Methods and systems for authenticating users
WO2011041464A2 (en) * 2009-09-29 2011-04-07 Oracle International Corporation Agentless data collection
US8296403B2 (en) * 2009-10-23 2012-10-23 Novell, Inc. Network address allocation using a user identity
US8769614B1 (en) * 2009-12-29 2014-07-01 Akamai Technologies, Inc. Security framework for HTTP streaming architecture
US9197420B2 (en) * 2010-01-06 2015-11-24 International Business Machines Corporation Using information in a digital certificate to authenticate a network of a wireless access point
US20110185166A1 (en) * 2010-01-28 2011-07-28 Microsoft Corporation Slider Control for Security Grouping and Enforcement
US8996649B2 (en) 2010-02-05 2015-03-31 Qualcomm Incorporated Utilizing policies for offload and flow mobility in wireless communications
US8819208B2 (en) 2010-03-05 2014-08-26 Solidfire, Inc. Data deletion in a distributed data storage system
US8424072B2 (en) * 2010-03-09 2013-04-16 Microsoft Corporation Behavior-based security system
US8826030B2 (en) * 2010-03-22 2014-09-02 Daon Holdings Limited Methods and systems for authenticating users
JP5510000B2 (en) * 2010-03-31 2014-06-04 ソニー株式会社 Content transmission apparatus, content reproduction system, content transmission method, and program
US8935384B2 (en) 2010-05-06 2015-01-13 Mcafee Inc. Distributed data revocation using data commands
US9274842B2 (en) 2010-06-29 2016-03-01 Microsoft Technology Licensing, Llc Flexible and safe monitoring of computers
US8396828B2 (en) * 2010-09-14 2013-03-12 Microsoft Corporation Providing lightweight multidimensional online data storage for web service usage reporting
WO2012066471A1 (en) * 2010-11-19 2012-05-24 Nagravision S.A. Method to detect cloned software
US8914841B2 (en) * 2010-11-24 2014-12-16 Tufin Software Technologies Ltd. Method and system for mapping between connectivity requests and a security rule set
WO2012106330A1 (en) 2011-01-31 2012-08-09 Synchronoss Technologies, Inc. System and method for host and os agnostic management of connected devices through network controlled state alteration
US20120230189A1 (en) * 2011-03-08 2012-09-13 Medium Access Systems Private Limited System and method of transferring Wi-Fi clients between SSIDs
US8593967B2 (en) * 2011-03-08 2013-11-26 Medium Access Systems Private Limited Method and system of intelligently load balancing of Wi-Fi access point apparatus in a WLAN
US8554912B1 (en) * 2011-03-14 2013-10-08 Sprint Communications Company L.P. Access management for wireless communication devices failing authentication for a communication network
EP2509265B1 (en) * 2011-04-08 2013-12-04 Siemens Aktiengesellschaft Access protection device for an automation network
CN102149085B (en) * 2011-04-21 2014-01-15 惠州Tcl移动通信有限公司 Mobile terminal and multi-access point management method
US8806192B2 (en) * 2011-05-04 2014-08-12 Microsoft Corporation Protected authorization for untrusted clients
US8775533B2 (en) * 2011-05-20 2014-07-08 Microsoft Corporation Auto connect in peer-to-peer network
US8806023B2 (en) 2011-05-20 2014-08-12 Microsoft Corporation Auto-connect in a peer-to-peer network
US9565708B2 (en) 2011-05-20 2017-02-07 Microsoft Technology Licensing, Llc Auto-connect in a peer-to-peer network
US8751306B2 (en) * 2011-06-20 2014-06-10 Microsoft Corporation Virtual identity manager
US8989740B2 (en) * 2011-12-17 2015-03-24 Motorola Solutions, Inc. Method and apparatus for selecting one of a plurality of networks for an application service based upon performance metrics for the application service
US9054992B2 (en) 2011-12-27 2015-06-09 Solidfire, Inc. Quality of service policy sets
US9838269B2 (en) 2011-12-27 2017-12-05 Netapp, Inc. Proportional quality of service based on client usage and system metrics
US9838287B2 (en) * 2012-01-27 2017-12-05 Microsoft Technology Licensing, Llc Predicting network data consumption relative to data usage patterns
US11469914B2 (en) * 2012-08-10 2022-10-11 Viasat, Inc. System, method and apparatus for subscriber user interfaces
US9088891B2 (en) 2012-08-13 2015-07-21 Wells Fargo Bank, N.A. Wireless multi-factor authentication with captive portals
US9143498B2 (en) * 2012-08-30 2015-09-22 Aerohive Networks, Inc. Internetwork authentication
CA2885199A1 (en) * 2012-10-16 2014-04-24 The Ultimate Software Group Of Canada, Inc. System, apparatus, and method for providing workforce management
US9769803B2 (en) * 2012-11-29 2017-09-19 Nokia Technologies Oy Methods for device-to-device connection re-establishment and related user equipments and radio access node
US8990883B2 (en) * 2013-01-02 2015-03-24 International Business Machines Corporation Policy-based development and runtime control of mobile applications
US20160014127A1 (en) * 2013-01-16 2016-01-14 Behzad Mohebbi Methods and apparatus for hybrid access to a core network based on proxied authentication
US8875295B2 (en) * 2013-02-22 2014-10-28 Bitdefender IPR Management Ltd. Memory introspection engine for integrity protection of virtual machines
US9769056B2 (en) 2013-03-15 2017-09-19 Aerohive Networks, Inc. Gateway using multicast to unicast conversion
US9762679B2 (en) 2013-03-15 2017-09-12 Aerohive Networks, Inc. Providing stateless network services
CN104219218B (en) * 2013-06-04 2018-05-08 新华三技术有限公司 A kind of method and device of active safety defence
US9979751B2 (en) 2013-09-20 2018-05-22 Open Text Sa Ulc Application gateway architecture with multi-level security policy and rule promulgations
EP2851833B1 (en) 2013-09-20 2017-07-12 Open Text S.A. Application Gateway Architecture with Multi-Level Security Policy and Rule Promulgations
US10824756B2 (en) 2013-09-20 2020-11-03 Open Text Sa Ulc Hosted application gateway architecture with multi-level security policy and rule promulgations
US9578005B2 (en) * 2013-10-01 2017-02-21 Robert K Lemaster Authentication server enhancements
CN103533600A (en) * 2013-10-23 2014-01-22 华为技术有限公司 Method and terminal for accessing network
US9973534B2 (en) * 2013-11-04 2018-05-15 Lookout, Inc. Methods and systems for secure network connections
US9565164B2 (en) * 2013-11-12 2017-02-07 Facebook, Inc. Techniques to rate-adjust data usage with a virtual private network
WO2015094372A1 (en) * 2013-12-20 2015-06-25 Mcafee, Inc. Intelligent firewall access rules
US20150188949A1 (en) * 2013-12-31 2015-07-02 Lookout, Inc. Cloud-based network security
WO2015102055A1 (en) * 2014-01-06 2015-07-09 富士通株式会社 Communication management system, communication management method, and management apparatus
US20150244795A1 (en) 2014-02-21 2015-08-27 Solidfire, Inc. Data syncing in a distributed system
KR102144509B1 (en) * 2014-03-06 2020-08-14 삼성전자주식회사 Proximity communication method and apparatus
US9762458B2 (en) * 2014-10-13 2017-09-12 Belkin International Inc. Mesh network transmission decisions based on node performance metrics
CN104065652B (en) * 2014-06-09 2015-10-14 北京石盾科技有限公司 A kind of auth method, device, system and relevant device
US9992619B2 (en) 2014-08-12 2018-06-05 Aerohive Networks, Inc. Network device based proximity beacon locating
US10411958B2 (en) * 2014-09-08 2019-09-10 Intel Corporation Automatic device configuration
JP2016057876A (en) * 2014-09-10 2016-04-21 富士通株式会社 Information processing apparatus, input/output control program, and input/output control method
SE542460C2 (en) 2014-10-09 2020-05-12 Kelisec Ab Improved security through authenticaton tokens
SE538304C2 (en) 2014-10-09 2016-05-03 Kelisec Ab Improved installation of a terminal in a secure system
SE540133C2 (en) * 2014-10-09 2018-04-10 Kelisec Ab Improved system for establishing a secure communication channel
SE539271C2 (en) 2014-10-09 2017-06-07 Kelisec Ab Mutual authentication
SE539602C2 (en) 2014-10-09 2017-10-17 Kelisec Ab Generating a symmetric encryption key
US10278054B2 (en) * 2015-04-21 2019-04-30 Electronics And Telecommunications Research Institute Method and apparatus for communicating in wireless personal area network communication system
US10031831B2 (en) 2015-04-23 2018-07-24 International Business Machines Corporation Detecting causes of performance regression to adjust data systems
US10298563B2 (en) * 2015-04-29 2019-05-21 Hewlett Packard Enterprise Development Lp Multi-factor authorization for IEEE 802.1x-enabled networks
US9917753B2 (en) * 2015-06-12 2018-03-13 Level 3 Communications, Llc Network operational flaw detection using metrics
US11593075B2 (en) 2015-11-03 2023-02-28 Open Text Sa Ulc Streamlined fast and efficient application building and customization systems and methods
US11290425B2 (en) * 2016-02-01 2022-03-29 Airwatch Llc Configuring network security based on device management characteristics
US11388037B2 (en) 2016-02-25 2022-07-12 Open Text Sa Ulc Systems and methods for providing managed services
US10291612B2 (en) * 2016-03-22 2019-05-14 Go Daddy Operating Company, LLC Bi-directional authentication between a media repository and a hosting provider
US10929022B2 (en) 2016-04-25 2021-02-23 Netapp. Inc. Space savings reporting for storage system supporting snapshot and clones
US10791093B2 (en) * 2016-04-29 2020-09-29 Avago Technologies International Sales Pte. Limited Home network traffic isolation
US10440053B2 (en) 2016-05-31 2019-10-08 Lookout, Inc. Methods and systems for detecting and preventing network connection compromise
US10642763B2 (en) 2016-09-20 2020-05-05 Netapp, Inc. Quality of service policy sets
FR3057689A1 (en) * 2016-10-14 2018-04-20 Safran Identity and Security METHOD AND SYSTEM FOR PROVIDING TOKEN IN A HOST CARD EMULATION SYSTEM HAVING A FIRST AND A SECOND DEVICE
KR102391746B1 (en) * 2016-11-03 2022-04-28 인터디지탈 패튼 홀딩스, 인크 Efficient power saving method for wake-up radio
US10382203B1 (en) * 2016-11-22 2019-08-13 Amazon Technologies, Inc. Associating applications with Internet-of-things (IoT) devices using three-way handshake
KR101862861B1 (en) * 2017-01-11 2018-07-04 주식회사 코인플러그 Method for providing payment gateway service in use of unspent transaction output based protocol and servers using the same
US10432730B1 (en) 2017-01-25 2019-10-01 United States Of America As Represented By The Secretary Of The Air Force Apparatus and method for bus protection
US10296477B2 (en) 2017-03-30 2019-05-21 United States of America as represented by the Secretary of the AirForce Data bus logger
US10218697B2 (en) 2017-06-09 2019-02-26 Lookout, Inc. Use of device risk evaluation to manage access to services
CA3067427A1 (en) * 2017-06-22 2018-12-27 Jpmorgan Chase Bank, N.A. System and method for implementing an interbank information network
WO2019084524A1 (en) * 2017-10-27 2019-05-02 Cleverdome, Inc. Software defined network for creating a trusted network system
US10943749B2 (en) 2018-03-15 2021-03-09 Crestron Electronics, Inc. Wall mounted control device with interchangeable buttons
US11233696B1 (en) * 2018-03-23 2022-01-25 Amazon Technologies, Inc. Preconfiguring a device for a network
CN108768694A (en) * 2018-04-25 2018-11-06 安徽展航信息科技发展有限公司 A kind of campus hot spot autonomous management platform
US11025413B2 (en) 2018-09-04 2021-06-01 International Business Machines Corporation Securing a storage network using key server authentication
US10833856B2 (en) 2018-09-04 2020-11-10 International Business Machines Corporation Automatic re-authentication of links using a key server
US10764291B2 (en) 2018-09-04 2020-09-01 International Business Machines Corporation Controlling access between nodes by a key server
US11038698B2 (en) 2018-09-04 2021-06-15 International Business Machines Corporation Securing a path at a selected node
US10833860B2 (en) 2018-09-04 2020-11-10 International Business Machines Corporation Shared key processing by a host to secure links
US11991273B2 (en) 2018-09-04 2024-05-21 International Business Machines Corporation Storage device key management for encrypted host data
US11088829B2 (en) 2018-09-04 2021-08-10 International Business Machines Corporation Securing a path at a node
US11038671B2 (en) 2018-09-04 2021-06-15 International Business Machines Corporation Shared key processing by a storage device to secure links
US10917840B2 (en) * 2018-09-13 2021-02-09 International Business Machines Corporation Selecting a communication service provider according to constraint criteria
US10949322B2 (en) 2019-04-08 2021-03-16 Hewlett Packard Enterprise Development Lp Collecting performance metrics of a device
US10708770B1 (en) * 2019-06-06 2020-07-07 NortonLifeLock Inc. Systems and methods for protecting users
CN110798456A (en) * 2019-10-22 2020-02-14 北京天融信网络安全技术有限公司 SSLVPN authentication method and intranet resource access and data acquisition method
US11523282B2 (en) * 2020-02-05 2022-12-06 Lookout Inc. Use of geolocation to improve security while protecting privacy
US11336438B2 (en) * 2020-03-31 2022-05-17 EMC IP Holding Company LLC Remote approval and execution of restricted operations
US20230156003A1 (en) * 2020-04-10 2023-05-18 Nec Corporation Authentication server, authentication system, control method of authentication server, and storage medium
JP7375917B2 (en) * 2020-04-10 2023-11-08 日本電気株式会社 Authentication server, authentication system, authentication server control method and program
US12028323B1 (en) * 2020-06-30 2024-07-02 United Services Automobile Association (Usaa) Layered authentication and priority access systems and methods
US11561917B2 (en) * 2020-09-23 2023-01-24 Hewlett Packard Enterprise Development Lp USB connection management
US20230006880A1 (en) * 2021-06-30 2023-01-05 Microsoft Technology Licensing, Llc Local edge authority platform
JP2023141050A (en) * 2022-03-23 2023-10-05 富士フイルムビジネスイノベーション株式会社 Information processing device and information processing program
US11956293B1 (en) * 2023-03-29 2024-04-09 Adeia Guides Inc. Selection of CDN and access network on the user device from among multiple access networks and CDNs

Citations (94)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5406261A (en) * 1993-01-11 1995-04-11 Glenn; James T. Computer security apparatus and method
US5500517A (en) * 1994-09-02 1996-03-19 Gemplus Card International Apparatus and method for data transfer between stand alone integrated circuit smart card terminal and remote computer of system operator
US5627886A (en) * 1994-09-22 1997-05-06 Electronic Data Systems Corporation System and method for detecting fraudulent network usage patterns using real-time network monitoring
US5748084A (en) * 1996-11-18 1998-05-05 Isikoff; Jeremy M. Device security system
US5835737A (en) * 1996-05-10 1998-11-10 Apple Computer, Inc. Method and apparatus for arbitrating access to selected computer system devices
US5864757A (en) * 1995-12-12 1999-01-26 Bellsouth Corporation Methods and apparatus for locking communications devices
US5936526A (en) * 1998-01-13 1999-08-10 Micron Electronics, Inc. Apparatus for generating an alarm in a portable computer system
US5953536A (en) * 1996-09-30 1999-09-14 Intel Corporation Software-implemented tool for monitoring power management in a computer system
US5958058A (en) * 1997-07-18 1999-09-28 Micron Electronics, Inc. User-selectable power management interface with application threshold warnings
US6070240A (en) * 1997-08-27 2000-05-30 Ensure Technologies Incorporated Computer access control
US6085084A (en) * 1997-09-24 2000-07-04 Christmas; Christian Automated creation of a list of disallowed network points for use in connection blocking
US6181925B1 (en) * 1997-04-09 2001-01-30 Cellco Partnership Method and apparatus for fraud control in a cellular telephone switch
US6198920B1 (en) * 1995-06-01 2001-03-06 Padcom, Inc. Apparatus and method for intelligent routing of data between a remote device and a host system
US6272112B1 (en) * 1997-11-13 2001-08-07 Fujitsu Limited Repeating unit testing system and communication apparatus as well as communication method
US20020039359A1 (en) * 1997-12-31 2002-04-04 At&T Corporation Hybrid fiber twisted pair local loop network service architecture
US20020052968A1 (en) * 2000-01-31 2002-05-02 Rudy Bonefas Messaging method and apparatus for routing messages in a client server environment over multiple wireless and wireline networks
US6418533B2 (en) * 1997-08-29 2002-07-09 Compaq Information Technologies Group, L.P. “J” system for securing a portable computer which optionally requires an entry of an invalid power on password (POP), by forcing an entry of a valid POP
US20020099957A1 (en) * 2001-01-24 2002-07-25 Michael Kramer Establishing a secure connection with a private corporate network over a public network
US20020133584A1 (en) * 2001-01-17 2002-09-19 Greuel James R. Method and apparatus for customizably calculating and displaying health of a computer network
US20020186845A1 (en) * 2001-06-11 2002-12-12 Santanu Dutta Method and apparatus for remotely disabling and enabling access to secure transaction functions of a mobile terminal
US20030005331A1 (en) * 1998-08-06 2003-01-02 Cryptek Secure Communications, Llc Multi-level security network system
US20030051140A1 (en) * 2001-09-13 2003-03-13 Buddhikot Milind M. Scheme for authentication and dynamic key exchange
US20030056116A1 (en) * 2001-05-18 2003-03-20 Bunker Nelson Waldo Reporter
US6542729B1 (en) * 1999-04-27 2003-04-01 Qualcomm Inc. System and method for minimizing fraudulent usage of a mobile telephone
US6546425B1 (en) * 1998-10-09 2003-04-08 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US20030084350A1 (en) * 2001-11-01 2003-05-01 International Business Machines Corporation System and method for secure configuration of sensitive web services
US6564047B1 (en) * 2000-08-28 2003-05-13 Motorola Inc. Advanced air time management
US20030188162A1 (en) * 2002-03-29 2003-10-02 Brant Candelore Locking a hard drive to a host
US20030212548A1 (en) * 2002-05-13 2003-11-13 Petty Norman W. Apparatus and method for improved voice activity detection
US20030217166A1 (en) * 2002-05-17 2003-11-20 Mario Dal Canto System and method for provisioning universal stateless digital and computing services
US20030221039A1 (en) * 2002-05-22 2003-11-27 International Business Machines Corporation Data caching on bridge following disconnect
US6657956B1 (en) * 1996-03-07 2003-12-02 Bull Cp8 Method enabling secure access by a station to at least one server, and device using same
US6662023B1 (en) * 2000-07-06 2003-12-09 Nokia Mobile Phones Ltd. Method and apparatus for controlling and securing mobile phones that are lost, stolen or misused
US20030235307A1 (en) * 2002-06-13 2003-12-25 Kazuhiro Miyamoto Encryption and decryption program
US20030236827A1 (en) * 2002-06-24 2003-12-25 Cisco Technology, Inc. Adaptive feedback technique implemented in Mobile IP networks
US20040030887A1 (en) * 2002-08-07 2004-02-12 Harrisville-Wolff Carol L. System and method for providing secure communications between clients and service providers
US20040039807A1 (en) * 2002-04-25 2004-02-26 Angel Boveda De Miguel Methods and arrangements in a telecommunication network
US20040052259A1 (en) * 2002-09-16 2004-03-18 Agilent Technologies, Inc. Measuring network operational parameters as experienced by network operational traffic
US20040064293A1 (en) * 2002-09-30 2004-04-01 Hamilton David B. Method and system for storing and reporting network performance metrics using histograms
US6725379B1 (en) * 1999-08-11 2004-04-20 Dell Products L.P. Stolen computer detection and protection
US20040082351A1 (en) * 2002-06-28 2004-04-29 Ilkka Westman User group creation
US20040087213A1 (en) * 2002-08-16 2004-05-06 Chi-Lei Kao Plug used for connection with a usb receptacle
US20040107360A1 (en) * 2002-12-02 2004-06-03 Zone Labs, Inc. System and Methodology for Policy Enforcement
US20040110488A1 (en) * 2002-12-10 2004-06-10 Nokia Corporation System and method for performing security functions of a mobile station
US20040123150A1 (en) * 2002-12-18 2004-06-24 Michael Wright Protection of data accessible by a mobile device
US20040127196A1 (en) * 2002-12-31 2004-07-01 Dabbish Ezzat A. Methods and apparatus for managing secured software for a wireless device
US20040137964A1 (en) * 2002-09-13 2004-07-15 Steven Lynch Wireless communication device and method for responding to solicitations
US20040143470A1 (en) * 1999-08-20 2004-07-22 Myrick Conrad B. Structure and method of modeling integrated business and information technology frameworks and architecture in support of a business
US20040193694A1 (en) * 1999-11-10 2004-09-30 Randy Salo Application gateway systems
US20040199545A1 (en) * 2001-08-14 2004-10-07 Frederico Wagner Networked disposal and replenishment apparatus
US20040205749A1 (en) * 2003-03-26 2004-10-14 Lockheed Martin Corporation System for enabling application software of data acquisition devices
US6813498B1 (en) * 2000-10-27 2004-11-02 Lucent Technologies Inc. Apparatus, method and system for detection and recovery of missing wireless devices in communication systems
US20040218605A1 (en) * 2003-04-30 2004-11-04 Telefonaktiebolaget Lm Ericsson (Publ) Method for access selection
US20040218587A1 (en) * 2003-04-29 2004-11-04 Sung-Hoon Kim Private EV-DO system sharing public network data location register and data service method
US20040235514A1 (en) * 2001-07-18 2004-11-25 Stephen Bloch Data security device
US20040235522A1 (en) * 2003-05-21 2004-11-25 Alan Lin Card facility for freely communicating with network systems
US20040259538A1 (en) * 2001-10-16 2004-12-23 Victor Agbegnenou Wireless multipurpose communication system
US20040268240A1 (en) * 2003-06-11 2004-12-30 Vincent Winchel Todd System for normalizing and archiving schemas
US20050020315A1 (en) * 2003-07-22 2005-01-27 Robertson Ian M. Security for mobile communications device
US20050025184A1 (en) * 1998-10-07 2005-02-03 Dowling Eric Morgan Virtual connection of a remote unit to a server
US6865162B1 (en) * 2000-12-06 2005-03-08 Cisco Technology, Inc. Elimination of clipping associated with VAD-directed silence suppression
US20050073389A1 (en) * 2003-10-01 2005-04-07 Chandley Adrian Mark Systems and methods for deterring theft of electronic devices
US20050125474A1 (en) * 2003-12-05 2005-06-09 International Business Machines Corporation Method and structure for transform regression
US6910135B1 (en) * 1999-07-07 2005-06-21 Verizon Corporate Services Group Inc. Method and apparatus for an intruder detection reporting and response system
US20050160280A1 (en) * 2003-05-15 2005-07-21 Caslin Michael F. Method and system for providing fraud detection for remote access services
US20050186989A1 (en) * 2002-04-02 2005-08-25 Keith Cocita Cell phone feature
US20050198491A1 (en) * 2004-03-03 2005-09-08 Cisco Technology, Inc., A Corporation Of California Network security enhancement methods and devices
US6947755B1 (en) * 2001-03-16 2005-09-20 Gould Lawrence A Systems and methods for distributed processing of location information associated with emergency 911 wireless transmissions
US20050262361A1 (en) * 2004-05-24 2005-11-24 Seagate Technology Llc System and method for magnetic storage disposal
US6973576B2 (en) * 2000-12-27 2005-12-06 Margent Development, Llc Digital content security system
US20050273592A1 (en) * 2004-05-20 2005-12-08 International Business Machines Corporation System, method and program for protecting communication
US6996728B2 (en) * 2002-04-26 2006-02-07 Hewlett-Packard Development Company, L.P. Managing power consumption based on utilization statistics
US7003282B1 (en) * 1998-07-07 2006-02-21 Nokia Corporation System and method for authentication in a mobile communications system
US20060059265A1 (en) * 2002-08-27 2006-03-16 Seppo Keronen Terminal connectivity system
US20060073820A1 (en) * 2002-10-10 2006-04-06 Craswell Ronald J Method and apparatus for remote control and updating of wireless mobile devices
US7051236B2 (en) * 2002-06-13 2006-05-23 Dell Products L.P. Wirelessly network-connected, battery-powered information handling system featuring prevention of data corruption after wake-up by a network event
US20060149414A1 (en) * 2004-12-30 2006-07-06 Carrier Corporation Remote web access control of multiple home comfort systems
US7089425B2 (en) * 2003-03-18 2006-08-08 Ci4 Technologies, Inc. Remote access authorization of local content
US7089553B1 (en) * 2000-10-12 2006-08-08 International Business Machines Corporation Method, system, computer program product, and article of manufacture for downloading a remote computer program according to a stored configuration
US7107349B2 (en) * 2002-09-30 2006-09-12 Danger, Inc. System and method for disabling and providing a notification for a data processing device
US20060294219A1 (en) * 2003-10-03 2006-12-28 Kazuki Ogawa Network system based on policy rule
US7170999B1 (en) * 2002-08-28 2007-01-30 Napster, Inc. Method of and apparatus for encrypting and transferring files
US20070125620A1 (en) * 2003-06-03 2007-06-07 Sorenson Timothy N Methods and systems for providing products, such as digital content including games, ring tones, and/or graphics; and services, such as computer network service including internet service
US7239862B1 (en) * 2002-09-19 2007-07-03 Cellco Partnership Method of and system for processing prepaid wireless data communications
US7272230B2 (en) * 2001-04-18 2007-09-18 Pumpkin House Incorporated Encryption system and control method thereof
US7299349B2 (en) * 2002-01-31 2007-11-20 Microsoft Corporation Secure end-to-end notification
US7305548B2 (en) * 2001-10-22 2007-12-04 Microsoft Corporation Using atomic messaging to increase the security of transferring data across a network
US20070280109A1 (en) * 2004-03-03 2007-12-06 Jussi Jaatinen Method, a Device and a System for Transferring Data
US7370349B2 (en) * 2002-01-18 2008-05-06 Peoplechart Corporation Method and system for protecting information on a computer system
US7389123B2 (en) * 2003-04-29 2008-06-17 Sony Ericsson Mobile Communications Ab Mobile apparatus with remote lock and control function
US7392390B2 (en) * 2001-12-12 2008-06-24 Valve Corporation Method and system for binding kerberos-style authenticators to single clients
US7395049B2 (en) * 2003-03-03 2008-07-01 Nokia Corporation Security element commanding method and mobile terminal
US7409061B2 (en) * 2000-11-29 2008-08-05 Noatak Software Llc Method and system for secure distribution of subscription-based game software
US20080233919A1 (en) * 2004-02-20 2008-09-25 Nokia Corporation System and Method for Limiting Mobile Device Functionality.

Family Cites Families (65)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IE872626L (en) 1987-09-29 1988-04-01 Smithkline Beckman Corp Affinity adsorbents for glycopeptide antibiotics.
JPH06253308A (en) * 1993-03-01 1994-09-09 Fujitsu Ltd Video communication control system
US5473692A (en) * 1994-09-07 1995-12-05 Intel Corporation Roving software license for a hardware agent
JP4086259B2 (en) * 1995-08-04 2008-05-14 株式会社東芝 Communications system
US5974237A (en) 1996-12-18 1999-10-26 Northern Telecom Limited Communications network monitoring
JPH10303880A (en) 1997-05-01 1998-11-13 Digital Vision Lab:Kk Service providing system
CA2295150A1 (en) 1997-06-26 1999-01-07 Michael John Kenning Data communications
US6118324A (en) * 1997-06-30 2000-09-12 Xilinx, Inc. Output driver with reduced ground bounce
US6608676B1 (en) * 1997-08-01 2003-08-19 Kla-Tencor Corporation System for detecting anomalies and/or features of a surface
US6529834B1 (en) * 1997-12-04 2003-03-04 Baker Hughes Incorporated Measurement-while-drilling assembly using gyroscopic devices and methods of bias removal
US6168522B1 (en) * 1998-03-31 2001-01-02 Walker Digital, Llc Method and apparatus for operating a gaming device to dispense a specified amount
EP1112544A4 (en) 1998-07-20 2007-05-02 Easynet Access Inc Internet billing
JP2000155796A (en) * 1998-10-30 2000-06-06 Becton Dickinson & Co Management system for medical supply and sample
US6683852B2 (en) * 1998-12-15 2004-01-27 Lucent Technologies Inc. Call admission control methods and apparatus for improving route selection in packet networks
US6490679B1 (en) * 1999-01-18 2002-12-03 Shym Technology, Inc. Seamless integration of application programs with security key infrastructure
EP1059782A3 (en) 1999-06-10 2004-02-04 Lucent Technologies Inc. Method and apparatus for dynamically allocating bandwidth utilization in a packet telephony network
US6678835B1 (en) * 1999-06-10 2004-01-13 Alcatel State transition protocol for high availability units
US6965948B1 (en) 1999-11-12 2005-11-15 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for selective network access
US6643701B1 (en) * 1999-11-17 2003-11-04 Sun Microsystems, Inc. Method and apparatus for providing secure communication with a relay in a network
US7437550B2 (en) * 1999-12-02 2008-10-14 Ponoi Corp. System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data
GB2359220A (en) * 2000-02-03 2001-08-15 Orange Personal Comm Serv Ltd Handover in accordance with a network policy
US6386894B2 (en) * 2000-04-28 2002-05-14 Texas Instruments Incorporated Versatile interconnection scheme for beverage quality and control sensors
DE10024584A1 (en) 2000-05-19 2002-01-17 Deutsche Telekom Mobil Method for operating a dual or multi-band mobile radio terminal and mobile radio terminal
AU2001289010A1 (en) 2000-09-12 2002-03-26 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity ina computing environment
WO2002041580A1 (en) 2000-11-14 2002-05-23 Siemens Aktiengesellschaft Device and method for selecting network accesses
JP2002158985A (en) * 2000-11-17 2002-05-31 Hitachi Ltd Digital contents distribution system, digital contents distributing method, digital contents distributor, information processor, and digital contents recording medium
US20020087623A1 (en) * 2000-12-30 2002-07-04 Eatough David A. Method and apparatus for determining network topology and/or managing network related tasks
JP2002238067A (en) * 2001-02-07 2002-08-23 Mitsubishi Electric Corp Mobile communication system, hands-off method, and program for making computer execute the method
JP3744361B2 (en) * 2001-02-16 2006-02-08 株式会社日立製作所 Security management system
WO2002077816A1 (en) 2001-03-21 2002-10-03 Bot, Inc. Intelligent software agent system architecture
US7096269B2 (en) * 2001-03-30 2006-08-22 Hitachi, Ltd. Path selection methods for storage based remote copy
US7421083B2 (en) * 2001-04-05 2008-09-02 General Instrument Corporation System for seamlessly updating service keys with automatic recovery
US7603703B2 (en) 2001-04-12 2009-10-13 International Business Machines Corporation Method and system for controlled distribution of application code and content data within a computer network
US20030088517A1 (en) * 2001-04-13 2003-05-08 Xyleco, Inc. System and method for controlling access and use of private information
US7975139B2 (en) 2001-05-01 2011-07-05 Vasco Data Security, Inc. Use and generation of a session key in a secure socket layer connection
US7546629B2 (en) * 2002-03-06 2009-06-09 Check Point Software Technologies, Inc. System and methodology for security policy arbitration
US6829158B2 (en) * 2001-08-22 2004-12-07 Motorola, Inc. Magnetoresistive level generator and method
US7681034B1 (en) 2001-12-12 2010-03-16 Chang-Ping Lee Method and apparatus for securing electronic data
US20040019786A1 (en) 2001-12-14 2004-01-29 Zorn Glen W. Lightweight extensible authentication protocol password preprocessing
KR100909617B1 (en) 2002-02-26 2009-07-27 노키아 코포레이션 Method and apparatus for adapting configuration of an application of a mobile terminal to an accessible data connection
US6880079B2 (en) * 2002-04-25 2005-04-12 Vasco Data Security, Inc. Methods and systems for secure transmission of information using a mobile device
US20030204748A1 (en) 2002-04-30 2003-10-30 Tom Chiu Auto-detection of wireless network accessibility
US20040017360A1 (en) * 2002-05-02 2004-01-29 Emerson Harry E. Computer keyboard having a single key providing a shift-tab function
US7240366B2 (en) * 2002-05-17 2007-07-03 Microsoft Corporation End-to-end authentication of session initiation protocol messages using certificates
AU2003242944A1 (en) 2002-07-10 2004-02-02 Koninklijke Philips Electronics N.V. Interface selection from multiple networks
JP2004062416A (en) * 2002-07-26 2004-02-26 Nippon Telegr & Teleph Corp <Ntt> Method for preventing illegal access, method for downloading security policy, personal computer, and policy server
US7042867B2 (en) * 2002-07-29 2006-05-09 Meshnetworks, Inc. System and method for determining physical location of a node in a wireless network during an authentication check of the node
US6754193B2 (en) 2002-08-01 2004-06-22 Motorola, Inc. Method and base station controller for operating in accordance with a wireless communication protocol
TW537466U (en) * 2002-08-01 2003-06-11 Handlink Technologies Inc Portable network transmission device
US20040028069A1 (en) * 2002-08-07 2004-02-12 Tindal Glen D. Event bus with passive queuing and active routing
AU2003260071A1 (en) 2002-08-27 2004-03-19 Td Security, Inc., Dba Trust Digital, Llc Enterprise-wide security system for computer devices
EP1396980A1 (en) * 2002-09-05 2004-03-10 Hewlett-Packard Company A system for managing user profile data
EP1547299B1 (en) 2002-09-17 2012-11-14 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
US7448067B2 (en) * 2002-09-30 2008-11-04 Intel Corporation Method and apparatus for enforcing network security policies
JP4274770B2 (en) * 2002-10-01 2009-06-10 株式会社エヌ・ティ・ティ・ドコモ Authentication settlement method, service providing apparatus, and authentication settlement system
JP4509931B2 (en) * 2002-10-17 2010-07-21 ヴォウダフォン・グループ・ピーエルシー Facilitating and authenticating transactions
US7020476B2 (en) * 2002-12-23 2006-03-28 Steelcloud, Inc. Wireless network security
US7421503B1 (en) * 2003-01-17 2008-09-02 Cisco Technology, Inc. Method and apparatus for providing multiple authentication types using an authentication protocol that supports a single type
US7295119B2 (en) * 2003-01-22 2007-11-13 Wireless Valley Communications, Inc. System and method for indicating the presence or physical location of persons or devices in a site specific representation of a physical environment
US7506161B2 (en) * 2003-09-02 2009-03-17 Authernative, Inc. Communication session encryption and authentication system
US7549048B2 (en) * 2004-03-19 2009-06-16 Microsoft Corporation Efficient and secure authentication of computing systems
US7574600B2 (en) * 2004-03-24 2009-08-11 Intel Corporation System and method for combining user and platform authentication in negotiated channel security protocols
EP1638368B1 (en) * 2004-04-06 2008-07-09 Phonak AG Method for activating a hearing device
US7444517B2 (en) * 2004-06-03 2008-10-28 International Business Machines Corporation Method for protecting a user's password
US7725716B2 (en) * 2004-06-28 2010-05-25 Japan Communications, Inc. Methods and systems for encrypting, transmitting, and storing electronic information and files

Patent Citations (97)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5406261A (en) * 1993-01-11 1995-04-11 Glenn; James T. Computer security apparatus and method
US5500517A (en) * 1994-09-02 1996-03-19 Gemplus Card International Apparatus and method for data transfer between stand alone integrated circuit smart card terminal and remote computer of system operator
US5627886A (en) * 1994-09-22 1997-05-06 Electronic Data Systems Corporation System and method for detecting fraudulent network usage patterns using real-time network monitoring
US6198920B1 (en) * 1995-06-01 2001-03-06 Padcom, Inc. Apparatus and method for intelligent routing of data between a remote device and a host system
US6418324B1 (en) * 1995-06-01 2002-07-09 Padcom, Incorporated Apparatus and method for transparent wireless communication between a remote device and host system
US5864757A (en) * 1995-12-12 1999-01-26 Bellsouth Corporation Methods and apparatus for locking communications devices
US6657956B1 (en) * 1996-03-07 2003-12-02 Bull Cp8 Method enabling secure access by a station to at least one server, and device using same
US5835737A (en) * 1996-05-10 1998-11-10 Apple Computer, Inc. Method and apparatus for arbitrating access to selected computer system devices
US5953536A (en) * 1996-09-30 1999-09-14 Intel Corporation Software-implemented tool for monitoring power management in a computer system
US5748084A (en) * 1996-11-18 1998-05-05 Isikoff; Jeremy M. Device security system
US6181925B1 (en) * 1997-04-09 2001-01-30 Cellco Partnership Method and apparatus for fraud control in a cellular telephone switch
US5958058A (en) * 1997-07-18 1999-09-28 Micron Electronics, Inc. User-selectable power management interface with application threshold warnings
US6070240A (en) * 1997-08-27 2000-05-30 Ensure Technologies Incorporated Computer access control
US6418533B2 (en) * 1997-08-29 2002-07-09 Compaq Information Technologies Group, L.P. “J” system for securing a portable computer which optionally requires an entry of an invalid power on password (POP), by forcing an entry of a valid POP
US6085084A (en) * 1997-09-24 2000-07-04 Christmas; Christian Automated creation of a list of disallowed network points for use in connection blocking
US6272112B1 (en) * 1997-11-13 2001-08-07 Fujitsu Limited Repeating unit testing system and communication apparatus as well as communication method
US20020039359A1 (en) * 1997-12-31 2002-04-04 At&T Corporation Hybrid fiber twisted pair local loop network service architecture
US5936526A (en) * 1998-01-13 1999-08-10 Micron Electronics, Inc. Apparatus for generating an alarm in a portable computer system
US7003282B1 (en) * 1998-07-07 2006-02-21 Nokia Corporation System and method for authentication in a mobile communications system
US20030005331A1 (en) * 1998-08-06 2003-01-02 Cryptek Secure Communications, Llc Multi-level security network system
US20050025184A1 (en) * 1998-10-07 2005-02-03 Dowling Eric Morgan Virtual connection of a remote unit to a server
US6546425B1 (en) * 1998-10-09 2003-04-08 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US6542729B1 (en) * 1999-04-27 2003-04-01 Qualcomm Inc. System and method for minimizing fraudulent usage of a mobile telephone
US6910135B1 (en) * 1999-07-07 2005-06-21 Verizon Corporate Services Group Inc. Method and apparatus for an intruder detection reporting and response system
US6725379B1 (en) * 1999-08-11 2004-04-20 Dell Products L.P. Stolen computer detection and protection
US20040143470A1 (en) * 1999-08-20 2004-07-22 Myrick Conrad B. Structure and method of modeling integrated business and information technology frameworks and architecture in support of a business
US20040193694A1 (en) * 1999-11-10 2004-09-30 Randy Salo Application gateway systems
US20020052968A1 (en) * 2000-01-31 2002-05-02 Rudy Bonefas Messaging method and apparatus for routing messages in a client server environment over multiple wireless and wireline networks
US6662023B1 (en) * 2000-07-06 2003-12-09 Nokia Mobile Phones Ltd. Method and apparatus for controlling and securing mobile phones that are lost, stolen or misused
US6564047B1 (en) * 2000-08-28 2003-05-13 Motorola Inc. Advanced air time management
US7089553B1 (en) * 2000-10-12 2006-08-08 International Business Machines Corporation Method, system, computer program product, and article of manufacture for downloading a remote computer program according to a stored configuration
US6813498B1 (en) * 2000-10-27 2004-11-02 Lucent Technologies Inc. Apparatus, method and system for detection and recovery of missing wireless devices in communication systems
US7409061B2 (en) * 2000-11-29 2008-08-05 Noatak Software Llc Method and system for secure distribution of subscription-based game software
US6865162B1 (en) * 2000-12-06 2005-03-08 Cisco Technology, Inc. Elimination of clipping associated with VAD-directed silence suppression
US6973576B2 (en) * 2000-12-27 2005-12-06 Margent Development, Llc Digital content security system
US20020133584A1 (en) * 2001-01-17 2002-09-19 Greuel James R. Method and apparatus for customizably calculating and displaying health of a computer network
US20020099957A1 (en) * 2001-01-24 2002-07-25 Michael Kramer Establishing a secure connection with a private corporate network over a public network
US6947755B1 (en) * 2001-03-16 2005-09-20 Gould Lawrence A Systems and methods for distributed processing of location information associated with emergency 911 wireless transmissions
US7272230B2 (en) * 2001-04-18 2007-09-18 Pumpkin House Incorporated Encryption system and control method thereof
US20030056116A1 (en) * 2001-05-18 2003-03-20 Bunker Nelson Waldo Reporter
US20020186845A1 (en) * 2001-06-11 2002-12-12 Santanu Dutta Method and apparatus for remotely disabling and enabling access to secure transaction functions of a mobile terminal
US20040235514A1 (en) * 2001-07-18 2004-11-25 Stephen Bloch Data security device
US7054594B2 (en) * 2001-07-18 2006-05-30 Data Transfer & Communication Limited Data security device
US20040199545A1 (en) * 2001-08-14 2004-10-07 Frederico Wagner Networked disposal and replenishment apparatus
US20030051140A1 (en) * 2001-09-13 2003-03-13 Buddhikot Milind M. Scheme for authentication and dynamic key exchange
US20040259538A1 (en) * 2001-10-16 2004-12-23 Victor Agbegnenou Wireless multipurpose communication system
US7305548B2 (en) * 2001-10-22 2007-12-04 Microsoft Corporation Using atomic messaging to increase the security of transferring data across a network
US20030084350A1 (en) * 2001-11-01 2003-05-01 International Business Machines Corporation System and method for secure configuration of sensitive web services
US7392391B2 (en) * 2001-11-01 2008-06-24 International Business Machines Corporation System and method for secure configuration of sensitive web services
US7392390B2 (en) * 2001-12-12 2008-06-24 Valve Corporation Method and system for binding kerberos-style authenticators to single clients
US7370349B2 (en) * 2002-01-18 2008-05-06 Peoplechart Corporation Method and system for protecting information on a computer system
US7299349B2 (en) * 2002-01-31 2007-11-20 Microsoft Corporation Secure end-to-end notification
US20030188162A1 (en) * 2002-03-29 2003-10-02 Brant Candelore Locking a hard drive to a host
US20050186989A1 (en) * 2002-04-02 2005-08-25 Keith Cocita Cell phone feature
US20040039807A1 (en) * 2002-04-25 2004-02-26 Angel Boveda De Miguel Methods and arrangements in a telecommunication network
US6996728B2 (en) * 2002-04-26 2006-02-07 Hewlett-Packard Development Company, L.P. Managing power consumption based on utilization statistics
US20030212548A1 (en) * 2002-05-13 2003-11-13 Petty Norman W. Apparatus and method for improved voice activity detection
US20030217166A1 (en) * 2002-05-17 2003-11-20 Mario Dal Canto System and method for provisioning universal stateless digital and computing services
US20030221039A1 (en) * 2002-05-22 2003-11-27 International Business Machines Corporation Data caching on bridge following disconnect
US20030235307A1 (en) * 2002-06-13 2003-12-25 Kazuhiro Miyamoto Encryption and decryption program
US7051236B2 (en) * 2002-06-13 2006-05-23 Dell Products L.P. Wirelessly network-connected, battery-powered information handling system featuring prevention of data corruption after wake-up by a network event
US20030236827A1 (en) * 2002-06-24 2003-12-25 Cisco Technology, Inc. Adaptive feedback technique implemented in Mobile IP networks
US20040082351A1 (en) * 2002-06-28 2004-04-29 Ilkka Westman User group creation
US20040030887A1 (en) * 2002-08-07 2004-02-12 Harrisville-Wolff Carol L. System and method for providing secure communications between clients and service providers
US20040087213A1 (en) * 2002-08-16 2004-05-06 Chi-Lei Kao Plug used for connection with a usb receptacle
US20060059265A1 (en) * 2002-08-27 2006-03-16 Seppo Keronen Terminal connectivity system
US7170999B1 (en) * 2002-08-28 2007-01-30 Napster, Inc. Method of and apparatus for encrypting and transferring files
US20040137964A1 (en) * 2002-09-13 2004-07-15 Steven Lynch Wireless communication device and method for responding to solicitations
US20040052259A1 (en) * 2002-09-16 2004-03-18 Agilent Technologies, Inc. Measuring network operational parameters as experienced by network operational traffic
US7239862B1 (en) * 2002-09-19 2007-07-03 Cellco Partnership Method of and system for processing prepaid wireless data communications
US7107349B2 (en) * 2002-09-30 2006-09-12 Danger, Inc. System and method for disabling and providing a notification for a data processing device
US20040064293A1 (en) * 2002-09-30 2004-04-01 Hamilton David B. Method and system for storing and reporting network performance metrics using histograms
US20060073820A1 (en) * 2002-10-10 2006-04-06 Craswell Ronald J Method and apparatus for remote control and updating of wireless mobile devices
US20040107360A1 (en) * 2002-12-02 2004-06-03 Zone Labs, Inc. System and Methodology for Policy Enforcement
US20040110488A1 (en) * 2002-12-10 2004-06-10 Nokia Corporation System and method for performing security functions of a mobile station
US20040123150A1 (en) * 2002-12-18 2004-06-24 Michael Wright Protection of data accessible by a mobile device
US20040127196A1 (en) * 2002-12-31 2004-07-01 Dabbish Ezzat A. Methods and apparatus for managing secured software for a wireless device
US7395049B2 (en) * 2003-03-03 2008-07-01 Nokia Corporation Security element commanding method and mobile terminal
US7089425B2 (en) * 2003-03-18 2006-08-08 Ci4 Technologies, Inc. Remote access authorization of local content
US20040205749A1 (en) * 2003-03-26 2004-10-14 Lockheed Martin Corporation System for enabling application software of data acquisition devices
US20040218587A1 (en) * 2003-04-29 2004-11-04 Sung-Hoon Kim Private EV-DO system sharing public network data location register and data service method
US7389123B2 (en) * 2003-04-29 2008-06-17 Sony Ericsson Mobile Communications Ab Mobile apparatus with remote lock and control function
US20040218605A1 (en) * 2003-04-30 2004-11-04 Telefonaktiebolaget Lm Ericsson (Publ) Method for access selection
US20050160280A1 (en) * 2003-05-15 2005-07-21 Caslin Michael F. Method and system for providing fraud detection for remote access services
US20040235522A1 (en) * 2003-05-21 2004-11-25 Alan Lin Card facility for freely communicating with network systems
US20070125620A1 (en) * 2003-06-03 2007-06-07 Sorenson Timothy N Methods and systems for providing products, such as digital content including games, ring tones, and/or graphics; and services, such as computer network service including internet service
US20040268240A1 (en) * 2003-06-11 2004-12-30 Vincent Winchel Todd System for normalizing and archiving schemas
US20050020315A1 (en) * 2003-07-22 2005-01-27 Robertson Ian M. Security for mobile communications device
US20050073389A1 (en) * 2003-10-01 2005-04-07 Chandley Adrian Mark Systems and methods for deterring theft of electronic devices
US20060294219A1 (en) * 2003-10-03 2006-12-28 Kazuki Ogawa Network system based on policy rule
US20050125474A1 (en) * 2003-12-05 2005-06-09 International Business Machines Corporation Method and structure for transform regression
US20080233919A1 (en) * 2004-02-20 2008-09-25 Nokia Corporation System and Method for Limiting Mobile Device Functionality.
US20070280109A1 (en) * 2004-03-03 2007-12-06 Jussi Jaatinen Method, a Device and a System for Transferring Data
US20050198491A1 (en) * 2004-03-03 2005-09-08 Cisco Technology, Inc., A Corporation Of California Network security enhancement methods and devices
US20050273592A1 (en) * 2004-05-20 2005-12-08 International Business Machines Corporation System, method and program for protecting communication
US20050262361A1 (en) * 2004-05-24 2005-11-24 Seagate Technology Llc System and method for magnetic storage disposal
US20060149414A1 (en) * 2004-12-30 2006-07-06 Carrier Corporation Remote web access control of multiple home comfort systems

Cited By (189)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070083913A1 (en) * 2004-04-28 2007-04-12 Jonathan Griffin Propagation of malicious code through an information technology network
US9143524B2 (en) * 2004-04-28 2015-09-22 Hewlett-Packard Development Company, L.P. Propagation of malicious code through an information technology network
US9401885B2 (en) * 2005-10-04 2016-07-26 Samsung Electronics Co., Ltd. Data push service method and system using data pull model
US20130110935A1 (en) * 2005-10-04 2013-05-02 Samsung Electronics Co., Ltd. Data push service method and system using data pull model
US20070118653A1 (en) * 2005-11-22 2007-05-24 Sabre Inc. System, method, and computer program product for throttling client traffic
US20090180619A1 (en) * 2006-05-29 2009-07-16 Nec Corporation System for disabling unauthorized person, encryption device, encryption method, and program
US8270613B2 (en) * 2006-05-29 2012-09-18 Nec Corporation System for disabling unauthorized person, encryption device, encryption method, and program
US20160149998A1 (en) * 2007-12-31 2016-05-26 Genesys Telecommunications Laboratories, Inc. Federated uptake throttling
US9866627B2 (en) * 2007-12-31 2018-01-09 Genesys Telecommunications Laboratories, Inc. Federated uptake throttling
US8600405B2 (en) 2008-08-12 2013-12-03 Apogee Technology Consultants, Llc Location-based recovery device and risk management system for portable computing devices and data
US9392401B2 (en) 2008-08-12 2016-07-12 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9686640B2 (en) 2008-08-12 2017-06-20 Apogee Technology Consultants, Llc Telemetric tracking of a portable computing device
US9679154B2 (en) 2008-08-12 2017-06-13 Apogee Technology Consultants, Llc Tracking location of portable computing device
US9674651B2 (en) 2008-08-12 2017-06-06 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9699604B2 (en) 2008-08-12 2017-07-04 Apogee Technology Consultants, Llc Telemetric tracking of a portable computing device
US9026170B2 (en) 2008-08-12 2015-05-05 Apogee Technology Consultants, Llc Location-based recovery device and risk management system for portable computing devices and data
US9253308B2 (en) 2008-08-12 2016-02-02 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9380415B2 (en) 2008-08-12 2016-06-28 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US8427305B2 (en) * 2008-08-12 2013-04-23 John J. Madsen Global positioning satellite [GPS] based recovery device and risk management system for portable computing devices and data
US9380416B2 (en) 2008-08-12 2016-06-28 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9369836B2 (en) 2008-08-12 2016-06-14 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9369834B2 (en) 2008-08-12 2016-06-14 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US20100188287A1 (en) * 2008-08-12 2010-07-29 Madsen John J Global positioning satellite [GPS] based recovery device and risk management system for portable computing devices and data
US10848330B2 (en) 2009-01-28 2020-11-24 Headwater Research Llc Device-assisted services for protecting network capacity
US10171990B2 (en) 2009-01-28 2019-01-01 Headwater Research Llc Service selection set publishing to device agent with on-device service selection
US9247450B2 (en) 2009-01-28 2016-01-26 Headwater Partners I Llc Quality of service for device assisted services
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US12137004B2 (en) 2009-01-28 2024-11-05 Headwater Research Llc Device group partitions and settlement platform
US9258735B2 (en) 2009-01-28 2016-02-09 Headwater Partners I Llc Device-assisted services for protecting network capacity
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
US9271184B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Wireless end-user device with per-application data limit and traffic control policy list limiting background application traffic
US9277433B2 (en) 2009-01-28 2016-03-01 Headwater Partners I Llc Wireless end-user device with policy-based aggregation of network activity requested by applications
US9277445B2 (en) 2009-01-28 2016-03-01 Headwater Partners I Llc Wireless end-user device with differential traffic control policy list and applying foreground classification to wireless data service
US9319913B2 (en) 2009-01-28 2016-04-19 Headwater Partners I Llc Wireless end-user device with secure network-provided differential traffic control policy list
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US9225797B2 (en) 2009-01-28 2015-12-29 Headwater Partners I Llc System for providing an adaptive wireless ambient service to a mobile device
US9220027B1 (en) 2009-01-28 2015-12-22 Headwater Partners I Llc Wireless end-user device with policy-based controls for WWAN network usage and modem state changes requested by specific applications
US9215613B2 (en) * 2009-01-28 2015-12-15 Headwater Partners I Llc Wireless end-user device with differential traffic control policy list having limited user control
US9215159B2 (en) 2009-01-28 2015-12-15 Headwater Partners I Llc Data usage monitoring for media data services used by applications
US20150223100A1 (en) * 2009-01-28 2015-08-06 Headwater Partners I Llc Device-Assisted Services for Protecting Network Capacity
US9386121B2 (en) 2009-01-28 2016-07-05 Headwater Partners I Llc Method for providing an adaptive wireless ambient service to a mobile device
US9386165B2 (en) 2009-01-28 2016-07-05 Headwater Partners I Llc System and method for providing user notifications
US12101434B2 (en) 2009-01-28 2024-09-24 Headwater Research Llc Device assisted CDR creation, aggregation, mediation and billing
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US11985155B2 (en) 2009-01-28 2024-05-14 Headwater Research Llc Communications device with secure data path processing agents
US9491564B1 (en) 2009-01-28 2016-11-08 Headwater Partners I Llc Mobile device and method with secure network messaging for authorized components
US9491199B2 (en) 2009-01-28 2016-11-08 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US11973804B2 (en) 2009-01-28 2024-04-30 Headwater Research Llc Network service plan design
US11966464B2 (en) 2009-01-28 2024-04-23 Headwater Research Llc Security techniques for device assisted services
US9521578B2 (en) 2009-01-28 2016-12-13 Headwater Partners I Llc Wireless end-user device with application program interface to allow applications to access application-specific aspects of a wireless network access policy
US9532161B2 (en) 2009-01-28 2016-12-27 Headwater Partners I Llc Wireless device with application data flow tagging and network stack-implemented network access policy
US9532261B2 (en) 2009-01-28 2016-12-27 Headwater Partners I Llc System and method for wireless network offloading
US9544397B2 (en) 2009-01-28 2017-01-10 Headwater Partners I Llc Proxy server for providing an adaptive wireless ambient service to a mobile device
US11968234B2 (en) 2009-01-28 2024-04-23 Headwater Research Llc Wireless network service interfaces
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9565543B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Device group partitions and settlement platform
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US9591474B2 (en) 2009-01-28 2017-03-07 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US9609510B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Automated credential porting for mobile devices
US9609544B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Device-assisted services for protecting network capacity
US9609459B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Network tools for analysis, design, testing, and production of services
US9615192B2 (en) 2009-01-28 2017-04-04 Headwater Research Llc Message link server with plural message delivery triggers
US9641957B2 (en) 2009-01-28 2017-05-02 Headwater Research Llc Automated device provisioning and activation
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US11923995B2 (en) 2009-01-28 2024-03-05 Headwater Research Llc Device-assisted services for protecting network capacity
US11757943B2 (en) 2009-01-28 2023-09-12 Headwater Research Llc Automated device provisioning and activation
US9674731B2 (en) 2009-01-28 2017-06-06 Headwater Research Llc Wireless device applying different background data traffic policies to different device applications
US11750477B2 (en) 2009-01-28 2023-09-05 Headwater Research Llc Adaptive ambient services
US11665592B2 (en) 2009-01-28 2023-05-30 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US11665186B2 (en) 2009-01-28 2023-05-30 Headwater Research Llc Communications device with secure data path processing agents
US11589216B2 (en) 2009-01-28 2023-02-21 Headwater Research Llc Service selection set publishing to device agent with on-device service selection
US11582593B2 (en) 2009-01-28 2023-02-14 Head Water Research Llc Adapting network policies based on device service processor configuration
US11570309B2 (en) 2009-01-28 2023-01-31 Headwater Research Llc Service design center for device assisted services
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US9705771B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Attribution of mobile device data traffic to end-user application based on socket flows
US9749899B2 (en) 2009-01-28 2017-08-29 Headwater Research Llc Wireless end-user device with network traffic API to indicate unavailability of roaming wireless connection to background applications
US9749898B2 (en) 2009-01-28 2017-08-29 Headwater Research Llc Wireless end-user device with differential traffic control policy list applicable to one of several wireless modems
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9769207B2 (en) 2009-01-28 2017-09-19 Headwater Research Llc Wireless network service interfaces
US9819808B2 (en) 2009-01-28 2017-11-14 Headwater Research Llc Hierarchical service policies for creating service usage data records for a wireless end-user device
US11563592B2 (en) 2009-01-28 2023-01-24 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US11538106B2 (en) 2009-01-28 2022-12-27 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US9866642B2 (en) 2009-01-28 2018-01-09 Headwater Research Llc Wireless end-user device with wireless modem power state control policy for background applications
US9942796B2 (en) 2009-01-28 2018-04-10 Headwater Research Llc Quality of service for device assisted services
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US9973930B2 (en) 2009-01-28 2018-05-15 Headwater Research Llc End user device that secures an association of application to service policy with an application certificate check
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US11533642B2 (en) 2009-01-28 2022-12-20 Headwater Research Llc Device group partitions and settlement platform
US10028144B2 (en) 2009-01-28 2018-07-17 Headwater Research Llc Security techniques for device assisted services
US10057141B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Proxy system and method for adaptive ambient services
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10064033B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Device group partitions and settlement platform
US10070305B2 (en) 2009-01-28 2018-09-04 Headwater Research Llc Device assisted services install
US10080250B2 (en) 2009-01-28 2018-09-18 Headwater Research Llc Enterprise access control and accounting allocation for access networks
US11516301B2 (en) 2009-01-28 2022-11-29 Headwater Research Llc Enhanced curfew and protection associated with a device group
US10165447B2 (en) 2009-01-28 2018-12-25 Headwater Research Llc Network service plan design
US11494837B2 (en) 2009-01-28 2022-11-08 Headwater Research Llc Virtualized policy and charging system
US10171681B2 (en) 2009-01-28 2019-01-01 Headwater Research Llc Service design center for device assisted services
US11477246B2 (en) 2009-01-28 2022-10-18 Headwater Research Llc Network service plan design
US10171988B2 (en) 2009-01-28 2019-01-01 Headwater Research Llc Adapting network policies based on device service processor configuration
US9232403B2 (en) 2009-01-28 2016-01-05 Headwater Partners I Llc Mobile device with common secure wireless message service serving multiple applications
US11425580B2 (en) 2009-01-28 2022-08-23 Headwater Research Llc System and method for wireless network offloading
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US10237146B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc Adaptive ambient services
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US10237773B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc Device-assisted services for protecting network capacity
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US10320990B2 (en) 2009-01-28 2019-06-11 Headwater Research Llc Device assisted CDR creation, aggregation, mediation and billing
US10321320B2 (en) 2009-01-28 2019-06-11 Headwater Research Llc Wireless network buffered message system
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US10326675B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Flow tagging for service policy implementation
US11412366B2 (en) 2009-01-28 2022-08-09 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US11405224B2 (en) 2009-01-28 2022-08-02 Headwater Research Llc Device-assisted services for protecting network capacity
US11405429B2 (en) 2009-01-28 2022-08-02 Headwater Research Llc Security techniques for device assisted services
US10462627B2 (en) 2009-01-28 2019-10-29 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US10536983B2 (en) 2009-01-28 2020-01-14 Headwater Research Llc Enterprise access control and accounting allocation for access networks
US10582375B2 (en) 2009-01-28 2020-03-03 Headwater Research Llc Device assisted services install
US10681179B2 (en) 2009-01-28 2020-06-09 Headwater Research Llc Enhanced curfew and protection associated with a device group
US10694385B2 (en) 2009-01-28 2020-06-23 Headwater Research Llc Security techniques for device assisted services
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10716006B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc End user device that secures an association of application to service policy with an application certificate check
US10749700B2 (en) 2009-01-28 2020-08-18 Headwater Research Llc Device-assisted services for protecting network capacity
US10771980B2 (en) 2009-01-28 2020-09-08 Headwater Research Llc Communications device with secure data path processing agents
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US10791471B2 (en) 2009-01-28 2020-09-29 Headwater Research Llc System and method for wireless network offloading
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US10798254B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc Service design center for device assisted services
US10798558B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc Adapting network policies based on device service processor configuration
US10803518B2 (en) 2009-01-28 2020-10-13 Headwater Research Llc Virtualized policy and charging system
US11363496B2 (en) 2009-01-28 2022-06-14 Headwater Research Llc Intermediate networking devices
US10834577B2 (en) 2009-01-28 2020-11-10 Headwater Research Llc Service offer set publishing to device agent with on-device service selection
US11337059B2 (en) 2009-01-28 2022-05-17 Headwater Research Llc Device assisted services install
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US11228617B2 (en) 2009-01-28 2022-01-18 Headwater Research Llc Automated device provisioning and activation
US10855559B2 (en) 2009-01-28 2020-12-01 Headwater Research Llc Adaptive ambient services
US10869199B2 (en) 2009-01-28 2020-12-15 Headwater Research Llc Network service plan design
US10985977B2 (en) 2009-01-28 2021-04-20 Headwater Research Llc Quality of service for device assisted services
US11039020B2 (en) 2009-01-28 2021-06-15 Headwater Research Llc Mobile device and service management
US11096055B2 (en) 2009-01-28 2021-08-17 Headwater Research Llc Automated device provisioning and activation
US11134102B2 (en) 2009-01-28 2021-09-28 Headwater Research Llc Verifiable device assisted service usage monitoring with reporting, synchronization, and notification
US11219074B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Enterprise access control and accounting allocation for access networks
US11190545B2 (en) 2009-01-28 2021-11-30 Headwater Research Llc Wireless network service interfaces
US11190427B2 (en) 2009-01-28 2021-11-30 Headwater Research Llc Flow tagging for service policy implementation
US11190645B2 (en) 2009-01-28 2021-11-30 Headwater Research Llc Device assisted CDR creation, aggregation, mediation and billing
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US20110084799A1 (en) * 2009-10-13 2011-04-14 Pitney Bowes Inc. Lock system including an electronic key and a passive lock
US10454762B2 (en) 2011-03-31 2019-10-22 NextPlane, Inc. System and method of processing media traffic for a hub-based system federating disparate unified communications systems
US8904013B2 (en) * 2012-01-26 2014-12-02 Facebook, Inc. Social hotspot
AU2016250450B2 (en) * 2012-01-26 2017-11-23 Facebook, Inc. Social hotspot
US10171474B2 (en) 2012-01-26 2019-01-01 Facebook, Inc. Network access based on social-networking information
US20130198274A1 (en) * 2012-01-26 2013-08-01 Matthew Nicholas Papakipos Social Hotspot
US20130312097A1 (en) * 2012-05-21 2013-11-21 Fortinet, Inc. Detecting malicious resources in a network based upon active client reputation monitoring
US9692782B2 (en) 2012-05-21 2017-06-27 Fortinet, Inc. Detecting malicious resources in a network based upon active client reputation monitoring
US9667647B2 (en) 2012-05-21 2017-05-30 Fortinet, Inc. Detecting malicious resources in a network based upon active client reputation monitoring
US9497212B2 (en) * 2012-05-21 2016-11-15 Fortinet, Inc. Detecting malicious resources in a network based upon active client reputation monitoring
US10009361B2 (en) 2012-05-21 2018-06-26 Fortinet, Inc. Detecting malicious resources in a network based upon active client reputation monitoring
AU2013334718B2 (en) * 2012-10-24 2016-11-24 Facebook, Inc. Network access based on social-networking information
US8856330B2 (en) 2013-03-04 2014-10-07 Fmr Llc System for determining whether to block internet access of a portable system based on its current network configuration
US10171995B2 (en) 2013-03-14 2019-01-01 Headwater Research Llc Automated credential porting for mobile devices
US11743717B2 (en) 2013-03-14 2023-08-29 Headwater Research Llc Automated credential porting for mobile devices
US10834583B2 (en) 2013-03-14 2020-11-10 Headwater Research Llc Automated credential porting for mobile devices
US20140359457A1 (en) * 2013-05-30 2014-12-04 NextPlane, Inc. User portal to a hub-based system federating disparate unified communications systems
US9705840B2 (en) 2013-06-03 2017-07-11 NextPlane, Inc. Automation platform for hub-based system federating disparate unified communications systems
US11283903B2 (en) 2013-08-16 2022-03-22 Fujitsu Limited Demand response event dissemination system and method
US10432753B2 (en) * 2013-08-16 2019-10-01 Fujitsu Limited Demand response event dissemination system and method
US20150052188A1 (en) * 2013-08-16 2015-02-19 Fujitsu Limited Demand response event dissemination system and method
US9226119B2 (en) * 2013-11-20 2015-12-29 Qualcomm Incorporated Using sensor data to provide information for proximally-relevant group communications
US20150141005A1 (en) * 2013-11-20 2015-05-21 Qualcomm Incorporated Using Sensor Data to Provide Information For Proximally-Relevant Group Communications
US20170013008A1 (en) * 2015-07-10 2017-01-12 vThreat, Inc. System and method for simulating network security threats and assessing network security
US10826928B2 (en) * 2015-07-10 2020-11-03 Reliaquest Holdings, Llc System and method for simulating network security threats and assessing network security
US20170171203A1 (en) * 2015-12-14 2017-06-15 International Business Machines Corporation Preventative enterprise change management
US10171505B2 (en) * 2015-12-14 2019-01-01 International Business Machines Corporation Preventative enterprise change management
US11151258B2 (en) 2016-07-18 2021-10-19 Reliaquest Holdings, Llc System and method for identifying network security threats and assessing network security
US10395040B2 (en) 2016-07-18 2019-08-27 vThreat, Inc. System and method for identifying network security threats and assessing network security
US11709945B2 (en) 2016-07-18 2023-07-25 Reliaquest Holdings, Llc System and method for identifying network security threats and assessing network security
CN108764907A (en) * 2018-05-30 2018-11-06 招商银行股份有限公司 Assets method for retrieving, system and computer readable storage medium
US11863588B2 (en) * 2019-08-07 2024-01-02 Cisco Technology, Inc. Dynamically tailored trust for secure application-service networking in an enterprise
US12021834B2 (en) 2021-06-07 2024-06-25 Wells Fargo Bank, N.A. Cumulative sum model for IP deny lists
US11722459B1 (en) * 2021-06-07 2023-08-08 Wells Fargo Bank, N.A. Cumulative sum model for IP deny lists
US12143909B2 (en) 2022-01-03 2024-11-12 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management

Also Published As

Publication number Publication date
WO2006004930A1 (en) 2006-01-12
EP1766928A2 (en) 2007-03-28
WO2006012346A1 (en) 2006-02-02
US7760882B2 (en) 2010-07-20
JP2008504631A (en) 2008-02-14
EP1766927A1 (en) 2007-03-28
US20060023738A1 (en) 2006-02-02
JP2008505400A (en) 2008-02-21
WO2006004784A1 (en) 2006-01-12
JP2008504792A (en) 2008-02-14
US20060075472A1 (en) 2006-04-06
EP1766926A1 (en) 2007-03-28
US20060064588A1 (en) 2006-03-23
WO2006012058A1 (en) 2006-02-02
EP1766931A1 (en) 2007-03-28
US20060072583A1 (en) 2006-04-06
JP2008504630A (en) 2008-02-14
WO2006004785A1 (en) 2006-01-12
US20060075467A1 (en) 2006-04-06
WO2006004786A1 (en) 2006-01-12
WO2006004928A2 (en) 2006-01-12
WO2006004928A3 (en) 2006-05-18

Similar Documents

Publication Publication Date Title
US20060075506A1 (en) Systems and methods for enhanced electronic asset protection
US11950097B2 (en) System and method for controlling mobile device access to a network
US9609460B2 (en) Cloud based mobile device security and policy enforcement
US11880490B2 (en) Context-based access control and revocation for data governance and loss mitigation
US9306976B2 (en) Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer
US9906527B2 (en) Device blocking tool
CA2577504C (en) Secure method of termination of service notification
US20140026179A1 (en) Dynamic user identification and policy enforcement in cloud-based secure web gateways
US20070143408A1 (en) Enterprise to enterprise instant messaging
US8370630B2 (en) Client device, mail system, program, and recording medium
US20080155645A1 (en) Network-implemented method using client&#39;s geographic location to determine protection suite
US20170034208A1 (en) Device blocking tool
US9628480B2 (en) Device blocking tool
Dalwadi Network And Data Security

Legal Events

Date Code Title Description
AS Assignment

Owner name: JAPAN COMMUNICATIONS, INC., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SANDA, FRANK SEIJI;FUKUDA, NAOHISA;LAVES, EDWARD W.;AND OTHERS;REEL/FRAME:017109/0571;SIGNING DATES FROM 20050912 TO 20060119

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION