Organization: Public

WLAN Access Point and Client Station


Drawings

Brief Description:

illustrates an example simplified block diagram of a WLAN Access Point (AP), according to some embodiments

Detailed Description:

Figure 1 illustrates an exemplary block diagram of an access point (AP) 102. It is noted that the block diagram of the AP of Figure 1 is merely one example of a possible system. As shown, the access point 102 may include processor(s) 110 which may execute program instructions for the access point 102. The processor(s) 110 may also be coupled to memory management unit (MMU) 106, which may be configured to receive addresses from the processor(s) 110 and translate those addresses to locations in memory (e.g., memory 104 and read only memory (ROM) 108) or to other circuits or devices.

The access point 102 may include at least one network port 118. The network port 118 may be configured to couple to a wired network and provide a plurality of devices, such as client stations 212, access to the internet. For example, the network port 118 (or an additional network port) may be configured to couple to a local network, such as a home network or an enterprise network. For example, network port 118 may be an Ethernet port. The local network may provide connectivity to additional networks, such as the internet.

The access point 102 may include at least one antenna 116. The at least one antenna 116 may be configured to operate as a wireless transceiver and may be further configured to communicate with client station 212 via wireless communication circuitry 112 (or radio). The antenna 116 communicates with the wireless communication circuitry 112 via communication chain 114. Communication chain 114 may comprise one or more receive chains, one or more transmit chains, or both. The wireless communication circuitry 112 may be configured to communicate via Wi-Fi or WLAN, e.g., 802.11. Any 802.11 protocol may be used, including 802.11a, b, g, n, ac, and ax. The wireless communication circuitry 112 may also, or alternatively, be configured to communicate via various other wireless communication technologies, including, but not limited to, Long-Term Evolution (LTE), LTE Advanced (LTE-A), Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), CDMA2000, etc., for example when the AP is co-located with a base station in the case of a small cell, or in other instances when it may be desirable for the access point 102 to communicate via various different wireless communication technologies.

Brief Description:

illustrates an example simplified block diagram of a client station, according to some embodiments

Detailed Description:

Figure 2 illustrates an example simplified block diagram of a client station 212. According to embodiments, client station 212 may be a user equipment device (UE), a mobile device or wireless station, and/or a wireless device, client station, or wireless station. As shown, the client station 212 may include a system on chip (SOC) 220, which may include portions for various purposes. The SOC 220 may be coupled to various other circuits of the client station 212. For example, the client station 212 may include various types of memory (e.g., including NAND flash memory 214), a connector interface (i/f) 222 (or dock) (e.g., for coupling to a computer system, dock, charging station, etc.), the display 218, cellular communication circuitry 226 such as for LTE, GSM, etc., and short to medium range wireless communication circuitry 224 (e.g., Bluetooth.TM. and WLAN circuitry). The client station 212 may further comprise one or more Universal Integrated Circuit Cards (UICCs) 216 that provide SIM (Subscriber Identity Module) functionality. The cellular communication circuitry 226 may couple to one or more antennas, such as antenna 228 and antenna 230 as shown. The short to medium range wireless communication circuitry 224 may also couple to one or more antennas, such as antenna 232 and antenna 234 as shown. Alternatively, the short to medium range wireless communication circuitry 224 may couple to the antenna 228 and antenna 230 in addition to, or instead of, coupling to the antenna 232 and antenna 234. The short to medium range wireless communication circuitry 224 may comprise multiple receive chains and/or multiple transmit chains for receiving and/or transmitting multiple spatial streams, such as in a multiple-input multiple output (MIMO) configuration.

As shown, the SOC 220 may include processor(s) 208 which may execute program instructions for the client station 212 and display circuitry 210 which may perform graphics processing and provide display signals to the display 218. The processor(s) 208 may also be coupled to memory management unit (MMU) 204, which may be configured to receive addresses from the processor(s) 208 and translate those addresses to locations in memory (e.g., memory 202, read only memory (ROM) 206, NAND flash memory 214) and/or to other circuits or devices, such as the display circuitry 210, cellular communication circuitry 226, short range wireless communication circuitry 224, connector interface (i/f) 222, and/or display 218. The MMU 204 may be configured to perform memory protection and page table translation or set up. In some embodiments, the MMU 204 may be included as a portion of the processor(s) 208.

In some embodiments, the client station 212 may be configured to communicate wirelessly directly with one or more neighboring client stations (see the peer to peer discussion below). The client station 212 may be configured to communicate according to a WLAN radio access technology (RAT) for communication in a WLAN network.

As described herein, the client station 212 may include hardware and software components for implementing the features described herein. For example, the processor 208 of the client station 212 may be configured to implement part or all of the features described herein, e.g., by executing program instructions stored on a memory medium (e.g., a non-transitory computer-readable memory medium). Alternatively (or in addition), processor 208 may be configured as a programmable hardware element, such as an FPGA (Field Programmable Gate Array), or as an ASIC (Application Specific Integrated Circuit). Alternatively (or in addition) the processor 208 of the client station (UE) 212, in conjunction with one or more of the other components 220, 210, 202, 214, 222, 226, 228, 204, 216, 206, 218 may be configured to implement part or all of the features described herein.

In addition, as described herein, processor 208 may be comprised of one or more processing elements. In other words, one or more processing elements may be included in processor 208. Thus, processor 208 may include one or more integrated circuits (ICs) that are configured to perform the functions of processor 208. In addition, each integrated circuit may include circuitry (e.g., first circuitry, second circuitry, etc.) configured to perform the functions of processor 208.

Further, as described herein, cellular communication circuitry 226 and short range wireless communication circuitry 224 may each be comprised of one or more processing elements. In other words, one or more processing elements may be included in cellular communication circuitry 226 and short range wireless communication circuitry 224. Thus, each of cellular communication circuitry 226 and short range wireless communication circuitry 224 may include one or more integrated circuits (ICs) that are configured to perform the functions of cellular communication circuitry 226 and short range wireless communication circuitry 224, respectively. In addition, each integrated circuit may include circuitry (e.g., first circuitry, second circuitry, etc.) configured to perform the functions of cellular communication circuitry 226 and short range wireless communication circuitry 224.

Wi-Fi Peer to Peer Communication Protocol 

In some embodiments, Wi-Fi devices (e.g., client station 212) may be able to communicate with each other in a peer-to-peer manner, i.e., without the communications going through an access point. There are currently two types of Wi-Fi peer to peer networking protocols in the Wi-Fi Alliance. In one type of peer to peer protocol (e.g., Wi-Fi Direct), when two Wi-Fi devices (e.g., client stations) communicate with each other, one of the Wi-Fi devices essentially acts as a pseudo access point and the other acts as a client device. In a second type of Wi-Fi peer to peer protocol, referred to as neighbor awareness networking (NAN), the two Wi-Fi client devices (client stations or wireless stations) act as similar peer devices in communicating with each other, i.e., neither one behaves as an access point.


Parts List

102

access point

104

memory

106

memory management unit (MMU)

108

read only memory (ROM)

110

processor(s)

112

wireless communication circuitry

114

communication chain

116

antenna

118

network port

202

memory

204

memory management unit (MMU)

206

read only memory (ROM)

208

processor(s)

210

display circuitry

212

client station

214

NAND flash memory

216

Universal Integrated Circuit Card(s)

218

display

220

SOC

222

connector interface (i/f)

224

short to medium range wireless communication circuitry

226

cellular communication circuitry

228

antenna

230

antenna

232

antenna

234

antenna


Terms/Definitions

locations

display circuitry

protocol

system

access

peer

WLAN Access Point

base station

two Wi-Fi client devices

communication circuitry

various purposes

couple

case

home network

SOC

connector interface (i/f)

Application Specific Integrated Circuit

WLAN circuitry

mobile

block diagram

client device

dock

other circuits or devices

conjunction

neighbor awareness networking

second type

various different wireless communication technologies

FPGA

possible system

integrated circuit

wireless stations

Wi-Fi Alliance

program instructions

two types

plurality

memory medium

small cell

Long-Term Evolution

network port

Subscriber Identity Module

wireless device

Wi-Fi Peer

memory

WLAN network

memory management unit (MMU)

computer system

one type

connectivity

Wi-Fi devices

features

two Wi-Fi devices

networking protocols

chip (SOC)

wireless station

elements

other words

example

802.11 protocol

NAND flash

Bluetooth.TM

cellular communication circuitry

merely one example

short range

embodiments

exemplary block diagram

peer-to-peer manner

second circuitry

example port

display signals

client stations

Global System

multiple transmit chains

communication

Peer Communication Protocol

access point

enterprise network

multiple spatial streams

various types

addition

other components

functions

processor

client station

user equipment device

various other wireless communication technologies

ASIC

chains

communication chain

3–Client Station Block Diagram

local network

additional networks

WLAN RAT

wireless transceiver

additional network port

MIMO

communications

antenna

display

station

non-transitory computer-readable memory medium

field

WCDMA

part or all

pseudo access point

wired network

read only memory (ROM)

multiple-input multiple output

portions

ethernet port

various other circuits

Gate Array

mobile device

CDMA

Wi-Fi or WLAN

memory protection and page table translation

hardware and software components

first circuitry

LTE Advanced

addresses

radio

internet

circuitry

example simplified block diagram

wireless communication circuitry

short to medium range wireless communication circuitry

Universal Integrated Circuit Card(s)

Wideband Code Division Multiple Access

similar peer devices

devices

other acts

other instances

programmable hardware element

portion

processor(s)

FIG. 2–Access Point Block Diagram

graphics processing

Wireless Audio Output Devices


Drawings

Brief Description:

illustrates an example wireless ear bud case according to some embodiments of the present technology

Detailed Description:

Figure 1 illustrates an example wireless ear bud case 100 according to some embodiments of the present technology. The wireless ear bud case 100 houses a pair of wireless ear buds 104 and connects the wireless ear buds 104 to each other while housed within the wireless ear bud case 100. The wireless ear bud case 100 can include a cover 102 that closes to cover the wireless ear buds within the wireless ear bud case 100, and the wireless ear bud case 100 can include a sensor 108 that detects when the cover 102 of the wireless ear bud case 100 is opened and/or closed. 

The wireless ear bud case 100 also includes a processor 112, memory 116, and a communication interface 114. As explained in greater detail below, the wireless ear buds 104 also include a communication interface, and the wireless ear bud case 100 can be used to create a communication link 110 between the wireless ear buds 104 via the communication interface 114 of the wireless ear bud case 100.

In some embodiments, the communication link 110 is used as a physical (wired) communication link between the wireless ear buds 104 while they are in the case, and a shared secret is exchanged between the wireless ear buds 104 over that link as part of securely coupling them to each other wirelessly. A bad actor who can only reach the ear buds over the air never sees the shared secret and so cannot maliciously couple to either of the wireless ear buds 104 over the air.

The wireless ear bud case 100 includes a battery 118 for re-charging the wireless ear buds 104 and a charging interface 120 for connecting the battery 118 to a power source. The wireless ear bud case 100 can also include an indicator 106 to show a charge status of the wireless ear buds 104 and/or of the wireless ear bud case 100. The wireless ear bud case 100 also can include an input mechanism 122, such as a button. As explained in greater detail below, the input mechanism 122 can be used to communicatively couple together the pair of wireless ear buds 104 housed within the wireless ear bud case 100

Brief Description:

illustrates an example wireless ear bud that can communicatively couple with another wireless ear bud to form a pair of untethered, wireless ear buds according to some embodiments of the present technology

Detailed Description:

Figure 2 illustrates an example wireless ear bud 104 that can communicatively couple with another wireless ear bud to form a pair of untethered, wireless ear buds according to some embodiments of the present technology. The wireless ear bud 104 includes a communication interface 206 used to communicatively couple with another wireless ear bud and to pair with a source device, e.g., a companion communication device that can provide audio data that the wireless ear bud(s) 104 can reproduce as audio signals for a user of the wireless ear bud(s) 104. In some embodiments, a process of pairing the wireless ear bud 104 is initiated when the wireless ear bud 104 is contained within a housing/case, e.g., the wireless ear bud case 100. In some circumstances, once a pairing mode is enabled for the wireless ear bud 104, the wireless ear bud 104 remains in the enabled pairing mode until one or more of the following occurs: (i) the wireless ear bud 104 pairs with a companion communication device, (ii) the pairing mode of the wireless ear bud 104 times out (e.g., the wireless ear bud 104 does not pair with a companion communication device within a fixed time period, such as thirty seconds), (iii) the wireless ear bud 104 and/or another wireless ear bud with which the wireless ear bud 104 is paired is removed from the wireless ear bud case 100, (iv) the wireless ear bud case 100 commands one or both of the wireless ear buds 104 to exit the pairing mode, or (v) the companion communication device commands the wireless ear bud 104 to exit the pairing mode. The wireless ear bud 104 can also include a battery 212 and one or more sensors 202 for detecting a wearing status of the wireless ear bud 104, e.g., when the wireless ear bud 104 is placed in and/or removed from an ear, whether the wireless ear bud 104 is in a user's ear, e.g., an in-ear wearing status, or is not in a user's ear, e.g., an out-of-ear wearing status.

Additionally, the wireless ear bud 104 includes an audio output 204 for converting a received signal, e.g., which can include audio data, into audible sound. The signal can be received from a paired companion communication device (not shown) via the communication interface 206. The wireless ear bud 104 also includes a processor 208 and memory 210. The memory 210 in the wireless ear bud 104 stores firmware for operating the wireless ear bud 104 as well as data for coupling with other wireless ear buds and for pairing the wireless ear bud 104 with companion communication devices. For example, the memory 210 in the wireless ear bud 104 can store a connection history for companion communication devices with which the wireless ear bud 104 has previously paired. The connection history can include data for automatically pairing the wireless ear bud 104 with the companion communication device without having to configure a connection between the wireless ear bud 104 and the companion communication device (e.g., enter a password, exchange shared secrets, etc.). For example, the connection history can include one or more link keys for connecting to a wireless network (e.g., Bluetooth link keys). The memory 210 of the wireless ear bud 104 can also store a MAC address that uniquely identifies the wireless ear bud 104 as well as a paired partner MAC address of another wireless ear bud that has previously coupled with the wireless ear bud 104. The memory 210 also stores instructions that, when executed by the processor 208, cause the wireless ear bud 104 to communicatively couple with another wireless ear bud.
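The case-assisted coupling and the pairing-mode window described above, as an added example that is not part of the original description or any product's firmware. The case delivers a fresh shared secret to both ear buds over the wired link (communication link 110); afterwards an ear bud accepts an over-the-air partner only if that partner proves knowledge of the secret with an HMAC challenge-response bound to both MAC addresses, so a listener in radio range who never saw the wire never passes the check. The exit reasons and the thirty-second timeout follow the list in the text; the message formats, the 16-byte nonce and the MAC binding are assumptions made here.

```python
"""Added example (not the patent's or any product's firmware): a model of
the case-assisted coupling described above. The shared secret only ever
travels over the case's wired link; the over-the-air coupling is an HMAC
challenge-response under that secret. Message formats are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PAIRING_TIMEOUT_S = 30.0  # "a fixed time period, such as thirty seconds"

EXIT_REASONS = {
    "paired_with_companion",  # (i)
    "timeout",                # (ii)
    "removed_from_case",      # (iii)
    "case_command",           # (iv)
    "companion_command",      # (v)
}


class EarBud:
    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.shared_secret: Optional[bytes] = None   # only ever set over the wire
        self.partner_mac: Optional[str] = None       # "paired partner MAC address"
        self.pairing_mode_until: Optional[float] = None

    # ---- wired path: only reachable while docked in the case ----
    def receive_secret_over_case_link(self, secret: bytes) -> None:
        self.shared_secret = secret

    # ---- pairing-mode window ----
    def enter_pairing_mode(self, now: float) -> None:
        self.pairing_mode_until = now + PAIRING_TIMEOUT_S

    def exit_pairing_mode(self, reason: str) -> None:
        if reason not in EXIT_REASONS:
            raise ValueError(f"unknown exit reason {reason!r}")
        self.pairing_mode_until = None

    def in_pairing_mode(self, now: float) -> bool:
        if self.pairing_mode_until is None:
            return False
        if now >= self.pairing_mode_until:
            self.exit_pairing_mode("timeout")    # condition (ii)
            return False
        return True

    # ---- over-the-air path: anyone in radio range can send these ----
    def respond(self, verifier_mac: str, nonce: bytes) -> Optional[bytes]:
        """Prover: HMAC over (prover MAC, verifier MAC, nonce) under the shared secret."""
        if self.shared_secret is None:
            return None                          # never docked with a partner
        msg = f"{self.mac}|{verifier_mac}|".encode() + nonce
        return hmac.new(self.shared_secret, msg, hashlib.sha256).digest()

    def accept_partner(self, prover_mac: str, nonce: bytes,
                       response: Optional[bytes]) -> bool:
        """Verifier: constant-time check; on success record the partner MAC."""
        if self.shared_secret is None or response is None:
            return False
        msg = f"{prover_mac}|{self.mac}|".encode() + nonce
        expected = hmac.new(self.shared_secret, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.partner_mac = prover_mac
        return True


def couple_via_case(bud_a: EarBud, bud_b: EarBud) -> bytes:
    """Case: on the input mechanism, mint a secret and push it over the wire to both buds."""
    secret = secrets.token_bytes(32)
    bud_a.receive_secret_over_case_link(secret)
    bud_b.receive_secret_over_case_link(secret)
    return secret


def couple_over_air(verifier: EarBud, prover: EarBud) -> bool:
    """The over-the-air exchange: fresh challenge, response, verification."""
    nonce = secrets.token_bytes(16)
    return verifier.accept_partner(prover.mac, nonce, prover.respond(verifier.mac, nonce))
```

Binding both MAC addresses into the HMAC input means a response captured from one bud cannot be replayed toward the other, and the fresh nonce means an old response is useless even against the same bud; a rogue device without the wire-delivered secret fails whether it has no secret or a secret of its own.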


Parts List

100

wireless ear bud case

102

cover

104

wireless ear buds

106

indicator

108

sensor

110

communication link

112

processor

114

communication interface

116

memory

118

battery

120

charging interface

122

input mechanism

202

one or more sensors

204

audio output

206

communication interface

208

processor

210

memory

212

battery


Terms/Definitions

wireless ear bud case

audible sound

wearing status

audio data

wireless network

cover

figure

exchange

audio signals

bad actor

user

physical communication link

housing/case

battery

present technology

couple

companion communication device

in-ear wearing status

indicator

one or more link keys

instructions

password

maliciously communicatively coupling

coupling

paired partner MAC address

enabled pairing mode

communicatively couple

source device

bluetooth link keys

pairs

pairing mode

wireless ear bud(s)

out-of-ear wearing status

fixed time period

processor

companion communication devices

example

button

connection

wireless ear bud

MAC address

input mechanism

charge status

memory

thirty seconds

paired companion communication device

signal

process

secrets

greater detail

secure wireless communicative coupling

received signal, e.g.

other wireless ear buds

times

sensor

charging interface

untethered, wireless ear buds

store

pair

stores

circumstances

embodiments

data

audio output

connection history

communication interface

one or more sensors

detects

shared secret

communication link

example wireless ear bud case

wireless ear buds

example wireless ear bud

power source

Transactions CDX Service and Matchmaker Service


Drawings

Brief Description:

Figure 1 illustrates transactions involving one embodiment of a Connection Data Exchange (CDX) service and a matchmaker service.

Detailed Description:

Turning now to Figure 1, in one embodiment, mobile device A 102 and mobile device B 106 may be executing a collaborative application such as a multi-player game or a collaborative chat session which requires a P2P connection with one or more other computing devices. At NAT traversal request 110, mobile device A 102 transmits a CDX Hole-Punch Request to the CDX server 104. The CDX server 104 then responds with the CDX Hole-Punch Data at NAT traversal response 112. In one embodiment, the hole punch data includes the public IP address and port of mobile device A and/or any other data needed to punch a hole through mobile device A's NAT (e.g., NAT type data defining mobile device A's NAT type). Similar transactions are performed for mobile device B at NAT traversal request 116 and NAT traversal response 118, respectively.

 

At match request 116 and match request 120, mobile devices A and B then send match requests including the CDX Hole-Punch Data to the matchmaking service, along with any additional matching criteria (described below). At this stage, mobile devices A and B may begin to construct the Connection Data needed to establish a P2P connection. This may be accomplished, for example, using a transaction such as a standard Interactive Connectivity Establishment ("ICE") transaction (e.g., by a NAT traversal service). However, the underlying principles of the invention are not limited to any particular mechanism for determining Connection Data.

 

In one embodiment, once the matchmaking service 108 has found a set of client devices with matching criteria, it may generate a unique CDX Session ID, a unique CDX Ticket for each member of the CDX Session, and a unique Session Key. In one embodiment, the matchmaking service 108 may encrypt the CDX Hole-Punch Data for the CDX Ticket using a unique CDX ticket key. At Ticket A 122 and Ticket B 124, the matchmaking service then sends each of the mobile devices A and B their CDX Ticket and the Session Key.

 

Mobile device A receives the CDX Ticket and Session Key and encrypts its previously determined Connection Data using the Session Key, producing a Payload. In one embodiment, mobile device A constructs a CDX Request by appending the constructed Payload to the CDX Ticket. At Ticket A with Connection Data 126, mobile device A sends the CDX Request to the CDX server 104. Mobile device B may also perform the same operations and transmit a request to the CDX server at 138.

 

At authenticate Ticket A 128, the CDX server 104 receives the CDX Request and examines the ticket to ensure that it is valid and authentic (e.g., based on the Message Authentication Code 307). If the CDX Ticket is invalid, the request is dropped. In one embodiment, the CDX server then decrypts the CDX Hole-Punch Data contained in the CDX Ticket using the CDX Ticket Key. In one embodiment, the CDX Ticket Key has an expiration time/date which may also be transmitted with the tickets. The CDX service 104 and the matchmaker service 108 can each store two (or more) different CDX ticket keys for encryption/decryption: a first which is currently active and a second which will become active upon reaching the expiration time/date of the first. Upon receiving a ticket, the CDX service 104 can read the expiration time/date to determine which ticket key to use. When a CDX Ticket Key has expired, both the CDX service 104 and the matchmaker service 108 can each generate a new ticket key (which will be the next key to be used after the current ticket key expires). In one embodiment, the CDX service 104 and matchmaker service 108 execute the same key generation algorithm so that the two services always hold matching ticket keys. For example, techniques such as those used for the well-known RSA SecurID authentication mechanism may be used, in which a new authentication code is generated at fixed intervals. In one embodiment, a new CDX ticket key is generated on a daily basis. However, the underlying principles of the invention are not limited to any particular mechanism for generating CDX ticket keys.

 

The same operations could be performed as shown at 136 for mobile device B. The CDX server constructs a CDX Response from the CDX Request and then uses the CDX Hole-Punch Data to send the CDX Response to the participants in the CDX Session (sending to mobile device B at 130 and to mobile device A at 140). 

 

Mobile device B receives the CDX Response 130 from the CDX server. Mobile device B examines the CDX Ticket Stub to ensure that the Session ID matches the Session ID of its own CDX Ticket. Mobile device B may then decrypt the payload using the Session Key, yielding the Connection Data from mobile device A. Mobile device B then uses the Connection Data from mobile device A to begin the process of establishing the P2P session. In one embodiment, this involves standard ICE transactions. However, the underlying principles of the invention are not limited to any particular mechanism for establishing P2P communication.
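The ticket flow described above (matching key derivation on both services, ticket authentication before use, session-key-encrypted connection data that the CDX server only relays, and the peer's session ID check), as an added example that is not the patent's or any product's code. The wire format, the JSON fields, the two-day key window and the encrypt-then-MAC construction over an HMAC-SHA256 keystream (a stand-in for a real AEAD such as AES-GCM) are assumptions made for this example.

```python
"""Added example (not the patent's or any product's code) of the CDX ticket
flow: both services derive the daily ticket key the same way and select it
by the expiration day carried in the ticket; the matchmaker seals each
member's ticket; the CDX server authenticates the ticket before using
anything inside it and relays a payload it cannot read; the peer checks
the session ID before decrypting with the session key. Wire format and the
HMAC-keystream encrypt-then-MAC (standing in for an AEAD) are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict, List, Optional, Tuple

# Constructed; in practice provisioned out of band to the two services only.
MASTER_KEY = b"example-master-secret-shared-by-matchmaker-and-cdx"


def ticket_key_for_day(day: int) -> bytes:
    """Same derivation on both services; 'day' is the ticket's expiration day."""
    return hmac.new(MASTER_KEY, b"cdx-ticket-key|%d" % day, hashlib.sha256).digest()


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the tag also covers the cleartext 'aad' (the ticket stub)."""
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag)


def open_sealed(key: bytes, aad: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag does not verify (never a partial result)."""
    ek, mk = _subkeys(key)
    try:
        raw = base64.urlsafe_b64decode(blob)
    except ValueError:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))


def issue_tickets(members: Dict[str, str], expires: int) -> Tuple[bytes, Dict[str, bytes]]:
    """Matchmaker: one session key per match, one ticket per member. The cleartext
    stub carries session ID and expiry; the sealed part carries the *other*
    members' hole-punch data ('public_ip:port') for the CDX server to relay to."""
    session_id, session_key = secrets.token_hex(8), secrets.token_bytes(32)
    tkey, tickets = ticket_key_for_day(expires), {}
    for m in members:
        stub = json.dumps({"sid": session_id, "member": m, "expires": expires}).encode()
        peers = {p: hp for p, hp in members.items() if p != m}
        tickets[m] = stub + b"\n" + seal(tkey, stub, json.dumps(peers).encode())
    return session_key, tickets


def build_cdx_request(ticket: bytes, session_key: bytes, connection_data: dict) -> bytes:
    """Client: ticket plus its connection data sealed under the session key."""
    stub = ticket.split(b"\n", 1)[0]
    return ticket + b"\n" + seal(session_key, stub, json.dumps(connection_data).encode())


def cdx_process(request: bytes, today: int) -> List[Tuple[str, bytes]]:
    """CDX server: pick the ticket key by expiry (current or next key only), verify
    the ticket, recover the peers' hole-punch data, relay the still-sealed payload.
    Returns [] when the request is dropped."""
    stub, sealed_peers, payload = request.split(b"\n", 2)
    meta = json.loads(stub)
    if meta["expires"] not in (today, today + 1):     # no such active key: drop
        return []
    peers_json = open_sealed(ticket_key_for_day(meta["expires"]), stub, sealed_peers)
    if peers_json is None:                            # forged or altered ticket: drop
        return []
    response = stub + b"\n" + payload                 # ticket stub + unread payload
    return [(addr, response) for addr in json.loads(peers_json).values()]


def client_accept(own_ticket: bytes, session_key: bytes, response: bytes) -> Optional[dict]:
    """Peer: the stub's session ID must match its own ticket before decrypting."""
    stub, payload = response.split(b"\n", 1)
    if json.loads(stub)["sid"] != json.loads(own_ticket.split(b"\n", 1)[0])["sid"]:
        return None
    pt = open_sealed(session_key, stub, payload)
    return None if pt is None else json.loads(pt)
```

Two details worth noting. The server reads the expiration field before it can verify the ticket, which is unavoidable since the field selects the key; limiting it to the two active days means a replayed or tampered ticket can only ever steer the server to a key it already holds, and editing the field breaks the tag because the stub is authenticated as associated data. And the session key never reaches the CDX server, so even a compromised relay learns only the hole-punch addresses it needs to forward, not the peers' connection data.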

 

As mentioned above, in one embodiment, mobile devices A and B establish Hypertext Transfer Protocol Secure ("HTTPS") sessions to communicate with the matchmaker service 108 (e.g., using HTTPS request/response transactions) and establish UDP sockets to communicate with the CDX service. The match requests can include the NAT type and the hole punch data (e.g., the public IP address and port) previously determined for each respective mobile device. In an embodiment which involves a multi-player game, each match request can identify the player on each mobile device (e.g., using a unique player ID code), the game that each user wishes to play, the number of players to participate in the game, and/or other game configuration variables associated with the desired game. By way of example, and not limitation, the game configuration variables associated with a game may include a level of difficulty (e.g., easy, normal, difficult), a user's age (e.g., "under 13"), a sub-region of the game (e.g., "level 2"), and/or a level of player expertise (e.g., expert, beginner, intermediate). As described in detail below, these variables are sometimes referred to as a game "bucket" and are identified using a unique "bucket ID." Each game may include different sets of bucket IDs to identify different game configuration variables.

 

In one embodiment, mobile device B sends acknowledgements 132 and 134. Similarly, mobile device A's acknowledgements are transmitted at 146 and 144. If mobile device A's or B's acknowledgements are not received after a specified period of time, then the Connection Data 130 may be resent to mobile device B 106. Either the CDX service 104 or mobile device A 102 (or both) may initiate the retry.

 

Brief Description:

Figure 2 illustrates transactions involving one embodiment of a matchmaker service, a CDX service and NAT traversal services.

Detailed Description:

 

Figure 2 illustrates a more detailed example in which three different mobile devices 102-122 negotiate for P2P connections using the CDX service 104 and matchmaker service 108. Figure 2 also illustrates two additional services used by the mobile devices 102-122 to establish a connection: a NAT traversal service 206 for determining NAT type and a NAT traversal service 204 for determining the full connection data for each mobile device (e.g., utilizing an ICE connection data transaction). It should be noted, however, that separate services are not required to comply with the underlying principles of the invention. For example, in an alternate embodiment, the NAT traversal functions performed by each of these services 204-206 may be integrated directly within the CDX service 104 and/or matchmaker service 108. Similarly, the functions performed by both NAT traversal services 204-206 may be integrated within a single NAT traversal service. In summary, the specific functional separation shown in Figure 2 is not required for complying with the underlying principles of the invention.

 

Turning now to the specific details of Figure 2, at 214, mobile device A transmits a NAT type request to the NAT traversal service 206. In response, the NAT traversal service 206 may use various known techniques, including implementing a series of transactions, to determine the NAT type used by mobile device A. For example, the NAT traversal service 206 may attempt to open different IP addresses and ports on mobile device A's NAT and communicate with mobile device A through those ports using different IP/port combinations. In this manner, the NAT employed by mobile device A may be classified as one of the NAT types described above (e.g., full cone, restricted cone, port restricted cone, symmetric) or an alternative NAT type. This information may then be provided to mobile device A 102 as illustrated.
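The NAT classification the service performs above, as an added example that is not the patent's code: the classic STUN-style tests (compare the public mapping seen by two server addresses to detect a symmetric NAT, then probe inbound from an address and port the client never contacted to separate full cone, restricted cone and port restricted cone), run against a small NAT simulator so it executes offline. The server addresses and the simulator's behaviour knobs are assumptions made here.

```python
"""Added example, not the patent's code: a classifier for the NAT types the
text lists, run against a NAT simulator that stands in for the network.
Server addresses and the simulator's mapping/filtering knobs are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Addr = Tuple[str, int]

# Constructed addresses for the NAT traversal service. The classic tests need two
# public IPs with two ports each, plus one address the client never sends to.
SERVER_A: Addr = ("198.51.100.1", 3478)
SERVER_A_ALT_PORT: Addr = ("198.51.100.1", 3479)
SERVER_B: Addr = ("198.51.100.2", 3478)
SERVER_C_NEVER_CONTACTED: Addr = ("198.51.100.3", 3478)


@dataclass
class NatModel:
    """One private socket behind a NAT, with mapping and filtering behaviour knobs."""
    public_ip: str = "203.0.113.10"
    mapping: str = "endpoint-independent"    # or "address-and-port-dependent" (symmetric)
    filtering: str = "address-and-port"      # "none" | "address" | "address-and-port"
    next_port: int = 40000
    table: Dict[object, int] = field(default_factory=dict)
    contacted: Set[Addr] = field(default_factory=set)

    def outbound(self, dst: Addr) -> Addr:
        """Send to dst; return the public ip:port the destination observes."""
        key = dst if self.mapping == "address-and-port-dependent" else "any"
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        self.contacted.add(dst)
        return (self.public_ip, self.table[key])

    def inbound_allowed(self, src: Addr, public_port: int) -> bool:
        """Would a packet from src to our public_port reach the private socket?"""
        if public_port not in self.table.values():
            return False                     # no mapping at all: nothing to punch through
        if self.filtering == "none":
            return True
        if self.filtering == "address":
            return any(c[0] == src[0] for c in self.contacted)
        return src in self.contacted


def classify_nat(nat: NatModel) -> str:
    m1 = nat.outbound(SERVER_A)             # test 1: mapping as seen by server A
    m2 = nat.outbound(SERVER_B)             # test 2: mapping as seen by server B
    if m1 != m2:
        return "symmetric"                  # a new mapping per destination
    port = m1[1]
    if nat.inbound_allowed(SERVER_C_NEVER_CONTACTED, port):
        return "full cone"                  # unknown ip and port gets in
    if nat.inbound_allowed(SERVER_A_ALT_PORT, port):
        return "restricted cone"            # known ip, unknown port gets in
    return "port restricted cone"           # only the exact ip:port contacted


def hole_punch_data(nat: NatModel, cdx_server: Addr) -> Addr:
    """What the CDX service reports back: the public ip:port it saw the request from."""
    return nat.outbound(cdx_server)
```

The symmetric case is the one the rest of the flow has to plan for: the mapping the CDX server observes is only valid toward the CDX server itself, so hole-punch data learned from it does not reach a peer, which is why the text also carries the NAT type alongside the address and port. A real implementation uses STUN for these probes; the simulator here only reproduces the observable behaviour.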

 

At 210, mobile device A 102 initiates a NAT traversal request with the CDX service 104. In response, the CDX service 104 can read the public IP address and public port number used for the request and transmits this information back to mobile device A 102. As described above, if a device is behind a NAT, its public port and IP address will be different from its private port and IP address, respectively. Thus, depending on the type of NAT being used, the public IP address and port may be used to “punch a hole” through the NAT device to reach the mobile device

 

At 216, mobile device A 102 transmits a match request 216 to the matchmaker service 108. As described above, in one embodiment, mobile device A communicates to the matchmaker service 108 using Hypertext Transfer Protocol Secure (“HTTPS”) sessions (e.g., using HTTPS request/response transactions). The match request can include the NAT type and the hole punch data (e.g., the public IP address and port) previously determined for mobile device A 102. In an embodiment which involves a multi-player game, the match request can identify the player on mobile device A (e.g., using a unique player ID code), the game that the user wishes to play, the number of players to participate in the game, and/or other game configuration variables associated with the desired game (as previously described with respect to Figure 1). 

 

At 212-220 a set of transactions corresponding to transactions 214-216 are performed for mobile device B 106 and at 222-226 a set of transactions corresponding to transactions 214-216 are performed for mobile device C 122. Thus, following transaction 226, the matchmaker service 108 has received match requests for all three of the mobile devices 102-122. In this specific example, the match requests result in mobile devices 102-122 being matched for a particular collaborative session such as a multi-player game (e.g., the users of these mobile devices may have selected the same game with the same, or similar, sets of variables, thereby resulting in a match by the matchmaker service 108). 

 

The matchmaker service 108 uses the data contained in each of the match requests to generate Ticket A, which it transmits to mobile device A at 228; Ticket B, which it transmits to mobile device B at 230; and Ticket C, which it transmits to mobile device C at 246. Although not shown in Figure 2, the matchmaker service 108 may utilize a push notification service to push Tickets A, B and C to mobile devices A, B, and C, respectively.

 

At 232, mobile device A 102 communicates with NAT traversal service 204 to determine its own connection data. In one embodiment, this can include a standard ICE connection data transaction. As previously mentioned, the Connection Data may include public/private IP address, port and NAT type for mobile device A 102.

 

Mobile device A 102 appends its connection data to Ticket A and, at 244, transmits Ticket A with the Connection Data to the CDX service 104. In one embodiment, the CDX service 104 processes Ticket A as described above and, at 234, transmits the Connection Data (which may be encrypted) to mobile device B 106 and mobile device C 122. For these transactions, the CDX service 104 can utilize the NAT traversal data for mobile devices B and C included with Ticket A

 

At 236-238, a set of transactions corresponding to transactions 232-234 are performed using Ticket B and at 238-240 a set of transactions corresponding to transactions 232-234 are performed for Ticket C. Thus, following transaction 240, Connection Data has been shared between each of the mobile devices 102-122. Using the Connection Data, P2P sessions are established between mobile devices A and B, mobile devices A and C, and mobile devices B and C.

 


Parts List

102  mobile device A
104  CDX service
106  mobile device B
108  matchmaker service
128  authenticate Ticket A
136  authenticate Ticket B
202
204  NAT traversal P2P service
206  NAT traversal service
208  mobile device C
210  nat traversal r/r
212  nat type r/r
214  nat type r/r
216  match request
218  nat traversal r/r
220  match request
222  nat type r/r
224  nat traversal r/r
226  match request
228  Ticket A
230  Ticket B
232  get a conn data
234  device a conn data
236  Ticket B with conn data
238  get c conn data
240  device c conn data
242  get b conn data
244  Ticket A w/ conn data
246  Ticket C
248  device b conn data
250  p2p connections
252  Ticket C w/ conn data



Threat Management System


Drawings

Brief Description:

illustrates an environment for threat management

Detailed Description:

Figure 1 illustrates an environment for threat management. Specifically, Figure 1 depicts a block diagram of a threat management facility 168 providing protection to one or more enterprises, networks, locations, users, businesses, etc. against a variety of threats, a context in which the techniques disclosed herein may usefully be deployed. The threat management facility 168 may be used to protect devices and assets (e.g., IoT devices or other devices) from computer-generated and human-generated threats. For example, a corporation, school, web site, homeowner, network administrator, or other entity may institute and enforce one or more policies that control or prevent certain network users (e.g. employees, residents, users, guests, etc.) from accessing certain types of applications, devices, or resources, generally or in a particular manner. Policies may be created, deployed and managed, for example, through the threat management facility 168, which may update and monitor network devices, users, and assets accordingly.

The threat of malware or other compromise may be present at various points within a network 170 such as laptops, desktops, servers, gateways, communication ports, handheld or mobile devices, IoT devices, and firewalls. In addition to controlling or stopping malicious code, a threat management facility 168 may provide policy management to control devices, applications, or users that might otherwise undermine productivity and network performance within the network 170.

The threat management facility 168 may provide protection to network 170 from computer-based malware, including viruses, spyware, adware, trojans, intrusion, spam, policy abuse, advanced persistent threats, uncontrolled access, and the like. In general, the network 170 may be any networked computer-based infrastructure or the like managed by the threat management facility 168, such as an organization, association, institution, or the like, or a cloud-based facility that is available for subscription by individuals. For example, the network 170 may be a corporate, commercial, educational, governmental, or other network 170, and may include multiple networks, computing resources, and other facilities, may be distributed among more than one geographical location, and may include an administration facility 108, a firewall 110, an appliance 144, a server 136, network devices 132-B, and clients 114-D, such as IoT devices or other devices. It will be understood that any reference herein to a client or client facilities may include the clients 114-D shown in Figure 1 and vice-versa. Further, the recitation of an element number ending with a letter should be understood to refer to a particular instance of the element, and the recitation of an element number without a letter should be understood to refer to any one or more instances of the element. Thus, for example, the recitation of the client 114 should be understood to refer only to the specific instance of the client labeled 114 in Figure 1, while the recitation of the clients 144 should be understood to refer to any one or more instances of the client labeled 114, 116, 118, 128, 126, 130, 120 in Figure 1, unless otherwise specified or made clear from the context.

The threat management facility 168 may include computers, software, or other computing facilities supporting a plurality of functions, such as one or more of a security management facility 102, a policy management facility 146, an update facility 150, a definitions management facility 156, a network access rules facility 106, a remedial action facility 152, a detection techniques facility 148, a testing facility 164, a threat research facility 104, and the like. In embodiments, the threat protection provided by the threat management facility 400 may extend beyond the network boundaries of the network 170 to include clients 128 (or client facilities) that have moved into network connectivity not directly associated with or controlled by the network 170. Threats to client facilities may come from a variety of sources, such as from network threats 154, physical proximity threats 158, a secondary location threat network 162, and the like. Clients 114-D may be protected from threats even when the client 114-D is not directly connected to or in association with the network 170, such as when a client 126-F moves in and out of the network 170, for example when interfacing with an unprotected server 138 through the internet 160, when a client 130 is moving into the secondary location threat network 162 such as interfacing with components that are not protected (e.g., the appliance 166, the server 142, the network devices 122, 124, and the like). 

The threat management facility 168 may use or may be included in an integrated system approach to provide the network 170 with protection from a plurality of threats to device resources in a plurality of locations and network configurations. The threat management facility 168 may also or instead be deployed as a stand-alone solution. For example, some or all of the threat management facility 168 components may be integrated into a server or servers at a remote location, for example in a cloud computing facility. For example, some or all of the threat management facility 168 components may be integrated into a firewall, gateway, or access point within or at the border of the network 170. In some embodiments, the threat management facility 168 may be integrated into a product, such as a third-party product (e.g., through an application programming interface), which may be deployed on endpoints, on remote servers, on internal servers or gateways for a network, or some combination of these.

The security management facility 102 may include a plurality of elements that provide protection from malware to device resources of the network 170 in a variety of ways, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like. The security management facility 102 may include a local software application that provides protection to one or more device resources of the network 402. The security management facility 102 may have the ability to scan client facility files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures. This may include scanning some or all of the files stored on the client facility or accessed by the client facility on a periodic basis, scanning an application when the application is executed, scanning data (e.g., files or other communication) in transit to or from a device, etc. The scanning of applications and files may be performed to detect known or unknown malicious code or unwanted applications.

The security management facility 102 may provide email security and control. The security management facility 102 may also or instead provide for web security and control, such as by helping to detect or block viruses, spyware, malware, unwanted applications, and the like, or by helping to control web browsing activity originating from client devices. In certain embodiments, the security management facility 102 may provide for network access control, which may provide control over network connections. In addition, network access control may control access to virtual private networks (VPN) that provide communications networks tunneled through other networks. The security management facility 102 may provide host intrusion prevention through behavioral based analysis of code, which may guard against known or unknown threats by analyzing behavior before or while code executes. Further, or instead, the security management facility 102 may provide reputation filtering, which may target or identify sources of code.

In embodiments, the security management facility 102 may use wireless characteristics to identify a device on the network 170. For example, the security management facility 102 may determine a reliability index value of any one or more devices (e.g., the servers 142, the clients 144, and combinations thereof) connected via a wireless link to the network 170, for example, an IoT device. Through one or more access points (e.g., the firewall 110) or other sensor (e.g., the appliance 144) in the network 170, the security management facility 102 may monitor RF characteristics of the IoT device to obtain current RF characteristics. The security management facility 102 may compare the current RF characteristics to baseline RF characteristics; when the comparison finds a match between the current RF characteristics and the baseline RF characteristics, adjust the reliability index value to indicate greater reliability; when the comparison finds no match, adjust the reliability index value to indicate lesser reliability; and when the reliability index value exceeds a threshold value, perform an action to reduce a potential threat of the IoT device to the network. This aspect of the security management facility 102 may also take place on the firewall 110 (e.g., an access point) or appliance 144.
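The reliability index described above, as an added illustration that is not the patent's own code: each reading of a wireless device's RF characteristics is compared with a stored baseline, the index moves toward greater reliability on a match and toward lesser reliability on a mismatch, and crossing a threshold triggers a containment action. Feature names, tolerances, step sizes, the threshold and its direction (the index falling below it) are assumptions; the text only says the index is adjusted and compared.

```python
"""Added illustration, not the patent's own code: a reliability index for a
wireless IoT device that moves toward 'more reliable' when the device's
current RF characteristics match a stored baseline and toward 'less reliable'
when they do not, with a threshold that triggers a containment action.
Feature names, tolerances, step sizes and the threshold direction are
assumptions."""
from dataclasses import dataclass, field

# Constructed baseline RF characteristics for one IoT device, as the
# definitions management facility might store them (assumption).
BASELINE = {"rssi_dbm": -58.0, "channel": 6, "tx_rate_mbps": 54.0}
TOLERANCE = {"rssi_dbm": 6.0, "channel": 0, "tx_rate_mbps": 12.0}


def mismatched_features(current, baseline=BASELINE, tolerance=TOLERANCE):
    """Return the baseline features the current reading disagrees with.
    A missing feature counts as a mismatch rather than a silent pass."""
    bad = []
    for name, base in baseline.items():
        value = current.get(name)
        if value is None or abs(value - base) > tolerance[name]:
            bad.append(name)
    return bad


@dataclass
class ReliabilityTracker:
    """Per-device index: higher means more reliable. A mismatch costs more
    than a match earns, so a short run of anomalous readings crosses the
    threshold while a single noisy sample does not."""
    index: float = 0.0
    step_up: float = 1.0
    step_down: float = 3.0
    ceiling: float = 10.0
    threshold: float = -5.0
    history: list = field(default_factory=list)

    def observe(self, current):
        """Compare one reading with the baseline, adjust the index and return
        (index, mismatched_features, action). action is None until the
        index falls below the threshold, then 'isolate_device'."""
        bad = mismatched_features(current)
        if bad:
            self.index -= self.step_down
        else:
            self.index = min(self.ceiling, self.index + self.step_up)
        self.history.append((dict(current), list(bad)))
        action = "isolate_device" if self.index < self.threshold else None
        return self.index, bad, action


# Constructed readings: three normal samples, then a radio that presents the
# device's identity but sits on another channel with a much stronger signal.
SAMPLES = [
    {"rssi_dbm": -57.0, "channel": 6, "tx_rate_mbps": 54.0},
    {"rssi_dbm": -60.0, "channel": 6, "tx_rate_mbps": 48.0},
    {"rssi_dbm": -55.5, "channel": 6, "tx_rate_mbps": 54.0},
    {"rssi_dbm": -41.0, "channel": 11, "tx_rate_mbps": 54.0},
    {"rssi_dbm": -40.0, "channel": 11, "tx_rate_mbps": 54.0},
    {"rssi_dbm": -42.0, "channel": 11, "tx_rate_mbps": 54.0},
]


def run_samples(samples=SAMPLES):
    """Feed the readings through one tracker and return the index after
    each reading plus the first action taken as (reading_number, action),
    or None if the threshold was never crossed."""
    tracker = ReliabilityTracker()
    indexes, first_action = [], None
    for reading in samples:
        index, _bad, action = tracker.observe(reading)
        indexes.append(index)
        if action and first_action is None:
            first_action = (len(indexes), action)
    return indexes, first_action


if __name__ == "__main__":
    print(run_samples())
```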

In general, the security management facility 102 may support overall security of the network 170 using the various techniques described above, optionally as supplemented by updates of malicious code information and so forth for distribution across the network 170.

The administration facility 108 may provide control over the security management facility 102 when updates are performed. Information from the security management facility 102 may also be sent from the enterprise back to a third party, a vendor, or the like, which may lead to improved performance of the threat management facility 168.

The policy management facility 146 of the threat management facility 168 may be configured to take actions, such as to block applications, users, communications, devices, and so on based on determinations made. The policy management facility 146 may employ a set of rules or policies that determine network 170 access permissions for one or more of the clients 144. In some embodiments, a policy database may include a block list, a black list, an allowed list, a white list, or the like, or combinations of the foregoing, that may provide a list of resources internal or external to the network 170 that may or may not be accessed by the clients 144. The policy management facility 146 may also or instead include rule-based filtering of access requests or resource requests, or other suitable techniques for controlling access to resources consistent with a corresponding policy.

In embodiments, the policy management facility 146 may include reliability index thresholds for devices, such as IoT devices. The policy management facility 146 may include policies to permit or deny access, to take remedial action, to issue alerts, and so on based on particular reliability index determinations.

The policy management facility 146 may also or instead provide configuration policies to be used to compare and control the configuration of applications, operating systems, hardware, devices, and the like associated with the network 170. An evolving threat environment may dictate timely updates, and thus the update management facility 150 may also be provided by the threat management facility 168. In addition, the policy management facility 146 may require update management (e.g., as provided by the update facility 150 herein described). In embodiments, the update management facility 150 may provide for patch management or other software updating, version control, and so forth. 

The security facility 102 and policy management facility 146 may push information to the network 170 and/or to a given one or more of the clients 144. The network 170 and/or one or more of the clients 114-F may also or instead request information from the security facility 102 and/or from the policy management facility 146, the servers 136-C, or there may be a combination of pushing and pulling of information. In some embodiments, the policy management facility 146 and the security facility 102 management update modules may work in concert to provide information to the network 170 and/or to one or more of the clients 114 facility for control of applications, devices, users, and so on. 

As threats are identified and characterized, the threat management facility 168 may create updates that may be used to allow the threat management facility 168 to detect and remediate malicious software, unwanted applications, configuration and policy changes, and the like. The definitions management facility 156 may contain threat identification updates, also referred to as definition files. A definition file may be a virus identity file that may include definitions of known or potential malicious code. The virus identity definition files may provide information that may identify malicious code within files, applications, or the like. The definition files may be accessed by the security management facility 102 when scanning files or applications within the client facility for the determination of malicious code that may be within the file or application. The definitions management facility 156 may include a definition for a neural network or other recognition engine. The definitions management facility 156 may provide timely updates of definition files information to the network, client facilities, and the like.

In embodiments, the definitions management facility 156 may include default values or baseline values for RF characteristics of devices, such as IoT devices. For example, the definitions management facility 156 may include a baseline value for particular RF characteristics of a particular IoT device.

The security management facility 102 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per rules and policies of the network 170. By checking outgoing files, the security management facility 102 may be able to discover malicious-code-infected files that were not detected as incoming files.

The threat management facility 168 may provide controlled access to the network 170. For example, the network access rules facility 106 may be responsible for determining if an application running on a given one or more of the clients 144 should be granted access to a requested network resource. In some embodiments, the network access rules facility 106 may verify access rights for one or more of the client facilities to or from the network 170 or may verify access rights of computer facilities to or from external networks. When network access for a client facility is denied, the network access rules facility 106 may send an information file to the client facility (e.g., a command or command file that the remedial action facility 428 may access and take action upon). The network access rules facility 106 may include one or more databases including one or more of a block list, a black list, an allowed list, a white list, a reputation list, an unacceptable network resource database, an acceptable network resource database, a network resource reputation database, or the like. The network access rules facility 106 may incorporate rule evaluation. Rule evaluation may, for example, parse network access requests and apply the parsed information to network access rules. The network access rule facility 106 may also or instead provide updated rules and policies to the network 170.

When a threat or policy violation is detected by the threat management facility 168, the threat management facility 168 may perform or initiate remedial action through the remedial action facility 152. Remedial action may take a variety of forms, such as terminating or modifying an ongoing process or interaction, issuing an alert, sending a warning (e.g., to a client or to the administration facility 108) of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, recording interactions for subsequent evaluation, and so forth. The remedial action may include one or more of blocking some or all requests to a network location or resource, performing a malicious code scan on a device or application, performing a malicious code scan on one or more of the clients 144, quarantining a related application (or files, processes or the like), terminating the application or device, isolating the application or device, moving a process or application code to a sandbox for evaluation, isolating one or more of the clients 144 to a location or status within the network that restricts network access, blocking a network access port from one or more of the clients 144, reporting the application to the administration facility 108, or the like, as well as any combination of the foregoing.

In embodiments, remedial action may be taken based on a reliability index determination based on RF characteristics of a wireless device.

Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 148 may include tools for monitoring the network 170 or managed devices within the network 170. The detection techniques facility 148 may provide functions such as monitoring activity and stored files on computing facilities. Detection techniques, such as scanning a computer’s stored files, may provide the capability of checking files for stored threats, either in the active or passive state. Detection techniques such as streaming file management may be used to check files received at the network 170, a gateway facility, a client facility, and the like.

Verifying that the threat management facility 168 detects threats and violations to established policy may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 164 may allow the administration facility 108 to coordinate the testing of the security configurations of computing facilities of the clients 144 on the network 170. For example, the administration facility 108 may be able to send test files to a set of computing facilities of the clients 144 to test the ability of a given client facility to determine acceptability of the test file. After the test file has been transmitted, a recording facility may record the actions taken by one or more of the clients 144 in reaction to the test file. The recording facility may aggregate the testing information from the clients 144 and report the testing information to the administration facility 108. The administration facility 108 may be able to determine the level of preparedness of the respective clients 144 based on the reported information. Remedial action may be taken for any of the clients 144 as determined by the administration facility 108.

The threat management facility 168 may provide threat protection across the network 170 to devices such as the clients 144, the servers 142, the administration facility 108, the firewall 138, a gateway, one or more of the network devices 148 (e.g., hubs and routers), one or more of the appliances 140 (e.g., a threat management appliance), any number of desktop or mobile users, and the like. As used herein, the term endpoint may refer to any compute instance running on a device that can source data, receive data, evaluate data, buffer data, process data or the like (such as a user’s desktop computer, laptop, IoT device, server, etc.). This may, for example, include any client devices as well as other network devices and the like within the network 170, such as a firewall or gateway (as a data evaluation endpoint computer system), a laptop (as a mobile endpoint computer), a tablet (as a hand-held endpoint computer), a mobile phone, or the like. The term endpoint may also or instead refer to any final or intermediate source or destination for data within a network 170. An endpoint computer security facility 112 may be an application locally loaded onto any corresponding computer platform or computer support component, either for local security functions or for management by the threat management facility 168 or other remote resource, or any combination of these.

The network 170 may include a plurality of client facility computing platforms (e.g., the clients 144) on which the endpoint computer security facility 112 is installed. A client facility computing platform may be a computer system that is able to access a service on another computer, such as one or more of the servers 142, via a network. The endpoint computer security facility 112 may, in corresponding fashion, provide security in any suitable context such as among a plurality of networked applications, for a client facility connecting to an application server facility, for a web browser client facility connecting to a web server facility, for an e-mail client facility retrieving e-mail from an internet 160 service provider’s mail storage servers or web site, and the like, as well as any variations or combinations of the foregoing. As used herein, any one or more of the application server facility, the web server facility, and the mail storage servers should be understood to include one or more of the servers 142.

The network 170 may include one or more of the servers 142, such as application servers, communications servers, file servers, database servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. The servers 142, which may also be referred to as server facilities 142, server facility 142 applications, server facility 142 operating systems, server facility 142 computers, or the like, may be any device(s), application program(s), operating system(s), or combination of the foregoing that accepts client facility connections to service requests from the clients 144. In embodiments, the threat management facility 168 may provide threat protection to server facilities 142 within the network 170 as load conditions and application changes are made. 

The server facilities 142 may include an appliance facility 140, where the appliance facility 140 provides specific services to other devices on the network 170. The server facilities may also include simple appliances utilized across the network 170 infrastructure, such as switches, routers, hubs, gateways, print servers, modems, and the like. These appliances may provide interconnection services within the network 170, and therefore may advance the spread of a threat if not properly protected.

The clients 144 may be protected from threats from within the network 170 using a local or personal firewall, which may be a hardware firewall, software firewall, or a combination thereof, that controls network traffic to and from a client. The local firewall may permit or deny communications based on a security policy. The endpoint computer security facility 112 may additionally protect the firewall 110, which may include hardware or software, in a standalone device or integrated with another network component, that may be configured to permit, deny, or proxy data through the network 170.

The interface between the threat management facility 168 and the network 170, and through the appliance 140 to embedded endpoint computer security facilities, may include a set of tools that may be the same or different for various implementations, and may allow each network administrator to implement custom controls. In embodiments, these controls may include both automatic actions and managed actions. The administration facility 108 may configure policy rules that determine interactions. The administration facility 108 may also establish license management, which in turn may further determine interactions associated with licensed applications. In embodiments, interactions between the threat management facility 168 and the network 170 may provide threat protection to the network 170 by managing the flow of network data into and out of the network 170 through automatic actions that may be configured by the threat management facility 168, for example by action or configuration of the administration facility 108.

The clients 144 within the network 170 may be connected to the network 170 by way of the network devices 132-B, which may be wired devices or wireless facilities. The clients 144 may be mobile wireless facilities and, because of their ability to connect to a wireless network access point, may connect to the internet 160 outside the physical boundary of the network 170, and therefore outside the threat-protected environment of the network 170. Such mobile wireless facilities, if not for the presence of a locally-installed endpoint computer security facility 112, may be exposed to a malware attack or perform actions counter to policies of the network 170. Thus, the endpoint computer security facility 112 may provide local protection against various threats and policy violations. The threat management facility 168 may also or instead be configured to protect the out-of-enterprise facility mobile client facility (e.g., the clients 144) through interactions over the internet 160 (or other network) with the locally-installed endpoint computer security facility 112. Thus, mobile client facilities that are components of the network 170 but temporarily outside connectivity with the network 170 may be provided with the same or similar threat protection and policy control provided to the clients 144 inside the network 170. In addition, mobile client facilities (e.g., the clients 444) may receive the same interactions to and from the threat management facility 168 as client facilities 144 inside the enterprise facility 102, such as by receiving the same or equivalent services via an embedded endpoint computer security facility 112. 

Interactions between the threat management facility 168 and the components of the network 170, including mobile client facility extensions of the network 170, may ultimately be connected through the internet 160 or any other network or combination of networks. Security-related or policy-related downloads and upgrades to the network 170 may be passed from the threat management facility 168 through to components of the network 170 equipped with the endpoint computer security facility 112. In turn, the endpoint computer security facilities 112 of the enterprise facility 102 may upload policy and access requests back across the internet 160 and through to the threat management facility 168. The internet 160, however, is also the path through which threats may be transmitted from their source, and one or more of the endpoint computer security facilities 112 may be configured to protect a device outside the network 170 through locally-deployed protective measures and through suitable interactions with the threat management facility 168.

Thus, if the mobile client facility were to attempt to connect to an unprotected connection point, such as at the secondary location threat network 162 that is not a part of the network 170, the mobile client facility, such as one or more of the clients 144, may be required to request network interactions through the threat management facility 168, where contacting the threat management facility 168 may be performed prior to any other network action. In embodiments, the endpoint computer security facility 112 of the client 144 may manage actions in unprotected network environments, such as when the client facility (e.g., the client 130) is in a secondary location 162, where the endpoint computer security facility 112 may dictate which applications, actions, resources, users, etc. are allowed, blocked, modified, or the like.
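The ordering described above (contact the threat management facility before any other network action, then apply the policy it delivers, with a stricter default at a secondary location) can be expressed as a small decision routine. The following is an added example and not code from the page; the `TMF_HOST` name, the trusted-gateway test, the rule format and the default-deny choice at a secondary location are all assumptions.

```python
"""Endpoint computer security facility: fail-closed decisions off the enterprise network.

Added example, not code from the page. TMF_HOST, the trusted-gateway test, the
rule format and the default-deny ordering are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TMF_HOST = "tmf.example.net"          # assumed address of the threat management facility 168


@dataclass(frozen=True)
class NetworkContext:
    gateway_ip: str
    gateway_verified: bool            # assumed: gateway proved possession of the enterprise key


@dataclass(frozen=True)
class Rule:
    app: str                          # "*" matches any application
    dest: str                         # "*" matches any destination
    action: str                       # "allow", "block" or "modify"


class EndpointSecurityFacility:
    TRUSTED_GATEWAYS = {"10.0.0.1"}   # assumed gateways of network 170

    def __init__(self) -> None:
        self.location = "unknown"
        self.policy: Optional[List[Rule]] = None

    def on_network_change(self, ctx: NetworkContext) -> str:
        """Classify the connection point; any change invalidates the cached policy."""
        trusted = ctx.gateway_verified and ctx.gateway_ip in self.TRUSTED_GATEWAYS
        self.location = "enterprise" if trusted else "secondary"
        self.policy = None               # TMF contact must precede any other network action
        return self.location

    def receive_policy(self, rules: List[Rule]) -> None:
        """Policy delivered by the threat management facility for the current location."""
        self.policy = list(rules)

    def decide(self, app: str, dest: str) -> Tuple[str, str]:
        """Return (action, reason) for an attempted network interaction."""
        if dest == TMF_HOST:
            return "allow", "threat management facility is always reachable"
        if self.policy is None:
            return "block", "no policy for this location yet; contact the TMF first"
        for rule in self.policy:            # first matching rule wins
            if rule.app in ("*", app) and rule.dest in ("*", dest):
                return rule.action, f"rule {rule.app}->{rule.dest}"
        # No matching rule: permissive inside the enterprise, deny at a secondary location.
        if self.location == "enterprise":
            return "allow", "default inside network 170"
        return "block", "default deny at secondary location"
```

Note that a network change clears the cached policy rather than reusing the previous one, so a client that roams from the enterprise to a hotel network cannot carry the more permissive enterprise defaults with it.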

The secondary location threat network 162 may have no endpoint computer security facilities 112 among its components, such as the firewall 140, the server 142, the client 120, the network devices 448C-D (e.g., hubs and routers), and the like. As a result, the components of the secondary location threat network 162 may be exposed to attacks and may become potential sources of threats, as may any mobile enterprise facility clients (e.g., the clients 116-F) that are connected to the secondary location threat network 162. In such instances, these components may unknowingly spread a threat to other devices connected to the network 170.

Some threats do not come directly from the internet 160. For example, one or more physical proximity threats 158 may be deployed on a client device while that device is connected to an unprotected network connection outside the network 170 and, when the client device is subsequently connected to one or more of the clients 144 on the network 170, the device can deploy malware or otherwise pose a threat. In embodiments, the endpoint computer security facility 112 may protect the network 170 against these types of physical proximity threats 158, for instance, through scanning any device prior to allowing data transfers, through security validation certificates, through establishing a safe zone within the network 170 to receive data for evaluation, and the like.

Brief Description:

illustrates a computer system 200 in accordance with one embodiment.

Detailed Description:

Figure 2 illustrates a computer system. In general, the computer system 200 may include a computing device 206 connected to a network 202, for example, through an external device 204. The computing device 206 may be or may include any type of network endpoint or endpoints as described herein such as, for example, the network endpoints described above with reference to Figure 1. For example, the computing device 206 may include a desktop computer workstation. The computing device 206 may also or instead be any suitable device that processes and communicates over the network 202 including, without limitation, a laptop computer, a desktop computer, a personal digital assistant, a tablet, a mobile phone, a television, a set top box, a wearable computer (e.g., watch, jewelry, or clothing), or a home device (e.g., a thermostat or a home appliance controller), to name a few examples. The computing device 206 may also or instead include a server, or it may be disposed on a server.

The computing device 206 may be used for any of the entities described in the threat management environment described above with reference to Figure 1. For example, the computing device 206 may be a server, a client, an enterprise facility, a threat management facility, or any of the other facilities or computing devices described therein. In certain aspects, the computing device 206 may be implemented using hardware (e.g., in a desktop computer), software (e.g., in a virtual machine or the like), or a combination of software and hardware, and the computing device 206 may be a standalone device, a device integrated into another entity or device, a platform distributed across multiple entities, or a virtualized device executing in a virtualization environment.

The network 202 may include any network described above, e.g., data network(s) or internetwork(s) suitable for communicating data and control information among participants in the computer system 200. This may include public networks such as the internet, private networks, and telecommunications networks such as the Public Switched Telephone Network or cellular networks using third generation cellular technology (e.g., 3G or IMT-2000), fourth generation cellular technology (e.g., 4G, LTE, IMT-Advanced, E-UTRA, etc.) or WiMax-Advanced (IEEE 802.16m) and/or other technologies, as well as any of a variety of corporate area, metropolitan area, campus or other local area networks or enterprise networks, along with any switches, routers, hubs, gateways, and the like that might be used to carry data among participants in the computer system 200. The network 202 may also include a combination of data networks, and need not be limited to a strictly public or private network.

The external device 204 may be any computer or other remote resource that connects to the computing device 206 through the network 202. This may include threat management resources such as any of those contemplated above, gateways or other network devices, remote servers or the like containing content requested by the computing device 206, a network storage device or resource, a device hosting malicious content, or any other resource or device that might connect to the computing device 206 through the network 202.

The computing device 206 may include a processor 208, a memory 210, a network interface 212, a data store 214, and one or more input/output interfaces 216. The computing device 206 may further include or be in communication with peripherals 218 and other external input/output interfaces.

The processor 208 may be any processor as described herein, and in general may be capable of processing instructions for execution within the computing device 206 or the computer system 200. The processor 208 may include a single-threaded processor or a multi-threaded processor. The processor 208 may be capable of processing instructions stored in the memory 210 or on the data store 214.

The memory 210 may store information within the computing device 206 or the computer system 200. The memory 210 may include any volatile or non-volatile memory or other computer-readable medium, including without limitation a Random-Access Memory (RAM), a flash memory, a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable PROM (EPROM), registers, and so forth. The memory 210 may store program instructions, program data, executables, and other software and data useful for controlling operation of the computing device 206 and configuring the computing device 206 to perform functions for a user. The memory 210 may include a number of different stages and types for different aspects of operation of the computing device 206. For example, a processor (e.g., the processor 208) may include on-board memory and/or cache for faster access to certain data or instructions, and a separate, main memory or the like may be included to expand memory capacity as desired.

The memory 210 may, in general, include a non-volatile computer readable medium containing computer code that, when executed by the computing device 206, creates an execution environment for a computer program in question (e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of the foregoing, and/or code that performs some or all of the steps set forth in the various flow charts and other algorithmic descriptions set forth herein). While the memory 210 is depicted as a single memory, it will be understood that any number of memories may be usefully incorporated into the computing device 206. For example, a first memory may provide non-volatile storage such as a disk drive for permanent or long-term storage of files and code even when the computing device 206 is powered down. A second memory such as a Random-Access Memory may provide volatile (but higher speed) memory for storing instructions and data for executing processes. A third memory may be used to improve performance by providing even higher speed memory physically adjacent to the processor 208 for registers, caching and so forth.

The network interface 212 may include any hardware and/or software for connecting the computing device 206 in a communicating relationship with other resources through the network 202. This may include remote resources accessible through the internet, as well as local resources available using short range communications protocols using, e.g., physical connections (e.g., ethernet), radio frequency communications (e.g., WiFi), optical communications (e.g., fiber optics, infrared, or the like), ultrasonic communications, or any combination of these or other media that might be used to carry data between the computing device 206 and other devices. The network interface 212 may, for example, include a router, a modem, a network card, an infrared transceiver, a radio frequency (RF) transceiver, a near field communications interface, a radio-frequency identification (RFID) tag reader, or any other data reading or writing resource or the like.

More generally, the network interface 212 may include any combination of hardware and software suitable for coupling the components of the computing device 206 to other computing or communications resources and, thus, may typically include one or more communication channels 222 and be connected to one or more networks (e.g., the network 202). By way of example and not limitation, this may include electronics for wired or wireless transmission of information over the network 202, depending on the needs of a specific implementation. As an example, the communication may be via an ethernet (IEEE 802.3) connection, via a wireless connection operating according to the IEEE 802.11 standard (or any variation thereof), or via any other short or long range wireless networking components or the like. This may include hardware for short range data communications such as bluetooth or an infrared transceiver, which may be used to couple to other local devices, or to connect to a local area network or the like that is in turn coupled to a data network 202 such as the internet. This may also or instead include hardware/software for a WiMax connection or a cellular network connection (using, e.g., CDMA, GSM, LTE, or any other suitable protocol or combination of protocols). The network interface 212 may be included as part of the input/output interface 216 or vice-versa.

The data store 214 may be any internal memory store providing a computer-readable medium such as a disk drive, an optical drive, a magnetic drive, a flash drive, or other device capable of providing mass storage for the computing device 206. The data store 214 may store computer readable instructions, data structures, program modules, and other data for the computing device 206 or the computer system 200 in a non-volatile form for subsequent retrieval and use. For example, the data store 214 may store without limitation one or more of the operating system, application programs, program data, databases, files, and other program modules or other software objects and the like.

The input/output interface 216 may support input from and output to other devices that might couple to the computing device 206. This may, for example, include serial ports (e.g., RS-232 ports), universal serial bus (USB) ports, optical ports, ethernet ports, telephone ports, audio jacks, component audio/video inputs, HDMI ports, and so forth, any of which might be used to form wired connections to other local devices. This may also or instead include an infrared interface, RF interface, magnetic card reader, or other input/output system for coupling in a communicating relationship with other local devices. It will be understood that, while the network interface 212 for network communications is described separately from the input/output interface 216 for local device communications, these two interfaces may be the same, or may share functionality, such as where a USB port is used to attach to a WiFi accessory, or where an ethernet connection is used to couple to a local network attached storage.

A peripheral 218 may include any device used to provide information to or receive information from the computing device 206. This may include human input/output (I/O) devices such as a keyboard, a mouse, a mouse pad, a track ball, a joystick, a microphone, a foot pedal, a camera, a touch screen, a scanner, or other device that might be employed by the user 224 to provide input to the computing device 206. This may also or instead include a display, a speaker, a printer, a projector, a headset or any other audiovisual device for presenting information to a user. The peripheral 218 may also or instead include a digital signal processing device, an actuator, or other device to support control or communication to other devices or components. Other I/O devices suitable for use as a peripheral 218 include haptic devices, three-dimensional rendering systems, augmented-reality displays, magnetic card readers, and so forth. In one aspect, the peripheral 218 may serve as the network interface 212, such as with a USB device configured to provide communications via short range (e.g., bluetooth, WiFi, infrared, RF, or the like) or long range (e.g., cellular data or WiMax) communications protocols. In another aspect, the peripheral 218 may provide a device to augment operation of the computing device 206, such as a global positioning system (GPS) device, a security dongle, or the like. In another aspect, the peripheral may be a storage device such as a flash card, USB drive, or other solid-state device, or an optical drive, a magnetic drive, a disk drive, or other device or combination of devices suitable for bulk storage. More generally, any device or combination of devices suitable for use with the computing device 206 may be used as the peripheral 218 as contemplated herein.

Other hardware 220 may be incorporated into the computing device 206. Examples of the other hardware 220 include a co-processor, a digital signal processing system, a math co-processor, a graphics engine, a video driver, and so forth. The other hardware 220 may also or instead include expanded input/output ports, extra memory, additional drives (e.g., a DVD drive or other accessory), and so forth.

A bus 226 or combination of busses may serve as an electromechanical platform for interconnecting components of the computing device 206, such as the processor 208, the memory 210, the network interface 212, the other hardware 220, the data store 214, and the input/output interface 216. As shown in the figure, each of the components of the computing device 206 may be interconnected using the bus 226 or other communication mechanism for communicating information.

Methods and systems described herein can be realized using the processor 208 of the computer system 200 to execute one or more sequences of instructions contained in the memory 210 to perform predetermined tasks. In embodiments, the computing device 206 may be deployed as a number of parallel processors synchronized to execute code together for improved performance, or the computing device 206 may be realized in a virtualized environment where software on a hypervisor or other virtualization management facility emulates components of the computing device 206 as appropriate to reproduce some or all of the functions of a hardware instantiation of the computing device 206.

Brief Description:

illustrates a threat management system 300 in accordance with one embodiment.

Detailed Description:

Figure 3 illustrates an exemplary threat management system 300 as contemplated herein. In general, the threat management system may include an endpoint 302 (for example, a laptop, or a device such as an IoT device), an access point 304, a server 306, and a threat management facility 308 in communication with one another directly or indirectly through a data network 316, for example, as generally described above. Each of the entities depicted in Figure 3 may, for example, be implemented on one or more computing devices such as the computing device described above with reference to Figure 2.

A number of systems may be distributed across these various components to support threat management, including, for example, a coloring system 310, a key management system 312 and a heartbeat system 314, each of which may include software components executing on any of the foregoing system components, and each of which may communicate with the threat management facility 308 or with an endpoint threat protection agent 318 executing on an endpoint 302, on an access point or a firewall 304, or on a server 306, to support improved threat detection and remediation.

The coloring system 310 may be used to label or `color` software objects for improved tracking and detection of potentially harmful activity. The coloring system 310 may, for example, label files, executables, processes, network communications, data sources and so forth with any suitable label. A variety of techniques may be used to select static and/or dynamic labels for any of these various objects, and to manage the mechanics of applying and propagating coloring information as appropriate. For example, a process may inherit a color from an application that launches the process. Similarly, a file may inherit a color from a device when it is created or opened by the device, and/or a process may inherit a color from a file that the process has opened. More generally, any type of labeling, as well as rules for propagating, inheriting, changing, or otherwise manipulating such labels, may be used by the coloring system 310 as contemplated herein. A color may be, or may be based on, one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. A color of a device may be used in a security policy. A color of a process, a file, a network request, and so on may be based on a color of a device, and that color may be used in a security policy.
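The inheritance rules and the threshold and rate-of-change criteria above can be made concrete with a small label-propagation model. The following is an added example and not code from the page; the `Color`, `Obj` and `ColoringSystem` names, the 0.0 to 1.0 reliability index scale, the two thresholds, the least-trust rule for a process that opens a file, and the maximum tolerated rate of decline are all assumptions chosen for illustration.

```python
"""Coloring system: label objects, propagate labels, and use them in a policy.

Added example, not code from the page. The names, the 0.0-1.0 reliability
index scale, the thresholds and the least-trust inheritance rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Color:
    label: str          # "trusted", "suspect" or "untrusted"
    reliability: float  # assumed scale: 0.0 = no trust .. 1.0 = full trust


@dataclass
class Obj:
    kind: str           # "device", "application", "process" or "file"
    name: str
    color: Color
    history: List[Tuple[float, float]] = field(default_factory=list)  # (time, reliability)


class ColoringSystem:
    UNTRUSTED_BELOW = 0.3    # assumed: index below this colors an object untrusted
    SUSPECT_BELOW = 0.7      # assumed: index below this (but >= 0.3) colors it suspect
    MAX_DROP_PER_SEC = 0.1   # assumed: a faster decline in reliability is itself a signal

    def __init__(self) -> None:
        self.objects: Dict[str, Obj] = {}

    def color_from_index(self, index: float) -> Color:
        if not 0.0 <= index <= 1.0:
            raise ValueError("reliability index must lie in [0, 1]")
        if index < self.UNTRUSTED_BELOW:
            return Color("untrusted", index)
        if index < self.SUSPECT_BELOW:
            return Color("suspect", index)
        return Color("trusted", index)

    def register(self, kind: str, name: str, index: float, t: float = 0.0) -> Obj:
        obj = Obj(kind, name, self.color_from_index(index), [(t, index)])
        self.objects[name] = obj
        return obj

    def update_index(self, name: str, index: float, t: float) -> Obj:
        """A new reliability determination for an existing object, e.g. a device."""
        obj = self.objects[name]
        obj.color = self.color_from_index(index)
        obj.history.append((t, index))
        return obj

    def _inherit(self, kind: str, name: str, parent: Obj) -> Obj:
        # The child starts with the parent's current color and its latest sample only.
        child = Obj(kind, name, parent.color, [parent.history[-1]])
        self.objects[name] = child
        return child

    def launch_process(self, app_name: str, pid: str) -> Obj:
        """A process inherits its color from the application that launches it."""
        return self._inherit("process", pid, self.objects[app_name])

    def create_file(self, device_name: str, path: str) -> Obj:
        """A file created by a device inherits that device's color."""
        return self._inherit("file", path, self.objects[device_name])

    def process_opens_file(self, pid: str, path: str) -> Obj:
        """A process that opens a less trusted file takes the file's color (least-trust rule)."""
        proc, f = self.objects[pid], self.objects[path]
        if f.color.reliability < proc.color.reliability:
            proc.color = f.color
        return proc

    def rate_of_change(self, name: str) -> float:
        """Reliability change per unit time between the last two samples (negative = declining)."""
        h = self.objects[name].history
        if len(h) < 2:
            return 0.0
        (t0, r0), (t1, r1) = h[-2], h[-1]
        return (r1 - r0) / (t1 - t0) if t1 > t0 else 0.0

    def policy_allows(self, name: str, action: str) -> bool:
        """Security policy driven by the color, its threshold and its rate of change."""
        obj = self.objects[name]
        if obj.color.label == "untrusted":
            return False
        if -self.rate_of_change(name) > self.MAX_DROP_PER_SEC:
            return False                 # collapsing reliability: block even if still above threshold
        if obj.color.label == "suspect":
            return action == "read"      # suspect objects may read but not write or connect
        return True
```

The rate-of-change check matters in practice: a device whose index drops from 0.9 to 0.4 within a couple of seconds is blocked outright, while one that drifts to a similar value over a longer window is merely downgraded to the suspect policy.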

The key management system 312 may support management of keys for the endpoint 302 in order to selectively permit or prevent access to content on the endpoint 302 on a file-specific basis, a process-specific basis, an application-specific basis, a user-specific basis, or any other suitable basis in order to prevent data leakage, and in order to support more fine-grained and immediate control over access to content on the endpoint 302 when a security compromise is detected. Thus, for example, if a particular process executing on the endpoint is compromised, or potentially compromised or otherwise under suspicion, keys to that process may be revoked in order to prevent, for example, data leakage or other malicious activity. In embodiments, keys on a device may be revoked based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc.

The heartbeat system 314 may be used to provide periodic or aperiodic information from an endpoint about system health, security, status, etc. A heartbeat may be encrypted or plaintext, or some combination of these, and may be communicated unidirectionally (e.g., from the endpoint 302 to the threat management facility 308) or bidirectionally (e.g., between the endpoint 302 and the server 306, or any other pair of system components) on a useful schedule. Whether or not it is encrypted, a heartbeat that is to be relied on for compromise decisions should be authenticated and carry a monotonically increasing sequence number, since an unauthenticated plaintext heartbeat can be forged or replayed by an attacker to conceal an outage or a compromised device.

In implementations, the access point or firewall 304 may use a heartbeat from the heartbeat system 314 to report a potential or actual compromise of a device based, for example, on a color of the device, or on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. The heartbeat from the access point 304 may be communicated to the server 306 (for example, an administrative server), or directly or indirectly to the threat management facility 308. If the endpoint device 302 has an endpoint threat protection facility 318, the endpoint threat protection facility 318 may be used to investigate the status further or to take remedial measures, again by communication using the secure heartbeat.

In general, these various monitoring and management systems may cooperate to provide improved threat detection and response. For example, the coloring system 310 may be used to evaluate when a particular device is potentially compromised, and a potential threat may be confirmed based on an interrupted heartbeat from the heartbeat system 314 or by information communicated in a heartbeat. The key management system 312 may then be used to revoke keys to a process so that no further files can be opened, deleted or otherwise modified. More generally, the cooperation of these systems enables a wide variety of reactive measures that can improve detection and remediation of potential threats to an endpoint.
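The cooperation between the heartbeat system and the key management system described in the last three paragraphs (an authenticated heartbeat carrying reliability information, a threat confirmed either by that information or by an interrupted heartbeat, and per-process key revocation so that no further files can be opened) is shown end to end below. This is an added example and not code from the page: the HMAC-authenticated JSON heartbeat, the per-process reliability report, the 0.3 threshold, the two-interval deadline and the shared enrollment secret are assumptions, and the SHA-256 counter-mode keystream is a toy stand-in for a real AEAD such as AES-GCM.

```python
"""Heartbeat system feeding the key management system.

Added example, not code from the page. The heartbeat format, the per-process
reliability report, the threshold and the deadline are assumptions; the keystream
is a toy stand-in for a real AEAD (use AES-GCM or ChaCha20-Poly1305 in practice).
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Set, Tuple

Blob = Tuple[bytes, bytes, bytes]   # (nonce, ciphertext, tag)


class KeyManagementSystem:
    """Per-process content keys that can be revoked when a process falls under suspicion."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.revoked: Set[str] = set()

    def issue(self, pid: str) -> bytes:
        self._keys[pid] = os.urandom(32)
        return self._keys[pid]

    def revoke(self, pid: str) -> None:
        self._keys.pop(pid, None)
        self.revoked.add(pid)

    def revoke_all(self) -> None:
        for pid in list(self._keys):
            self.revoke(pid)

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
        # Toy keystream: SHA-256 in counter mode, enough to show key-gated access.
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def seal(self, pid: str, plaintext: bytes) -> Blob:
        key, nonce = self._keys[pid], os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        return nonce, ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()

    def open(self, pid: str, blob: Blob) -> Optional[bytes]:
        """Plaintext, or None when the process has no key (revoked) or the tag fails."""
        key = self._keys.get(pid)
        if key is None:
            return None
        nonce, ct, tag = blob
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            return None
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, nonce, len(ct))))


class HeartbeatSender:
    """Endpoint side: periodic per-process reliability report, authenticated with a shared secret."""

    def __init__(self, endpoint_id: str, secret: bytes) -> None:
        self.endpoint_id, self.secret, self.seq = endpoint_id, secret, 0

    def emit(self, t: float, processes: Dict[str, float]) -> bytes:
        self.seq += 1
        body = json.dumps({"id": self.endpoint_id, "seq": self.seq, "t": t,
                           "processes": processes}, sort_keys=True).encode()
        return body + b"." + hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()


class HeartbeatMonitor:
    """Server side: verifies heartbeats and drives key revocation."""

    def __init__(self, secret: bytes, interval: float, kms: KeyManagementSystem,
                 threshold: float = 0.3) -> None:
        self.secret, self.interval, self.kms, self.threshold = secret, interval, kms, threshold
        self.last_seq, self.last_seen = 0, 0.0

    def receive(self, msg: bytes) -> str:
        body, _, tag = msg.rpartition(b".")
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "bad_auth"                    # forged or tampered heartbeat
        hb = json.loads(body)
        if hb["seq"] <= self.last_seq:
            return "replay"                      # an old heartbeat replayed to mask an outage
        self.last_seq, self.last_seen = hb["seq"], hb["t"]
        suspects = [pid for pid, r in hb["processes"].items() if r < self.threshold]
        for pid in suspects:
            self.kms.revoke(pid)                 # information in the heartbeat confirms the threat
        return "revoked" if suspects else "ok"

    def check_deadline(self, now: float) -> bool:
        """An interrupted heartbeat (more than two intervals late) revokes every key on the device."""
        if now - self.last_seen > 2 * self.interval:
            self.kms.revoke_all()
            return True
        return False
```

Two points of the design are worth noting. Revocation is enforced at the key store rather than by asking the process to stop, so a process that has already been compromised cannot simply ignore the instruction; and the monitor rejects replayed sequence numbers, so an attacker who captured a healthy heartbeat cannot keep replaying it to postpone the deadline.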


Parts List

102

security management facility

104

threat research facility

106

network access rules facility

108

administration facility

110

firewall

112

security facility

114

clients

116

clients

118

clients

120

clients

122

network devices

124

network devices

126

clients

128

clients

130

clients

132

network devices

134

network devices

136

server

138

server

140

firewall

142

server

144

appliance

146

policy management

148

detection techniques

150

updates

152

remedial actions

154

network threats

156

definitions

158

physical proximity threats

160

internet

162

secondary location threat network

164

testing

166

appliance

168

threat management facility

170

network

200

computer system

202

network

204

external device

206

computing device

208

processor

210

memory

212

network interface

214

data store

216

input/output interface

218

peripherals

220

other hardware

222

communication channels

224

user

226

bus

300

threat management system

302

endpoint

304

access point or firewall

306

server

308

threat management facility

310

coloring system

312

key management system

314

heartbeat system

316

data network

318

endpoint threat protection facility


Terms/Definitions

various points

local security functions

list

wireless characteristics

application code

network connectivity

hardware instantiation

interfacing

peripheral

volatile or non-volatile memory

threat research facility

incoming files

e-mail

security dongle

perform actions

malicious content

heartbeat

E-UTRA

reaction

unprotected network environments

other suitable basis

other local area networks

hand-held endpoint computer

data networks

letter

testing facility

load conditions and application changes

stored threats

remote servers

types

local area network

policy management facility

service

allowed list

memory

remedial action

server a

protocol stack

suspicion

computer program

unauthorized users

stand-alone solution

access point

actuator

FIG. 1 and vice-versa

single-threaded processor

update management

remote resources

particular device

virtual machine

potential threats

network

network component

threshold value

guest

strictly public

long range

laptop

application servers, communications servers

applications

permanent or long-term storage

resources

RS-232 ports

data store

definitions

administration facility

black list

magnetic card reader

one or more databases

virus identity file

EPROM

transit

unprotected server

reputation list

embodiments

devices and assets

interactions

information file

mouse

memories

proxy data

particular computing component

software objects

rule evaluation

foregoing

techniques

known or potential malicious code

information

e.g. employees

related application (or files

suitable label

other software updating, version control

functionality

RF characteristics

or other media

executables

threat identification updates

local device communications

path

coupling

policies

camera

hubs and routers

detection techniques facility

connectivity

specific implementation

actual compromise

internal servers or gateways

execution

touch screen

electromechanical platform

ethernet

users

data sources

clients

devices

communication

cloud-based facility

security

checking files

propagating

sources

server

coloring system

appliance

endpoint security and control

network access rule facility

software firewall

transmitted per rules

mouse pad

alerts

mobile wireless facilities

unprotected connection point

hubs

action or configuration

databases

universal serial bus

device

couple

buffer data

element

institution

ways

short range data communications

guests

remedial actions

various monitoring

servers

ethernet connection operating

third generation cellular technology

application-specific basis

definitions management facility

addition

magnetic drive

communications networks

scanning

one or more enterprises

graphics engine

forms

behavioral based analysis

execution environment

virus identity definition files

update management facility

detection and remediation

optical drive

testing information

security policy

switches

operating systems

interconnecting components

network administrator

math co-processor

aperiodic information

improved threat detection and remediation

threats

multiple networks

detection

enterprise networks

other software and data

network resource reputation database

other suitable techniques

overall security

predetermined tasks

aspect

USB drive

respective clients

service requests

endpoint device

RF interface

input

endpoint threat protection agent

particular reliability index determinations

web site

patch management

computer facilities

desktops

particular instance

security validation certificates

digital signal processing device

test files

policy control

reputation filtering

data structures

second memory

malicious code

hardware and/or software

Other I/O devices

file-specific basis

certain embodiments

other communication

ethernet connection

neural network

wide variety

even higher speed memory

definition

block list

label files

license management

terminating

behavior

modems

storage device

improved tracking and detection

network connections

mobile users

home appliance controller

gateways

infrared

track ball

persistent threats

flash memory

reference

client facility connections

threat management environment

mass storage

management update modules

Erasable PROM

policy violations

data

non-compliant computers

near field communications interface

wireless device

user

USB port

file servers

input/output interface

other devices

other solid-state device

secondary location

passive state

bus

appliance 140B

hypervisor

uncontrolled access

level

appliances

secondary location threat network

part

configuration and policy changes

process data

instance

security-related or policy-related downloads

telecommunications networks

locally-deployed protective measures

potential threat

laptop computer

router

scanning data

client facility

network data

improved performance

functions

bluetooth

certain actions

preparedness

comparison

faster access

fourth generation cellular technology

hardware and software

e-mail client facility

unknown malicious code

potentially harmful activity

computing facilities

other communication mechanism

two interfaces

sandbox

fiber optics

limitation

code

one or more instances

other technologies

disk drive

expanded input/output ports

management systems

one or more reliability index thresholds

desktop computer

storage

outgoing files

spread

endpoint computer security facility

computer’s

other computing

network boundaries

locally-installed endpoint computer security facility

similar threat protection

television

wearable computer

viruses

exemplary threat management system

application program(s)

foot pedal

suitable device

computing resources

one or more networks

radio frequency (RF) transceiver

hardware/software

system

non-volatile form

appliance 140A

outgoing file

local resources

monitoring activity

program instructions

service provider’s

communicating relationship

malware

facilities

remote location

application programming interface

non-volatile storage

other pair

various flow charts

policy and access requests

file

various implementations

fashion

process-specific basis

one or more policies

evaluation

peripherals

color

determination

client labeled

trojans

heartbeat system

other malicious activity

single memory

serial ports

other network or combination

greater reliability

steps set

exemplary computer system

intermediate source

web browser client facility

virtualized device

program modules

computer-readable medium

WiFi accessory

controls

database servers

security facility

radio-frequency identification

virtual private networks

given client facility

parallel processors

security configurations

product

ability

key management system

client facility computing platform

spam

out-of-enterprise facility mobile client facility

Public Switched Telephone Network

haptic devices

endpoint computer security facilities

IMT-Advanced

rules or policies

threats and violations

networking components

distribution

other compromise

rules

data leakage

threat or policy violation

client device

malicious software

other sensor

update facility

software

network communications

general

plurality

access permissions

malicious code scan

certain applications and files

infrared interface

ports

reported information

configuration policies

optical communications

place

server facility

network interface

malware attack

certain data or instructions

combinations

cooperation

input/output devices

Random-Access Memory

mail servers

handheld or mobile devices

application

network traffic

remedial action facility

recording facility

processes and communicates

unacceptable network resource database

headset

operating system(s)

IoT devices

policy rules

cloud computing facility

mobile client facilities

threat

subsequent retrieval and use

tablet

its components

subscription

digital signal processing system

client facilities

cellular data

change

files or applications

files

definition file

augmented-reality displays

fax servers

plaintext

reliability index value

IoT device

IEEE 802.16m

internal memory store

external networks

various threats

particular manner

client

custom controls

components

WiMax connection

user’s

other local devices

third memory

data transfers

device resources

one or more devices

location or status

rate

detection techniques

data evaluation endpoint computer system

improved threat detection and response

hardware or software

computing device

bulk storage

microphone

magnetic card readers

constitutes processor firmware

simple appliances

physical proximity threats

communication ports

test file

other audiovisual device

computer code

one or more computing devices

network access

their source

flash card

caching

controlled access

multi-threaded processor

standalone device

local software application

resource requests

network endpoints

evolving threat environment

electronics

modem

more fine-grained and immediate control

computing devices

device hosting

private network

thermostat

presence

appropriate

component audio/video inputs

lesser reliability

further the status

other data reading

email security and control

different stages and types

contemplated herein

networked computer-based infrastructure

CDMA

automatic actions

web security and control

border

locations and network configurations

system components

wired or wireless transmission

threat management appliance

physical boundary

third party

warning

entity or device

threat or violation

application or device

other recognition engine

type

enterprise

radio frequency communications

joystick

physical connection

rule-based filtering

read

ultrasonic communications

local network

intrusion

other resource or device

other remote resource

more than one geographical locations

useful schedule

management

access rights

memory capacity

specific instance

keyboard

user-specific basis

instructions

unprotected network connection

network request

baseline RF characteristics

additional drives

platforms

short range

subsequent evaluation

busses

RFID

locations

USB device

human input/output

writing resource

dynamic labels

network endpoint or endpoints

file or application

ongoing process

metropolitan area

scanner

executables, processes, network communications

such labels

firewall

parsed information

higher speed

corporate area

physical connections

video driver

wireless facilities

result

particular IoT device

acceptable network resource database

other input/output system

various objects

ethernet ports

threat management system

white list

mobile client facility

one aspect

destination

malicious code information

endpoint threat protection facility

network devices

network access rules facility

integrated system approach

third-party product

number

other computer-readable medium

figure

output

context

entities

personal digital assistant

systems

other device

device or combination

record interactions

WiMax

mechanics

such mobile wireless facilities

combination

interaction

block diagram

recitation

interface

external device

like, or combinations

foregoing, and/or code

other accessory

other network action

laptops

firewalls

computer system

command or command file

watch

display

policy database

other hardware

testing

remedial measures

device or application

such instances

control

access

variations or combinations

other program modules

determinations

suitable context

periodic basis

device(s)

mobile enterprise facility clients

timely updates

acceptability

infrastructure

gateway facility

licensed applications

mobile phone

limitation one or more

print servers

desktop computer workstation

registers

vice-versa

other facilities

mail storage servers

processes

particular RF characteristics

or computer system

processor

computer-generated and human-generated threats

web servers

other external input/output devices

IEEE 802.11 standard

instructions and data

policy abuse

client or client facilities

turn

computer-based malware

corporation

local protection

audio jacks

on-board memory

potential sources

jewelry

safe zone

process

reliability index determination

server or servers

certain network users

first memory

content

action

parse network access requests

public networks

endpoint

streaming file management

variation

other security measures

specific services

unwanted applications

telephone ports

threat management facility

other device or combination

element number

organization

WiMax-Advanced

businesses

term endpoint

status

other resources

protection

updates

reliability index thresholds

other data

hardware

interconnection services

other software objects

various techniques

computer

actions

virtualization environment

host intrusion prevention

security compromise

variety

clothing

labeling

participants

network storage device or resource

network devices, users

embedded endpoint computer security facility

one or more sequences

implementations

database management system

requested network resource

wireless network access point

infrared transceiver

optical ports

client devices

definition files information

platform

network card

endpoints

operation

environment

suitable interactions

network location or resource

default values

extra memory

facility

PROM

reputation-based filtering

baseline value

mobile endpoint computer

local firewall

private networks

software and hardware

server facilities

homeowner

one or more input/output devices

printer

other network

computers

baseline values

threat attacks

web browsing activity

networks

tools

non-volatile computer

access point or firewall

network interactions

certain aspects

one or more device resources

needs

interrupted heartbeat

operating system

concert

like

spyware

elements

data and control information

example

match

software components

projector

web server facility

equivalent services

other networks

foregoing system components

coloring information

threat-protected environment

program data

processing instructions

flash drive

program

stored files

assets

cellular network connection

upgrades

data network(s) or internetwork(s)

threat management

performs

flow

same interactions

adware

policy management

communications resources

internet

managed actions

multiple entities

certain types

school

cellular networks

access rules

co-processor

threat protection

residents

data network

access requests

virtualized environment

applications, devices, users

Programmable Read-only Memory

system health

WiFi

vendor

enterprise facility

productivity and network performance

speaker

global positioning system

mobile client facility extensions

further files

individuals

personal firewall

hardware firewall

particular process

different aspects

protocols

appliance facility

reactive measures

security management facility

examples

network access control

three-dimensional rendering systems

game servers

home device

compute instance

routers

like containing content

DVD drive

system level

updated rules

files and code

current RF characteristics

other suitable protocol or combination

definition files

short range communications

corresponding policy

association

administrative server

capability

client facility files

gateway

unknown threats

connections

communications

question

other entity

wireless link

other devices or components

other algorithmic descriptions

one or more physical proximity threats

keys

medium

various components

performance

application programs

other network devices

application server facility

configuration

other virtualization management facility

networked applications

other computing facilities

meeting

campus

network access port

applications and files

firewall or gateway

threat management resources

proxy servers

one or more reliability index values

corresponding computer platform or computer support component

separate, main memory

established policy

network threats

Targeted Scanning to Verify Security Certificates


Drawings

Brief Description:

Figure 1 illustrates a simplified block diagram of a communication system for providing rate adaptation in adaptive streaming environments in accordance with one embodiment of the present disclosure

Detailed Description:

Turning to Figure 1, Figure 1 is a simplified block diagram of a communication system 100 configured for providing rate adaptation for a plurality of HAS client(s) in accordance with one embodiment of the present disclosure. Communication system 100 may include a plurality of servers 102, a media storage 106, a network 108, a transcoder 104, a plurality of HAS client(s) 112, and a plurality of intermediate nodes 110. Note that the originating video source may be a transcoder that takes a single encoded source and "transcodes" it into multiple rates, or it could be a "primary" encoder that takes an original non-encoded video source and directly produces the multiple rates. Therefore, it should be understood that transcoder 104 is representative of any type of multi-rate encoder, transcoder, etc.

Servers 102 are configured to deliver requested content to HAS client(s) 112. The content may include any suitable information and/or data that can propagate in the network (e.g., video, audio, media, any type of streaming information, etc.). Certain content may be stored in media storage 106, which can be located anywhere in the network. Media storage 106 may be a part of any web server, logically connected to one of servers 102, suitably accessed using network 108, etc. In general, communication system 100 can be configured to provide downloading and streaming capabilities associated with various data services. Communication system 100 can also offer the ability to manage content for mixed-media offerings, which may combine video, audio, games, applications, channels, and programs into digital media bundles

In accordance with the techniques of the present disclosure, the architecture of Figure 1 can provide a new rate adaptation framework that includes several significant mechanisms. First, the architecture can use an algorithm to adjust a flow's average throughput to match the available bandwidth. Second, the architecture can fine-tune the intervals between consecutive segment downloads. Additionally, the framework can offer an enhancement (via a new time discount addition) to an additive-increase/multiplicative-decrease (AIMD) equation, as detailed below. It can also make use of the fine-tuned interval between consecutive segment downloads, where the rate adaptation achieves weighted bandwidth sharing regardless of the underlying transport protocol's (e.g., TCP, SCTP, MP-TCP, etc.) behavior

In certain example embodiments, the proposed rate adaptation algorithm can effectively mitigate the frequent rate shift (e.g., rate oscillation) problems commonly experienced by typical HAS client(s), especially when multiple HAS client(s) compete for bandwidth at one or more network bottleneck links. Typical HAS client(s) simply rely on the underlying TCP's bandwidth sharing behavior to choose a bitrate. By contrast, the framework discussed herein is able to decouple the bitrate selection from its underlying TCP's bandwidth sharing behavior. Many existing HAS client(s) implement a symmetric rate upshift/downshift. Embodiments of the present disclosure are able to achieve downshifts more responsively than upshifts

One significant aspect of example embodiments of the present disclosure includes an algorithm for proactively probing for available network bandwidth by requesting higher-bitrate video segments. In addition, certain embodiments of the present disclosure can apply to both the streaming of stored and live contents. Additionally, in implementing the probe-adapt principle and the fine-tuning of inter-request intervals, certain embodiments of the present disclosure can achieve both high video rates and excellent video rate stability

Before detailing these activities in more explicit terms, it is important to understand some of the bandwidth challenges encountered in a network that includes HAS client(s). The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Adaptive streaming video systems make use of multi-rate video encoding and an elastic IP transport protocol suite (typically hypertext transfer protocol/transmission control protocol/Internet protocol (HTTP/TCP/IP), but could include other transports such as HTTP/SPDY/IP, etc.) to deliver high-quality streaming video to a multitude of simultaneous users under widely varying network conditions. These systems are typically employed for “over-the-top” video services, which accommodate varying quality of service over network paths

In adaptive streaming, the source video is encoded such that the same content is available for streaming at a number of different rates (this can be via either multi-rate coding, such as H.264 AVC, or layered coding, such as H.264 SVC). The video can be divided into "chunks" of one or more group-of-pictures (GOP) (e.g., typically two (2) to ten (10) seconds in length). HAS client(s) can access chunks stored on servers (or produced in near real-time for live streaming) using a web paradigm (e.g., HTTP GET operations over a TCP/IP transport), and they depend on the reliability, congestion control, and flow control features of TCP/IP for data delivery. HAS client(s) can indirectly observe the performance of the fetch operations by monitoring the delivery rate and/or the fill level of their buffers and, further, either upshift to a higher encoding rate to obtain better quality when bandwidth is available, or downshift in order to avoid buffer underruns and the consequent video stalls when available bandwidth decreases, or stay at the same rate if available bandwidth does not change. Compared to inelastic systems such as classic cable TV or broadcast services, adaptive streaming systems use significantly larger amounts of buffering to absorb the effects of varying bandwidth from the network

In a typical scenario, HAS client(s) would fetch content from a network server in segments. Each segment can contain a portion of a program, typically comprising a few seconds of program content. [Note that the terms `segment` and `chunk` are used interchangeably in this disclosure.] For each portion of the program, there are different segments available with higher and with lower encoding bitrates: segments at the higher encoding rates require more storage and more transmission bandwidth than the segments at the lower encoding rates. HAS client(s) adapt to changing network conditions by selecting higher or lower encoding rates for each segment requested, requesting segments from the higher encoding rates when more network bandwidth is available (and/or the client buffer is close to full), and requesting segments from the lower encoding rates when less network bandwidth is available (and/or the client buffer is close to empty).

With most adaptive streaming technologies, it is common practice to have every segment represent the same, or very nearly the same, interval of program time. For example, in the case of one streaming protocol, it is common practice to have every segment (referred to as a `fragment`) of a program represent almost exactly 2 seconds worth of content for the program. With HTTP Live Streaming (HLS), it is quite common practice to have every segment of a program represent almost exactly 10 seconds worth of content. Although it is also possible to encode segments with different durations (e.g., using 6-second segments for HLS instead of 10-second segments), even when this is done, it is nevertheless common practice to keep all segments within a program at the same duration

Brief Description:

Figure 2 illustrates a simplified block diagram of a possible adaptive streaming scenario

Detailed Description:

Turning to Figure 2, Figure 2 is a simplified block diagram illustrating an environment 200 for providing adaptive video streaming over HTTP. This particular system can include a media player, a client buffer, multiple service providers, multiple content providers, and a network over which content can be exchanged. A client can download the segments in any order using plain HTTP GETs, measure the available bandwidth based on the download history, and select the video bitrate of the next segment on-the-fly. Typically, tens of seconds of downloaded video segments are buffered at the client to absorb unexpected bandwidth fluctuation. A viable rate adaptation algorithm should generally yield a high average video quality, a low variation of video quality, and offer a low chance of video playout stall caused by buffer underruns

Certain embodiments of the present disclosure can provide a new rate adaptation algorithm for adaptive streaming that achieves several potential benefits. First, typical HAS client(s) estimate the available bandwidth by equating it to the measured throughput of downloading the previous several segments (i.e., historical data, which is inclusive of any information associated with previous media activity). When two or more HAS client(s) compete for bandwidth at some network bottleneck link, this turns out to be an inappropriate way of estimating bandwidth and, further, doing so results in frequent shifts and oscillations of the video bitrate requested. Example embodiments of the present disclosure can offer a new rate adaptation algorithm to solve these (and potentially other) problems. The HAS client(s) implementing such an approach would not suffer from the rate shifts/oscillation when they compete for bandwidth at network bottleneck links

Second, when competing for bandwidth at a network bottleneck link, typical HAS client(s) rely on their underlying TCPs' bandwidth sharing behavior. This may sometimes be undesirable. For example, the resulting bitrate may be unfairly biased against clients with long Round-Trip Times (RTTs). As another example, when a High-Definition (HD) video stream shares bandwidth with a Standard Definition (SD) stream, the HD stream should purposely have access to more bitrate. Certain embodiments of the present disclosure are able to decouple the stream bitrate selection behavior from the underlying TCP's. This can enable any number of application scenarios including, but not limited to, the examples described herein.

Third, in adaptive streaming scenarios, the objective of avoiding video playout stall is generally associated with the responsiveness of downshifting, but not upshifting. Stated in different terms, there is an asymmetry between the two. Therefore, it is desirable to have an asymmetric rate shift behavior, where the downshift ought to be more responsive (or more aggressive in reducing its bandwidth use than the upshift is in increasing it) than the upshift. Certain embodiments of the present disclosure are able to achieve this property. It should also be noted that in certain example implementations, the activities outlined herein can be accommodated entirely by a client-side modification to current HAS solutions, and they would not require changes to the network, to the server, etc.

Brief Description:

Figure 3 illustrates a simplified block diagram illustrating possible example details associated with one embodiment of the present disclosure

Detailed Description:

Turning to Figure 3, Figure 3 is a simplified block diagram illustrating one possible set of details associated with communication system 100. This particular configuration includes HAS client(s) 112 being provisioned with a buffer 302, a processor 304, a memory 306, a rate control function 308, and a target delay controller 310. Buffer 302 can be configured to buffer content received at a receiver (e.g., HAS client(s) 112). Rate control function 308 can be configured to monitor buffer 302 and determine a status of buffer 302. Target delay controller 310 can be configured to monitor the state of the content stream that the receiver (e.g., HAS client(s) 112) is receiving.

In operation, the elements of HAS client(s) 112 can provide a rate adaptation algorithm that incorporates an additive-increase/multiplicative-decrease (AIMD) mechanism to gradually adjust the average throughput to match the available bandwidth. It should be noted that the AIMD algorithm does not directly adjust the (discrete) video bitrate; instead, it adjusts the average throughput used, which is equal to the segment size divided by the time interval between the beginning of downloading the current segment and the beginning of downloading the next segment. In addition, it should be noted that, in using such a framework, congestion would be inferred by the reduction of segment downloading throughput (or equivalently, the increase in segment downloading duration). By contrast, in comparable systems, congestion is generally inferred by packet losses. Additionally, the mechanisms of HAS client(s) 112 can fine-tune the interval between consecutive video segment downloads (e.g., using a proportional-integral (PI) controller, which is represented by target delay controller 310 in Figure 3).

In at least one example, a controller is used for determining the interval between consecutive segment downloads. For example, a proportional-integral controller (PI controller) (associated with control theory) is a special case of a PID controller in which the derivative (D) of the error is not used. Hence, a PI controller would be an optional module for scheduling the segment downloading. Other controllers could also be used without departing from the scope of the present disclosure. Note that any such controller is entirely optional and, accordingly, certain embodiments do not make use of this controller in order to achieve the operations discussed herein. The following equation can be part of such an implementation

$\hat{T}[n] = \dfrac{r[n]\,\tau}{\hat{x}[n]} + \beta\,\bigl(B[n-1] - B_0\bigr)$

This equation is reflected in 408 of Figure 4. In this instance, beta is a positive real number that controls the convergence rate of the buffer B[n-1] towards the reference buffer B_0. Additionally, the notation of the equations discussed herein is defined as follows:

x_hat[n]: the target average throughput at downloading cycle n.

x_tilde[n]: the measured downloading throughput of segment n, defined as the segment's data size divided by the segment downloading duration (excluding the off interval between downloads).

T[n]: the actual inter-download time of cycle n (i.e., the interval between the beginning of downloading segment n and the beginning of downloading segment n+1).

k: the convergence rate in the AIMD algorithm.

tau (Greek letter τ): the nominal duration of each segment.

w: the AI weight in AIMD.

T_hat[n]: the target inter-download time of cycle n, which may be less than or equal to T[n].

B[n]: the duration of video buffered at the client (in video seconds).

K_P: the proportional gain in the PI controller.

K_I: the integral gain in the PI controller.

B_0: the reference buffer duration that the client tries to maintain.

Separately, the framework of HAS client(s) 112 makes use of the additional degree of freedom introduced by the fine-tuning of the download interval to achieve a weighted bandwidth sharing among HAS client(s) that are competing for bandwidth at some bottleneck link (regardless of the fair or unfair sharing of the clients' underlying TCP behaviors). Intuitively, a HAS client with less bandwidth (for the same video bitrate) would have a longer download interval and vice versa. Additional details associated with these activities are discussed below with reference to several equations, scenarios, and activities that are illustrative of at least some of the embodiments of the present disclosure
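The inter-download interval equation and the buffer dynamics it drives, as an added simulation that is not part of the disclosure: T_hat[n] is computed from the segment bitrate r[n], the nominal duration tau, the target throughput x_hat[n] and the buffer deviation B[n-1] - B_0, and the buffer is advanced one cycle at a time. The bitrate ladder, the concrete AIMD step for x_hat (decrease when the measured throughput falls below the target, additive increase otherwise) and all parameter values are assumptions chosen for illustration.

```python
"""Simulation of the target inter-download interval (added example, not the
disclosure's own code). Equation used: T_hat[n] = r[n]*tau / x_hat[n] + beta*(B[n-1] - B_0)."""
from dataclasses import dataclass

# Constructed bitrate ladder in bits per second (assumption, not from the disclosure).
LADDER_BPS = (500_000, 1_000_000, 2_000_000, 4_000_000)


@dataclass
class Params:
    tau: float = 2.0       # nominal segment duration (video seconds)
    b0: float = 20.0       # reference buffer duration B_0 (video seconds)
    beta: float = 0.5      # positive real; convergence rate of B[n-1] toward B_0
    w: float = 200_000.0   # AI weight: additive increase of x_hat per cycle, bit/s (assumed value)
    k: float = 0.5         # multiplicative-decrease factor on inferred congestion (assumed value)


def target_interval(r_n: float, x_hat_n: float, b_prev: float, p: Params) -> float:
    """T_hat[n]: r_n*tau is the segment size in bits; dividing by the target
    throughput gives the time over which that throughput is spent. The beta term
    lengthens the interval when the buffer is above B_0 and shortens it below."""
    return r_n * p.tau / x_hat_n + p.beta * (b_prev - p.b0)


def pick_bitrate(x_hat_n: float) -> int:
    """Highest ladder rate that does not exceed the target average throughput."""
    eligible = [r for r in LADDER_BPS if r <= x_hat_n]
    return max(eligible) if eligible else LADDER_BPS[0]


def aimd_update(x_hat_prev: float, x_tilde_n: float, p: Params) -> float:
    """Assumed AIMD step. Congestion is inferred from a drop of the measured
    download throughput x_tilde below the target, not from packet loss."""
    if x_tilde_n < x_hat_prev:
        return max(LADDER_BPS[0], p.k * x_hat_prev)   # multiplicative decrease
    return x_hat_prev + p.w                             # additive increase


def simulate(bandwidth_trace, p: Params, b_init: float = 20.0, x_hat_init: float = 1_000_000.0):
    """One download cycle per trace entry. Returns (r[n], T_hat[n], B[n]) per cycle.
    The measured throughput x_tilde[n] is taken to equal the constructed available
    bandwidth of that cycle, so the segment downloads at that rate."""
    history = []
    b_prev, x_hat = b_init, x_hat_init
    for bw in bandwidth_trace:
        r_n = pick_bitrate(x_hat)
        download_time = r_n * p.tau / bw                # segment size / x_tilde[n]
        t_hat = target_interval(r_n, x_hat, b_prev, p)
        t_n = max(t_hat, download_time)                 # T[n] >= download time, so T_hat[n] <= T[n]
        # Each segment adds tau video seconds; playback drains T[n] seconds of real time.
        b_n = max(0.0, b_prev + p.tau - t_n)
        history.append((r_n, round(t_hat, 3), round(b_n, 3)))
        x_hat = aimd_update(x_hat, bw, p)
        b_prev = b_n
    return history


if __name__ == "__main__":
    for cycle, row in enumerate(simulate([3_000_000, 3_000_000, 1_000_000], Params())):
        print(f"cycle {cycle}: r={row[0]} bit/s  T_hat={row[1]} s  B={row[2]} s")
```

With the buffer sitting at B_0, the interval equals the segment's nominal play time; the third cycle shows the beta term shortening T_hat once the buffer has grown past B_0, while the slower download caps the actual interval T[n].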


Parts List

100

communication system

102

servers

104

transcoder

106

media storage

108

network

110

intermediate nodes

112

HAS client(s)

200

adaptive streaming environments

302

buffer

304

processor

306

memory

308

rate control function

310

target delay controller


Terms/Definitions

particular configuration includes

originating video source

property

few seconds

service

coding

stored and live contents

application scenarios

web server

rate

longer download interval

beginning

results

different segments

stream

state

certain embodiments

different terms

target average throughput

broadcast services

live streaming

algorithm

bitrate selection

upshifts

nominal duration

mixed-media offerings

better quality

PI controller

source video

requested content

PID controller

bitrate

activities

reference

segments

adaptive streaming systems

fragment

downloading cycle n

buffer

downloaded video segments

fetch operations

simplified block diagram

downshifting

adaptive video

such controller

client

next segment

following equation

several equations

video

streaming capabilities

other controllers

rate control function

example

HTTP/TCP/IP

instance

communication system

program

higher-bitrate video segments

significantly larger amounts

multitude

certain example embodiments

function

its bandwidth use

nearly the same, interval

high average video quality

low chance

video quality

reference buffer B

TCP behaviors

network bottleneck link

widely varying network conditions

resulting bitrate

such an approach

additive-increase/multiplicative-decrease

new rate adaptation framework

fine-tuning

at least one example

type

inelastic systems

multi-rate video encoding

bandwidth sharing behavior

download interval

enhancement

content

examples

downshifts

possible adaptive streaming scenario

HD stream

receiver

downloads

new rate adaptation algorithm

classic cable TV

varying bandwidth

K_I (the integral gain)

systems

such an implementation

cycle n

freedom

download history

additional details

measured throughput

chunks

buffering

servers

frequent shifts and oscillations

long Round-Trip Times

bottleneck link

particular system

greek letter

HTTP/SPDY/IP

high-quality streaming video

HAS client(s)

example embodiments

framework

AIMD algorithm

rate shifts/oscillation

asymmetry

solutions

measured downloading throughput

intervals

upshift

several significant mechanisms

several potential benefits

positive real number

memory

video seconds

plurality

segment n

objective

bandwidth

common practice

downshift

controller

client-side modification

length

web paradigm

other transports

congestion control

portion

operations

intermediate nodes

high video rates

target delay controller

network paths

vice versa

various data services

same content

network bottleneck links

basis

interval

clients

different durations

equation

embodiments

plain HTTP GETs

content stream

responsiveness

stream bitrate selection behavior

following foundational information

architecture

effects

notations

HTTP Live Streaming

details

segment

fine-tuned interval

symmetric rate upshift/downshift

reliability

available network bandwidth

streaming information

video playout stall

varying quality

original non-encoded video source

suitable information and/or data

techniques

their underlying TCPs’

same rate

downloading

unfair sharing

client buffer

tens

disclosure

seconds

Standard Definition

access

same duration

part

data size

viable rate adaptation algorithm

rate adaptation

less network bandwidth

RTTs

processor

previous media activity

segment downloading

inappropriate way

program content

different rates

frequent rate shifts

single encoded source

excellent video rate stability

adaptive streaming environments

proportional-integral controller

previous several segments

multiple service providers

segment’s

contrast

media storage

certain example implementations

information

asymmetric rate shift behavior

its underlying TCP’s

transcoder

weighted bandwidth sharing

lower encoding bitrates

unexpected bandwidth fluctuation

probe-adapt principle

scope

figure

low variation

inter-request intervals

typical scenario

High-Definition (HD) video stream shares

performance

data delivery

one embodiment

consecutive segment downloads

available bandwidth

certain content

error

scenarios

elastic IP transport protocol suite

proposed rate adaptation algorithm

programs

additional degree

higher encoding rates

equations

audio, games, applications, channels

average throughput

most adaptive streaming technologies

optional module

possible example details

TCP/IP transport

program time

quite common practice

underlying TCP’s

flow control features

adaptive streaming scenarios

adaptive streaming

terms `segment` and `chunk`

near real-time

weight

historical data

adaptive streaming video systems

follows

higher encoding rate

same video bitrate

delivery rate

buffer underruns

behavior

case

number

their buffers

multi-rate encoder

multiple

segment downloading duration

convergence rate

AIMD

lower encoding rates

flow’s

underlying transport protocol’s

less bandwidth

clients’

higher or lower encoding rates

multi-rate coding

consequent video stalls

digital media bundles

control theory

fill level

bandwidth challenges

downloading segment n

simultaneous users

environment

multiple content providers

changes

status

T[n] (the actual inter-download time)

beta

network

special case

addition

present disclosure

order

changing network conditions

rate oscillation

media player

detailed below

streaming

SCTP

typically hypertext transfer protocol/transmission control protocol/Internet protocol

network server

multiple rates

video bitrate

new time discount addition

server

Remedial Action Request Architecture


Drawings

Brief Description:

Figure 1 shows an embodiment of a remedial action architecture for a client facility, a gateway facility, and external computer devices

Detailed Description:

Referring to Figure 1, a remedial action request architecture that may include a client computing facility 102 and a gateway facility 104 is shown. In an embodiment, a client computing facility 102 may be any type of computing device that may reside on a network 106 and may include the capability of requesting access to other internal or external client computing facilities. The client computing facility 102 may be any type of computing device, including a desktop computer, a laptop computer, a tablet computer, a handheld computer, a smart phone computing device, or the like. The network 106 on which the client computing facility 102 resides may be any type of network 106, including a LAN, WAN, peer-to-peer network, intranet, internet, or the like, and the network access requests may be to other client computing facilities 102 within the network 106 or to an external network; the external network may include a LAN, WAN, peer-to-peer network, intranet, internet, or the like. The network 106 may be a wired network, a wireless network, a combination of wired and wireless networks, or the like. In an embodiment, the network access request may be to a URL, an FTP access, a peer-to-peer access request, a request within the network 106, a request to another network 106, or the like.

A gateway facility 104 may be any network computing device that may control access of client computing facilities from one network to another network or within a network. Access control of the network 106 may include controlling network 106 access requests from client computing facilities 102 within the network 106 to computing facilities external to the network 106, controlling access requests from computing facilities external to the network 106 to client computing facilities, or the like. The gateway may include at least one protocol to determine if the network 106 access request is to be allowed, such as using a block list, a black list, an allow list, a white list, a rules database, a policy database, or the like. Based on the protocol, the gateway facility 104 may allow or block a network access request from an internal client computing facility 102, an external computing facility, or the like. When a request is blocked by the gateway facility 104, information regarding the block may be transmitted to a client computing facility 102. In an embodiment, the information may be a data file, a command file, a combination of a data file and command file, or the like. The data file may contain a number of commands, definitions, or instructions to be parsed and acted upon, or the like. In an embodiment the data file may include address information on the requested network site, an application requesting the requested network site interaction, a file requesting the requested network site interaction, a rule that blocked the requested network site interaction, or the like.

A security facility 108 may be a software application that may provide malicious code and malicious application protection to the client computing facility 102. The security facility may have the ability to scan the client computing facility 102 files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions (e.g. as described herein) and perform other security measures. In embodiments, scanning the client computing facility 102 may include scanning some or all of the files stored on the client computing facility 102 on a periodic basis, scanning applications once the application has been requested to execute, scanning files as the files are transmitted to or from the client computing facility 102, or the like. The scanning of the applications and files may be to detect known malicious code or known malicious applications. In an embodiment, new malicious code and malicious applications may be continually developed and distributed, and updates to the known malicious code file may be provided on a periodic basis, on a demand basis, on an alert basis, or the like.

A network control facility 110 may provide the network access capability to the client computing facility 102; the network access may be to other client computing facilities 102 within the network 106, to other computer facilities external to the client computing facility 102 network 106, or the like. The network control facility 110 may be a software application (e.g. a web browser), hardware (e.g. a network access device), a firmware application, a combination of software, hardware, and firmware, or the like. In an embodiment, the network control facility 110 may interface with the security facility 108, any associated malicious code files, and a policy facility 118 to determine network 106 access rights and permissions. Additionally, once the client computing facility 102 network control facility 110 determines and provides network 106 access, the gateway facility 104 may make a determination of what connectivity may be made to other client computing facilities and networks.

In an embodiment, an application 112 may be any software file that may be executed on the client computing facility 102. The application 112 may be an application 112 that is executed at a user request to perform some work on the client computing facility 102, an application 112 that requests network access to another computing facility either within the same network 106 as the client computing facility 102 or external to the client computing facility 102, or the like. In embodiments, the application access request may be user requested, may be auto-requested, or the like. Depending on policies for network access requests, a user network access request may be allowed or denied. If an access request is denied, the user may or may not be notified; the access request denial may simply fail to connect to the desired network location. In embodiments, the auto-requested network request may be a result of a legitimate application 112 requesting information from another client computing facility 102 or network, a malicious application requesting network access, or the like. The malicious application network access may be an attempt to corrupt the client computer facility 102, an attempt to corrupt the gateway facility 104, an attempt to corrupt the network 106 on which the client computing facility 102 resides, an attempt to access external networks or computer facilities, or the like.

An IDE 114 may be a virus identity file that may include definitions of known or potential malicious code. The IDE 114 may provide information that may identify malicious code within files, applications, or the like. The IDE 114 may be accessed by the security facility 108 when scanning files or applications 112 within the client computing facility 102 for the determination of malicious code that may be within the file or application 112. In an embodiment, when the information regarding a blocked access is received from the gateway facility 104, the security facility 108 may access the IDE 114 to parse the data file and determine an action to be taken on an application requesting access to a denied network location. The IDE 114 may contain a number of commands, definitions, or instructions, to be parsed and acted upon, or the like. In embodiments, the client computing facility 102 may be updated with new IDE 114 files periodically to provide the client computing facility 102 with the most recent malicious code definitions; the updating may be performed on a set time period, may be updated on demand from the client computing facility 102, may be updated on demand from the network 106, may be updated on a received malicious code alert, or the like. In an embodiment, the client computing facility 102 may request an update to the IDE 114 files from an update facility within the network 106, may request updated IDE 114 files from a computing facility external to the network 106, updated IDE 114 files may be provided to the client computing facility 102 from within the network 106, IDE 114 files may be provided to the client computing facility 102 from an external computing facility from an external network, or the like. 

In an embodiment, the policy facility 118 may be a set of rules or policies that may indicate network access permissions for a client computing facility 102. The policy facility 118 may include a database, a text file, a combination of databases and text files, or the like. In an embodiment, the policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of network locations that may or may not be accessed by the client computing facility 102. The policy facility 118 may include rules that may be interpreted with respect to the network access request to determine if the request should be allowed. The rules may provide a generic rule for the type of access that may be granted; the rules may be related to the policies of an enterprise for access rights for the enterprise’s client computer facilities 102. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client computing facility 102, the security facility 108 may access the rules within the policy facility 118 to determine if the requested access is related to a sporting website. In an embodiment, the security facility 108 may analyze the requested website to determine if the website matches any of the policy facility 118 rules.

In an embodiment, a remedial action facility 120 may be an application that may respond to information from the gateway facility 104 when a client computing facility 102 network access request has been denied. In an embodiment, when the data file is received from the gateway facility 104, the remedial action facility 120 may parse the data file, interpret the various aspects of the data file, and act on the parsed data file information to determine actions to be taken on an application requesting access to a denied network location. In an embodiment, when the data file is received from the gateway facility 104, the remedial action facility 120 may access the IDE to parse the data file and determine an action to be taken on an application requesting access to a denied network location. In an embodiment, the information received from the gateway facility 104 may be a command or a command file. The remedial action facility 120 may carry out any commands that are received or parsed from a data file from the gateway facility 104 without performing any interpretation of the commands. In an embodiment, the remedial action facility may interact with the received information and may perform various actions on an application requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client computer facility 102, quarantine of the application, terminating the application, isolation of the application, isolation of the client computer facility 102 to a location within the network that restricts network access, blocking a network access port from a client computer facility 102, reporting the application to a system administrator, or the like.

In an embodiment, a network access control 122 may be responsible for determining if a client computing facility 102 application should be granted access to a requested network location. The network location may be on the same network 106 as the gateway facility 104 or may be on another network. In an embodiment, the network access control 122 may verify access rights for client computing facilities from within the network 106 or may verify access rights of computer facilities from external networks. When network access for a client computing facility 102 is denied, the network access control 122 may send an information file to the client computing facility 102; the information file may contain data or commands that may provide instructions for the remedial action facility 120. The information sent by the network access control 122 may be a data file. The data file may contain a number of commands, definitions, instructions, commands to be parsed and acted upon by the remedial action facility, or the like. The information sent by the network access control 122 may be a command or command file that the remedial action facility may access and take action upon.

In an embodiment, the network access rules 124 may provide an information store to be accessed by the network access control 122. The network access rules 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not be accessed by the client computing facility 102. Additionally, the network access rules may incorporate rule evaluation; the rule evaluation may parse network access requests and apply the parsed information to network access rules. The network access rules may be a generic set of rules that may be in support of an enterprise’s network access policies, such as denying access to certain types of websites, controlling instant messenger access, or the like. The rule evaluation may include regular expression rule evaluation, virus description language (VDL) evaluation, or another rule evaluation method for interpreting the network access request and comparing the interpretation to the established rules for network 106 access. In an embodiment, the network access rules 124 may receive a rules evaluation request from the network access control 122 and may return the rules evaluation to the network access control 122.

Referring again to Figure 1, protecting the client computing facility 102 from threats caused by malicious code and malicious applications may include more than one level. In an embodiment, malicious code may embed itself into applications that may already be stored on the client computing facility 102, such as within a document application or document file. The threats may be received from other client computing facilities 102 on the same network as files are shared, received from external networks as the client computing facility 102 connects with other networks, or the like.

For protecting the individual client computing facility 102, the security facility may interact with the IDE file 114 and policy facility 118 as files are received at the client computing facility 102. The security facility 108 may attempt to determine if the incoming file may include malicious code or if the file is a malicious application by comparing the contents of the file with the IDE 114 file information. For malicious code and malicious applications that are previously defined within the IDE file, this may provide adequate protection for the client computer facility 102 by cleaning the incoming file, denying the incoming file from being stored on the client computing facility 102, or the like.

In a similar manner, both the IDE file 114 and policy facility 118 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per the enterprise rules and policies. By checking outgoing files, the security facility may be able to discover malicious code infected files that were not detected as incoming files, as a result of the client computing facility having since been updated with either new IDE 114 files or policy facility 118 information. The IDE file 114 may discover the malicious code infected file by having received updates of developing malicious code from the system administrator, updates from an IDE provider, or the like. The policy facility 118 may discover the malicious code infected file by having received new updates from the system administrator, from a rules provider, or the like.

Once a client computing facility 102 has become infected with malicious code or a malicious application, the user of the client computing facility 102 may be unaware that the application is attempting to connect to another network location in an attempt to receive additional malicious code. Additionally, the malicious code or malicious application may have deactivated some or all of the security facility 108, leaving the client computing facility 102 unable to determine that a malicious file is attempting to access another network. Once infected, the user may not be aware that the client computing facility 102 application 112 is attempting to connect with another network.

Once a client computing facility 102 has become infected with malicious code, the malicious code may use the application 112 and network control facility 110 to attempt to connect to a network location where additional malicious code and/or malicious applications may be downloaded to the client computing facility 102. If the malicious code is not yet defined in the IDE file 114, or if at least part of the security facility 108 has been disabled, the malicious code may be successful in using the application 112 and network control facility 110 to request a network access from the gateway facility 104.

The client computing facility 102 network access request may be received at the gateway facility 104 network access control 122. The network access control 122 may act as a second level of defense against malicious code and malicious applications accessing other network locations. The network access control 122 may be associated with the network access rules 124 that may provide all the rules for accessing other networks for the network 106. As previously described herein, the network access rules may include access databases, access rules that may be interpreted, a combination of databases and access rules, or the like.

In an embodiment, the network access request may be an attempt to connect to any type of computer facility on another network such as a server 126, desktop computer, laptop computer 128, smart device 130, database 116, or the like. 

Once received at the network access control 122, the network access request may be analyzed, parsed, reviewed, or the like to determine if the network access request is allowed by the defined access rules stored within the network access rules 124. If the network access request is for a network location that is not allowed as defined by the rules within the network access rules 124, the network access request may be denied. 

In a first embodiment, the denied network access request may be reported back to the client computing facility 102 as a denied access, and the malicious code infected application 112 may continue attempts to access the same network location or a different access location, with the possibility that the second network location may not be within the deny access rules. In an embodiment, the malicious code infected application 112 may try a plurality of different network locations in an attempt for a successful network access request.

In a second embodiment, with the denied network access request, the network access control 122 may return a file to the client computing facility 102 that may include information for investigating the source of the denied network access request. In an embodiment, the information file that is received at a client computing facility 102 may be accessed by the remedial action facility 120 to determine actions that the remedial action facility 120 and the security facility 108 may take to determine the source of the denied network access request. In embodiments, the sending of file information to the client computing facility 102 may comprise an attempt to find the source application of the denied network access request; the remedial action facility 120 may take action against the application 112 attempting the network accesses to prevent additional attempts to connect with network locations that are not permitted per the network access rules 124. In an embodiment, the information file may be stored on the client computing facility 102, and the storing of the information file may provide an indication for the remedial action facility 120 to analyze the information file.

In an embodiment, the information file may include commands determined by the network access control 122 to locate the source of the network access request. The remedial action facility 120 may parse the information file into at least one command. In an embodiment, the commands may be executed as the information file is parsed, the commands may be stored to a file from which the commands may be executed, or the like. In an embodiment, there may be more than one command, with a second command being executed based on the outcome of a first command. For example, the first command may include instructing the security facility 108 to scan all executing applications on the client computing facility 102 to determine the application 112 that requested the denied network access. The second command may include instructions to terminate executing applications 112 if the first command is not able to determine the application 112 that requested the denied network access. In an embodiment, one of the commands in the information file may be to request a new IDE file 114 that may provide the latest malicious code and malicious application information.

In an embodiment, the information file may include data that the remedial action facility 120 may interpret for locating the application that requested the denied network access request. In an embodiment, the data within the information file may include instructions to the remedial action facility 120 for steps to be taken to identify the application requesting the denied network access request. The remedial action facility 120 may parse the information file into at least one instruction. In an embodiment, the parsed instructions may be interpreted by the remedial action facility 120 for the determination of the actions that are to be used to identify the application requesting the denied network access request. In embodiments, the instructions may be interpreted as requesting a new IDE file 114, requesting the security facility 108 to scan the client computing facility 102, terminating an identified application, isolating an identified application, reporting an identified application to a reporting facility within the network, requesting additional actions from the network access control 122, or the like.
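The two-level control described above (gateway-side rule evaluation by the network access control 122 against the network access rules 124, then a client-side remedial action facility 120 that parses the returned information file into commands, with the second command conditioned on the outcome of the first) as an added Python model; it is not part of the patent text, and the rule set, the JSON layout of the information file, the command names and the process table are constructed assumptions for illustration.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed network access rules (124): evaluated as allow list, then block
# list, then regular-expression rules, then a default allow.
NETWORK_ACCESS_RULES = {
    "allow_list": {"intranet.example.internal"},
    "block_list": {"known-bad.example.net"},
    "regex_rules": [  # (rule id, pattern, description); all constructed
        ("R-SPORTS", r"(^|\.)sports?[a-z-]*\.example\.com$", "no sporting websites"),
        ("R-IM", r"(^|\.)im-gateway\.example\.org$", "no instant messenger access"),
    ],
}


def evaluate_request(host, rules=NETWORK_ACCESS_RULES):
    """Gateway-side rule evaluation (network access control 122 consulting the
    network access rules 124). Returns (allowed, rule_id)."""
    host = host.lower().rstrip(".")
    if host in rules["allow_list"]:
        return True, "ALLOW-LIST"
    if host in rules["block_list"]:
        return False, "BLOCK-LIST"
    for rule_id, pattern, _description in rules["regex_rules"]:
        if re.search(pattern, host):
            return False, rule_id
    return True, "DEFAULT-ALLOW"


def build_information_file(host, rule_id):
    """On denial the gateway returns an information file. Its JSON layout is an
    assumption: address information, the blocking rule, and an ordered command
    list where a command may be conditioned on an earlier command's outcome."""
    commands = [
        {"id": 1, "action": "scan_executing_applications", "target_host": host},
        {"id": 2, "action": "terminate_network_active",
         "when": {"command": 1, "outcome": "not_found"}},
        {"id": 3, "action": "request_ide_update"},
    ]
    return json.dumps({"address": host, "rule": rule_id, "commands": commands})


@dataclass
class ClientState:
    """Constructed view of the client computing facility (102)."""
    processes: dict  # pid -> {"name": str, "hosts": set of hosts it contacted}
    ide_version: int = 1
    isolated: set = field(default_factory=set)
    terminated: set = field(default_factory=set)


def remedial_action_facility(info_file, state):
    """Client-side remedial action facility (120): parse the information file
    into commands and run them in order. A command carrying a "when" clause
    runs only if the named earlier command produced that outcome. Returns the
    actions taken, in order; unrecognised commands are rejected, not executed."""
    info = json.loads(info_file)
    outcomes, actions = {}, []
    for cmd in info["commands"]:
        cond = cmd.get("when")
        if cond and outcomes.get(cond["command"]) != cond["outcome"]:
            continue  # precondition not met: skip this command
        if cmd["action"] == "scan_executing_applications":
            culprits = [pid for pid, p in state.processes.items()
                        if cmd["target_host"] in p["hosts"]
                        and pid not in state.terminated]
            for pid in culprits:
                state.isolated.add(pid)  # isolate the identified application
                actions.append(f"isolate:{state.processes[pid]['name']}")
            outcomes[cmd["id"]] = "found" if culprits else "not_found"
        elif cmd["action"] == "terminate_network_active":
            # Source not identified: terminate applications with outbound activity.
            for pid, p in state.processes.items():
                if p["hosts"] and pid not in state.terminated:
                    state.terminated.add(pid)
                    actions.append(f"terminate:{p['name']}")
            outcomes[cmd["id"]] = "done"
        elif cmd["action"] == "request_ide_update":
            state.ide_version += 1  # fetch the latest IDE file
            actions.append(f"ide_update:v{state.ide_version}")
            outcomes[cmd["id"]] = "done"
        else:
            outcomes[cmd["id"]] = "rejected"
            actions.append(f"reject:{cmd['action']}")
    return actions


def handle_request(host, state):
    """One end-to-end request: gateway decision, then client remediation on denial."""
    allowed, rule_id = evaluate_request(host)
    if allowed:
        return allowed, rule_id, []
    info_file = build_information_file(host, rule_id)
    return allowed, rule_id, remedial_action_facility(info_file, state)
```

Calling `handle_request("sports-news.example.com", client)` on a client whose process table shows the browser contacting that host yields a denial under R-SPORTS, isolation of the browser and an IDE update, while the conditional terminate command is skipped because the source was identified.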


Parts List

102 client computing facility
104 gateway facility
106 network
108 security facility
110 network control facility
112 application
114 IDE (virus identity file)
116 database
118 policy facility
120 remedial action facility
122 network access control
124 network access rules
126 server
128 laptop computer
130 smart device


Terms/Definitions

IDE files

reported information

supplemental file

threat notice

block list

commands, definitions, or instructions

associated malicious code files

plurality

established rules

network resources

rules or policies

network access locations

desktop computer

user type

gateway facility

known malicious code

computing device

test file

particular enterprise

firmware

intranet

communication

combination

most recent malicious code definitions

applications and files

same network location

second embodiment

update

all the rules

resides

streaming file

certain types

block

one network

actions

protection

level

preparedness

client computer facility

planned update

network

same network

new IDE file

desired network location

action upon

rules

web browser

user request

successful network access request

interpretation

network control facility

user network access request

recording facility

at least one command

demand basis

updated rules

remedial action request architecture

data file and command file

data file

policy facility

malicious file

rules provider

computer facility

IDE management facility

network computing device

allowed list

command

other activities

external network

control

malicious application

access databases

received malicious code alert

network site reputation database

remedial action facility

generic rule

black list

set time period

streaming file or portions

update facility

attempt

network access port

denied network access

other client computing facilities

acceptable network site database

at least one instruction

organization hierarchy

tablet computer

security management facility

database

testing facility

file information

network access capability

result

type

IDE management

hardware

unacceptable network site database

network access rules management facility

generic set

legitimate application

virus identities

requested network site

instant messenger access

streaming files

network access device

action

malicious code

ability

blocks

overall security

gateway

certain applications and files

malicious applications

denied network location

streaming file management

access rights

at least part

parsed instructions

list

parsed data

commands

policy database

access rules

example

outgoing files

stored streaming file

additional actions

requested access

periodic basis

new updates

network access requests

white list

direct control

application access request

capability

IDE information

network access rules

known malicious code information

testing information

malicious code scan

computing facility

number

security configurations

at least one protocol

network access

able discover malicious code

rapid updating

updating

location

network locations

computer facilities

malicious code infected

corrective action

instructions

enterprise wide access rules

management

fixed periodic basis

enterprise rules

management facility

access request denial

external networks

address information

network accesses

test management facility

subset

rule evaluation

received information

application

requested network location

rules data base

reaction

external computing facilities

text file

client computing facilities

allow list

policy

website

user

laptop computer

enterprise’s

data

internet

access request

resident network

sporting website

only the personnel

adequate protection

document application or document file

individual client computing facility

transmitted

updates

peer-to-peer access request

scanning files or applications

outgoing file

other network locations

distribution system

additional attempts

connectivity

new malicious code

existing IDE file

reporting facility

Peer-to-Peer network

automatic and manual methods

network location

checking streaming files

malicious application network access

IDE file

security management

wireless network

other computer facilities

various aspects

access rights and permissions

remedial actions

system administrator’s

distribution

incoming files

test files

entire enterprise

other rule evaluation method

network access rules management

blocked access

demand

malicious code descriptions

request

regular expression rule evaluation, virus description language

predefined rule sets

defense

rule

software, hardware

continual updating

IDE provider

access control

steps

protocol

software file

access

auto-requested network request

application capabilities

computer facility type

network access request

wired network

first command

external client computing facilities

requested website

FTP access

databases

only support personnel

bandwidth

threats

malicious application information

denied network access request

parsed information

isolation

requested network site interaction

altered malicious code

additional malicious code

continual defense

other security measures

outcome

IDE definitions

determination

policy management facility

command file

alert

more than one command

information file

firmware application

network administrator

other client computing facilities and networks

smart phone computing device

external computer devices

second network location

sporting websites

quarantine

support

second level

network access control

databases and access rules

client facility

applications

similar manner

deny access rules

enterprise

network access policies

websites

identified application

incoming file

information

definitions

contents

certain actions

alert basis

networks

different network locations

predefined rules

external computing facility

known or potential malicious code

search

source

embodiment

possibility

timely updates

data or commands

malicious code information

departments

file

facilities

more than one level

software application

customers

virus identity file

first embodiment

various actions

computing facilities

internal client computing facility

other networks

smart device

command or command file

security facility

sending

denied network application request

indication

handheld computer

rules evaluation

IM activity

application type

defined access rules

source application

client computing facility

known malicious code file

network access permissions

server

acceptability

policies

work

facility

different access location

second command

information store

executing applications

associated client facilities

rules evaluation request

embodiments

testing

malicious application protection

denied access

provider

scanning

system administrator

databases and text files

remedial action architecture

latest malicious code

client computer facilities

file or application

Hybrid Vehicle Drivetrain and Energy Storage Components


Drawings

Brief Description:

Figure 1 is a diagram of a hybrid vehicle illustrating typical drivetrain and energy storage components. 

Detailed Description:

Figure 1 depicts a typical plug-in hybrid-electric vehicle (PHEV). A typical plug-in hybrid-electric vehicle 116 may comprise one or more electric machines 128 mechanically connected to a hybrid transmission 124. The electric machines 128 may be capable of operating as a motor or a generator. In addition, the hybrid transmission 124 is mechanically connected to an engine 122. The hybrid transmission 124 is also mechanically connected to a drive shaft 140 that is mechanically connected to the wheels 120. The electric machines 128 can provide propulsion and deceleration capability when the engine 122 is turned on or off. The electric machines 128 also act as generators and can provide fuel economy benefits by recovering energy that would normally be lost as heat in the friction braking system. The electric machines 128 may also reduce vehicle emissions by allowing the engine 122 to operate at more efficient speeds and allowing the hybrid-electric vehicle 116 to be operated in electric mode with the engine 122 off under certain conditions.


A traction battery 138 or battery pack stores energy that can be used by the electric machines 128. A vehicle traction battery 138 typically provides a high voltage DC output. The traction battery 138 is electrically connected to one or more power electronics modules 134. One or more contactors 142 may isolate the traction battery 138 from other components when opened and connect the traction battery 138 to other components when closed. The power electronics module 134 is also electrically connected to the electric machines 128 and provides the ability to bi-directionally transfer energy between the traction battery 138 and the electric machines 128. For example, a typical traction battery 138 may provide a DC voltage while the electric machines 128 may operate using a three-phase AC current. The power electronics module 134 may convert the DC voltage to a three-phase AC current for use by the electric machines 128. In a regenerative mode, the power electronics module 134 may convert the three-phase AC current from the electric machines 128 acting as generators to the DC voltage compatible with the traction battery 138. The description herein is equally applicable to a pure electric vehicle. For a pure electric vehicle, the hybrid transmission 124 may be a gear box connected to an electric machine 14 and the engine 122 may not be present.

In addition to providing energy for propulsion, the traction battery 138 may provide energy for other vehicle electrical systems. A typical system may include a DC/DC converter module 132 that converts the high voltage DC output of the traction battery 138 to a low voltage DC supply that is compatible with other vehicle loads. Other electrical loads 144, such as compressors and electric heaters, may be connected directly to the high-voltage bus without the use of a DC/DC converter module 132. The low-voltage systems may be electrically connected to an auxiliary battery 130 (e.g., 116V battery).

The hybrid-electric vehicle 116 may be an electric vehicle or a plug-in hybrid vehicle in which the traction battery 138 may be recharged by a wireless vehicle charging system 108. The wireless vehicle charging system 108 may include an external power source 102. The external power source 102 may be a connection to an electrical outlet. The external power source 102 may be electrically connected to electric vehicle supply equipment 106. The electric vehicle supply equipment 106 may provide an EVSE controller 104 to provide circuitry and controls to regulate and manage the transfer of energy between the external power source 102 and the hybrid-electric vehicle 116. The external power source 102 may provide DC or AC electric power to the electric vehicle supply equipment 106. The electric vehicle supply equipment 106 may be coupled to a transmit coil 110 for wirelessly transferring energy to a receive coil 112 of the vehicle 116. The receive coil 112 may be electrically connected to a charger or on-board power conversion module 136. The receive coil 112 may be located on an underside of the vehicle 116. The power conversion module 136 may condition the power supplied to the receive coil 112 to provide the proper voltage and current levels to the traction battery 138. The power conversion module 136 may interface with the electric vehicle supply equipment 106 to coordinate the delivery of power to the hybrid-electric vehicle 116.

One or more wheel brakes 126 may be provided for decelerating the hybrid-electric vehicle 116 and preventing motion of the hybrid-electric vehicle 116. The wheel brakes 126 may be hydraulically actuated, electrically actuated, or some combination thereof. The wheel brakes 126 may be a part of a brake system 118. The brake system 118 may include other components to operate the wheel brakes 126. For simplicity, the figure depicts a single connection between the brake system 118 and one of the wheel brakes 126. A connection between the brake system 118 and the other wheel brakes 126 is implied. The brake system 118 may include a controller to monitor and coordinate the brake system 118. The brake system 118 may monitor the brake components and control the wheel brakes 126 for vehicle deceleration. The brake system 118 may respond to driver commands and may also operate autonomously to implement features such as stability control. The controller of the brake system 118 may implement a method of applying a requested brake force when requested by another controller or sub-function.

One or more electrical loads 144 may be connected to the high-voltage bus. The electrical loads 144 may have an associated controller that operates and controls the electrical loads 144 when appropriate. Examples of electrical loads 144 may be a heating module or an air-conditioning module.

The wireless vehicle charging system 108 may define an area (e.g., a parking space) for parking the hybrid-electric vehicle 116 for charging. The area may be suitable for charging a variety of different sized vehicles. The wireless vehicle charging system 108 may provide visual feedback to a vehicle operator. The visual feedback may include one or more indicators to indicate that charging is in progress, charging is completed, or that a diagnostic condition is present that inhibits charging. The visual feedback may be part of a display that is external to the vehicle or within the vehicle.


Parts List

100

item

102

external power source

104

EVSE controller

106

electric vehicle supply equipment

108

wireless vehicle charging system

110

transmit coil

112

receive coil

114

system controller

116

hybrid-electric vehicle

118

brake system

120

tire(s)

122

engine

124

hybrid transmission

126

wheel brakes

128

electric machines

130

auxiliary battery

132

DC/DC converter module

134

power electronics module

136

power conversion module

138

traction battery

140

drive shaft

142

contactors

144

electrical loads


Terms/Definitions

example

minimum emissions

electric machines

minimal attention

brake components

receive coil

wireless vehicle

heat

requested brake force

variety

certain conditions

power electronics module

on-board power conversion module

compressors and electric heaters

heating module

EVSE controller

generator

combination

part

brake system

pad separator

system controller

parking area

power source

constant spacing

high voltage DC output

contactors

parking spot

vehicle deceleration

hybrid-electric vehicle

parking aids

other wheel brakes

wheel brakes

given direction

tire pad

different vehicles

vehicle

electric vehicle supply equipment

energy

circuitry and controls

connection

propulsion and deceleration capability

precise parking

minimal operator intervention

gear box

other vehicle electrical systems

travel

tire stop

motor

current levels

regenerative mode

charger

drive shaft

friction braking system

spacing

raised area

simplicity

progress

vehicle emissions

need

routing cables

proper voltage

features

automated parking system

hybrid transmission

auxiliary battery

area

selected transmit coil

pair

align the selected transmit coil

low voltage DC supply

such an automated system

movement

DC voltage

parking space

advantages

operator

commands

plug-in hybrid vehicle

traction battery

battery

visual feedback

transmit coil transport mechanism

wheels

typical system

vehicle battery pack

different sized vehicles

inhibits

other components

battery pack

coil

transfer

associated controller

description herein

other high-voltage loads

more efficient speeds

fuel economy benefits

delivery

appropriate transmit coil

various positions

three-phase AC

underside

center line

typical traction battery

transport mechanism

other vehicle loads

generators

three-phase AC current

desired spacing

DC or AC electric power

automated charging system

air-conditioning module

electrical outlet

maximum power transmission

tire(s)

direction

external power source

user interface

propulsion

tire pads

power

generally parallel orientation

automated system

vehicle operator

pressure sensitive tire pads

stores energy

transport mechanism separator

display

location

method

examples

side

high-voltage

controller or sub-function

electric vehicle

single connection

transmit coils

engine

stability control

addition

plurality

PHEV

electric mode

electrical loads

transmit coil

vehicle locating system

normal manner

separate piece

wireless vehicle charging system

ways

diagnostic condition

vehicle locating mechanism

DC/DC converter module

position

low-voltage systems

power conversion module

motion

relation

further advantage

high-voltage bus

figure

pure electric vehicle

Handheld Device Schematic


Drawings

Brief Description:

Figure 1 is a schematic front view of a handheld device 100 representing one embodiment

Detailed Description:

The handheld device 100 of Figure 1 and Figure 3 may represent, for example, a cellular phone, a portable phone, a media player, a personal data organizer, a handheld game platform, a tablet computer, a notebook computer, or any combination of such devices. By way of example, the handheld device 100 may be a model of an iPad®, iPod®, iPhone®, or MacBook® available from Apple Inc. of Cupertino, Calif. Figure 1 depicts the front of handheld device 100, while Figure 2 depicts the back of handheld device 100.

The handheld device 100 may include an enclosure 116 to protect interior components from physical damage and to shield them from electromagnetic interference. The enclosure 116 may include window a 108 and window b 112 configured to conceal components such as an image capture device 110 and biometric sensor 114, respectively. By concealing the image capture device 110 and the biometric sensor 114 behind the enclosure 116, these components may remain unseen when not in use. For example, when the image capture device 110 and the biometric sensor 114 are not in use, they may be concealed by selectively causing the window a 108 and window b 112 to be opaque, or "closed." Since the window a 108 and window b 112 may be color-matched so as to be indistinguishable from the enclosure 116, the enclosure 116 may appear seamless when the window a 108 and window b 112 are closed. When a concealed component is to be in use, such as image capture device 110 and/or biometric sensor 114, it may be exposed from beneath the enclosure 116 by selectively causing the window a 108 and/or window b 112 to become transparent, or "open." Components such as the image capture device 110 and the biometric sensor 114 may be exposed for as long as desired.

In some embodiments, components of the handheld device 100, such as the image capture device 110 and the biometric sensor 114, may be selectively exposed when certain component-using features of the handheld device 100 are activated. By way of example, an image capture feature of the handheld device 100, which may employ the image capture device 110, may become activated when a user elects to run a camera application selectable via a graphical user interface (GUI 106). In general, the GUI 106 may include one or more icon(s) 120 for providing access to features of the handheld device 100 (e.g., applications, features of an operating system of the handheld device 100, features of firmware of the handheld device 100, and so forth). At times during the use of such features, the features may utilize components of the handheld device 100 that may be hidden behind a window a 108, window b 112, window c 202, or window d 204 (e.g., the image capture device 110 hidden behind the window a 108 or the biometric sensor 114 hidden behind the window a 108 or window b 112). Thus, in some embodiments, when the handheld device 100 detects that a feature (e.g., a camera application) that is expected to use a hidden component (e.g., the image capture device 110) has been selected via the GUI 106, the window controller 22 of Figure 1 may open the associated window a 108, window b 112, window c 202, or window d 204 (e.g., the window a 108). When the handheld device 100 detects that the utilization of the component (e.g., the image capture device 110) is no longer desired by the feature of the handheld device 100 (e.g., the camera application is closed), the window controller 22 may close the window a 108, window b 112, window c 202, or window d 204, hiding the component.


Brief Description:

Figure 2 is a schematic backview of the handheld device 100 illustrated in Figure 1

Detailed Description:

The technique of exposing concealed components is not limited to dynamically changing window a 108, window b 112, window c 202, or window d 204 opacity upon the launch of applications within the electronic device 10. For example, as illustrated in Figure 2, the back of the handheld device 100 may have two windows, window c 202 and window d 204, disposed above an image capture device 110 and a strobe 206, respectively. Other embodiments may include more or fewer windows and corresponding concealed components. Initially, the windows window c 202 and window d 204 may conceal the image capture device 110 and the strobe 206. In one embodiment, the window c 202 disposed above the image capture device 110 may be opened by the window controller 22 upon selection of the icon(s) 120 of Figure 1 linking to the camera application. The window d 204 disposed above the LED strobe 206 may remain closed until the camera application determines that increased illumination is desired. Upon such a determination, the camera application may provide some indication to the window controller 22 that the window d 204 disposed above the LED strobe 206 should be opened. The window controller 22 may "open" the window d 204 disposed above the LED strobe 206 by making the window d 204 transparent, exposing the LED strobe 206 for use. Upon determining that the strobe 206 is no longer desired for use, the camera application may provide some indication to the window controller 22 that the window d 204 should be closed. The window controller 22 then may cause the window d 204 disposed above the LED strobe 206 to "close," becoming opaque and hiding the LED strobe 206. Upon completion of the use of the image capture device 110, the window controller 22 may also close the window c 202 disposed above the image capture device 110, causing the image capture device 110 to disappear into the enclosure 116.

In some embodiments, even the display 118 of an electronic device 10 may be concealed. For example, FIGS. 16A and 16B illustrate a handheld device 100 having a window a 108, window b 112, window c 202, or window d 204 disposed above a display 118. As shown in Figure 16A, when the display 118 is not in use, the window a 108, window b 112, window c 202, or window d 204 may remain closed, hiding the display 118 and giving the appearance of a single seamless enclosure without a display 118. When the display 118 is activated, the window a 108, window b 112, window c 202, or window d 204 may be opened, exposing the display 118, as shown in Figure 16B. By way of example, the display 118 may be activated when a user selects certain of the input structures 104 of the handheld device 100.

Window a 108, window b 112, window c 202, or window d 204 may conceal components in the enclosure 116 and/or, when the display 118 is transparent (e.g., a transparent OLED display), under the display 118 of the electronic device 10. 


Parts List

100

handheld device

102

opening loop block

104

input structures

106

GUI

108

window a

110

image capture device

112

window b

114

biometric sensor

116

enclosure

118

display

120

icon(s)

202

window c

204

window d

206

strobe


Terms/Definitions

concealed component

window d

biometric sensor

suitable component

personal data organizer

touch layer

example

window(s)

window controller

cupertino

touch inputs

electronic display system

transparent material

printing layers

electromagnetic interference

enclosure

selection

indication

several printing layers

ambient light layer

infrared layer

icon(s)

transparent OLED display

underlying layers

protection

image capture device

camera application

electronic device

opaque

features

calif

schematic front view

other embodiments

handheld device

glass or plastic

Apple Inc

opacity

image capture feature

technique

input structures

black enclosure system

embodiments

handheld game platform

strobe

window c

more or fewer windows

figure

interior components

current level

increased illumination

window b

protective cover layer

even the display

such devices

GUI

view

color

launch

display cutouts

immediate environment

macbook®

operating system

media player

hidden component

exposure

black color layer

access

front

user elects

tablet computer

layer

completion

single seamless enclosure

suitable embodiment

window cutouts

utilization

display

lower layers

capacitive touch layer

device

notebook computer

portable phone

component

cellular phone

infrared radiation

physical damage

enclosure system

concealed components

other layers

window a

applications

appearance

color layer

components

associated window

visible light

combination

two windows

user

certain component-using features

back

feature

wear

certain components

layers

times

model

firmware

such a determination

windows

such features

General Lab


Drawings

Brief Description:

illustrates a reaction system 100 in accordance with one embodiment.

Detailed Description:

Referencing Figure 1, a reaction system 100 illustrates a set of initial conditions and quantities 124 for a quantitative Polymerase Chain Reaction (qPCR) that includes reagent(s) 106 (e.g., polymerase, primers, probes, etc.) and a sample 118 (e.g., target DNA strand, template DNA strand, etc.). In qPCR, the sample 118 may contain DNA strands that serve as a template during the amplification process. The sample 118 may undergo a sample preparation process prior to being combined with the reagent(s) 106.

In qPCR, the initial conditions and quantities 124 may additionally include quantities 122 for the reagent(s) 106 and the sample 118, as well as supplemental information such as the location (e.g., reaction well, plate position, etc.) where the reagent(s) 106 and the sample 118 were placed in a reaction vessel 102 (reaction site 116). Environmental conditions may also be recorded as part of the initial conditions and quantities 124, including the temperature 108 and pressure 120 at the start of and during the course of the qPCR reaction, as changes in temperature 108 and pressure 120 may affect volumetric measurements.

When the reaction vessel 102 is provided to the instrument 104 to start the qPCR reaction, the initial conditions and quantities 124 may be entered into or detected by the instrument 104 and reported to an initial reaction condition database 110.

During the reaction, the sample 118 is denatured during a high-temperature phase of the reaction, separating the double-stranded DNA into two complementary strands. High-temperature incubation is used to "melt" the double-stranded DNA into single strands and loosen the secondary structure in single-stranded DNA. The highest temperature that the DNA polymerase can withstand is typically used (usually 95 °C). The denaturation time can be increased if the template guanine-cytosine (GC) content is high.

An annealing phase follows the denaturing phase. During the annealing phase, complementary sequences have an opportunity to hybridize, so an appropriate temperature is used that is based on the calculated melting temperature (Tm) of the primers (typically 5 °C below the Tm of the primer). During the annealing phase the primers and probes anneal to specific complementary sequences on either of the single strands. The primers attach to specific sites of the DNA, identifying a start location for the polymerase; the probes anneal to a site downstream of the primers. The probes may be utilized to identify a marker (e.g., gene, phenotype, microsatellite sequence, SNP) of interest.

Following the annealing phase, the reaction undergoes an extension/replication phase in which the single strands of DNA are replicated. The extension/replication phase adjusts the temperature to 70–72 °C, where the activity of the DNA polymerase is optimal and primer extension occurs at rates of up to 100 bases per second. When an amplicon in real-time PCR is small, this step is often combined with the annealing step, using 60 °C as the temperature. During the replication/extension phase, the primers mark the point at which the polymerase begins adding nucleotides complementary to the template DNA, starting adjacent to the primer; as the polymerase extends through a probe's binding site it cleaves the probe, releasing the fluorescent dye/tag.

During the qPCR reaction, the instrument 104 may detect the fluorescent emissions from the fluorescent probes. The fluorescent emissions may correspond to the intensity of emitted light (fluorescence) as a function of the wavelength of the emitted light, which is used to identify specific probes. The instrument 104 records these emissions, or the lack thereof, as the results 114 of the qPCR reaction and stores this information in a reaction results database 112.

Identifying optimal reactants and reaction conditions is important in improving the reaction efficiency and, in turn, the accuracy of real-time PCR data.

In a perfect scenario, each target copy in a PCR reaction will be copied at each cycle, doubling the number of full-length target molecules: this corresponds to 100% amplification efficiency. Variations in efficiency will be amplified as thermal cycling progresses. Thus, any deviation from 100% efficiency can result in potentially erroneous data.
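To make the compounding concrete, here is an added Python example (not part of the original page and not any instrument's software) that simulates a dilution series at a chosen per-cycle efficiency, fits the standard curve of Ct against log10(input) to recover that efficiency with E = 10^(-1/slope) - 1, checks it against the 90–110 % window the page cites later in the primer-dimer discussion, and shows how a shortfall per cycle grows into a fold error in the reported copy number. The detection threshold of 10^9 copies, the dilution series and the efficiencies are assumed values chosen for the illustration.

```python
import math

# Constructed example: a serial dilution of a known template, the Ct values an
# instrument would report at a given true per-cycle efficiency, and the
# standard-curve fit used to recover that efficiency. All numbers are assumed.

def copies_after(n0, efficiency, cycles):
    """Template copies after `cycles` cycles; each cycle multiplies by (1 + efficiency).
    efficiency = 1.0 is the ideal doubling the text calls 100 % efficiency."""
    return n0 * (1.0 + efficiency) ** cycles

def cycle_threshold(n0, efficiency, threshold_copies):
    """Fractional cycle at which the product first reaches the detection threshold (the Ct)."""
    return math.log(threshold_copies / n0) / math.log(1.0 + efficiency)

def fit_line(xs, ys):
    """Ordinary least-squares slope and intercept of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx

def efficiency_from_slope(slope):
    """Efficiency implied by a standard curve of Ct vs log10(input): E = 10^(-1/slope) - 1.
    A slope of about -3.32 corresponds to perfect doubling."""
    return 10.0 ** (-1.0 / slope) - 1.0

def in_acceptable_range(efficiency, low=0.90, high=1.10):
    """The 90-110 % window commonly used to accept an assay."""
    return low <= efficiency <= high

def recover_efficiency(true_efficiency, threshold_copies=1e9,
                       dilutions=(1e6, 1e5, 1e4, 1e3, 1e2)):
    """Simulate the dilution series, fit the standard curve and return (slope, efficiency)."""
    log_inputs = [math.log10(q) for q in dilutions]
    cts = [cycle_threshold(q, true_efficiency, threshold_copies) for q in dilutions]
    slope, _ = fit_line(log_inputs, cts)
    return slope, efficiency_from_slope(slope)

def quantification_bias(true_efficiency, assumed_efficiency, ct):
    """Ratio of estimated to true starting copies when a sample that really amplified at
    `true_efficiency` is quantified assuming `assumed_efficiency`:
    ((1 + true) / (1 + assumed)) ** Ct. This is the compounding the text warns about:
    a 10 % shortfall per cycle is not a 10 % error in the answer."""
    return ((1.0 + true_efficiency) / (1.0 + assumed_efficiency)) ** ct

if __name__ == "__main__":
    slope, eff = recover_efficiency(0.95)
    print(f"slope {slope:.3f}  efficiency {eff:.1%}  acceptable: {in_acceptable_range(eff)}")
    print(f"90 % reaction quantified as if 100 %, Ct 30: "
          f"{quantification_bias(0.90, 1.0, 30):.2f}x of the true copy number")
```

The standard-curve slope is the quantity an analyst actually sees; the simulation is only there to show that the formula inverts it correctly. The last function is the practical point: at Ct 30 a reaction running at 90 % efficiency that is quantified as if it doubled every cycle reports roughly one fifth of the true input, which is why the guidelines that follow are about keeping efficiency near 100 % rather than merely measuring it.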

One way to minimize efficiency bias is to amplify relatively short targets. Amplifying a 100 basepair (bp) region is much more likely to result in complete synthesis in a given cycle than, say, amplifying a 1,200 bp target. For this reason, real-time PCR target lengths are generally 60–200 bp. In addition, shorter amplicons are less affected by variations in template integrity. If nucleic acid samples are slightly degraded and the target sequence is long, upstream and downstream primers will be less likely to find their complementary sequence in the same DNA fragment.

Amplicon GC content and secondary structure can be another cause of data inaccuracy. Less-than-perfect target doubling at each cycle is more likely to occur if secondary structure obstructs the path of the DNA polymerase. Ideally, primers should be designed to anneal with, and to amplify, a region of medium (50%) GC content with no significant GC stretches. For amplifying cDNA, it is best to locate amplicons near the 3ʹ ends of transcripts. If RNA secondary structure prohibits full-length cDNA synthesis in a percentage of the transcripts, these amplicons are less likely to be impacted.

Target specificity is another important factor in data accuracy. When designing real-time PCR primers, check primers to be sure that their binding sites are unique in the genome. This reduces the possibility that the primers could amplify similar sequences elsewhere in the sample genome. Primer design software programs automate the process of screening target sequences against the originating genome and masking homologous areas, thus eliminating primer designs in these locations.

Genomic DNA (gDNA), pseudogenes, and allelic variants need to be factored in when considering different primer and amplicon designs.

gDNA carryover in an RNA sample may be a concern when measuring gene expression levels. The gDNA may be co-amplified with the target transcripts of interest, resulting in invalid data. gDNA contamination is detected by setting up control reactions that do not contain reverse transcriptase (no-RT controls); if the Ct for the no-RT control is higher than the Ct generated by the most dilute target, it indicates that gDNA is not contributing to signal generation. However, gDNA can compromise the efficiency of the reaction due to competition for reaction components such as dNTPs and primers.

The best method for avoiding gDNA interference in real-time PCR is thoughtful primer (or primer/probe) design, which takes advantage of the introns present in gDNA that are absent in mRNA. Whenever possible, Applied Biosystems™ TaqMan™ Gene Expression Assays are designed so that the TaqMan probe spans an exon-exon boundary. Primer sets for SYBR Green dye–based detection should be designed to anneal in adjacent exons or with one of the primers spanning an exon/exon junction. When upstream and downstream PCR primers anneal within the same exon, they can amplify target from both DNA and RNA. Conversely, when primers anneal in adjacent exons, only cDNA will be amplified in most cases, because the amplicon from gDNA would include intron sequence, resulting in an amplicon that is too long to amplify efficiently in the conditions used for real-time PCR.

Pseudogenes, or silent genes, are other transcript variants to consider when designing primers. These are derivatives of existing genes that have become nonfunctional due to mutations and/or rearrangements in the promoter or gene itself. Primer design software programs can perform BLAST™ searches to avoid pseudogenes and their mRNA products.

Allelic variants are two or more unique forms of a gene that occupy the same chromosomal locus. Transcripts originating from these variants can vary by one or more mutations. Allelic variants should be considered when designing primers, depending on whether one or more variants are being studied. In addition, GC-content differences between variants may alter amplification efficiencies and generate separate peaks on a melt curve, which can be incorrectly diagnosed as off-target amplification. Alternately spliced variants should also be considered when designing primers.

Specificity, dimerization, and self-folding in primers and probes are another set of conditions that need to be accounted for when considering different primer and amplicon designs.

Primer-dimers are most often caused by an interaction between forward and reverse primers, but can also be the result of forward-forward or reverse-reverse primer annealing, or a single primer folding upon itself. Primer-dimers are of greater concern in more complex reactions such as multiplex real-time PCR. If the dimerization occurs in a staggered manner, as often is the case, some extension can occur, resulting in products that approach the size of the intended amplicon and become more abundant as cycling progresses. Typically, the lower the amount of target at the start of the PCR, the more likely primer-dimer formation will be. The positive side of this potential problem is that the interaction of primer-dimers is usually less favorable than the intended primer-template interaction, and there are many ways to minimize or eliminate this phenomenon.

The main concern with primer-dimers is that they may cause false-positive results. This is of particular concern with reactions that use DNA-binding dyes such as SYBR Green I dye. Another problem is that the resulting competition for reaction components can contribute to a reaction efficiency outside the desirable range of 90–110%. The last major concern, also related to efficiency, is that the dynamic range of the reaction may shrink, impacting reaction sensitivity. Even if signal is not generated from the primer-dimers themselves (as is the case with TaqMan Assays), efficiency and dynamic range may still be affected.

Several free software programs are available to analyze real-time PCR primer designs and determine if they will be prone to dimerize or fold upon themselves. The AutoDimer software program (authored by P.M. Vallone, National Institute of Standards and Technology, USA) is a bioinformatics tool that can analyze a full list of primers at the same time. This is especially helpful with multiplexing applications. However, while bioinformatics analysis of primer sequences can greatly minimize the risk of dimer formation, it is still necessary to monitor dimerization experimentally.

The traditional method of screening for primer-dimers is gel electrophoresis. Primer-dimers appear as diffuse, smudgy bands near the bottom of the gel. One concern with gel validation is that it is not very sensitive and therefore may be inconclusive. However, gel analysis is useful for validating data obtained from a melting/dissociation curve, which is considered the best method for detecting primer-dimers.

Melting or dissociation curves should be generated following any real-time PCR run that uses DNA-binding dyes for detection. In brief, the instrument ramps from low temperature, in which DNA is double-stranded and fluorescence is high, to high temperature, which denatures DNA and results in lower fluorescence. A sharp decrease in fluorescence will be observed at the Tm for each product generated during the PCR. The melting curve peak obtained for the no-template control can be compared to the peak obtained from the target to determine whether primer-dimers are present in the reaction.

Ideally, a single distinct peak should be observed for each reaction containing template, and no peaks should be present in the no-template controls. Smaller, broader peaks at a lower melting temperature than that of the desired amplicon and also appearing in the no-template control reactions are quite often dimers. Again, gel runs of product can often validate the size of the product corresponding to the melting peak.

There are situations in which primer-dimers are present, but they may not affect the overall accuracy of the real-time PCR assay. A common observation is that primer-dimers are present in the no-template control but do not appear in reactions containing template DNA. This is not surprising because in the absence of template, primers are much more likely to interact with each other. When template is present, primer-dimer formation is not favored.

As long as the peak seen in the no-template control is absent in the plus-template dissociation curve, primer-dimers are not an issue.
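The decision rule in the preceding paragraphs (compare the no-template control's melt peak with the peaks of the template reaction) can be applied numerically to the -dF/dT trace. The Python below is an added example and not an instrument's own analysis routine; the melt curves are constructed from sigmoids with assumed Tm values (84 °C for the amplicon, 75 °C for a broader, weaker primer-dimer peak), and the peak-height floor and the matching tolerance are assumed cut-offs.

```python
import math

# Constructed melt-curve data and a peak-finding routine. Fluorescence is modelled as
# a sum of sigmoids, one per double-stranded product, each collapsing around its Tm.

def melt_temperatures(start=60.0, stop=95.0, step=0.2):
    """Temperature grid of a melt ramp (assumed 0.2 C steps)."""
    n = int(round((stop - start) / step)) + 1
    return [round(start + i * step, 3) for i in range(n)]

def melt_curve(temps, products, baseline=0.05):
    """products: list of (tm, amplitude, width). A larger width gives a broader transition,
    which is what a heterogeneous population such as primer-dimers tends to show."""
    curve = []
    for t in temps:
        f = baseline
        for tm, amp, width in products:
            f += amp / (1.0 + math.exp((t - tm) / width))
        curve.append(f)
    return curve

def negative_derivative(temps, fluor):
    """-dF/dT by central differences (one-sided at the ends); melting shows up as a peak."""
    n = len(temps)
    out = []
    for i in range(n):
        lo, hi = max(i - 1, 0), min(i + 1, n - 1)
        out.append(-(fluor[hi] - fluor[lo]) / (temps[hi] - temps[lo]))
    return out

def find_peaks(temps, fluor, min_fraction=0.10):
    """Local maxima of -dF/dT that reach at least `min_fraction` of the tallest peak.
    Returns [(Tm, height)] in order of increasing temperature."""
    d = negative_derivative(temps, fluor)
    floor = min_fraction * max(d)
    peaks = []
    for i in range(1, len(d) - 1):
        if d[i] >= floor and d[i] > d[i - 1] and d[i] >= d[i + 1]:
            peaks.append((round(temps[i], 1), d[i]))
    return peaks

def compare_with_ntc(template_peaks, ntc_peaks, tolerance=1.0):
    """The page's rule: a template peak that matches an NTC peak (within `tolerance` C) is a
    primer-dimer or other non-specific product; a clean assay has exactly one specific peak
    and nothing shared with the NTC."""
    ntc_tms = [tm for tm, _ in ntc_peaks]
    shared = [tm for tm, _ in template_peaks
              if any(abs(tm - n) <= tolerance for n in ntc_tms)]
    specific = [tm for tm, _ in template_peaks if tm not in shared]
    return {"specific": specific,
            "ntc_products_in_template": shared,
            "clean": len(specific) == 1 and not shared}

def demo():
    """Two template reactions judged against the same NTC: one with only the amplicon,
    one where the dimer seen in the NTC also survives in the presence of template."""
    temps = melt_temperatures()
    ntc = find_peaks(temps, melt_curve(temps, [(75.0, 0.3, 1.0)]))
    clean = find_peaks(temps, melt_curve(temps, [(84.0, 1.0, 0.5)]))
    dirty = find_peaks(temps, melt_curve(temps, [(84.0, 1.0, 0.5), (75.0, 0.3, 1.0)]))
    return compare_with_ntc(clean, ntc), compare_with_ntc(dirty, ntc)

if __name__ == "__main__":
    ok, bad = demo()
    print("template only:   ", ok)
    print("template + dimer:", bad)
```

Real traces carry noise, so in practice the derivative is smoothed (or the instrument's own peak calls are used) before this comparison; the comparison itself, one specific peak in the template reaction and no peak in common with the no-template control, is what the text asks for.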

Primer-dimers are part of a broad category of nonspecific PCR products that includes amplicons created when a primer anneals to an unexpected location with an imperfect match. Amplification of nonspecific products is of concern because they can contribute to fluorescence, which in turn artificially shifts the Ct of the reaction. They can influence reaction efficiency through competition for reaction components, resulting in a decreased dynamic range and decreased data accuracy. Nonspecific products are an even greater concern in absolute quantification assays, in which precise copy numbers are reported.

Standard gel electrophoresis is generally the first step in any analysis of real-time PCR specificity. While it can help to identify products that differ in size from a target amplicon, a band may still mask similar-sized amplicons and have limited sensitivity. Due to its accuracy and sensitivity, melting curve analysis provides the most confidence in confirming gel electrophoretic assessment of primer specificity.

While nonspecific amplification should always be eliminated when possible, there are some cases in which the presence of these secondary products is not a major concern. For example, if alternate isoforms or multiple alleles that differ in GC content are knowingly targeted, multiple products are expected.

When considering the design of primers, the following software options may be useful: Applied Biosystems™ Primer Express™ Software, the Invitrogen™ OligoPerfect™ Designer web-based tool, and Invitrogen™ Vector NTI™ Software.

These programs can automatically design primers for specific genes or target sequences using algorithms that incorporate the following guidelines and can also perform genome-wide BLAST searches for known sequence homologies.

• In general, design primers that are 18–28 nucleotides in length

• Avoid stretches of repeated nucleotides

• Aim for 50% GC content, which helps to prevent mismatch stabilization

• Choose primers that have compatible Tm values (within 1°C of each other)

• Avoid sequence complementarity between all primers employed in an assay and within each primer

These considerations may be important to improve the efficiency of the system, but may require additional analysis of the initial conditions and quantities 124 in comparison with the reaction results 114 of a plurality of similar reaction sets to identify and predict changes that improve the efficiency of other PCR reactions.
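The guideline list above can be turned into a mechanical check that runs before a primer set is ordered. The following Python is an added example, not the output of Primer Express™ or any of the tools named above; the numeric cut-offs it uses (40–60 % GC, homopolymer runs over four bases, complementary stretches over four bases) and its Tm estimate are assumptions for the illustration, and the primer sequences are constructed, not taken from any assay.

```python
from itertools import groupby

# Constructed checker for the primer guidelines (assumed thresholds, not a design
# program's rules). Sequences are written 5'->3' in uppercase A/C/G/T.

_COMPLEMENT = str.maketrans("ACGT", "TGCA")

def reverse_complement(seq):
    return seq.translate(_COMPLEMENT)[::-1]

def gc_fraction(seq):
    return sum(seq.count(b) for b in "GC") / len(seq)

def melting_temp(seq):
    """Rough Tm estimate (assumption: Wallace rule under 14 nt, otherwise the common
    64.9 + 41 * (GC - 16.4) / N formula). Only the difference between primers matters here."""
    n = len(seq)
    gc = sum(seq.count(b) for b in "GC")
    if n < 14:
        return 2.0 * (n - gc) + 4.0 * gc
    return 64.9 + 41.0 * (gc - 16.4) / n

def longest_homopolymer(seq):
    """Length of the longest run of one repeated nucleotide."""
    return max(len(list(run)) for _, run in groupby(seq))

def longest_complementary_run(a, b):
    """Longest stretch of `a` that can pair antiparallel with `b`: the longest substring
    shared by `a` and the reverse complement of `b`. With a == b this measures
    self-complementarity (hairpins and self-dimers)."""
    target = reverse_complement(b)
    best = 0
    for i in range(len(a)):
        for j in range(len(target)):
            k = 0
            while i + k < len(a) and j + k < len(target) and a[i + k] == target[j + k]:
                k += 1
            best = max(best, k)
    return best

def check_primer(seq, max_run=4, max_self_pair=4):
    """Return the list of guideline violations; an empty list means the primer passes."""
    problems = []
    n = len(seq)
    if not 18 <= n <= 28:
        problems.append(f"length {n} nt outside 18-28")
    gc = gc_fraction(seq)
    if not 0.40 <= gc <= 0.60:
        problems.append(f"GC content {gc:.0%} far from 50%")
    run = longest_homopolymer(seq)
    if run > max_run:
        problems.append(f"homopolymer run of {run} nt")
    pair = longest_complementary_run(seq, seq)
    if pair > max_self_pair:
        problems.append(f"self-complementary stretch of {pair} nt")
    return problems

def check_pair(forward, reverse, max_tm_diff=1.0, max_cross_pair=4):
    """Per-primer checks plus the pair-level rules: matched Tm and no cross-complementarity."""
    problems = [f"forward: {p}" for p in check_primer(forward)]
    problems += [f"reverse: {p}" for p in check_primer(reverse)]
    tm_diff = abs(melting_temp(forward) - melting_temp(reverse))
    if tm_diff > max_tm_diff:
        problems.append(f"Tm values differ by {tm_diff:.1f} C")
    cross = longest_complementary_run(forward, reverse)
    if cross > max_cross_pair:
        problems.append(f"forward/reverse complementary stretch of {cross} nt")
    return problems

if __name__ == "__main__":
    # Constructed sequences, not from any published assay.
    print(check_pair("GCAGGAAGACAGGAGTGAAG", "CAGTGGAAGAGGCAGAAGGA"))
    print(check_primer("GAATTCGAATTCGAATTC"))   # palindrome: fails GC and self-pairing
```

The complementarity test is deliberately crude (any contiguous match, anywhere in the primer); design software weights matches at the 3' end more heavily, because that is where extension starts, and uses nearest-neighbour thermodynamics for Tm. What this check does show is that the guidelines are all decidable from the sequence alone, so they can gate an order before the experimental dimer screening described above.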

Brief Description:

illustrates an item 200 in accordance with one embodiment.

Detailed Description:

Parts List

100

reaction system

102

reaction vessel

104

instrument

106

reagent(s)

108

temperature

110

initial reaction condition database

112

reaction results database

114

results

116

reaction site

118

sample

120

pressure

122

quantities

124

initial conditions and quantities

200

item


Terms/Definitions

Remedial Action Against Malicious Code at a Client Facility


Drawings

Brief Description:

illustrates an item 100 (deleted) in accordance with one embodiment.

Detailed Description:

Parts List

102

client facility

104

gateway facility

106

network

108

security facility

110

network control facility

112

application

114

116

database

118

policy facility

120

remedial action facility

122

network access control

124

network access rules

126

server

128

laptop computer

130

smart device


Terms/Definitions

IDE files

reported information

supplemental file

threat notice

block list

commands, definitions, or instructions

associated malicious code files

plurality

established rules

network resources

rules or policies

network access locations

desktop computer

user type

gateway facility

known malicious code

computing device

test file

particular enterprise

firmware

intranet

communication

combination

most recent malicious code definitions

applications and files

same network location

second embodiment

update

all the rules

resides

streaming file

certain types

block

one network

actions

protection

level

preparedness

client computer facility

planned update

network

same network

new IDE file

desired network location

action upon

rules

web browser

user request

successful network access request

interpretation

network control facility

user network access request

recording facility

at least one command

demand basis

updated rules

remedial action request architecture

data file and command file

data file

policy facility

malicious file

rules provider

computer facility

IDE management facility

network computing device

allowed list

command

other activities

external network

control

malicious application

access databases

received malicious code alert

network site reputation database

remedial action facility

generic rule

black list

set time period

streaming file or portions

update facility

attempt

network access port

denied network access

other client computing facilities

acceptable network site database

at least one instruction

organization hierarchy

tablet computer

security management facility

database

testing facility

file information

network access capability

result

type

IDE management

hardware

unacceptable network site database

network access rules management facility

generic set

legitimate application

virus identities

requested network site

instant messenger access

streaming files

network access device

action

malicious code

ability

blocks

overall security

gateway

certain applications and files

malicious applications

denied network location

streaming file management

access rights

at least part

parsed instructions

list

parsed data

commands

policy database

access rules

example

outgoing files

stored streaming file

additional actions

requested access

periodic basis

new updates

network access requests

white list

direct control

application access request

capability

IDE information

network access rules

known malicious code information

testing information

malicious code scan

computing facility

number

security configurations

at least one protocol

network access

able discover malicious code

rapid updating

updating

location

network locations

computer facilities

malicious code infected

corrective action

instructions

enterprise wide access rules

management

fixed periodic basis

enterprise rules

management facility

access request denial

external networks

address information

network accesses

test management facility

subset

rule evaluation

received information

application

requested network location

rules data base

reaction

external computing facilities

text file

client computing facilities

allow list

policy

website

user

laptop computer

enterprise’s

data

internet

access request

resident network

sporting website

only the personnel

adequate protection

document application or document file

individual client computing facility

transmitted

updates

peer-to-peer access request

scanning files or applications

outgoing file

other network locations

distribution system

additional attempts

connectivity

new malicious code

existing IDE file

reporting facility

files

Peer-to-Peer network

automatic and manual methods

network location

checking streaming files

malicious application network access

IDE file

security management

wireless network

other computer facilities

various aspects

access rights and permissions

remedial actions

system administrator’s

distribution

incoming files

test files

entire enterprise

other rule evaluation method

network access rules management

blocked access

demand

malicious code descriptions

request

regular expression rule evaluation

virus description language

predefined rule sets

defense

rule

software, hardware

continual updating

IDE provider

access control

steps

protocol

software file

access

auto-requested network request

application capabilities

computer facility type

network access request

wired network

first command

external client computing facilities

requested website

FTP access

databases

only support personnel

bandwidth

threats

malicious application information

denied network access request

parsed information

isolation

requested network site interaction

altered malicious code

additional malicious code

continual defense

other security measures

outcome

IDE definitions

determination

policy management facility

command file

alert

more than one command

information file

firmware application

network administrator

other client computing facilities and networks

smart phone computing device

external computer devices

second network location

sporting websites

quarantine

support

second level

network access control

databases and access rules

client facility

applications

similar manner

deny access rules

enterprise

network access policies

websites

identified application

incoming file

information

definitions

contents

certain actions

alert basis

networks

different network locations

predefined rules

external computing facility

known or potential malicious code

search

source

embodiment

possibility

timely updates

data or commands

malicious code information

departments

file

facilities

more than one level

software application

customers

virus identity file

first embodiment

various actions

computing facilities

internal client computing facility

other networks

smart device

command or command file

security facility

sending

denied network application request

indication

handheld computer

rules evaluation

IM activity

application type

defined access rules

source application

client computing facility

known malicious code file

network access permissions

server

acceptability

policies

work

facility

different access location

second command

information store

executing applications

associated client facilities

rules evaluation request

embodiments

testing

malicious application protection

denied access

provider

scanning

system administrator

databases and text files

remedial action architecture

latest malicious code

client computer facilities

file or application