Flexibly configurable data modification services

Description

BACKGROUND

Large amounts of network data are generated and consumed in the course of modern electronic communication. Such data are often transmitted to and/or received from entities outside of the influence or control of customers, both at an enterprise level and at a granular and/or personal level. Such entities may require formatting, censorship, compliance or other requirements for incoming and outgoing data. However, the number of manifestations and combinations of such data requirements is nearly infinite, and it can be difficult to configure systems to modify, format, or otherwise alter data to meet such widely disparate sets of requirements. Additionally, such requirements may change on short notice, and necessary reconfiguration to meet the changed requirements can be burdensome.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present disclosure will be described with reference to the drawings, in which:

FIG. 1 shows an illustrative example of an environment for a flexibly configurable data alteration service in accordance with at least one embodiment;

FIG. 2 shows an illustrative example of an environment having a flexibly configurable data alteration service in accordance with at least one embodiment;

FIG. 3 shows an illustrative example of an interface for configuring and/or requisitioning data modification rules in accordance with at least one embodiment;

FIG. 4 shows an illustrative example of a process for modifying network traffic in accordance with at least one embodiment;

FIG. 5 shows an illustrative example of a process for implementing data modification rules in accordance with at least one embodiment; and

FIG. 6 illustrates an environment in which various embodiments can be implemented.

DETAILED DESCRIPTION

In the following description, various embodiments will be described. For purposes of explanation, specific configurations and details are set forth in order to provide a thorough understanding of the embodiments. However, it will also be apparent to one skilled in the art that the embodiments may be practiced without the specific details. Furthermore, well-known features may be omitted or simplified in order not to obscure the embodiment being described.

Techniques described and suggested herein include systems and methods for implementing a customer-configurable packet mangler or other data alteration service in and/or using a distributed computing system. In particular, a customer may specify certain rules by which various types of data, inbound and/or outbound from customer devices, may be modified, upon which various components of the distributed computing system are utilized to implement the rules, e.g., using packet mangling techniques. For example, the customer may specify that outbound data to specific external device types or locales must conform to a customer-provided specification (e.g., for regulatory compliance and/or performance optimization), upon which the distributed computing system determines the necessary alterations and data patterns (or other markers) to which they apply. Thereafter, in the example given, the implementation may include redirection of some or all of the network traffic between the customer and the external device in question to a component of the distributed computing system. Upon processing in the determined manner, the redirected data is thereupon relayed to the original destination. As will be contemplated, a similar process may be utilized for inbound network traffic.

In another example, the data alteration service may be effective to modify data transiting between two virtualized instances of the distributed computing system, one of which is controlled by a customer requesting the service, while the other is controlled by a different customer. A separate virtualized instance of the distributed computing system may be invoked to implement the customer-requested rules, or in some embodiments, the same instance from whence (or to which) the data desired to be modified may perform the actual modification, e.g., in a quarantine or “sandbox.” It is contemplated that data transiting to or from any device or component controlled by a service-requesting customer, whether physical, virtual, aggregated or otherwise, to a device not under control by the customer (without regard to its nature), may be subject to packet mangling by the service. The service may, in some embodiments, be granularly controllable based on a number of criteria, including customer or external device type, geographic location, and the like.

An example implementation of such a data alteration service may include the generation of one or more policies that apply to some or all components involved in a given data transaction type. The policies, in some embodiments, are generated by the distributed computing system upon receipt of customer-defined rules, and may take into account data type, connected device type, customer characteristics, network topology, or any other characteristics relevant to the generation of an effective policy. Such policies, when broadcasted to the relevant devices, can ensure that all controlled devices (or a desired subset thereof) act to implement the associated customer-defined rules in a unified, predictable fashion. In embodiments where a customer controls a significant plurality of devices at varying levels of abstraction and/or access, such policies may also ensure that, e.g., mission-critical or strict rules take effect across all affected devices.

FIG. 1 illustrates an example environment 100 that implements a data alteration service. One or more customer devices 102 connect, via data connection 104, to distributed computing system 106. The distributed computing system connects via public network connection 108 to one or more public network entities 110. The one or more customer devices may have a public network connection 112 to the public network, as illustrated. Customer devices may include datacenters, mainframes, individual computing devices, distributed computing environments, or other devices or groups of devices capable of communicating to other devices, such as the distributed computing system described herein, via data connections. In some embodiments, the customer device may consist of one or more servers 114 or other resources. As may be contemplated, such servers or similar resources may be networked and configured to support a distributed computing system. For example, a customer, such as an enterprise customer, may have a datacenter comprising multiple servers, some or all of which are interconnected via network connections. Customer devices, and devices in general, may include devices and/or resources of the distributed computing system, such as the resources 118 described below. The datacenter or constituents thereof may nominally connect to a public network, such as the Internet, via a public network connection (e.g., the public network connection 112 as illustrated). However, the customer device (e.g., datacenter) may require one or more data transformations to be effected upon traffic transiting across a boundary of the customer's control or influence. The customer device may wish to exert a given transformation regime upon traffic that is inbound from external devices (e.g., those which are outside of the customer's influence or control), or outbound from authorized resources, such as the constituent nodes 114 of customer device 102, to such external devices. In some embodiments, to transform transiting data in a manner prescribed by a customer or customer device, the customer or customer device may avail of a data modification service provided by the distributed computing system 106 in a manner herein described in further detail.

In some embodiments, the distributed computing system 106 consists of a plurality of networked computing resources 116, such as storage devices, servers, processors, network equipment, and the like. The networked computing resources are abstracted and/or grouped into virtualized or grouped resources 118 that consist of any portion or number of underlying networked computing resources, which in some embodiments includes physical hardware. For example, the virtualized or grouped resources may include guest operating systems that run in virtual machines enabled by a hypervisor with direct access to the hardware (e.g., a bare metal hypervisor). As another example, such virtualized or grouped resources may include relational databases, data storage and archival services and/or devices, distributed computing services and/or devices, or any level of abstraction thereof (e.g., physical machines, virtual machines, instances, and the like). Such virtualized resources may, in some embodiments, be exposed to a plurality of connecting customers, such as the customer or customer device described above. In some embodiments, the underlying networked computing resources from which the virtualized resources are derived are obfuscated to connecting customers. In some embodiments, the distributed computing system is capable of supporting a plurality of customers simultaneously connecting to the virtualized resources.

In some embodiments, such a distributed computing system may support the provision, using a virtualized resource, of a data modification service upon request of a customer. Such a request may be propagated by a customer, a customer device, or any constituent thereof by programmatic, graphical, automatic and/or manual invocation. For example, a customer may request the service via an application programming interface (API) or user interface (UI) provided by a provider of the distributed computing system and/or service provider. In some embodiments, rules may be provided by the customer as part of the service request, and/or separately from such a request, and in certain embodiments may be provided by the customer via a similar interface (e.g., an API or UI). The rules may be defined in any manner that the service and/or system is configured to receive. For example, rules may be formed using relational database queries such as structured query language (SQL) queries, artificial intelligence language and/or predicate logic notation, natural language, specialized languages developed specifically for the service, and the like. In some embodiments, the rules specify, to varying levels of granularity, desired alterations to transiting data, and may also specify the characteristics of devices or network traffic to which such alterations should apply.

In some embodiments, as previously mentioned, the rules are implemented by the service to apply to traffic transiting across a boundary of customer control or influence, e.g., between devices authorized by or for access by a customer and external devices without such authorization. In the illustrated example, a customer is authorized to access the constituents of customer device 102 (and vice versa), while devices 110 across the public network and external to that of a customer or customer device lie beyond a boundary that lies in between. It is contemplated that, in some embodiments, such authorized devices may connect with customer assets across a public network (and thus not necessarily co-located with other customer devices), but still be included as an authorized device due to implemented trust mechanisms, e.g., by encrypting the public network connection using a virtual private network or similar securing mechanism. It will be appreciated that, as previously mentioned, such devices may include virtual resources such as those of distributed computing system 106.

In some embodiments, the service uses the virtualized instance to determine, by at least processing the received rules, a policy that is thereupon propagated to some or all authorized and/or customer devices. Such a policy may, for example, be provided to various devices as part of regularly scheduled maintenance, via a policy push by a system management system, upon association and/or connection with a different customer device (e.g., upon establishing a VPN connection), and/or manually. The policy, in some embodiments, includes instructions that, when implemented, causes the affected device to retrieve and/or redirect all or some data or network traffic that would otherwise be directed via a direct network connection (e.g., the public network connection 112) to the virtualized resource of the distributed computing system that provides the service. In some embodiments, multiple policies may be generated and propagated, for example, to address different alteration schemes, device types, and/or scenarios. In alternate embodiments, a single policy addresses all specified rules. The policy may, in some embodiments, be determined from the rules by considering the characteristics of the devices involved, the nature of the data, the volume and/or resources of the distributed computing system that are required to implement the rules, and other factors.

Upon implementation of the policy across some or all devices, it will be appreciated that a portion of data transiting across the aforementioned boundary will instead be routed through the distributed computing system implementing the service, in particular the virtualized instance. Such redirected data is processed, in some embodiments, by the virtualized instance according to the received rules. The virtualized resource may configure the data in one of a large plurality of ways, including packet mangling techniques to achieve the effects specified by the rules. As the rules are customer-specified, the data may be configured for a large number of applications. Some examples include rules that enable anonymous browsing or access to external devices (e.g., by stripping cookies, user agents or other personally identifiable information within the data stream), transparent language translation, restriction or redirection of traffic according to defined quotas, code sanitization (e.g., processing transiting code to comply with industry standards), watermarking of images, data compression (either lossless or lossy), UTF-8 inbound canonicalization, differentiation of transmitted and/or received data based on geographic location(s) of one or more of the customer devices or external devices, caching and/or de-duplication (e.g., to improve performance and/or throughput), government or regulatory compliance (e.g., PCI DSS, destination-dependent government data import/export requirements, obscenity and/or morality filters, insertion of third party certifications and the like), content filtering (e.g., with respect to a set of published signatures), distributed denial of service (DDoS) mitigation (e.g., rules may be written, generated and/or implemented in accordance with a given volume of traffic), security filtering and pattern-based vulnerability mitigation (e.g., protection from SQL injection), selective filtering of network traffic (e.g., filtering traffic in one direction of a given data stream based at least in part on content previously received in the opposing direction, such as an automated cross-site scripting (XSS) mitigation scheme that detects and filters hypertext markup language (HTML) code in outbound traffic that matches content in an associated inbound request) and many other transformative cases. In some embodiments, the rules may be operable to cause certain actions to occur within the customer environment, e.g., upon at least a subset of customer devices. Such actions may include tripping of warnings or alarms, propagation of notifications, augmentation of data streams within the customer environment, quarantining or termination of unresponsive or otherwise malfunctioning customer devices, modification of the rules themselves, and many other types of actions. As will be appreciated, rules, and thus the associated data modification, may include both the restriction and augmentation of flowing data, depending on the nature of the rules. In embodiments where multiple rules are specified, duplicate and/or overlapping rules may be combined in order to save resources, improve latency and decrease processing time and/or cost.

In some embodiments, the rules may be operable to cause a distributed computing system or customer environment to recognize that multiple subsets of resources thereof are capable of processing data according to the rules. In some of such embodiments, a first subset of resources applies a first transformation to data according to the implemented rules. Additionally, a second (or greater) subset of resources applies a second (or greater) transformation to the data in accordance with the rules. The data may flow to the disparate subsets of resources in parallel, in sequence, or in some combination thereof. In some embodiments, the second (or greater) transformation may include injecting an additional executable instruction into the data stream, or possibly installing another (or the same) rule to be implemented by the second (or greater) subset of resources. In some embodiments, the second (or greater) subset of resources caches a portion of the data transiting it in accordance with the implemented rule, and the first subset of resources is configured to deduplicate the cached data, such as by replacing data in the data stream with the corresponding data cached by the second resources. In some embodiments, the first subset of resources replaces at least some of the transferred and/or cached data, such as data cached by the second or greater subset of resources, with cache identifiers, placeholders, or pointers indicating that such data has been cached. In some embodiments, the second or greater subset of resources inverts the transformation effected by the first subset of resources, e.g., by re-inserting at least some of the data replaced by cache identifiers and the like. In such embodiments, the inversion of the transformation may be triggered by, or at least influenced by, characteristics of the received data in the data stream and/or in the cache. Such techniques, as may be utilized in a wide area network (WAN) optimization scheme or other bandwidth optimization and/or caching scheme, may be transparently or specifically implemented in order to decrease network traffic, decrease latency, and improve performance of applications requiring data to transit high-cost and/or capacity limited uplinks, including, for example, cellular or wireless data networks. Such techniques may also decrease traffic, latency, etc. from poorly implemented software or hardware solutions that fail to cache data independently.

Costs incurred to process the rules (e.g., by resource usage, per implemented rule, and/or by data volume and/or network traffic processed), including generation and propagation of the associated policy, may be tracked in a manner that allows the requesting customer to be billed for such usage. In such embodiments, accounting records may be updated, and in some embodiments, when an existing allocation or virtual resource under control of the customer is used to implement the service, such records and tracked usage may be used to adjust the amount charged to the customer for the virtual resource or allocation already in their possession. Other metrics may be tracked, such as those associated with traffic matching an implemented or unimplemented rule or set of rules. Such metrics may be exposed to the customer, a managed data transformation provider, and/or the distributed computing resource provider (e.g., to be used internally to improve efficiency of operations thereof).

FIG. 2 illustrates an example distributed computing environment 200 having a distributed computing system 202, which in some embodiments may include the distributed computing system 106 of FIG. 1, and implementing a data alteration service. In the example illustrated, the distributed computing system includes virtualized customer resources 204, 206, e.g., instances, which in some embodiments may be similar to the virtual resources 118 described in connection with FIG. 1, and may in some embodiments also be customer devices 102 or components thereof 114, also as described in connection with FIG. 1. The physical resources from which the virtual resource is abstracted is intentionally omitted in the illustration in order to emphasize the obfuscation of such physical resources from, e.g., customers. The virtualized customer resources may be networked together, and in some embodiments, may be segregated from other virtualized resources of the same distributed computing system. In some embodiments, the virtualized customer resources may be connected via a virtual private network (VPN) connection to other customer devices, e.g., the customer device 102 or constituents 114 described in connection with FIG. 1.

Data transiting across customer boundary 208 may, in whole or part as defined by customer rules or policies (e.g., the customer rules and policies described in connection with FIG. 1), be processed in a similar manner as described in connection with FIG. 1, e.g., using a virtualized resource 210. In the illustrated example, the customer boundary traverses between virtualized resources under control of the customer 204, 206 and other virtualized resources 214 of the same distributed computing system 202. The virtualized resource performing the data processing 210 may, as alluded to above, be a separate virtualized resource from that of a customer, may be bound to or otherwise associated with a customer, or may in some embodiments be an existing virtualized resource that is already associated with a customer. The data processing itself may occur on a portion of data redirected to the virtualized resource, as described in connection with FIG. 1, or the implementing virtualized resource may, based on the rules and/or policies previously described, detect in situ that data flowing through pre-existing mechanisms should be processed without the need for such redirection. In some embodiments, a combination of the approaches may be employed. For example, rules and/or derived policies may specify that data directed to, or originating from, certain devices or device types should be altered in a prescribed way. In such embodiments, the implementing virtualized resource may only redirect and/or process the subset of data to which the rules would apply, based, e.g., upon information received from listeners, connected devices, predictive mechanisms such as data pattern recognition, and the like. Such processing may apply to any set of data crossing the aforementioned boundary, e.g., via data connection 212 to the virtual resource 214, or, in some embodiments, to external device 220, e.g., Web hosts or application servers, outside of the distributed computing system via network connection 216 to external networks 218 (such as the Internet and/or to other distributed computing systems).

Although the virtualized resource performing the data processing is illustrated as straddling the customer boundary, such location is meant to be merely illustrative. Such a resource may, by virtue of being virtualized, be associated with physical resources located anywhere along, e.g., a network topology, and not necessarily on an external edge of such a topology. Additionally, the illustrated customer boundary is conceptual in nature, and does not necessarily require an implemented barrier, such as a firewall. For example, virtualized resources outside the control of the customer requesting the services (e.g., virtualized resource 214) may, in some embodiments, be under control of a different customer of the distributed computing system. A policy, such as the policy described in connection with FIG. 1, may, in some embodiments, be pushed out to precisely the set of resources under a given customer's control, and not to resources outside of said customer's control (e.g., even those springing from or associated with the same system, such as the virtualized resource 214, and not otherwise segregated from one another). However, the customer boundary may, in some embodiments, defined at least in part by other well-known techniques used for segregating certain resources, either virtual or physical, from one another. In some embodiments, the boundary itself is configurable, e.g., by a customer, a third party such as a managed data transformation provider, and/or by the distributed computing system. Managed data transformation providers include any provider of data-related services that use data transformation techniques, including but not limited to any of those described in connection with FIG. 1. Such managed data transformation providers may, in some embodiments, also request rules for implementation, e.g., on behalf of a customer requesting the aforementioned data transformation services as may be provided by managed data transformation providers. In embodiments where managed data transformation providers provide rules, services, boundaries and the like, such rules, services and boundaries may be associated with a defined pricing structure (e.g., per rule selected, implementing resource used, and/or data amount processed) wherein associated costs for such managed data transformation providers accrue to the customer's account, rather than that of the managed data transformation provider. In such embodiments, an additional rule may be implemented (e.g., by the managed data transformation provider and/or the distributed computing system) to redirect payments, upon remittal from the customer, to the managed data transformation provider.

FIG. 3 illustrates an example user interface (UI) 300 for selecting and defining rules. As previously mentioned in connection with at least FIG. 1, a customer may define rules and provide them to, e.g., the provider of the implementing distributed computing system or the data modification service, by a number of techniques. Such techniques, as previously alluded to, include submission and configuration using an application programming interface (API) or a user interface (UI). In some embodiments, the UI may be provided by the provider of the service, in some embodiments also the provider of the implementing distributed computing system, and presented to a requesting customer at the time of requisitioning. Such requisitioning may be specific to the service, or may be integrated into the requisitioning process for other products and services provided by the distributed computing system provider or the service provider.

An illustrated example UI 300 is shown. The UI may be used for initial requisitioning, configuration after initial requisitioning, or both. The rule selection portion 302 allows a customer to select among predetermined rule sets 304 or define a customer rule set 306. The predetermined rule sets may be preconfigured for ease of selecting common data transformation regimes and applications, including those examples provided above in connection with FIG. 1. The custom rule set, as previously mentioned in connection with at least FIG. 1, may be defined in any manner prescribed by the service provider and for which the underlying distributed computing system or implementing virtual instance is configured to receive. Such defined custom rule sets may be preserved for ease of future access, e.g., by being presented as a different “predetermined” rule set for selection upon subsequent visits to the UI.

In the example given, a device type restriction portion 308 is also shown. From this portion of the UI, the customer may select among predetermined device types 310 to which one or more selected rule sets 312 may apply. Such device types may be separate using any appropriate criteria. For example, one device type may include mobile devices, while another may include virtualized instances. Each selected device type may be subject to any number of rule sets selected in the rule selection portion described above. Additionally, the customer may define a custom device type 314 in a fashion similar to that of a custom rule set, also as described above. Such additional device types may be displayed in a dropdown, e.g., of all other device types known to the system, or defined manually. Upon completing selection, the customer's selections are passed to the implementing entity, e.g., the virtualized resource, for implementation, reconfiguration, and/or further processing.

FIG. 4 illustrates an example process 400 for implementing customer-defined rules across resources of a distributed computing system, in accordance with at least one embodiment. Some or all of the process 400 (or any other processes described herein, or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) executing collectively on one or more processors, by hardware, or combinations thereof. The code may be stored on a computer-readable storage medium, for example, in the form of a computer program comprising a plurality of instructions executable by one or more processors. The computer-readable storage medium may be non-transitory.

In some embodiments, such as those shown and described in connection with FIGS. 1 and 2, a data alteration service provider or associated distributed computing system (e.g., the distributed computing system 106) receives customer-defined rules and/or a customer's specification of desired effect(s) upon transiting data 402. As previously described, such rules may be received using a number of techniques, such as the UI shown and described in connection with FIG. 3. The system or provider thereupon generates a policy from the received rules 404, using, e.g., a virtualized instance 118, 210 of the distributed computing system. At a time after generating the policy, the policy is distributed to some or all customer devices 406, e.g., on the customer side of a customer boundary 208. Such distribution may be effected using a number of techniques, including those previously described in connection with at least FIGS. 1 and 2 (e.g., using system management techniques or login scripts). The policy may, in some embodiments, cause the affected customer devices to retrieve and redirect data transiting across the boundary to the entity employed to perform the data transformations specified by the rules 408. As previously discussed, the entity may be a virtualized resource or instance of a distributed computing system. Once the entity has access to the target data, the cross-boundary data is then processed 410 using, e.g., packet mangling techniques, in order to implement the rules. Although packet mangling has been provided as an example of such techniques, other transformation techniques, including those described in connection with at least FIG. 1, may be employed.

FIG. 5 illustrates an example process 500 for altering data in accordance with customer-defined rules, in accordance with at least one embodiment. As will be contemplated, example process 500 may incorporate, or be incorporated in, some or all aspects of at least process 400. Upon receiving customer-defined rules according to various techniques, some of which are described in connection with at least FIGS. 1-4, a subset of transiting data (e.g., network traffic) is determined for processing according to the received rules 502, for example in accordance with an implemented policy described in connection with at least FIGS. 1-3 and 4. The subset of data is then processed to determine the specific data to which the received rules apply 504. Techniques used for determining the subset of data for processing are exemplified in connection with, e.g., FIG. 2. In embodiments where the rules or desired effects on transiting data (e.g., network traffic) are dependent upon or sensitive to one or more characteristics of a connecting external device to or from which the data is transiting, the characteristics of the external device, or device types, are determined 506. Applicable techniques may be employed in response to the device type restrictions described in connection with the UI of FIG. 3, and characteristics of external devices may include, for example, connection speed, connecting system type, geographic or network location, latency, and any other device characteristic supported by the service and/or specified by the customer, e.g., via an API or UI. The determined data is then processed, by techniques previously discussed in connection with at least FIGS. 1, 2, and 4, according to the applicable rules and determined device characteristics 508. The processed (e.g., augmented, compressed, destructively compressed, scrubbed, or otherwise modified) data is thereon relayed to its intended destination 510, for example a customer device 102, its constituents 114, a virtualized customer resource 204, 206, an external device 110, 220, and/or a virtualized resource 214 beyond customer boundary 208. Accounting records are optionally updated 512, for example, to reflect monetary charges to the customer and/or, e.g., processing time used, such as described in connection with at least FIG. 1.

FIG. 6 illustrates aspects of an example environment 600 for implementing aspects in accordance with various embodiments. As will be appreciated, although a Web-based environment is used for purposes of explanation, different environments may be used, as appropriate, to implement various embodiments. The environment includes an electronic client device 602, which can include any appropriate device operable to send and receive requests, messages, or information over an appropriate network 604 and convey information back to a user of the device. Examples of such client devices include personal computers, cell phones, handheld messaging devices, laptop computers, set-top boxes, personal data assistants, electronic book readers, and the like. The network can include any appropriate network, including an intranet, the Internet, a cellular network, a local area network, or any other such network, or combination thereof. Components used for such a system can depend at least in part upon the type of network and/or environment selected. Protocols and components for communicating via such a network are well known and will not be discussed herein in detail. Communication over the network can be enabled by wired or wireless connections, and combinations thereof. In this example, the network includes the Internet, as the environment includes a Web server 606 for receiving requests and serving content in response thereto, although for other networks an alternative device serving a similar purpose could be used as would be apparent to one of ordinary skill in the art.

The illustrative environment includes at least one application server 608 and a data store 610. It should be understood that there can be several application servers, layers, or other elements, processes, or components, which may be chained or otherwise configured, which can interact to perform tasks such as obtaining data from an appropriate data store. As used herein the term “data store” refers to any device or combination of devices capable of storing, accessing, and retrieving data, which may include any combination and number of data servers, databases, data storage devices, and data storage media, in any standard, distributed, or clustered environment. The application server can include any appropriate hardware and software for integrating with the data store as needed to execute aspects of one or more applications for the client device, handling a majority of the data access and business logic for an application. The application server provides access control services in cooperation with the data store, and is able to generate content such as text, graphics, audio, and/or video to be transferred to the user, which may be served to the user by the Web server in the form of HTML, XML, or another appropriate structured language in this example. The handling of all requests and responses, as well as the delivery of content between the client device 602 and the application server 608, can be handled by the Web server. It should be understood that the Web and application servers are not required and are merely example components, as structured code discussed herein can be executed on any appropriate device or host machine as discussed elsewhere herein.

The data store 610 can include several separate data tables, databases, or other data storage mechanisms and media for storing data relating to a particular aspect. For example, the data store illustrated includes mechanisms for storing production data 612 and user information 616, which can be used to serve content for the production side. The data store also is shown to include a mechanism for storing log data 614, which can be used for reporting, analysis, or other such purposes. It should be understood that there can be many other aspects that may need to be stored in the data store, such as for page image information and to access right information, which can be stored in any of the above listed mechanisms as appropriate or in additional mechanisms in the data store 610. The data store 610 is operable, through logic associated therewith, to receive instructions from the application server 608 and obtain, update, or otherwise process data in response thereto. In one example, a user might submit a search request for a certain type of item. In this case, the data store might access the user information to verify the identity of the user, and can access the catalog detail information to obtain information about items of that type. The information then can be returned to the user, such as in a results listing on a Web page that the user is able to view via a browser on the user device 602. Information for a particular item of interest can be viewed in a dedicated page or window of the browser.

Each server typically will include an operating system that provides executable program instructions for the general administration and operation of that server, and typically will include a computer-readable storage medium (e.g., a hard disk, random access memory, read only memory, etc.) storing instructions that, when executed by a processor of the server, allow the server to perform its intended functions. Suitable implementations for the operating system and general functionality of the servers are known or commercially available, and are readily implemented by persons having ordinary skill in the art, particularly in light of the disclosure herein.

The environment in one embodiment is a distributed computing environment utilizing several computer systems and components that are interconnected via communication links, using one or more computer networks or direct connections. However, it will be appreciated by those of ordinary skill in the art that such a system could operate equally well in a system having fewer or a greater number of components than are illustrated in FIG. 6. Thus, the depiction of the system 600 in FIG. 6 should be taken as being illustrative in nature, and not limiting to the scope of the disclosure.

The various embodiments further can be implemented in a wide variety of operating environments, which in some cases can include one or more user computers, computing devices, or processing devices which can be used to operate any of a number of applications. User or client devices can include any of a number of general purpose personal computers, such as desktop or laptop computers running a standard operating system, as well as cellular, wireless, and handheld devices running mobile software and capable of supporting a number of networking and messaging protocols. Such a system also can include a number of workstations running any of a variety of commercially-available operating systems and other known applications for purposes such as development and database management. These devices also can include other electronic devices, such as dummy terminals, thin-clients, gaming systems, and other devices capable of communicating via a network.

Most embodiments utilize at least one network that would be familiar to those skilled in the art for supporting communications using any of a variety of commercially-available protocols, such as TCP/IP, OSI, FTP, UPnP, NFS, CIFS, and AppleTalk. The network can be, for example, a local area network, a wide-area network, a virtual private network, the Internet, an intranet, an extranet, a public switched telephone network, an infrared network, a wireless network, and any combination thereof.

In embodiments utilizing a Web server, the Web server can run any of a variety of server or mid-tier applications, including HTTP servers, FTP servers, CGI servers, data servers, Java servers, and business application servers. The server(s) also may be capable of executing programs or scripts in response requests from user devices, such as by executing one or more Web applications that may be implemented as one or more scripts or programs written in any programming language, such as Java®, C, C # or C++, or any scripting language, such as Perl, Python, or TCL, as well as combinations thereof. The server(s) may also include database servers, including without limitation those commercially available from Oracle®, Microsoft®, Sybase®, and IBM®.

The environment can include a variety of data stores and other memory and storage media as discussed above. These can reside in a variety of locations, such as on a storage medium local to (and/or resident in) one or more of the computers or remote from any or all of the computers across the network. In a particular set of embodiments, the information may reside in a storage-area network (“SAN”) familiar to those skilled in the art. Similarly, any necessary files for performing the functions attributed to the computers, servers, or other network devices may be stored locally and/or remotely, as appropriate. Where a system includes computerized devices, each such device can include hardware elements that may be electrically coupled via a bus, the elements including, for example, at least one central processing unit (CPU), at least one input device (e.g., a mouse, keyboard, controller, touch screen, or keypad), and at least one output device (e.g., a display device, printer, or speaker). Such a system may also include one or more storage devices, such as disk drives, optical storage devices, and solid-state storage devices such as random access memory (“RAM”) or read-only memory (“ROM”), as well as removable media devices, memory cards, flash cards, etc.

Such devices also can include a computer-readable storage media reader, a communications device (e.g., a modem, a network card (wireless or wired), an infrared communication device, etc.), and working memory as described above. The computer-readable storage media reader can be connected with, or configured to receive, a computer-readable storage medium, representing remote, local, fixed, and/or removable storage devices as well as storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information. The system and various devices also typically will include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or Web browser. It should be appreciated that alternate embodiments may have numerous variations from that described above. For example, customized hardware might also be used and/or particular elements might be implemented in hardware, software (including portable software, such as applets), or both. Further, connection to other computing devices such as network input/output devices may be employed.

Storage media and computer readable media for containing code, or portions of code, can include any appropriate media known or used in the art, including storage media and communication media, such as but not limited to volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage and/or transmission of information such as computer readable instructions, data structures, program modules, or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the a system device. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereunto without departing from the broader spirit and scope of the invention as set forth in the claims.

Other variations are within the spirit of the present disclosure. Thus, while the disclosed techniques are susceptible to various modifications and alternative constructions, certain illustrated embodiments thereof are shown in the drawings and have been described above in detail. It should be understood, however, that there is no intention to limit the invention to the specific form or forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention, as defined in the appended claims.

The use of the terms “a” and “an” and “the” and similar referents in the context of describing the disclosed embodiments (especially in the context of the following claims) are to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms “comprising,” “having,” “including,” and “containing” are to be construed as open-ended terms (i.e., meaning “including, but not limited to,”) unless otherwise noted. The term “connected” is to be construed as partly or wholly contained within, attached to, or joined together, even if there is something intervening. Recitation of ranges of values herein are merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., “such as”) provided herein, is intended merely to better illuminate embodiments of the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.

Preferred embodiments of this disclosure are described herein, including the best mode known to the inventors for carrying out the invention. Variations of those preferred embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate, and the inventors intend for the invention to be practiced otherwise than as specifically described herein. Accordingly, this invention includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the invention unless otherwise indicated herein or otherwise clearly contradicted by context.

All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein.

Claims

1. A computer-implemented method comprising: obtaining a request to apply upon transiting data at least one data transformation technique provided by a managed data transformation provider that is external to a computing resource provider; andconfiguring at least a first set of computing resources to implement a policy derived based at least in part on customer-defined rules to cause a transiting first set of data to pass to a second set of computing resources of the computing resource provider that applies the customer-defined rules to the transiting first set of data prior to reaching a third set of computing resources that is outside of control of a customer of the computing resource provider that defines the customer-defined rules, with at least a portion of the transiting first set of data processed in accordance with at least one first rule provided by the managed data transformation provider and at least one second rule associated with the requested data transformation technique, at least one of the first and second rules defining remittance of customer-charged costs that accrue to the customer, the customer-charged costs accruing in accordance with a pricing structure associated with the at least one rule provided by the managed data transformation provider.
2. The computer-implemented method of claim 1, further comprising: providing to the customer a plurality of predefined selectable rules; andobtaining, from the customer, information identifying at least: a selection of one or more rules from the plurality of predefined selectable rules, the selection of the one or more rules defining the customer-defined rules; anda request to apply the customer-defined rules upon transiting data.
3. The computer-implemented method of claim 1, wherein the first set of computing resources is programmatically managed by the customer of the computing resource provider.
4. The computer-implemented method of claim 1, wherein the third set of computing resources is outside of control of the customer.
5. The computer-implemented method of claim 1, wherein the first set of computing resources is a subset of a plurality of sets of computing resources, at least some of which are remotely and programmatically managed by different customers.
6. The computer-implemented method of claim 1, wherein the transiting first set of data further transits from the first set of computing resources and the third set of computing resources via the second set of computing resources.
7. The computer-implemented method of claim 6, further comprising applying the customer-defined rules to the transiting first set of data at a time after determining that the transiting first set of data is transiting between the first set of computing resources and the third set of computing resources.
8. A computer-implemented method comprising: obtaining a request to apply at least one data transformation technique upon transiting data; andconfiguring at least a first resource to cause at least a first portion of the transiting data to be processed by a second resource in accordance with customer-defined rules prior to reaching a third resource, and at least a second portion of the transiting data to be processed in accordance with at least one rule provided by a managed data transformation provider associated with the at least one data transformation technique and a computing resource provider associated with the first resource, the at least one rule provided by the managed data transformation provider including a rule that, as a result of being processed, causes at least a portion of customer-charged costs to be remitted to the managed data transformation provider, the customer-charged costs accruing in accordance with a pricing structure associated with the at least one rule provided by the managed data transformation provider.
9. The computer-implemented method of claim 8, wherein the data transformation technique is provided by a managed data transformation provider that is external to and separate from the computing resource provider.
10. The computer-implemented method of claim 8, further comprising obtaining a request to apply the customer-defined rules on the transiting data, the transiting data transiting across a customer-defined boundary that is between at least the first resource and the second resource.
11. The computer-implemented method of claim 8, wherein the first resource is programmatically managed by a customer and is at least one of a plurality of resources with at least some of the plurality of resources being remotely and programmatically managed by different customers of the computing resource provider; and wherein the second resource is outside of control of the customer.
12. The computer-implemented method of claim 8, wherein the customer-defined rules are obtained from a customer that selects the customer-defined rules from a predetermined plurality of rule sets using at least an application programming interface exposed to the customer.
13. A computer system comprising: one or more processors; andmemory, including instructions executable by the one or more processors to cause the computer system to at least:process customer-specified rules defining at least one alteration to be applied to data transferred between at least one customer device among a plurality of customer devices and an external device that is outside of control of the customer device;process at least one rule provided by a managed data transformation provider defining remittance of customer-charged costs accruing in accordance with a pricing structure associated with the managed data transformation provider;implement a rule provided by the managed data transformation provider to process the transferred data;implement the customer-specified rules to cause the at least one alteration to be applied to the transferred data by another device prior to the transferred data reaching the external device;provide a policy to the at least one customer device such that the at least one customer device is configured to implement the customer-specified rules using one or more resources of the computer system, the one or more resources capable of being simultaneously associated with a plurality of the customer devices that are programmatically managed by respective customers of a computing resource provider;process the policy to determine, among the plurality of customer devices, the at least one customer device; andredirect the transferred data to a set of configured resources such that the set of configured resources implements the customer-specified rules.
14. The computer system of claim 13, wherein the instructions further cause the computer system to: process the customer-specified rules to generate the policy; andprovide the policy to the at least one customer device such that the at least one customer device is configured to implement the customer-specified rules using one or more resources of the computer system and associated with a computing resource provider.
15. The computer system of claim 14, wherein the resources of the computer system are configured such that the resources are capable of being simultaneously associated with the plurality of the customer devices that are programmatically managed by respective customers of the computing resource provider.
16. The computer system of claim 14, wherein the instructions further cause the computer system to: process the policy to determine, among the plurality of customer devices, the at least one customer device; andat a time after providing the policy to the at least one customer device, redirect the transferred data to a set of configured resources such that the set of configured resources implements the customer-specified rules.
17. The computer system of claim 13, wherein the customer-specified rules include at least one subset of rules that, when implemented, restricts the transferred data based at least in part on a geographic location of the external device.
18. The computer system of claim 13, wherein the external device is connected to the customer device across a public network.
19. The computer system of claim 13, wherein the customer-specified rules are implementable to alter at least a subset of the transferred data such that the transferred data complies with one or more content requirements of a recipient of the data.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 13/491,403, filed Jun. 7, 2012, entitled “FLEXIBLY CONFIGURABLE DATA MODIFICATION SERVICES,” now U.S. Pat. No. 10,084,818, the disclosure of which is hereby incorporated herein in its entirety.

US Referenced Citations (357)

Number	Name	Date	Kind
4782517	Bernardis et al.	Nov 1988	A
4868877	Fischer	Sep 1989	A
4908759	Alexander et al.	Mar 1990	A
4918728	Matyas et al.	Apr 1990	A
5054067	Moroney et al.	Oct 1991	A
5146498	Smith	Sep 1992	A
5201000	Matyas et al.	Apr 1993	A
5495533	Linehan et al.	Feb 1996	A
5633931	Wright	May 1997	A
5675653	Nelson	Oct 1997	A
5826245	Sandberg-Diment	Oct 1998	A
5862220	Perlman	Jan 1999	A
5933503	Schell et al.	Aug 1999	A
6012144	Pickett	Jan 2000	A
6175625	Safford et al.	Jan 2001	B1
6185679	Coppersmith et al.	Feb 2001	B1
6195622	Altschuler et al.	Feb 2001	B1
6199162	Luyster	Mar 2001	B1
6240187	Lewis	May 2001	B1
6259789	Paone	Jul 2001	B1
6336186	Dyksterhouse et al.	Jan 2002	B1
6356941	Cohen	Mar 2002	B1
6505299	Zeng et al.	Jan 2003	B1
6546492	Walker et al.	Apr 2003	B1
6816595	Kudo	Nov 2004	B1
6934249	Bertin et al.	Aug 2005	B1
6934702	Faybishenko et al.	Aug 2005	B2
7149698	Guheen et al.	Dec 2006	B2
7194424	Greer et al.	Mar 2007	B2
7295671	Snell	Nov 2007	B2
7362868	Madoukh et al.	Apr 2008	B2
7490248	Valfridsson et al.	Feb 2009	B1
7565419	Kwiatkowski et al.	Jul 2009	B1
7620680	Lamport	Nov 2009	B1
7680905	Roberts et al.	Mar 2010	B1
7707288	Dawson et al.	Apr 2010	B2
7716240	Lim	May 2010	B2
7756808	Weigt et al.	Jul 2010	B2
7774826	Romanek et al.	Aug 2010	B1
7865446	Armingaud et al.	Jan 2011	B2
7877607	Circenis et al.	Jan 2011	B2
7882247	Sturniolo et al.	Feb 2011	B2
7894604	Nishioka et al.	Feb 2011	B2
7894626	Wang et al.	Feb 2011	B2
7937432	Rowley	May 2011	B2
7953978	Greco et al.	May 2011	B2
7970625	Reicher et al.	Jun 2011	B2
7991747	Upadhyay et al.	Aug 2011	B1
7992055	Agarwal et al.	Aug 2011	B1
8024562	Gentry et al.	Sep 2011	B2
8024582	Kunitz et al.	Sep 2011	B2
8051187	Noy et al.	Nov 2011	B2
8060596	Wootton et al.	Nov 2011	B1
8065720	Ebrahimi et al.	Nov 2011	B1
8091125	Hughes et al.	Jan 2012	B1
8111828	Raman et al.	Feb 2012	B2
8131663	Taylor	Mar 2012	B1
8140679	Hatanaka	Mar 2012	B2
8140847	Wu	Mar 2012	B1
8185931	Reeves	May 2012	B1
8213602	Mamidwar	Jul 2012	B2
8219869	Ahn et al.	Jul 2012	B2
8224796	Shinde et al.	Jul 2012	B1
8224979	Herz et al.	Jul 2012	B2
8230050	Brandwine et al.	Jul 2012	B1
8244745	Lim	Aug 2012	B2
8245037	Durgin et al.	Aug 2012	B1
8245039	Jones	Aug 2012	B2
8251283	Norton	Aug 2012	B1
8261320	Serenyi et al.	Sep 2012	B1
8295492	Suarez et al.	Oct 2012	B2
8296434	Miller et al.	Oct 2012	B1
8302170	Kramer et al.	Oct 2012	B2
8312064	Gauvin	Nov 2012	B1
8315387	Kanter et al.	Nov 2012	B2
8321560	Pai et al.	Nov 2012	B1
8370648	Natanzon	Feb 2013	B1
8379857	Zheng	Feb 2013	B1
8387127	Narver et al.	Feb 2013	B1
8443367	Taylor et al.	May 2013	B1
8468455	Jorgensen et al.	Jun 2013	B2
8494168	Tolfmans	Jul 2013	B1
8538020	Miller	Sep 2013	B1
8555383	Marshall et al.	Oct 2013	B1
8565108	Marshall et al.	Oct 2013	B1
8572369	Schmidt-Karaca et al.	Oct 2013	B2
8572758	Clifford	Oct 2013	B1
8588426	Xin et al.	Nov 2013	B2
8601263	Shankar et al.	Dec 2013	B1
8607358	Shankar et al.	Dec 2013	B1
8654970	Olson et al.	Feb 2014	B2
8681773	Chazel et al.	Mar 2014	B2
8713311	Roskind	Apr 2014	B1
8751807	Ma et al.	Jun 2014	B2
8752067	Kishita	Jun 2014	B2
8774403	MacMillan et al.	Jul 2014	B2
8804950	Panwar	Aug 2014	B1
8850516	Hrebicek et al.	Sep 2014	B1
8868914	Teppler	Oct 2014	B2
8904181	Felsher et al.	Dec 2014	B1
8950005	Torney	Feb 2015	B1
8964990	Baer et al.	Feb 2015	B1
8973008	Czajkowski et al.	Mar 2015	B2
8989379	Katar et al.	Mar 2015	B2
9031240	Yang et al.	May 2015	B2
9053460	Gilbert et al.	Jun 2015	B2
9094291	Jackson et al.	Jul 2015	B1
9130937	Ostermann	Sep 2015	B1
9268947	Jarlstrom et al.	Feb 2016	B1
9288184	Kvamme et al.	Mar 2016	B1
9367697	Roth et al.	Jun 2016	B1
9705674	Roth et al.	Jul 2017	B2
20010011226	Greer et al.	Aug 2001	A1
20010052071	Kudo et al.	Dec 2001	A1
20020029337	Sudia et al.	Mar 2002	A1
20020076044	Pires	Jun 2002	A1
20020078361	Giroux et al.	Jun 2002	A1
20020135611	Deosaran et al.	Sep 2002	A1
20020141590	Montgomery	Oct 2002	A1
20030021417	Vasic et al.	Jan 2003	A1
20030037237	Abgrall et al.	Feb 2003	A1
20030079120	Hearn et al.	Apr 2003	A1
20030081790	Kallahalla et al.	May 2003	A1
20030084290	Murty et al.	May 2003	A1
20030093694	Medvinsky et al.	May 2003	A1
20030131238	Vincent	Jul 2003	A1
20030163701	Ochi et al.	Aug 2003	A1
20030172269	Newcombe	Sep 2003	A1
20030188181	Kunitz et al.	Oct 2003	A1
20030188188	Padmanabhan et al.	Oct 2003	A1
20030195957	Banginwar	Oct 2003	A1
20040009815	Zotto et al.	Jan 2004	A1
20040093499	Arditi et al.	May 2004	A1
20040107345	Brandt et al.	Jun 2004	A1
20040143733	Ophir et al.	Jul 2004	A1
20040193915	Smith et al.	Sep 2004	A1
20040215987	Farkas et al.	Oct 2004	A1
20040223608	Oommen et al.	Nov 2004	A1
20050004978	Reed et al.	Jan 2005	A1
20050010760	Goh et al.	Jan 2005	A1
20050021712	Chassapis et al.	Jan 2005	A1
20050050317	Kramer et al.	Mar 2005	A1
20050120232	Hori et al.	Jun 2005	A1
20050123142	Freeman et al.	Jun 2005	A1
20050149677	Shimada et al.	Jul 2005	A1
20050165859	Geyer et al.	Jul 2005	A1
20050195743	Rochberger et al.	Sep 2005	A1
20050246778	Usov et al.	Nov 2005	A1
20050273629	Abrams et al.	Dec 2005	A1
20060010323	Martin et al.	Jan 2006	A1
20060018468	Toba et al.	Jan 2006	A1
20060021018	Hinton et al.	Jan 2006	A1
20060031301	Herz et al.	Feb 2006	A1
20060031586	Sethi	Feb 2006	A1
20060089163	Khawand	Apr 2006	A1
20060123010	Landry et al.	Jun 2006	A1
20060143685	Vasishth et al.	Jun 2006	A1
20060155829	Annic	Jul 2006	A1
20060168248	Sack	Jul 2006	A1
20060190724	Adams	Aug 2006	A1
20060195575	Delany et al.	Aug 2006	A1
20060204003	Takata et al.	Sep 2006	A1
20060206932	Chong	Sep 2006	A1
20060288232	Ho et al.	Dec 2006	A1
20060291664	Suarez et al.	Dec 2006	A1
20070033637	Yami et al.	Feb 2007	A1
20070050641	Flynn et al.	Mar 2007	A1
20070055862	Sharma et al.	Mar 2007	A1
20070055921	Challenor	Mar 2007	A1
20070136599	Suga	Jun 2007	A1
20070140480	Yao	Jun 2007	A1
20070143851	Nicodemus et al.	Jun 2007	A1
20070150480	Hwang et al.	Jun 2007	A1
20070157288	Lim	Jul 2007	A1
20070179987	Lim	Aug 2007	A1
20070180153	Cornwell et al.	Aug 2007	A1
20070198656	Mazzaferri et al.	Aug 2007	A1
20070220279	Northcutt et al.	Sep 2007	A1
20070230704	Youn et al.	Oct 2007	A1
20070230706	Youn	Oct 2007	A1
20070239987	Hoole et al.	Oct 2007	A1
20070266037	Terry et al.	Nov 2007	A1
20070283446	Yami et al.	Dec 2007	A1
20080005024	Kirkwood	Jan 2008	A1
20080019516	Fransdonk	Jan 2008	A1
20080019527	Youn et al.	Jan 2008	A1
20080022376	Ke et al.	Jan 2008	A1
20080025514	Coombs	Jan 2008	A1
20080034200	Polcha et al.	Feb 2008	A1
20080046984	Bohmer et al.	Feb 2008	A1
20080082827	Agrawal et al.	Apr 2008	A1
20080084996	Chen et al.	Apr 2008	A1
20080086717	Brunn	Apr 2008	A1
20080112561	Kim	May 2008	A1
20080127279	Futa et al.	May 2008	A1
20080172562	Cachin et al.	Jul 2008	A1
20080247540	Ahn et al.	Oct 2008	A1
20080294711	Barber	Nov 2008	A1
20080298590	Katar et al.	Dec 2008	A1
20080319909	Perkins et al.	Dec 2008	A1
20090025087	Peirson, Jr. et al.	Jan 2009	A1
20090034733	Raman et al.	Feb 2009	A1
20090060197	Taylor et al.	Mar 2009	A1
20090092252	Noll et al.	Apr 2009	A1
20090106552	Mohamed	Apr 2009	A1
20090158033	Jeong et al.	Jun 2009	A1
20090158430	Borders	Jun 2009	A1
20090165076	DeCusatis et al.	Jun 2009	A1
20090165114	Baum et al.	Jun 2009	A1
20090196418	Tkacik et al.	Aug 2009	A1
20090232300	Zucker et al.	Sep 2009	A1
20090241114	Kirihata	Sep 2009	A1
20090244600	Haycock	Oct 2009	A1
20090245519	Cachin et al.	Oct 2009	A1
20090274300	Tou et al.	Nov 2009	A1
20090276364	Iaia et al.	Nov 2009	A1
20090276514	Subramanian	Nov 2009	A1
20090300356	Crandell	Dec 2009	A1
20100008499	Lee et al.	Jan 2010	A1
20100011448	Wagner	Jan 2010	A1
20100014662	Jutila	Jan 2010	A1
20100017626	Sato et al.	Jan 2010	A1
20100036779	Sadeh-Koniecpol et al.	Feb 2010	A1
20100074445	Nefedov et al.	Mar 2010	A1
20100088126	Iaia et al.	Apr 2010	A1
20100095118	Meka	Apr 2010	A1
20100115614	Barile et al.	May 2010	A1
20100138218	Geiger	Jun 2010	A1
20100146269	Baskaran	Jun 2010	A1
20100153670	Dodgson et al.	Jun 2010	A1
20100161830	Noy et al.	Jun 2010	A1
20100162347	Barile	Jun 2010	A1
20100165876	Shukla et al.	Jul 2010	A1
20100174919	Ito et al.	Jul 2010	A1
20100185863	Rabin et al.	Jul 2010	A1
20100211781	Auradkar et al.	Aug 2010	A1
20100211782	Auradkar et al.	Aug 2010	A1
20100235635	Kshirsagar et al.	Sep 2010	A1
20100241848	Stuber et al.	Sep 2010	A1
20100242088	Thomas	Sep 2010	A1
20100250965	Olson et al.	Sep 2010	A1
20100254537	Buer et al.	Oct 2010	A1
20100266132	Bablani et al.	Oct 2010	A1
20100268788	Arimilli et al.	Oct 2010	A1
20100269171	Raz et al.	Oct 2010	A1
20100289627	McAllister et al.	Nov 2010	A1
20100299313	Orsini et al.	Nov 2010	A1
20100303241	Breyel	Dec 2010	A1
20100306850	Barile et al.	Dec 2010	A1
20100316219	Boubion et al.	Dec 2010	A1
20100318782	Auradkar et al.	Dec 2010	A1
20100325732	Mittal et al.	Dec 2010	A1
20100332401	Prahlad et al.	Dec 2010	A1
20110022642	deMilo et al.	Jan 2011	A1
20110072264	McNulty	Mar 2011	A1
20110083163	Auvenshine et al.	Apr 2011	A1
20110083190	Brown et al.	Apr 2011	A1
20110099362	Haga et al.	Apr 2011	A1
20110113466	Stringham et al.	May 2011	A1
20110113467	Agarwal et al.	May 2011	A1
20110116636	Steed	May 2011	A1
20110145571	Schmidt-Karaca et al.	Jun 2011	A1
20110154031	Banerjee et al.	Jun 2011	A1
20110154057	England et al.	Jun 2011	A1
20110173435	Liu et al.	Jul 2011	A1
20110178933	Bailey	Jul 2011	A1
20110191462	Smith	Aug 2011	A1
20110209064	Jorgensen et al.	Aug 2011	A1
20110213971	Gurel et al.	Sep 2011	A1
20110225423	Lynch	Sep 2011	A1
20110225431	Stufflebeam, Jr. et al.	Sep 2011	A1
20110244440	Saxon et al.	Oct 2011	A1
20110246765	Schibuk	Oct 2011	A1
20110252071	Cidon	Oct 2011	A1
20110258437	McKelvey et al.	Oct 2011	A1
20110258443	Barry	Oct 2011	A1
20110270872	Alvarez et al.	Nov 2011	A1
20110289134	de los Reyes et al.	Nov 2011	A1
20110289314	Whitcomb	Nov 2011	A1
20110296497	Becker	Dec 2011	A1
20110320819	Weber et al.	Dec 2011	A1
20120036370	Lim et al.	Feb 2012	A1
20120042162	Anglin et al.	Feb 2012	A1
20120079289	Weng et al.	Mar 2012	A1
20120096272	Jasper et al.	Apr 2012	A1
20120114118	Verma	May 2012	A1
20120124612	Adimatyam et al.	May 2012	A1
20120134495	Liu	May 2012	A1
20120140923	Lee et al.	Jun 2012	A1
20120144233	Griffith et al.	Jun 2012	A1
20120151551	Readshaw et al.	Jun 2012	A1
20120159148	Behren et al.	Jun 2012	A1
20120159518	Boliek et al.	Jun 2012	A1
20120170753	Pandrangi et al.	Jul 2012	A1
20120173881	Trotter et al.	Jul 2012	A1
20120185913	Martinez et al.	Jul 2012	A1
20120191979	Feldbau	Jul 2012	A1
20120198042	Dunbar et al.	Aug 2012	A1
20120204032	Wilkins et al.	Aug 2012	A1
20120216041	Naono et al.	Aug 2012	A1
20120240183	Sinha	Sep 2012	A1
20120254090	Burris et al.	Oct 2012	A1
20120260094	Asim et al.	Oct 2012	A1
20120266218	Mattsson	Oct 2012	A1
20120281839	Arnold et al.	Nov 2012	A1
20120290850	Brandt et al.	Nov 2012	A1
20120291101	Ahlstrom et al.	Nov 2012	A1
20120297183	Mukkara et al.	Nov 2012	A1
20120297200	Thom et al.	Nov 2012	A1
20120300936	Green	Nov 2012	A1
20120303961	Kean et al.	Nov 2012	A1
20120311675	Ham et al.	Dec 2012	A1
20120314854	Waters	Dec 2012	A1
20120321086	D'Zouza et al.	Dec 2012	A1
20120323717	Kirsch	Dec 2012	A1
20120323990	Hayworth	Dec 2012	A1
20120331293	Ma et al.	Dec 2012	A1
20130013931	O'Hare et al.	Jan 2013	A1
20130031255	Maloy et al.	Jan 2013	A1
20130031356	Prince et al.	Jan 2013	A1
20130044878	Rich et al.	Feb 2013	A1
20130047034	Salomon	Feb 2013	A1
20130085936	Law	Apr 2013	A1
20130086661	Roth et al.	Apr 2013	A1
20130091350	Gluck	Apr 2013	A1
20130097320	Ritter et al.	Apr 2013	A1
20130103834	Dzerve et al.	Apr 2013	A1
20130111217	Kopasz et al.	May 2013	A1
20130157619	Di Luoffo et al.	Jun 2013	A1
20130159732	Leoutsarakos	Jun 2013	A1
20130163753	MacMillan et al.	Jun 2013	A1
20130166703	Hammer et al.	Jun 2013	A1
20130167196	Spencer et al.	Jun 2013	A1
20130198521	Wu	Aug 2013	A1
20130212576	Huang et al.	Aug 2013	A1
20130269035	Bajaj et al.	Oct 2013	A1
20130283045	Li et al.	Oct 2013	A1
20130290716	Gavrilov	Oct 2013	A1
20130305311	Puttaswamy Naga	Nov 2013	A1
20130312094	Zecheru	Nov 2013	A1
20130316682	Vieira	Nov 2013	A1
20130326233	Tolfmans	Dec 2013	A1
20140012751	Kuhn et al.	Jan 2014	A1
20140020072	Thomas	Jan 2014	A1
20140047549	Bostley, III et al.	Feb 2014	A1
20140115327	Gorbach et al.	Apr 2014	A1
20140122866	Haeger et al.	May 2014	A1
20140164774	Nord et al.	Jun 2014	A1
20140177829	MacMillan et al.	Jun 2014	A1
20140201533	Kruglick	Jul 2014	A1
20140215554	Roberts	Jul 2014	A1
20150222604	Ylonen	Aug 2015	A1
20150295941	Lim et al.	Oct 2015	A1
20150304399	Kramer	Oct 2015	A1
20160224651	Kumarasamy et al.	Aug 2016	A1
20170142092	Lim	May 2017	A1
20180045189	Lee et al.	Feb 2018	A1

Foreign Referenced Citations (51)

Number	Date	Country
1740944	Mar 2006	CN
101281578	Oct 2008	CN
101573910	Nov 2009	CN
101741547	Jun 2010	CN
101753302	Jun 2010	CN
102130768	Jul 2011	CN
102318263	Jan 2012	CN
102656591	Sep 2012	CN
SHO61177479	Aug 1986	JP
H09233067	Sep 1997	JP
2000215240	Apr 2000	JP
2000295209	Oct 2000	JP
2001209582	Mar 2001	JP
2002540748	Nov 2002	JP
2003188871	Jul 2003	JP
2003208355	Jul 2003	JP
2004126716	Apr 2004	JP
2005057417	Mar 2005	JP
2005197912	Jul 2005	JP
2005258801	Sep 2005	JP
2005533438	Nov 2005	JP
2006099548	Apr 2006	JP
2006279848	Oct 2006	JP
2007081482	Mar 2007	JP
2007507760	Mar 2007	JP
2007293468	Nov 2007	JP
2008015669	Jan 2008	JP
2008541273	Nov 2008	JP
2008306418	Dec 2008	JP
2009064178	Mar 2009	JP
2009213064	Sep 2009	JP
2009246800	Oct 2009	JP
2010128824	Jun 2010	JP
2011019129	Jan 2011	JP
2011159053	Aug 2011	JP
2011175578	Sep 2011	JP
2012073374	Apr 2012	JP
2012178010	Sep 2012	JP
2013513834	Apr 2013	JP
2014501955	Jan 2014	JP
101145766	May 2012	KR
WO0154099	Jul 2001	WO
WO2004008676	Jan 2004	WO
WO2009060283	May 2009	WO
WO2010001150	Jan 2010	WO
WO2010093559	Aug 2010	WO
WO2011083343	Jul 2011	WO
WO2011089712	Jul 2011	WO
WO2012060979	May 2012	WO
WO2012109640	Aug 2012	WO
WO2013145517	Mar 2013	WO

Non-Patent Literature Citations (106)

Entry
Australian Examination Report No. 1 for Patent Application No. 2017204853 dated Jun. 29, 2018, 4 pages.
Australian Examination Report No. 2, dated Mar. 5, 2019, for Patent Application No. 2017204853, 3 pages.
Barker et al., “Recommendation for Random Number Generation Using Deterministic Random Bit Generators,” National Institute Standards and Technology Special Publication 800-90A, Jan. 2012, 136 pages.
Bernstein et al., “The Poly1305-AES Message-Authentication Code,” Lecture Notes in Computer Science, Department of Mathematics, Statistics, and Computer Science (M/C 249), The University of Illinois at Chicago, Feb. 21, 2005, 18 pages.
Bethencourt et al., “Ciphertext-Policy Attribute-Based Encryption,” IEEE Symposium on Security and Privacy 2007, 15 pages.
Canadian Notice of Allowance for Patent Application No. 2,899,014 dated Feb. 8, 2018, 1 page.
Canadian Notice of Allowance for Patent Application No. 2,916,954 dated Dec. 19, 2017, 1 page.
Canadian Office Action for Patent Application No. 2,898,995 dated Jul. 3, 2018, 9 pages.
Canadian Office Action for Patent Application No. 2,899,008 dated Mar. 1, 2019, 4 pages.
Canadian Office Action for Patent Application No. 2,899,008 dated Mar. 14, 2018, 4 pages.
Canadian Office Action for Patent Application No. 2,899,019 dated Jul. 3, 2018, 8 pages.
Canadian Office Action for Patent Application No. 2,899,019 dated Mar. 25, 2019, 8 pages.
Canadian Office Action for Patent Application No. 2,899,027 dated Jul. 17, 2018, 6 pages.
Canadian Office Action for Patent Application No. 2,916,954 dated Feb. 11, 2019, 4 pages.
Chinese Decision on Grant for Patent Application No. 201480046236.7 dated Jan. 4, 2019, 4 pages.
Chinese Decision on Rejection for Patent Application No. 201480011965.9 dated Jan. 15, 2018, 6 pages.
Chinese Decision on Rejection for Patent Application No. 201480013039.5 dated Apr. 12, 2019, 15 pages.
Chinese First Office Action for Patent Application No. 201480020482.5, dated Dec. 28, 2017, 11 pages.
Chinese First Office Action for Patent Application No. 201480046236.7, dated Feb. 24, 2018, 11 pages.
Chinese Notice on Grant of Patent for Application No. 201480020500.X dated Dec. 28, 2017, 4 pages.
Chinese Notice on the Second Office Action for Patent Application No. 201480020517.5 dated Jan. 3, 2018, 8 pages.
Chinese Second Office Action for Patent Application No. 201480020482.5 dated Jul. 19, 2018, 28 pages.
Chinese Second Office Action, dated Sep. 25, 2018, for Patent Application No. 201480013039.5, 11 pages.
Chinese Third Office Action dated Mar. 15, 2019 for Patent Application No. 201480020482.5, 19 pages.
Chinese Third Office Action for Patent Application No. 201480020517.5 dated Jul. 25, 2018, 6 pages.
Chowdhury et al., “Network Virtualization: State of the Art and Research Challenges”, IEEE Communications Magazine, Jul. 2009, 7 pages.
Chowdhury et al., “Virtual Network Embedding With Coordinated Node and Link Mapping”, IEEE INFOCOM 2009, Apr. 2009, 9 pages.
European Communication pursuant to Article 94(3) EPC for Application No. 14751237.0 dated May 28, 2018, 4 pages.
European Communication pursuant to Article 94(3) EPC for Application No. 14751612.4 dated Jan. 3, 2018, 4 pages.
European Communication pursuant to Article 94(3) EPC for Application No. 14819866.6 dated Feb. 8, 2019, 4 pages.
European Communication pursuant to Article 94(3) EPC for Patent Application No. 14751881.5 dated Oct. 25, 2018, 5 pages.
European Communication Under Rule 71(3) EPC for Application No. 14752191.8, Intention to Grant, dated Mar. 22, 2019, 75 pages.
European Official Communication Pursuant to Article 94(3) EPC for Patent Application No. 14751256.0 dated Jan. 3, 2018, 5 pages.
European Official Letter for Patent Application No. 14751881.5 dated Feb. 21, 2018, 3 pages.
Guttman et al., “An Introduction to Computer Security: The NIST Handbook,” Special Publication 800-12, Oct. 1, 1995, Sections 17.6 and 18.3.2 and Section 19 for cryptographic tools, XP055298016, retrieved on Aug. 26, 2016, from http://www.davidsalomon.name/CompSec/auxiliary/handbook.pdf.
IEEE, “Draft Standard for Identity-based Public-key Cryptography Using Pairings,” IEEE P1363.3/D1, Apr. 2008, retrieved Sep. 22, 2015, from http://grouper.ieee.org/groups/1363/IBC/material/P1363.3-D1-200805.pdf, 85 pages.
International Search Report and Written Opinion dated Apr. 29, 2014, in International Patent Application No. PCT/US2014/015404, filed Feb. 7, 2014.
International Search Report and Written Opinion dated May 28, 2014, in International Patent Application No. PCT/US2014/15697, filed Feb. 11, 2014.
International Search Report and Written Opinion dated May 30, 2014, in International Patent Application No. PCT/US2014/015408, filed Feb. 7, 2014.
International Search Report and Written Opinion dated May 30, 2014, in International Patent Application No. PCT/US2014/015410, filed Feb. 7, 2014.
International Search Report and Written Opinion dated May 30, 2014, International Patent Application No. PCT/US2014/015414, filed Feb. 7, 2014.
International Search Report and Written Opinion dated Oct. 28, 2014, International Patent Application No. PCT/US2014/044861, filed Jun. 30, 2014.
Itani et al., “Privacy as a Service: Privacy-Aware Data Storage and Processing in Cloud Computing Architectures,” 2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing, pp. 711-716.
Japanese Appeal Decision for Patent Application No. 2016-511994 dated Mar. 12, 2019, 3 pages.
Japanese Final Decision of Rejection for Patent Application No. 2015-558056 dated Mar. 13, 2018, 18 pages.
Japanese Final Decision on Rejection for Patent Application No. 2015-558070 dated Apr. 3, 2018, 7 pages.
Japanese Notice and Report for Revocation of Reconsideration Report for Patent Application No. 2015-558043 dated Mar. 9, 2018, 6 pages.
Japanese Notice and Report for Revocation of Reconsideration Report for Patent Application No. 2016-524288 dated Apr. 13, 2018, 6 pages.
Japanese Notice of Allowance for Patent Application No. 2015-558042, dated Dec. 27, 2017, 6 pages.
Japanese Notice of Allowance, dated Oct. 2, 2018, for Patent Application No. 2015-558056, 6 pages.
Japanese Notice of Final Rejection for Patent Application No. 2017-232031 dated Mar. 26, 2019, 13 pages.
Japanese Notice of Rejection for Patent Application No. 2017-217362 dated Feb. 12, 2019, 9 pages.
Japanese Notice of Rejection, dated Oct. 9, 2018, for Patent Application No. 2016-524288, 21 pages.
Japanese Notice of Rejection, dated Sep. 4, 2018, for Patent Application No. 2015-558043, 25 pages.
Japanese Notice of Revocation for Reconsideration and Report, dated Dec. 4, 2018, for Patent Application No. 2015-558070, 4 pages.
Japanese Report on Notice of Allowance for Patent Application No. 2015-558044 dated Mar. 27, 2018, 6 pages.
Korean Notice of Preliminary Amendment, dated Apr. 4, 2019, for Patent Application No. 10-2017-7022249, 8 pages.
Krawczyk et al., “HMAC-based Extract-and-Expand Key Derivation Function (HKDF),” Internet Engineering Task Force (IETF), May 2010, retrieved Sep. 22, 2015, from https://tools.ietf.org/html/rfc5869, 14 pages.
Manulis, et al., “Group Signatures: Authentication with Privacy,” retrieved from https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/GruPA/GruPA.pdf?_blob=publicationFile, Published May 15, 2010, 267 pages.
Nikkei Trendy, “Simple Input of URL Using Hosts File,” Nikkei Business Publications, Inc., Feb. 6, 2006, retrieved Dec. 21, 2016, from http://trendy.nikkeibp.co.jp/article/tec/winxp/20060131/115213/?45=nocnt, 5 pages.
NIST, “Implementation Guidance for FIPS PUB 140-1 and the Cryptographic Module Validation Program,” Jan. 10, 2002, 63 pages.
NIST, “Implementation Guidance for Fips Pub 140-2 and the Cryptographic Module Validation Program,” Initial Release Mar. 28, 2003, 205 pages.
Olexiy et al., “Starting Share Files with NFS,” Linux Journal, dated Jan. 1, 2002, retrieved on Jan. 2, 2018, from http://www.linuxjournal.com/article/4880?page=0,0, 13 pages.
Rahumed et al., “A Secure Cloud Backup System with Assured Deletion and Version Control,” 2011 International Conference on Parallel Processing Workshops, IEEE Computer Society, 8 pages.
Rescorla, “Diffie-Hellman Key Agreement Method,” Network Working Group, RTFM Inc., Jun. 1999, retrieved on Sep. 22, 2015, from https://tools.ietf.org/html/rfc2631, 13 pages.
Sieloff, “The new systems administrator: The role of becoming root,” Inside Solaris, Oct. 2002, 8(10):6-9.
Singapore Notice of Eligibility for Grant, dated Feb. 5, 2018, for Patent Application No. 11201510650U, 3 pages.
Stack Exchange, “Storing secrets in software,” by ninefingers, Stack Exchange Security Blog, dated Sep. 6, 2011, retrieved on Jan. 2, 2018, from http://security.blogoverflow.com/2011/09/storing-secrets-in-software/, 3 pages.
Wikipedia, “IEEE P1363” an Institute of Electrical and Electronics Engineers (IEEE) standardization project for public-key cryptography, retrieved Sep. 22, 2015, from https://en.wikipedia.org/wiki/IEEE_P1363, 3 pages.
Wikipedia, “Key derivation function,” retrieved Sep. 22, 2015, from https://en.wikipedia.org/wiki/Key_derivation_function, 4 pages.
Zhu et al., “Algorithms for assigning substrate network resources to virtual network components”, IEEE INFOCOM 2006, Apr. 2006, 12 pages.
Australian Notice of Acceptance for Patent Application No. 2017204853 dated May 16, 2019, 3 pages.
Canadian Notice of Allowance, dated Jun. 25, 2019, for Patent Application No. 2,898,995, 1 page.
Canadian Office Action for Patent Application No. 2,899,027 dated May 13, 2019, 6 pages.
Chinese Fourth Office Action for Patent Application No. 201480011965.9 dated May 20, 2019, 5 pages.
Chinese Notice on Grant for Patent Application No. 201480011965.9 dated Aug. 22, 2019, 4 pages.
European Communication pursuant to Article 94(3) EPC for Application No. 14751881.5 dated Jul. 2, 2019, 4 pages.
India First Examination Report for Patent Application No. 201617000381 dated Sep. 10, 2019, 7 pages.
Japanese Notice of Allowance for Patent Application No. 2017-217362 dated Sep. 17, 2019, 6 pages.
Japanese Notice of Allowance for Patent Application No. 2018-133603 dated May 21, 2019, 6 pages.
Japanese Notice of Final Rejection for Patent Application No. 2015-558070 dated Sep. 3, 2019, 8 pages.
Japanese Notice of Rejection, dated Jun. 4, 2019, for Patent Application No. 2016-524288, 9 pages.
Japanese Notice of Rejection, dated May 14, 2019, for Patent Application No. 2018-000819, 12 pages.
Korean Decision of Grant for Patent Application No. 10-2017-7022249 dated Sep. 6, 2019, 3 pages.
European Communication Rule 69 for Patent Application No. 19187650.7 dated Nov. 7, 2019, 7 pages.
Japanese Appeal Decision for Patent Application No. 2016-524288 dated Nov. 5, 2019, 3 pages.
Chinese Notice to Grant for Patent Application No. 201480020482.5 dated Oct. 10, 2019, 4 pages.
European 94(3) Communication for Patent Application No. 14819866.6 dated Nov. 18, 2019, 5 pages.
India First Examination Report for Patent Application No. 7420/DELNP/2015 dated Oct. 21, 2019, 6 pages.
India First Examination Report for Patent Application No. 7421/DELNP/2015 dated Dec. 27, 2019, 7 pages.
India First Examination Report for Patent Application No. 7426/DELNP/2015 dated Dec. 26, 2019, 8 pages.
India First Examination Report for Patent Application No. 7474/DELNP/2015 dated Dec. 26, 2019, 7 pages.
Brazil Preliminary Office Action for Patent Application No. BR1120150193781 dated Mar. 3, 2020, 7 pages.
Canadian Office Action for Patent Application No. 2,899,019 dated Feb. 17, 2020, 5 pages.
Canadian Office Action for Patent Application No. 2899008 dated Feb. 19, 2020, 2 pages.
Canadian Office Action for Patent Application No. 2916954 dated Feb. 19, 2020, 5 pages.
Chinese Third Office Action for Patent Application No. 201480013039.5 dated Dec. 13, 2019, 7 pages.
European Rule 71(3) Communication Patent Application No. 14751881.5 dated Feb. 21, 2020, 109 pages.
India First Examination Report for Patent Application No. 7428/DELNP/2015 dated Jan. 29, 2020, 8 pages.
Japanese Appeal Decision for Patent Application No. 2015-558070 dated Feb. 18, 2020, 3 pages.
Japanese Decision on Final Rejection for Patent Application No. 2017-232031 dated Mar. 3, 2020, 4 pages.
Japanese Final Decision on Rejection for Patent Application No. 2018-000819 dated Feb. 4, 2020, 6 pages.
Canadian Office Action for Patent Application No. 2,898,995 dated Jul. 31, 2020, 3 pages.
Japanese Notice of Allowance for Patent Application No. 2018-000819 dated Aug. 18, 2020, 6 pages.
European Communication pursuant to Article 94(3) EPC for Application No. 14819866.6 dated Aug. 20, 2020, 8 pages.
Japanese Notice of Final Rejection for Patent Application No. 2020-097937 dated Aug. 18, 2020, 14 pages.

Related Publications (1)

	Number	Date	Country
	20190036973 A1	Jan 2019	US

Continuations (1)

	Number	Date	Country
Parent	13491403	Jun 2012	US
Child	16140393		US

Flexibly configurable data modification services

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

US

International Classifications

Disclaimer

Abstract