The present invention relates to the field of communication systems and, more particularly, to unique identities and systems and methods for establishing globally unique identities for improved security in packet communication systems. BACKGROUND
User identifiers are used in disparate systems for authentication of users. These user identifiers take the form of passwords, electronic mail (email) user identifiers, and biometrics, among others. Each system may have its own method for the identification of a particular user.
The invention is best understood from the following detailed description when read in connection with the accompanying drawings. Moreover in the drawings, common numerical references are used to represent like features/elements. Included in the drawing are the following figures:
Although the invention is illustrated and described herein with reference to specific embodiments, the invention is not intended to be limited to the details shown. Rather, various modifications may be made in the details within the scope and range of equivalents of the claims and without departing from the invention.
In conventional distributed networked application environments, user attributes such as last name, telephone extension, department, project role, security clearance, and location, among others, may be temporal in nature. This causes top-down provisioning of changes which may be tedious, workflow driven administrative procedures in enterprises. Moreover, static access control lists without an identity component are not an extensible framework in current mobile networking environments where source IP address are translated by Network Address Translation (NAT) and Virtual Private Network (VPN) gateways to obscure a true endpoint address of a remote user at a point of network access. Identity-based access control may include tighter integration with identity data silos and virtualization for administrative simplicity and manageability. Conventional systems include user directories, such as RADIUS and Active Directory, to authenticate users in a single incarnation. Applications may use directory enabled networking to enforce policies at an application layer. In conventional systems, conflict resolution and ambiguity in automated entities merged across disparate identity silos use manual intervention and moderation. For example, two different people may exist in the same or different organization unit by the same first and last name. This represents a unique challenge for policy enforcement at the network layer based on non-repudiated identity.
Methods and systems are described below for creating a globally unique identity for a user or user-container by performing, for example, an iterative join in which each participating back-end pre-existing data source may serve as a primary node in a mathematical join operation. The systems and methods may include hardware or software or a combination thereof, referred to herein as the ID-Unify (IDU), that may perform identity virtualization. The IDU may create or generate a globally unique identifier for a user. The globally unique identifier may be used in operational environments having pre-existing conflicts caused by the existence of different identities for the user in different authentication data sources.
Directory Enabled Networking (DEN) and virtual directories operate at an application layer. By contrast, the Identity Driven Networking (IDN) process used by the IDU may operate at a network layer. The IDU and IM (described in detail below) may provide a dynamic and monolithic solution to aggregate policy as an integral part of a globally unique identity captured in and distributed from a single authoritative repository for establishing identity-based access control.
Conventionally, virtual directories typically support transitive and non-transitive joins where a primary node in the join is a superset node. Under such a conventional scheme, however, users not present in the primary node are excluded by the join. An aggregate join, where a superset node is not used, may be applicable where no overlap exists, (i.e., a user exists in one and only one node in the join). In cases where conventional joins and aggregation methods are inadequate, because there is no superset identity data source and there is identity overlap across the disparate data sources in the join, an N-ary join may enable consolidation of identities, and an IM conflict resolution may provide reconciliation and normalization of redundant identities, and may distinguish and resolve ambiguous identities. The identity virtualization of various exemplary embodiments may facilitate creation of a superset of global identities from scattered and disparate sources of identity.
Referring to
The communication system 10 may also include an ID-Enforce (IDE) 120 coupled either directly or indirectly (e.g., via network 115) to the IDU 100. The IDE 120 may include a gateway appliance or device that receives electronic requests from a requestor (e.g., via an application from a client 200). Application policies may be provisioned top-down and may be enforced at layer 7 (e.g., a network layer) of, for example, an OSI protocol stack. Identity authentication may be performed when a user attempts to access the application. In certain exemplary embodiments, enforcement of an application policy occurs at the network layer prior to the user obtaining access to the application at the application layer, for example of the OSI protocol stack. The IDE 120 may provide a policy enforcement point that integrates global user identity with enterprise application access at the network layer. The IDE 120 may provide access controls for both pre-application and post-application access based on: (1) user identity; (2) memberships in user containers; and (3) changing identifiers including, for example, information from mandatory and optional directory attributes in LDAP directories, relation databases, role based access control solutions and solutions that may provision and/or integrate with pre-provisioned user's application specific entitlements.
The communication system 10 also may include an Identisphere Manager (IM) 130 coupled (either directly or indirectly via network 115) to IDU 100 and the IDE 120. The IM 130 may include hardware and software such as, for example, a computer executing graphical user interface software or other applications. The IM 130 and the IDU 100 may use standards such as LDAP and SQL protocol specifications to integrate with directories and relational databases 110, respectively.
The IDU 100 may create a globally unique identity for a user or a user-container by performing an iterative join in which each participating DS 110 may serve as a primary node in a mathematical join operation. That is, the IDU 100 may perform identity virtualization that creates or generates the globally unique identifier for the user in operational environments where pre-existing conflict may be caused by the existence of different identities for a user in different authentication DSs 110. The identity virtualization performed by the IDU 100 may be a virtual data source that does not duplicate or mirror identities in the mapped backend DSs 110, however, other non-virtual data source configurations are possible. The IDU 100 may use virtual directories to consolidate disparate forms of identification from pre-existing identity islands such as LDAP directories and databases for authentication and authorization based on attributes and assigned user roles and privileges.
The IDU 100 may include a unified directory server and a virtual directory (not shown). The virtual directory or virtual directory server may provide a consolidated view of user identity without having to construct an entire directory infrastructure. Implemented in the form of middleware in a distributed environment, the virtual directory may be a lightweight service that may operate between applications and identity data or data entities of the DSs 110.
A virtual directory may receive one or more queries for user information and may direct them to the appropriate DSs 110. Once the user data is retrieved, the directory may apply transformations based on configured rulesets stored, for example in the IDU 100, and may present the user data to the enterprise application as though the data resides at a centrally managed location. The protocol used for the IDU may include LDAP, however, other protocols are possible. The virtual directory of the IDU 100 may serve to provide application specific views of identity data which may avoid developing a master enterprise schema.
Referring to
As an example, a request for user information corresponding to the user “Peter Pan” stored in DSs 110 may be received at the IDE 120. The request received from a requestor may include, for example, a name and a domain of the user. In response to the request, the IDE 120 may communicate with the IDU 100 such that the IDU 100 may determine if the user exists in any of the DSs 110. In this example, Peter Pan exists in the domain, so the IDU 100 may retrieve or may fetch user objects or identifiers corresponding to the user “Peter Pan” from data sources AD and OID. The IDU 100 then may manipulate the user objects to find the intersection between the objects stored in the data sources 110. The IDU 100 may use a join operation to find the intersection between the multiple user objects corresponding to the user “Peter Pan”.
Now referring to
Each data entity in the DSs 110 is represented by a distinguished name (DN) that includes a set of attributes corresponding to the data entity. In the case of a conflict between data entities, the IDU 100 may perform a conflict resolution operation between the conflicting entities by generating a composite Relative Distinguished Name (RDN). The composite RDN may combine or composite two or more attributes (e.g., user attributes) to form a single composite attribute corresponding, for example, to the user. For example, a composite RDN may be formed using a DN (e.g., common name, i.e., first name and last name) and one or more unique directory attributes to resolve conflicts/overlap of identities resulting from a join operation on multiple backend DSs 110. The directory attributes to be used in generating a composite RDN may be determined using a set of transformation rules or mappings. The attributes may include, for example, email identification, employee identification, department identification, social security number, and telephone extension number among others that are associated with a user or user container. Such attributes may also include any type of information used in an enterprise that is unique to and/or used to differentiate each user represented in the enterprise directories or databases. As one example, the composite RDN may be formed using the user's common name and email address. Data consolidation through virtualization may lead to conflicts that applications (e.g., the consumers of identity) of virtual directories may not be able to resolve for the specific use-cases that existed prior to the introduction of virtualization between the application and the data sources. The IM 130 (shown in
In various exemplary embodiments, access to a resource on a network may be secured using a global identifier. For example, the IDU may: obtain a plurality of identifiers associated with a user of the network, each of the plurality of identifiers may individually identify the user and may generate a superset of the plurality of identifiers, as the global identifier. One or more policies may be established to be associated with the global identifier of the user such that access to the resource on the network by the user may be restricted based on the one or more policies associated with the global identifier. Further, the user may also be allowed access to the resource when the user is authenticated and the one or more policies permit access by the user to the resource. Moreover, the one or more policies are identified as applying to the request for access by the user by generating the superset of the plurality of identifiers each time from the stored plurality of identifiers for each request.
In certain exemplary embodiments, the IDU may obtain the plurality of identifiers by, for example, determining a plurality of identifier storage locations (DS locations/logical addresses), each identifier storage location storing one or more of the plurality of identifiers and querying each of the identifier storage locations to obtain the plurality of identifiers.
In certain exemplary embodiments, the IDU may generate the superset of the plurality of identifiers by, for example, determining whether information associated with the user from the different storage locations conflict and if the user information from the different identified storage locations do not conflict, generating an aggregate join of the plurality of identifiers.
In certain exemplary embodiments, the IM may select one or more attributes of the global identifier for identifying the user when a conflict exists between information associated with the user from different identifier storage locations and the IDU may determine the particular policies to be used for access control by matching the user information from the user or client system of the user regarding the one or more attributes to the one or more selected attributes in the global identifier.
Referring to
The IM 130 may reconcile redundant forms of identification that are associated with a single unique instance of a user to a single globally unique identity descriptor. The single globally unique identity descriptor may be associated with access control rules and policies used by policy definitions and enforcement points. The IM 130 also may distinguish users in cases where there is an existing conflict and/or ambiguity in distinguishing users having identical names in DSs 110, through a unique attribute or a series of prioritized unique attributes associated with the user, such as an email-address, a department, an office location, and/or a telephone extension, among many others. Furthermore, the IM 130 may provide a method to distinguish users in cases where there is an existing conflict and/or ambiguity in distinguishing user-containers (such as user-groups) with identical names, through a unique attribute or prioritized unique attributes associated with the user container.
Referring to
When manipulating user objects from the data sources to find intersections between the objects, the IDU 100 may generate a superset of global identities and consolidated attributes for a user from any number of disparate identity sources such as DSs 110. The IDU 100 may support a plurality of different join operations, or transformation mappings, including, but not limited to, proxy mapping, hierarchical mapping, aggregation joins, and/or N-ary joins.
For proxy mapping, the users and groups (user containers) stored in the backend data source 110 may be represented as virtual IDU DNs. The IDE 120 may send a search request for the user (e.g., using login attributes) and receive a user IDU DN in response. The IDU 100 may support under proxy mapping: (1) authentication using the received user IDU DN; (2) fetching a user policy associated with a user IDU DN, where the IDU 120 is setup as the policy repository; and (3) fetching modified objects, where the IDU is setup as the policy repository, among others.
A hierarchical transformation may be used to generate IDU group mappings. Using a hierarchical mapping, the users and groups in the backend DSs 110 may be represented as virtual IDU DNs. The IDE 120 may send a search request for the user and may receive an IDU virtual user/group object. The backend user/group DN may be available as an attribute of the user/group object. The members of the group may be available as IDU DNs. The IDE 120 may map the backend user/group DN to an IDU user/group DN to fetch associated policies. The IDU 100 may support under hierarchical transformation: (1) authentication using the received user IDU DN; (2) fetching a user policy by user IDU DN, where IDU is setup as the policy repository; (3) fetching a group policies, where IDU is setup as the policy repository; and (4) fetching modified objects, where IDU is setup as the policy repository, among others.
The aggregation join operation may include a union to process users from different data sources. The users and groups in the backend DSs 110 may be represented as virtual IDU DNs. The IDE 120 may send a search request for the user and may receive an IDU virtual user/group object. The backend user/group DN may be available as an attribute of the user/group object. The members of the group may be available as IDU DNs. The IDU DN for the user includes a single backend user DN. The IDE may map the backend user/group DN to an IDU user/group DN to fetch associated policies. For authentication, the primary node of the join is used to authenticate the user. The IDU 100 may support under such an aggregation join: (1) authentication using the received user IDU DN against the primary node; (2) fetching a user policy by user IDU DN, where IDU is setup as the policy repository; (3) fetching a group policies, where IDU is setup as the policy repository; and (4) fetching modified objects, where IDU is setup as the policy repository, among others.
Referring to
Referring to
By manipulating user objects from data sources to find the intersection between the objects, the IDU 100 may generate a superset of global identities and consolidated attributes for a user from any number of disparate identity sources (e.g., LDAP directories, databases, etc.) using the iterative join operation. The N-ary join may include a transitive join operation or a non-transitive join operation; in consideration that no superset data source exists that contains the users, that a user may be present in multiple data sources and that a unique join attribute may not exist across all data sources.
A join operation generally includes a join attribute between a primary data source and one or more secondary data sources. In a transitive join, values of the join attribute from both the primary and secondary data sources may be used to perform lookups in subsequent secondary data sources. In a non-transitive join, the lookup on the secondary data source may be performed using values for the join attribute from the primary data source only. The N-ary join may be a non-transitive join. That is, a different data source serves as the primary data source during each iteration and a different join attribute may be used to perform lookups in the secondary data sources. This process provides flexibility in performing joins on disparate data sources without exclusions.
Referring to
Referring back to
The IDE 120 may query the IDU 100 for groups and respective memberships. The IDU may return IDU DNs for the groups (e.g., G1, G2, G3), including as attributes the backend group DN, and user/group members as backend DNs. For nested groups, the IDE may map the backend DNs to the IDU DNs. Such a query may occur, for example, dynamically, on restart or based on user input.
When a user logs in, the IDE 120 may send a search request with user credentials to the IDU 100 and, in response, receives the IDU DNs for the user (e.g., UA, UB). The IDE then may send a bind request to authenticate with the IDU DN. On successful authentication, the IDE 120 may determine group memberships based on the user's IDU DN.
In certain exemplary embodiments, the IDU may serve as the single authoritative source of globally unique user identity validation, policy and user/user-container level directory attribute association based on the validation for network level access control. Furthermore, the IM 130 may display users and groups mapped to the IDU DNs, and user and group policies may be defined for IDU DNs.
For either the aggregate join operation or N-ary join operation, during user authentication, the IDE 120 may send user credentials (e.g., a domain, a username, among others.) to the IDU 100. The IDU 100 may initiate search operations, for example, LDAP search operations on backend directories DSs 110 based on aggregate or N-ary mappings/transformation rules configured on the IDU 100 to fetch one or more backend distinguished names (DNs). The IDU 100 may generate a mapped IDU DN for each backend DN. The IDU may send to the IDE one mapped IDU DN corresponding to each backend DN, using a composite RDN. The composite RDN may be formed using a DN and one or more unique directory attributes (e.g., email-id, employee-id, department-id, SSN, telephone-extension, etc.). If user information (user objects) associated with the user exists in multiple (e.g., N) backend directories, N IDU DNs may be returned to IDE 120. The IDE 120 may perform a bind operation on each IDU DN in the returned list to authenticate the user. The authentication may be considered successful, for example, when one or more of the user's credentials match the user information in one of the IDU DNs in the returned list.
Referring back to
In certain exemplary embodiments, the multiple disparate data sources 110 may reside outside of a single administrative scope or authority. For example, users from one agency, partner organization or subsidiary may have access to resources outside their local realm. Users authenticated in their local realm 800 (e.g., Realm A), for example, having access to extranet resources may present their local realm credentials to a remote IDE 810 (e.g., Realm B). The remote IDE 810 then may request authentication of these credentials from directory IDU-B 820 in Realm B. The IDU-B 820 may securely transport the credentials to the requestor's local IDU-A 830 (in Realm A) for user authentication. That is one IDU 830 may virtualize another trusted IDU 820 to expand the scope of a join operation. Furthermore, one IDU may itself serve as a data source to another IDU 830. In certain exemplary embodiments, an IDE (not shown) associated with the local IDU 830 may permit or restrict access to the resource via the first computing environment based on the global unique identifier from the second computing environment.
Static access control lists without an identity component are not an extensible framework in current mobile networking environment where source IP address are translated by NAT and VPN gateways to obscure a true endpoint address of the remote user at the point of network access. Identity-based access control may use tighter integration with identity data silos and virtualization for administrative simplicity and manageability.
The IDE may provide an innovative approach to enforce application specific access privileges based on directory enrollment of users and user containers at the network layer. The IDE may provide end-users the flexibility to use one of multiple credentials in one or multiple realms to derive globally unique access policies based on granular role and access profiles. Identity virtualization allows the IDE to enforce access control policies keyed by authentication profiles including the user's current login credentials, authentication sources such as authentication server that validated the user in the session, cross-domain/realm validation of user identity across trust bridges, and dynamic role-based access privileges.
The virtual data-less identity join provided by the IDU enables the IDE to accommodate dynamically changing user and user container attributes to adjust access controls without requiring changes with top down provisioning of policies enforced on the IDE.
The IM may provide an interactive and intuitive user interface to identity conflicts and resolve conflicts in tight integration with extensible IDU mapping elements. The IM may include a graphical user interface that enables policy administrators to manage conflict and ambiguity resolution during policy definition to ensure appropriate access privileges are provisioned for resource access.
Certain exemplary embodiments use one or more unique directory attributes to generate the unique global user identifier for policy definition using a composite RDN. For example, a company wide employee ID or email address may be used as the attribute to uniquely differentiate between two users with the same first and last name. This is extensible and may be modified to use a different set of attributes later. The IDU abstracts the intricacies of such conflict resolution from the IDE in the control path of the user session.
Although the system is described with reference to IDUs, IDEs and DSs, the system may include hardware and software i.e., processor-based devices or computing devices operating together, or components thereof. For example, the processing system may include one or more of a portable computer, portable communication device operating in a communication network, and/or a network server. The portable computer may be any of a number and/or combination of devices selected from among personal computers, mobile telephones, personal digital assistants, portable computing devices, and portable communication devices, among others. The processing system may also include components within a larger computer system.
The processing system may include at least one processor and at least one memory device or subsystem. The processing system also may include or be coupled to at least one database. The term “processor” as generally used herein refers to any logic processing unit, such as one or more central processing units (CPUs), digital signal processors (DSPs), application-specific integrated circuits (ASIC), etc. The processor and memory may be monolithically integrated onto a single chip, distributed among a number of chips or components, and/or provided by some combination of algorithms. The methods described herein may be implemented in one or more of software algorithm(s), programs, firmware, hardware, components, circuitry, in any combination.
Components of the systems and methods described herein may be located together or in separate locations. Communication paths couple the components and include any medium for communicating or transferring files among the components. The communication paths may include wireless connections, wired connections, or hybrid wireless/wired connections. The communication paths also may include couplings or connections to networks including local area networks (LANs), metropolitan area networks (MANs), WiMax networks, wide area networks (WANs), proprietary networks, interoffice or backend networks, or the Internet. Furthermore, the communication paths include removable fixed mediums such as floppy disks, hard disk drives, and CD-ROM disks, as well as flash RAM, Universal Serial Bus (USB) connections, RS-232 connections, telephone lines, buses, or electronic mail messages.
Although the invention has been described in terms of system and method for establishing and maintaining globally unique identities and a method thereof, it is contemplated that the method may be executed by a computer using software stored on a computer readable storage medium, for example, a magnetic or optical disk, or a memory-card.
This application claims the benefit of United States Patent Application No. 60/987,466, filed Nov. 13, 2007, the content of which is incorporated herein by reference.
Number | Name | Date | Kind |
---|---|---|---|
5218637 | Angebaud et al. | Jun 1993 | A |
5757916 | MacDoran et al. | May 1998 | A |
5784562 | Diener | Jul 1998 | A |
5867494 | Krishnaswamy et al. | Feb 1999 | A |
5887065 | Audebert | Mar 1999 | A |
5983270 | Abraham et al. | Nov 1999 | A |
5987611 | Freund | Nov 1999 | A |
5999525 | Krishnaswamy et al. | Dec 1999 | A |
6021495 | Jain et al. | Feb 2000 | A |
6070245 | Murphy et al. | May 2000 | A |
6076108 | Courts et al. | Jun 2000 | A |
6105136 | Cromer et al. | Aug 2000 | A |
6141758 | Benantar et al. | Oct 2000 | A |
6145083 | Shaffer et al. | Nov 2000 | A |
6161182 | Nadooshan | Dec 2000 | A |
6170019 | Dresel et al. | Jan 2001 | B1 |
6199113 | Alegre et al. | Mar 2001 | B1 |
6219669 | Haff et al. | Apr 2001 | B1 |
6253326 | Lincke et al. | Jun 2001 | B1 |
6304969 | Wasserman et al. | Oct 2001 | B1 |
6335927 | Elliott et al. | Jan 2002 | B1 |
6345291 | Murphy et al. | Feb 2002 | B2 |
6393569 | Orenshteyn | May 2002 | B1 |
6418472 | Mi et al. | Jul 2002 | B1 |
6442571 | Haff et al. | Aug 2002 | B1 |
6452915 | Jorgensen | Sep 2002 | B1 |
6470453 | Vilhuber | Oct 2002 | B1 |
6473794 | Guheen et al. | Oct 2002 | B1 |
6480967 | Jensen et al. | Nov 2002 | B1 |
6502192 | Nguyen | Dec 2002 | B1 |
6510350 | Steen et al. | Jan 2003 | B1 |
6519571 | Guheen et al. | Feb 2003 | B1 |
6523027 | Underwood | Feb 2003 | B1 |
6535917 | Zamanzadeh et al. | Mar 2003 | B1 |
6536037 | Guheen et al. | Mar 2003 | B1 |
6594589 | Coss et al. | Jul 2003 | B1 |
6601233 | Underwood | Jul 2003 | B1 |
6609128 | Underwood | Aug 2003 | B1 |
6615166 | Guheen et al. | Sep 2003 | B1 |
6633878 | Underwood | Oct 2003 | B1 |
6640248 | Jorgensen | Oct 2003 | B1 |
6704873 | Underwood | Mar 2004 | B1 |
6718535 | Underwood | Apr 2004 | B1 |
6721713 | Guheen et al. | Apr 2004 | B1 |
6725269 | Megiddo | Apr 2004 | B1 |
6731625 | Eastep et al. | May 2004 | B1 |
6735691 | Capps et al. | May 2004 | B1 |
6748287 | Hagen et al. | Jun 2004 | B1 |
6754181 | Elliott et al. | Jun 2004 | B1 |
6766314 | Burnett | Jul 2004 | B2 |
6785692 | Wolters et al. | Aug 2004 | B2 |
6826616 | Larson et al. | Nov 2004 | B2 |
6839759 | Larson et al. | Jan 2005 | B2 |
6850252 | Hoffberg | Feb 2005 | B1 |
6856330 | Chew et al. | Feb 2005 | B1 |
6870921 | Elsey et al. | Mar 2005 | B1 |
6909708 | Krishnaswamy et al. | Jun 2005 | B1 |
6944279 | Elsey et al. | Sep 2005 | B2 |
6947992 | Shachor | Sep 2005 | B1 |
6954736 | Menninger et al. | Oct 2005 | B2 |
6957186 | Guheen et al. | Oct 2005 | B1 |
6985922 | Bashen et al. | Jan 2006 | B1 |
7013290 | Ananian | Mar 2006 | B2 |
7039606 | Hoffman et al. | May 2006 | B2 |
7054837 | Hoffman et al. | May 2006 | B2 |
7072843 | Menninger et al. | Jul 2006 | B2 |
7096495 | Warrier et al. | Aug 2006 | B1 |
7100195 | Underwood | Aug 2006 | B1 |
7107285 | Von Kaenel et al. | Sep 2006 | B2 |
7120596 | Hoffman et al. | Oct 2006 | B2 |
7145898 | Elliott | Dec 2006 | B1 |
7149698 | Guheen et al. | Dec 2006 | B2 |
7149803 | Douglis et al. | Dec 2006 | B2 |
7160599 | Hartman | Jan 2007 | B2 |
7165041 | Guheen et al. | Jan 2007 | B1 |
7171379 | Menninger et al. | Jan 2007 | B2 |
7188138 | Schneider | Mar 2007 | B1 |
7188180 | Larson et al. | Mar 2007 | B2 |
7194552 | Schneider | Mar 2007 | B1 |
7331061 | Ramsey et al. | Feb 2008 | B1 |
7334125 | Pellacuru et al. | Feb 2008 | B1 |
7353533 | Wright et al. | Apr 2008 | B2 |
7363347 | Thomas | Apr 2008 | B2 |
7386889 | Shay | Jun 2008 | B2 |
7398552 | Pardee et al. | Jul 2008 | B2 |
7430760 | Townsend et al. | Sep 2008 | B2 |
7509687 | Ofek et al. | Mar 2009 | B2 |
7519986 | Singhal | Apr 2009 | B2 |
7567510 | Gai et al. | Jul 2009 | B2 |
7596803 | Barto et al. | Sep 2009 | B1 |
7637147 | Lee et al. | Dec 2009 | B2 |
7644434 | Pollutro et al. | Jan 2010 | B2 |
7660902 | Graham et al. | Feb 2010 | B2 |
7660980 | Shay et al. | Feb 2010 | B2 |
7770223 | Shevenell et al. | Aug 2010 | B2 |
8412838 | Wang et al. | Apr 2013 | B1 |
20010020195 | Patel et al. | Sep 2001 | A1 |
20010052012 | Rinne et al. | Dec 2001 | A1 |
20010054044 | Liu et al. | Dec 2001 | A1 |
20010054147 | Richards | Dec 2001 | A1 |
20020002577 | Garg et al. | Jan 2002 | A1 |
20020022969 | Berg et al. | Feb 2002 | A1 |
20020029086 | Ogushi et al. | Mar 2002 | A1 |
20020062367 | Debber et al. | May 2002 | A1 |
20020077981 | Takatori et al. | Jun 2002 | A1 |
20020078015 | Ponnekanti | Jun 2002 | A1 |
20020080822 | Brown et al. | Jun 2002 | A1 |
20020083183 | Pujare et al. | Jun 2002 | A1 |
20020116643 | Raanan et al. | Aug 2002 | A1 |
20020133723 | Tait | Sep 2002 | A1 |
20020146026 | Unitt et al. | Oct 2002 | A1 |
20020146129 | Kaplan | Oct 2002 | A1 |
20020184224 | Haff et al. | Dec 2002 | A1 |
20020193966 | Buote et al. | Dec 2002 | A1 |
20030005118 | Williams | Jan 2003 | A1 |
20030005300 | Noble et al. | Jan 2003 | A1 |
20030009538 | Shah et al. | Jan 2003 | A1 |
20030023726 | Rice et al. | Jan 2003 | A1 |
20030033545 | Wenisch et al. | Feb 2003 | A1 |
20030055962 | Freund et al. | Mar 2003 | A1 |
20030063750 | Medvinsky et al. | Apr 2003 | A1 |
20030083991 | Kikinis | May 2003 | A1 |
20030084350 | Eibach et al. | May 2003 | A1 |
20030171885 | Coss et al. | Sep 2003 | A1 |
20030179900 | Tian et al. | Sep 2003 | A1 |
20030200439 | Moskowitz | Oct 2003 | A1 |
20030204421 | Houle et al. | Oct 2003 | A1 |
20030208448 | Perry et al. | Nov 2003 | A1 |
20030208562 | Hauck et al. | Nov 2003 | A1 |
20030217126 | Polcha et al. | Nov 2003 | A1 |
20030217166 | Dal Canto et al. | Nov 2003 | A1 |
20030220768 | Perry et al. | Nov 2003 | A1 |
20030220821 | Walter et al. | Nov 2003 | A1 |
20040006710 | Pollutro et al. | Jan 2004 | A1 |
20040022191 | Bernet et al. | Feb 2004 | A1 |
20040024764 | Hsu et al. | Feb 2004 | A1 |
20040031058 | Reisman | Feb 2004 | A1 |
20040049515 | Haff et al. | Mar 2004 | A1 |
20040107342 | Pham et al. | Jun 2004 | A1 |
20040107360 | Herrmann et al. | Jun 2004 | A1 |
20040111410 | Burgoon et al. | Jun 2004 | A1 |
20040142686 | Kirkup et al. | Jul 2004 | A1 |
20040193606 | Arai et al. | Sep 2004 | A1 |
20040193912 | Li et al. | Sep 2004 | A1 |
20040214576 | Myers et al. | Oct 2004 | A1 |
20040228362 | Maki et al. | Nov 2004 | A1 |
20040230797 | Ofek et al. | Nov 2004 | A1 |
20050015624 | Ginter et al. | Jan 2005 | A1 |
20050027788 | Koopmans et al. | Feb 2005 | A1 |
20050038779 | Fernandez et al. | Feb 2005 | A1 |
20050132030 | Hopen et al. | Jun 2005 | A1 |
20050185647 | Rao et al. | Aug 2005 | A1 |
20050265351 | Smith et al. | Dec 2005 | A1 |
20050283822 | Appleby et al. | Dec 2005 | A1 |
20060005240 | Sundarrajan et al. | Jan 2006 | A1 |
20060068755 | Shraim et al. | Mar 2006 | A1 |
20060075464 | Golan et al. | Apr 2006 | A1 |
20060080441 | Chen et al. | Apr 2006 | A1 |
20060080667 | Sanghvi et al. | Apr 2006 | A1 |
20060090196 | Van Bemmel et al. | Apr 2006 | A1 |
20060198394 | Gotoh et al. | Sep 2006 | A1 |
20060218273 | Melvin | Sep 2006 | A1 |
20060245414 | Susai et al. | Nov 2006 | A1 |
20060248480 | Faraday et al. | Nov 2006 | A1 |
20060248580 | Fulp et al. | Nov 2006 | A1 |
20060271652 | Stavrakos et al. | Nov 2006 | A1 |
20060274774 | Srinivasan et al. | Dec 2006 | A1 |
20060277275 | Glaenzer | Dec 2006 | A1 |
20060277591 | Arnold et al. | Dec 2006 | A1 |
20060282545 | Arwe et al. | Dec 2006 | A1 |
20060282876 | Shelest et al. | Dec 2006 | A1 |
20070038618 | Kosciusko et al. | Feb 2007 | A1 |
20070061434 | Schmieder et al. | Mar 2007 | A1 |
20070113269 | Zhang | May 2007 | A1 |
20070136317 | Przywara | Jun 2007 | A1 |
20070192853 | Shraim et al. | Aug 2007 | A1 |
20070271592 | Noda et al. | Nov 2007 | A1 |
20070283014 | Shinomiya et al. | Dec 2007 | A1 |
20070294762 | Shraim et al. | Dec 2007 | A1 |
20070299915 | Shraim et al. | Dec 2007 | A1 |
20080005779 | Takenaka et al. | Jan 2008 | A1 |
20080008202 | Terrell et al. | Jan 2008 | A1 |
20080215889 | Celik et al. | Sep 2008 | A1 |
20090158384 | Kanade et al. | Jun 2009 | A1 |
20090210364 | Adi et al. | Aug 2009 | A1 |
20100037284 | Sachs | Feb 2010 | A1 |
20100223222 | Zhou et al. | Sep 2010 | A1 |
20100235879 | Burnside et al. | Sep 2010 | A1 |
20110280215 | Nakagawa et al. | Nov 2011 | A1 |
20120051529 | Dobbins et al. | Mar 2012 | A1 |
20120096513 | Raleigh et al. | Apr 2012 | A1 |
20120304277 | Li et al. | Nov 2012 | A1 |
Number | Date | Country |
---|---|---|
2286534 | Apr 2001 | CA |
1 071 256 | Jan 2001 | EP |
1 418 730 | May 2004 | EP |
1 641 215 | Mar 2006 | EP |
06-097905 | Apr 1994 | JP |
11-205388 | Jul 1999 | JP |
2001-306521 | Nov 2001 | JP |
2003-008651 | Jan 2003 | JP |
WO-0133759 | May 2001 | WO |
WO-0138995 | May 2001 | WO |
WO-02079949 | Oct 2002 | WO |
WO-2005066737 | Jul 2005 | WO |
Entry |
---|
Aleksander Svelokken, “Biometric Authentication and Identification Using Keystroke Dynamics With Alert Levels”, Master Thesis (Retrieved from University of Oslo), May 23, 2007, pp. 1-124. |
Darryle Merlette, Dr. Parag Pruthi; Network Security; NetDetector: Identifying Real Threats and Securing Your Network; Copyright © 2003 Niksun, Inc., Monmouth Junction NJ, USA. |
Darryle Merlette; Spencer Parker, Dr. Parag Pruthi; Niksun Network Security; NetDetector: Monitoring and Minimizing Instant Messaging Risks; Copyright © 2003 Niksun, Inc., Monmouth Junction NJ, USA. |
International Search Report for International Application No. PCT/US2008/007984; Completed Aug. 22, 2009; Mailed Sep. 3, 2009. |
International Search Report for PCT Application No. PCT/US2004/043405; Completed Mar. 15, 2005; Mailed Mar. 23, 2005. |
Japanese Office Action on 2006-547397 dated Jul. 5, 2011. |
Japanese Office Action on 2006-547397 dated Nov. 30, 2010. |
Notice of Allowance for U.S. Appl. No. 10/423,444 dated Nov. 16, 2009. |
Office Action for U.S. Appl. No. 12/163,292 dated Aug. 8, 2011. |
Office Action for U.S. App. No. 12/163,292 dated Feb. 2, 2011. |
Office Action for U.S. Appl. No. 10/423,444 dated Dec. 2, 2008. |
Office Action for U.S. Appl. No. 10/423,444 dated Feb. 25, 2009. |
Office Action for U.S. Appl. No. 10/423,444 dated Jul. 27, 2009. |
Office Action for U.S. Appl. No. 10/423,444 dated Jun. 13, 2006. |
Office Action for U.S. Appl. No. 10/423,444 dated Mar. 12, 2007. |
Office Action for U.S. Appl. No. 10/423,444 dated Mar. 14, 2008. |
Office Action for U.S. Appl. No. 10/423,444 dated Sep. 19, 2008. |
Office Action for U.S. Appl. No. 10/423,444 dated Sep. 7, 2007. |
Office Action for U.S. Appl. No. 10/583,578 dated Feb. 11, 2011. |
Office Action for U.S. Appl. No. 10/583,578 dated Jul. 19, 2011. |
Office Action for U.S. Appl. No. 10/583,578 dated Jun. 24, 2010. |
Office Action for U.S. Appl. No. 12/406,613 dated Oct. 24, 2011. |
Office Action on U.S. Appl. No. 12/267,804 dated Aug. 16, 2011. |
Office Action on U.S. Appl. No. 12/267,804 dated Apr. 25, 2011. |
Scarfone et ai, Guide to Intrusion Detection and Prevention Systems (IOPS), Feb. 2007, NIST, Special Publication 800-94. |
Written Opinion of the International Search Authority for PCT Application No. PCT/US2004/043405; Completed Mar. 15, 2005; Mailed Mar. 23, 2005. |
Notice of Allowance for U.S. Appl. No. 10/583,578 dated Mar. 27, 2012. |
Office Action for U.S. Appl. No. 12/267,804 dated Apr. 10, 2012. |
Office Action for U.S. Appl. No. 12/267,850 dated Nov. 7, 2012. |
Office Action for U.S. Appl. No. 12/267,850 dated Jun. 14, 2012. |
Office Action for U.S. Appl. No. 12/406,613 dated Mar. 20, 2012. |
Office Action for U.S. Appl. No. 12/432,186 dated Jun. 25, 2012. |
Notice of Allowance for U.S. Appl. No. 12/267,804 dated Apr. 24, 2013. |
Office Action for U.S. Appl. No. 12/267,804 dated Sep. 27, 2012. |
Office Action for U.S. Appl. No. 12/267,850 dated Mar. 26, 2013. |
Office Action for U.S. Appl. No. 12/267,850 dated Sep. 30, 2013. |
Office Action for U.S. Appl. No. 12/432,186 dated Feb. 21, 2013. |
Office Action for U.S. Appl. No. 12/163,292 dated Apr. 25, 2014. |
Number | Date | Country | |
---|---|---|---|
20090133110 A1 | May 2009 | US |
Number | Date | Country | |
---|---|---|---|
60987466 | Nov 2007 | US |