US20200213318A1 - Leveraging location information of a secondary device - Google Patents
- Publication number: US20200213318A1 (application US16/730,352)
- Authority: US (United States)
- Prior art keywords: location, computing device, location information, server, network
- Prior art date
- Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L41/0668—Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
- H04L41/0681—Management of faults, events, alarms or notifications; configuration of triggering conditions
- H04L41/5019—Network service management; managing SLA; ensuring fulfilment of SLA
- H04L43/08—Monitoring or testing data switching networks based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L45/121—Routing or path finding of packets; shortest path evaluation by minimising delays
- H04L45/22—Routing or path finding of packets; alternate routing
- H04L45/24—Routing or path finding of packets; multipath
- H04L45/28—Routing or path finding of packets in data switching networks using route fault recovery
- H04L63/0272—Network security for separating internal from external traffic, e.g. firewalls; virtual private networks
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04L63/0876—Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10—Network security for controlling access to devices or network resources
- H04W12/06—Wireless security arrangements; authentication
- H04W12/084—Wireless access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
- H04W12/63—Context-dependent security; location-dependent; proximity-dependent
- H04W12/69—Context-dependent security; identity-dependent
- H04W24/04—Supervisory, monitoring or testing arrangements for maintaining operational condition
- H04W36/305—Hand-off or reselection triggered by measured or perceived connection quality data; handover due to radio link failure
- H04W4/02—Services making use of location information
- H04W40/12—Communication route or path selection based on transmission quality or channel quality
- H04W40/34—Communication routing; modification of an existing route
- H04W64/003—Locating network equipment for network management purposes, e.g. mobility management
- H04W76/15—Connection management; setup of multiple wireless link connections
- H04W88/04—Terminal devices adapted for relaying to or from another terminal or user
- G06F21/566—Computer malware detection or handling; dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/034—Indexing scheme relating to G06F21/50 (monitoring users, programs or devices to maintain the integrity of platforms); test or assess a computer or a system
- G06F8/65—Software deployment; updates
- H04L2463/082—Additional details relating to network security covered by H04L63/00; applying multi-factor authentication
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
- H04L63/107—Controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
- H04W48/18—Access restriction; network selection; selecting a network or a communication service
Definitions
- a laptop computer might support Ethernet, Wi-Fi (IEEE 802.11x), and/or cellular network connections. If one network connection fails, a user has the option to change networks, e.g., by accessing network settings on the laptop and selecting a different network.
- Some devices change network connections automatically. For example, a user of a smartphone might start listening to a podcast at home, where the smartphone is connected to Wi-Fi, but then might decide to continue listening outside. When the user gets out of Wi-Fi range, the smartphone detects the loss of Wi-Fi and switches over to cellular service. With adequate buffering, the transition may appear seamless, and the user may never notice that there has been a connection failure and then a failover from Wi-Fi to cellular service.
- a technique disclosed herein maintains multiple network paths simultaneously, exchanging the same data redundantly through the network paths and allowing a receiver to select one of the network paths as its source of data.
- a first, currently-selected network path becomes weak, for example, the receiver can automatically and seamlessly switch its source of data to a second network path, while the first network path remains operational.
- the transition is nearly instantaneous. Even highly interactive applications running in environments having network dead zones or interference can remain fully functional with generally no downtime.
- a first device may establish an additional connection to a network by operatively coupling to a second device.
- the first device may connect to Wi-Fi and may also connect, e.g., via Bluetooth, Wi-Fi, or cable, to the second device, which is configured to share its network connection with the first device.
- the first device is then able to use both its own Wi-Fi connection and the shared connection from the second device.
- the first device benefits from the reliability of having an additional network path.
- this arrangement also lends itself to enhanced access control based on location.
- an improved technique includes a first device that receives location information from a second device that shares its network connection with the first device.
- the first device applies the location information received from the second device when requesting access to a resource of a network.
- the first device effectively leverages the presence of the second device and its location information to increase authentication strength and/or to facilitate the administration of access rights.
- Certain embodiments are directed to a method that includes receiving, by a first computing device, data from a second computing device, the data being indicative of a location of the second computing device, the second computing device having a connection to a computer network. The method further includes determining, by the first computing device, a location indicator based at least in part on the received data from the second computing device.
- the method still further includes sending, by the first computing device, a request to access a resource of the computer network, the request including the determined location indicator and accessing, by the first computing device, the resource of the computer network in response to an authorization to access the resource, the authorization granted in response to the request and based at least in part on the determined location indicator, the location indicator received from the second computing device providing an indication of location of the first computing device for enabling access by the first computing device to the resource based at least in part on location.
- Other embodiments are directed to a method that includes receiving, by a server, a request from a first computing device over a computer network, the request being to access a resource on the computer network and including a location indicator, the location indicator being based at least in part on data indicative of a location of a second computing device.
- the method further includes verifying, by the server, that the location indicated by the location indicator is consistent with an authorized location in which to access the resource of the computer network, based at least in part on the location indicator of the received request, and, in response to the verification of the location, granting, by the server, the first computing device access to the resource on the computer network.
- control circuitry configured to: receive a request from a first computing device over a computer network, the request being to access a resource on the computer network and including a location indicator, the location indicator based at least in part on data indicative of a location of a second computing device.
- the control circuitry is further configured to verify that the location indicated by the location indicator matches an authorized location in which to access the resource of the computer network, based at least in part on the location indicator of the received request, and, in response to the verification of the location, grant the first computing device access to the resource on the computer network.
- control circuitry configured to obtain location information that indicates a location of a second device, the second device (i) operatively coupled to the client device, (ii) having a connection to a computer network, and (iii) sharing the connection with the client device.
- the control circuitry is further configured to form a location indicator based at least in part on the location information received from the second device, send an access request, including the location indicator, to a server to access a resource of the computer network, and access the resource based at least in part on a determination that the location indicator is consistent with an authorized location for accessing the resource.
- Additional embodiments include any method described above realized as a computerized apparatus, system, or device constructed and arranged to carry out the respective method, as well as a computer program product including a set of non-transitory, computer-readable media having instructions which, when executed by control circuitry, cause the control circuitry to perform the respective method.
- Further embodiments include any computerized apparatus, system, or device described above realized as a respective method or computer program product.
- Still further embodiments include any computer program product described above realized as a respective method, device, system, or computerized apparatus.
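The client and server methods summarized above, written out as an added example that is not code from the patent: a tethering phone (the second device) hands the laptop (the first device) a location report, the laptop forms a location indicator and includes it in its access request, and the server checks that the indicated location is consistent with an authorized location before granting access. Everything below is constructed for illustration. The patent does not specify how the location report is protected; this example assumes the second device and the server share a key and the report carries an HMAC, so the first device can forward the report but cannot alter its coordinates. The freshness and accuracy limits are likewise assumptions, added because a location indicator supplied by the client is only as trustworthy as the checks applied to it.

```python
import hashlib
import hmac
import json
import math

# Constructed sample configuration (not from the patent).
# Assumption: the tethering phone (second device) and the server share a key,
# so the laptop (first device) can forward the phone's location report but
# cannot alter the coordinates without the server noticing.
SECOND_DEVICE_KEYS = {"phone-7f3a": b"example-shared-key-for-phone-7f3a"}
# resource -> circles (lat, lon, radius_m) from which access is authorized
AUTHORIZED_LOCATIONS = {"hr-portal": [(37.4220, -122.0841, 500.0)]}
MAX_REPORT_AGE_S = 120      # assumption: how old a location report may be
MAX_ACCURACY_M = 200.0      # assumption: reject fixes too coarse to place the device


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def second_device_report(device_id, lat, lon, accuracy_m, ts):
    """Second device: the location data it shares with the first device, with
    an HMAC so the server can tell it came from this phone unmodified."""
    body = {"device_id": device_id, "lat": lat, "lon": lon,
            "accuracy_m": accuracy_m, "ts": ts}
    tag = hmac.new(SECOND_DEVICE_KEYS[device_id], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def build_access_request(first_device_id, resource, report):
    """First device: derive the location indicator from the second device's
    report and include it in the request for the network resource."""
    indicator = {"source": "second_device", "first_device_id": first_device_id,
                 "report": report}
    return {"resource": resource, "location_indicator": indicator}


def server_authorize(request, now):
    """Server: verify that the indicated location is consistent with an
    authorized location for the resource. Returns (granted, reason)."""
    report = request["location_indicator"]["report"]
    body, tag = report["body"], report["mac"]
    key = SECOND_DEVICE_KEYS.get(body.get("device_id"))
    if key is None:
        return False, "unknown second device"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "location report not authenticated"
    if not (now - MAX_REPORT_AGE_S <= body["ts"] <= now + 5):
        return False, "location report stale"
    if body["accuracy_m"] > MAX_ACCURACY_M:
        return False, "location fix too imprecise"
    for lat, lon, radius in AUTHORIZED_LOCATIONS.get(request["resource"], []):
        # the whole uncertainty circle of the fix must lie inside the zone
        if haversine_m(body["lat"], body["lon"], lat, lon) + body["accuracy_m"] <= radius:
            return True, "granted"
    return False, "outside authorized location"


def demo(now=1_700_000_000):
    """Run the constructed scenarios; returns {name: (granted, reason)}."""
    good = second_device_report("phone-7f3a", 37.4225, -122.0845, 20.0, now - 10)
    far = second_device_report("phone-7f3a", 37.7749, -122.4194, 20.0, now - 10)
    stale = second_device_report("phone-7f3a", 37.4225, -122.0845, 20.0, now - 600)
    coarse = second_device_report("phone-7f3a", 37.4225, -122.0845, 5000.0, now - 10)
    tampered = second_device_report("phone-7f3a", 37.7749, -122.4194, 20.0, now - 10)
    # the laptop rewrites the phone's coordinates after the report was signed
    tampered["body"]["lat"], tampered["body"]["lon"] = 37.4225, -122.0845
    return {name: server_authorize(build_access_request("laptop-01", "hr-portal", rep), now)
            for name, rep in [("good", good), ("far", far), ("stale", stale),
                              ("coarse", coarse), ("tampered", tampered)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The geofence test requires the fix's whole accuracy circle to sit inside the authorized zone; otherwise a device could pass the check simply by reporting a very large accuracy radius, which is also why a cap on the reported accuracy is applied before the distance test.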
- FIG. 1 is a block diagram of an example environment in which embodiments of the disclosed technique can be practiced.
- FIG. 2 is a block diagram showing an example arrangement for downloading a SaaS (Software as a Service) application from a server to a client.
- FIG. 3 is a flowchart showing an example method for operating a client and/or server in the environment of FIG. 1 .
- FIGS. 4 a -4 d are simulated screenshots of a graphical user interface (GUI) of a client application component.
- FIG. 5 is a simulated screenshot of a GUI of a SaaS workspace application.
- FIGS. 6-8 are flowcharts showing example methods conducted by the client device, by the server, and by a system that includes both the client device and the server.
- FIG. 9 is a block diagram that shows an example network environment in which various aspects of the disclosure may be implemented.
- FIG. 10 is a block diagram that shows a computing device useful for practicing an embodiment of client devices, appliances and/or servers.
- FIG. 11 is a block diagram of an example system in which embodiments for performing authentication can be practiced.
- FIG. 12 is a sequence diagram showing an example procedure for performing authentication by a first device based at least in part on security data received from a second device.
- FIG. 13 is a sequence diagram showing another example procedure for performing authentication by a first device based at least in part on security data received from a second device.
- FIG. 14 is a flowchart showing an example method conducted by a client device for participating in authentication.
- FIG. 15 is a flowchart showing an example method conducted by a server for participating in authentication.
- FIG. 16 is a block diagram of an example system in which embodiments for leveraging location information can be practiced.
- FIG. 17 is a sequence diagram showing an example procedure for using location information of a second device when making an access request by a first device.
- FIG. 18 is a flowchart showing an example method conducted by a client device for accessing a resource using location information of a second device.
- FIG. 19 is a flowchart showing an example method conducted by a server for providing a first device with access to a resource using location information of a second device.
- Section I Example Environment and Technique for Maintaining Multiple, Simultaneous Network Paths
- a technique for operating an application maintains multiple, simultaneous network paths, exchanging the same data redundantly through the network paths and enabling a receiver to select one of the network paths as a source of the data.
- FIG. 1 shows an example environment 100 in which embodiments of the disclosed technique can be practiced.
- a client device 110 (“client”) is operatively connected to a server apparatus 120 (“server”) over a network 170 , such as a local area network (LAN), a wide area network (WAN), the Internet, and/or some other type of network or combination of networks.
- the client 110 may be provided as any user-operable computer or device, such as a laptop computer, desktop computer, tablet computer, smart phone, personal data assistant, set-top box, gaming system, or the like.
- the server 120 may be provided in a similar form, but is typically a server-grade computer that runs in a data center and is available “in the cloud,” meaning on the Internet.
- the server 120 is implemented using multiple computers, as part of a distributed server or server cluster.
- the client 110 is connected to the network 170 via multiple paths 180 , which may include an Ethernet path 180 a , a Wi-Fi path 180 b , and a cellular data path 180 c , for example.
- a greater or fewer number of paths 180 may be provided, and the disclosure is not limited to any particular type or types of paths.
- the cellular data path 180 c is an LTE (Long-Term Evolution) data path.
- the client 110 has a display 116 , such as a monitor, touch screen, or the like, and the display 116 is configured to render a graphical user interface (GUI) 118 , which may be operated by a user 102 .
- the client 110 includes one or more communication interfaces 112 c , such as an Ethernet port, a Wi-Fi antenna, a cellular antenna, and/or the like.
- the client 110 also includes a set of processors 114 c , such as one or more processing chips and/or assemblies, and memory 130 c , which may include both volatile memory, e.g., RAM (Random Access Memory), and non-volatile memory, such as one or more ROMs (Read-Only Memories), disk drives, solid state drives, and the like.
- the set of processors 114 c and the memory 130 c together form client control circuitry, which is constructed and arranged to carry out various client methods and functions as described herein.
- the memory 130 c includes a variety of software constructs realized in the form of executable instructions. When the executable instructions are run by the set of processors 114 c , the processor(s) carry out the operations of the software constructs. Although certain software constructs are specifically shown and described, it is understood that the memory 130 c typically includes many other software components, which are not shown, such as an operating system, various applications, processes, and daemons.
- the configuration of the server 120 may be similar to that of the client 110 , with communication interface(s) 112 s , processor(s) 114 s , and memory 130 s .
- the processor(s) 114 s and memory 130 s form server control circuitry, which is constructed and arranged to carry out various server methods and functions as described herein. When the executable instructions on the server 120 are run by the processor(s) 114 s , the processor(s) carry out the operations of the software constructs.
- the memory 130 c of client 110 “includes,” i.e., realizes by execution of software instructions, a client component 132 c of a software application 132 , a micro-VPN (Virtual Private Network) client 134 c , and a link bonding client 140 c .
- the memory 130 c further includes a TCP/IP (transmission control protocol/Internet protocol) driver 150 c , as well as additional drivers 160 , such as Ethernet driver 160 a , Wi-Fi driver 160 b , and cellular data driver 160 c.
- the memory 130 s includes a server component 132 s of the software application 132 , a micro-VPN server 134 s , and a link bonding service 140 s .
- the memory 130 s further includes a TCP/IP driver 150 s , as well as one or more drivers 160 for one or more connection paths 180 .
- the server 120 uses only a single connection path, such as Ethernet, which is accessed via an Ethernet driver 160 d.
- the micro-VPN client 134 c and the link bonding client 140 c are provided as respective software libraries, with each library having its own API (Application Program Interface) for exposing its respective functions.
- the micro-VPN client 134 c and the link bonding client 140 c may each be “scoped” to the client component 132 c of the application program 132 , meaning that their functionality is limited to communications involving the application program 132 and does not generally extend to other programs running on the client device 110 .
- the micro-VPN client 134 c coordinates with the micro-VPN server 134 s to establish an encrypted channel, such as a network tunnel 134 , which is limited to communications over the network 170 between the client component 132 c and the server component 132 s .
- the tunnel 134 can instead be restricted to network traffic of the application program 132 that passes between the client 110 and the server 120 .
- other network activity conducted by other programs running on the client device 110 may fall outside of the tunnel 134 , where such activity is not secured by the tunnel 134 .
- the micro-VPN thus provides the network tunnel 134 for a particular application, rather than for the client machine 110 as a whole.
- this feature enables the micro-VPN, along with the link bonding client 140 c and client application code 132 c , to be provided in a single downloadable package (see FIG. 2 ), which can be installed on the client device 110 , avoiding the need for multiple installation procedures and keeping all the related parts together.
- the micro-VPN client 134 c and server 134 s are configured to establish the encrypted channel by performing encryption and decryption of data passed through the tunnel 134 .
- the link bonding client 140 c is configured to direct outgoing data (from the client component 132 c ) over multiple network paths 180 , and to receive incoming data arriving over the network paths 180 , selecting one of the network paths as a source of data to be provided to the client component 132 c .
- the link bonding service 140 s is configured to direct outgoing data (from the server component 132 s ) over the network paths 180 , and to receive incoming network data arriving over the same network paths 180 , selecting one of the network paths 180 as a source of data to be provided to the server component 132 s .
- the link bonding client 140 c and the link bonding service 140 s operate at the data link layer (layer 2) of the OSI (Open Systems Interconnection) model, but this is not required.
- although the micro-VPN client 134 c and link bonding client 140 c are shown herein as software libraries, they may alternatively be implemented at least in part using hardware and/or firmware. Also, one should appreciate that the micro-VPN client and server and link bonding client and service are merely illustrative and are not intended to be limiting.
- the application program 132 is a SaaS application.
- the client component 132 c may be a web browser or other client-side program that runs web pages and/or other content downloaded from the server component 132 s .
- the application program 132 is a workspace framework, i.e., a software environment that provides user access to multiple sub-applications from a single interface. Such sub-applications run within the workspace framework, with incoming and outgoing data of those sub-applications passing through the tunnel 134 via the link bonding component 140 c .
- the tunnel 134 applies to all application traffic to and from the application framework.
- user 102 of the client device 110 launches the client component 132 c , e.g., by clicking or tapping a shortcut or by navigating in a browser.
- the client component 132 c connects over the network 170 to the server component 132 s and the tunnel 134 is established by action of the micro-VPN client 134 c and the micro-VPN server 134 s .
- the link bonding client 140 c and the link bonding service 140 s may then exchange messages 148 through the tunnel 134 .
- the link bonding client 140 c uses the messages 148 as a basis for measuring network performance over the paths 180 .
- sensor 144 measures network speed, e.g., as round-trip delay (using a ping utility), bandwidth, or the like. In an example, sensor 144 separately measures network speed or bandwidth over each of the paths 180 and may repeat its measurements more or less continuously, or at regular intervals, such as once every 50 ms (milliseconds).
- although messages 148 are shown as a dotted line that directly connects the link bonding client 140 c and the link bonding service 140 s , such messages actually pass through the network 170 , e.g., via client- and server-side drivers 160 , and through any supporting infrastructure for each path 180 (e.g., cell phone towers, routers, Internet service providers, and so forth).
- sensor 144 obtains real-time measurements of each path 180 .
- the sensor 144 identifies a selected path 144 a , i.e., one of the paths 180 that provides the highest speed, bandwidth, consistency, economy, and/or the like, and alerts the link bonding service 140 s on the server 120 of the identity of the selected path 144 a , e.g., in an indicator, sent over the network 170 , that identifies the selected path 144 a.
- the client 110 sends application data 162 to the network 170 over all paths 180 , at substantially the same time and in parallel.
- the link bonding client 140 c passes the outgoing application data 162 to the TCP/IP driver 150 c .
- the TCP/IP driver 150 c uses multi-path routing to forward the application data to the Ethernet driver 160 a , the Wi-Fi driver 160 b , and the cellular data driver 160 c .
- the client device 110 then sends out the packets 162 a , 162 b , and 162 c via the Ethernet port, the Wi-Fi antenna, and the cell phone antenna.
- Packets 162 a , 162 b , and 162 c all convey the same data 162 and pass through the network 170 in parallel and at the same time, or nearly so, with any differences among them deriving from differing delays along the paths 180 .
- all application data 162 sent through all paths passes through the tunnel 134 .
- packets 162 a , 162 b , and 162 c arrive at driver 160 a and pass to the TCP/IP driver 150 s and then to the link bonding service 140 s .
- the link bonding service 140 s , having obtained the identity of the selected path 144 a based on the indicator sent from the client device 110 , proceeds to discard all packets arriving over all of the other paths. For example, if the Ethernet path 180 a was established as the selected path 144 a , then the link bonding service 140 s would discard all packets 162 b and 162 c , allowing only packets 162 a to pass to the server component 132 s .
- the server 120 receives packets 162 via all paths 180 , even if the server 120 includes only an Ethernet connection, as the packets 162 originate from different sources and travel through different paths 180 on their way to the server 120 .
- a packet 164 which is intended to be representative of all packets, includes a sequence identifier 164 a and a payload 164 b .
- the sequence identifier 164 a is unique to each packet, but duplicates of the same packet having the same sequence identifier 164 a may be sent over different paths 180 .
- the link bonding service 140 s discards arriving packets based on matching of sequence identifiers 164 a . For example, the link bonding service 140 s maintains a list of sequence identifiers 164 a of all recently received packets and discards redundant packets having the same sequence identifiers 164 a as those already on the list.
- the link bonding service 140 s may use other approaches for distinguishing packets. For example, particular port designations or other designators in the packet may identify the path 180 over which the packet was transmitted. In such cases, the link bonding service 140 s may discard packets whose port designations or other designators do not match that of the selected path 144 a.
- the link bonding service 140 s passes the application data to the TCP/IP driver 150 s and through the Ethernet driver 160 d to the network 170 .
- the server 120 sends the same application data redundantly in packets directed to all paths 180 , such that the same packets arrive at the client device 110 via all of the paths 180 in parallel.
- the server 120 thus sends packets via all paths 180 , even though the server 120 may connect to the network 170 using Ethernet only.
- Drivers 160 a , 160 b , and 160 c on the client device 110 receive the packets 162 and pass them to the TCP/IP driver 150 c , which passes them to the link bonding client 140 c .
- a selector 142 in the link bonding client 140 c assigns the selected path 144 a as the source of packets from the server component 132 s .
- the selector discards packets 162 d from all paths not designated as the selected path 144 a , and passes the packets from the selected path 144 a to the client component 132 c .
- the selector 142 identifies packets arriving over the selected path 144 a using the same techniques described above in connection with the server.
- the sensor 144 continuously or repeatedly monitors network speed over the paths 180 . If another path performs better than the current selected path 144 a , e.g., in terms of speed, economy, etc., then the link bonding client 140 c may select the better-performing path as a new selected path 144 a and communicate the new selected path 144 a to the link bonding service 140 s . In a particular example, only Wi-Fi and LTE paths are available. The link bonding service 140 s may then select Wi-Fi by default. If Wi-Fi speed falls below a designated threshold 146 , the link bonding client 140 c may choose LTE as the new selected path 144 a .
- the link bonding client 140 c only switches to LTE when the current Wi-Fi speed drops below the current LTE speed. If Wi-Fi speed later recovers, the link bonding client 140 c may reassign the selected path 144 a to Wi-Fi.
- the assignment of selected path 144 a is consequential in that it determines which packets are passed to the client component 132 c and which packets are discarded. It may also determine which packets the link bonding service 140 s on the server 120 passes to the server component 132 s and which packets it discards. In an example, the assignment of the selected path 144 a does not affect outgoing data transmitted by the client 110 or the server 120 , however, as transmission is conducted over all paths 180 in parallel, regardless of the current selected path 144 a.
- the client device 110 monitors speed of the paths 180 and selects the selected path 144 a at any given time. If Wi-Fi suddenly becomes weak, e.g., because the user 102 has moved into a Wi-Fi dead spot, operation seamlessly and transparently switches to LTE (or to some other path). When the user 102 comes back into an active Wi-Fi area, operation seamlessly and transparently switches back to Wi-Fi. The user 102 need never know that the switching has occurred and typically experiences no disruption in service.
- the client 110 may save power and/or cost by temporarily shutting down the cellular data connection. For example, if Wi-Fi signal strength and/or speed as measured by sensor 144 are consistently high, the client 110 may temporarily close the LTE connection and proceed with Wi-Fi-only communications. Speed testing by sensor 144 may continue, however, and if Wi-Fi speed or signal strength starts to decline, the client 110 may reestablish the LTE connection. Preferably, the client 110 reconnects via LTE before the Wi-Fi signal becomes unusable, such that switching from Wi-Fi to LTE can proceed seamlessly prior to complete loss of the Wi-Fi signal.
- the GUI 118 includes a control that allows the user 102 to turn off an undesired path.
- the user 102 might operate the GUI 118 to turn off LTE, thereby reducing power consumption associated with LTE processing and possibly reducing costs, which may be based on minutes used.
- selected path 144 a may be based on a variety of factors. These may include, for example, speed, bandwidth, round-trip time, variability in network strength, interference (e.g., as measured based on numbers of dropped packets), and cost. Such factors may be combined in any suitable way, such as using combinatorial logic, weighted sums, fuzzy logic, machine learning, neural nets, and the like. Although the selected path 144 a may be the fastest path in many cases, this is not required. For example, a slower path that is still fast enough to provide good user experience might be chosen as the selected path 144 a if it is inexpensive to use and/or has other advantages.
- a main operating mode of embodiments hereof is to keep multiple network paths active at the same time, such embodiments are not required to work this way all the time. For example, if a network path, such as Wi-Fi, is found to provide a consistently strong signal and is free to use, Wi-Fi may be chosen as the selected path 144 a and operation over other network paths may be shut down. In a like manner, network paths that require high power consumption may be shut down temporarily to conserve battery life of the client device 110 . Any paths 180 that have been shut down may be revived if the sensor 144 detects a drop in performance of the selected path 144 a.
- a single selected path 144 a has been described, some embodiments allow for multiple selected paths, such as one for download to the client device 110 and another for download to the server 120 . Accordingly, the selector 142 in the client device 110 chooses the selected path for the client device, whereas a similar selector (not shown) in the server 120 chooses the selected path for the server 120 . Allowing selected paths to differ for client and server reflects differences in upload versus download performance, which is common to many types of network paths. In these circumstances, measurements used as a basis for choosing the selected paths may be based on unidirectional delays rather than on round-trip delays. According to some variants, a separate computer or other facility may monitor network speed or bandwidth on behalf of the client device 110 and/or server 120 .
- FIG. 2 shows an example arrangement for installing an application program on the client device 110 .
- the server 120 stores a downloadable application package 210 , which may be provided, for example, as a compressed archive, and which includes code for implementing the client component 132 c , the micro-VPN client 134 c , and the link bonding client 140 c .
- the client device 110 contacts the server 120 , e.g., via a website, and downloads the application package 210 to the client device 110 over the network 170 .
- the client device 110 then opens the application package 210 , decompresses any compressed contents, and installs the components.
- the client device 110 is able to install all necessary components for supporting encrypted, multipath operation of the application program 132 via a single download.
- FIG. 3 shows an example method 300 for seamlessly and transparently switching between two connection paths, such as Wi-Fi and LTE, based on a quality attribute, which may itself be based on speed, bandwidth, network consistency, and/or cost; i.e., any of the factors described above for choosing the selected path 144 a .
- the method 300 focuses on two connection paths 180 , the method 300 may be extended to any number of such paths.
- the depicted acts are shown in a particular order, the order may be varied and some acts may be performed simultaneously.
- a communication session is established between the application client 132 c and the application server 132 s , e.g., as a result of the user 102 launching the client component 132 c .
- the communication session takes place via the tunnel 134 established between the micro-VPN client 134 c and the micro-VPN server 134 s .
- a respective network connection is configured via each connection path 180 , and all communications between the client component 132 c and the server component 132 s pass through the tunnel 134 , for all paths 180 .
- the link bonding client 140 c identifies a currently selected path 144 a and proceeds to pass data (e.g., packets) that arrive via that selected path 144 a to the client component 132 c .
- the link bonding client 140 c uses the selected path 144 a as its sole source for all incoming application data 162 and discards data 162 arriving via the other paths.
- the link bonding client 140 c defaults to Wi-Fi as the initial selected path 144 a , switching to another path only if no Wi-Fi signal is detected.
- the sensor 144 in the link bonding client 140 c measures the connections over all paths 180 , e.g., by using ping commands, bandwidth measurements, and/or other approaches, and produces a quality attribute (QA) for each connection path 180 .
- the quality attribute is based solely on speed of the respective path. In other examples, the quality attribute is based on any combination of factors, which may include speed, bandwidth, cost, and/or consistency, for example.
- the link bonding client 140 c determines whether the quality attribute of the Wi-Fi path (Connection 1) has fallen below a threshold 146 (Thresh 1).
- the threshold may be predetermined or dynamically established, for example.
- the link bonding client 140 c may also determine whether the quality attribute of Wi-Fi is less than that of LTE (Connection 2).
- the link bonding client 140 c may apply these determinations in the alternative or in any combination.
- operation proceeds to 340 , whereupon the link bonding client 140 c proceeds to process data arriving via LTE, discarding any data arriving via Wi-Fi.
- the link bonding client 140 c may communicate this change in an attribute sent to the link bonding service 140 s , which may also process arriving data via the LTE path, discarding data arriving via Wi-Fi. Operation then returns to 320 , whereupon production of quality attributes and determinations are repeated.
- operation proceeds instead to 350 , whereupon the link bonding client 140 c determines whether the quality attribute of the Wi-Fi path (Connection 1) exceeds a second threshold (Thresh 2, which is preferably slightly higher than Thresh 1) and/or exceeds the quality attribute of LTE. If not, operation returns to 320 ; otherwise, operation proceeds to 360 , whereupon the link bonding client 140 c proceeds to process data arriving via Wi-Fi, discarding any data arriving via LTE.
- the link bonding client 140 c may communicate this change to the link bonding server 140 s , which may also process data arriving via the Wi-Fi path, discarding data arriving via LTE. Operation then returns to 320 , where the above-described acts are repeated. Thresh 2 may be predetermined or dynamically established, for example.
- Thresh 2 may simply be set to Thresh 1 (i.e., the same threshold may be used for both).
- Thresh 1 and Thresh 2 may be established in any suitable way. For example, Thresh 1 and Thresh 2 may be established dynamically based on user activity and/or the nature of the application 132 . For instance, the thresholds may be set to lower values if the application 132 exchanges relatively little data, such that a lower level of network performance does not impair user experience. Conversely, the thresholds may be set to higher values if more bandwidth-intensive applications are being run.
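The receive-side discarding described above (drop copies from non-selected paths, or drop duplicates by sequence identifier) and the Thresh 1 / Thresh 2 switching of method 300, combined in one added example that is not code from the patent application. The path names, the Mbps quality attribute, the threshold values, the constructed packets and the bounded recent-identifier list are assumptions made for the example.

```python
# Added example, not code from the patent application: a receive-side
# selector combining the two discard techniques the description gives
# (drop packets not from the selected path; drop duplicates by sequence
# identifier) with the Thresh 1 / Thresh 2 switching of method 300.
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int        # sequence identifier (164a in the description)
    path: str       # path the copy arrived over, e.g. "wifi" or "lte" (assumed names)
    payload: bytes  # payload (164b)


class Selector:
    """Receive-side selector (client selector 142, or its server-side twin).

    mode="path": pass only packets from the selected path (the port /
    designator approach); mode="seq": pass the first copy of each sequence
    identifier whichever path it came over (the recent-list approach).
    Both modes keep a bounded list of recent identifiers (an assumption
    added here) so memory cannot grow without limit while many redundant
    copies are discarded; after eviction an old identifier is accepted again.
    """

    def __init__(self, primary, secondary, thresh1, thresh2,
                 mode="path", recent=1024):
        assert thresh2 >= thresh1, "Thresh 2 must not be below Thresh 1"
        self.primary, self.secondary = primary, secondary
        self.thresh1, self.thresh2 = thresh1, thresh2
        self.mode, self.recent = mode, recent
        self.selected = primary          # default to Wi-Fi, as in method 300
        self._seen = OrderedDict()       # recent sequence identifiers, oldest first

    def accept(self, pkt):
        """True if pkt should be passed to the application component."""
        if self.mode == "path" and pkt.path != self.selected:
            return False                 # copy from a non-selected path
        if pkt.seq in self._seen:
            return False                 # duplicate copy, discard
        self._seen[pkt.seq] = None
        if len(self._seen) > self.recent:
            self._seen.popitem(last=False)
        return True

    def update(self, qa):
        """Apply one round of method 300 to quality attributes qa[path].

        Returns the selected path after the decision; the caller sends it to
        the other side as the indicator so both ends switch together."""
        q1, q2 = qa[self.primary], qa[self.secondary]
        if self.selected == self.primary:
            # act 330: Wi-Fi below Thresh 1 or below LTE -> act 340
            if q1 < self.thresh1 or q1 < q2:
                self.selected = self.secondary
        else:
            # act 350: Wi-Fi back above Thresh 2 and above LTE -> act 360
            if q1 > self.thresh2 and q1 > q2:
                self.selected = self.primary
        return self.selected


def deliver(selector, packets):
    """Feed arriving copies through the selector; return accepted payloads."""
    return [p.payload for p in packets if selector.accept(p)]


def run_session():
    """Constructed scenario: QA is speed in Mbps, Thresh 1 = 0.3, Thresh 2 = 0.4.

    Returns the selected path after each measurement round."""
    client = Selector("wifi", "lte", thresh1=0.3, thresh2=0.4)
    server = Selector("wifi", "lte", thresh1=0.3, thresh2=0.4)
    rounds = [
        {"wifi": 0.6, "lte": 0.1},   # healthy, stays on Wi-Fi
        {"wifi": 0.2, "lte": 0.1},   # Wi-Fi below Thresh 1 -> LTE
        {"wifi": 0.35, "lte": 0.1},  # above Thresh 1 but not Thresh 2 -> stays LTE
        {"wifi": 0.5, "lte": 0.1},   # above Thresh 2 and above LTE -> back to Wi-Fi
        {"wifi": 0.6, "lte": 0.8},   # LTE faster than Wi-Fi -> LTE
    ]
    history = []
    for qa in rounds:
        indicator = client.update(qa)    # sensor 144 -> selector 142
        server.selected = indicator      # indicator sent to the link bonding service
        history.append(indicator)
    return history


if __name__ == "__main__":
    print(run_session())
```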
- FIGS. 4 a -4 d show various screenshots 118 a - 118 d , which represent portions of the GUI 118 as rendered by the client component 132 c of the application program 132 , and as viewed on the display 116 of the client device 110 .
- screenshots 118 a - 118 d may be displayed on a laptop computer or on any other computing device.
- the laptop may have a Wi-Fi connection and may be tethered, via Bluetooth, to a smart phone that has an LTE connection (tethering is an ability of many smart phones to share data via a PAN—Personal Area Network).
- the GUI 118 a displays icons 410 for currently active connection paths 180 .
- Icons 410 for Wi-Fi and Bluetooth PAN are specifically shown, indicating that the client device 110 is connected to the Internet via both Wi-Fi and LTE (LTE connection is achieved via the Bluetooth-tethered smart phone).
- the GUI 118 displays a speed indicator 420 , which shows network speed (in megabits per second) for both paths (0.6 Mbps for Wi-Fi and 0.1 Mbps for LTE), e.g., as measured by the sensor 144 in the link bonding client 140 c.
- FIGS. 4 b -4 d show additional information, including, in FIG. 4 b , statistics 430 for packets recovered (5.9 MB, the number of packets recovered by switching paths) and connections saved (2; the number of times a lost connection was avoided by switching paths).
- FIG. 4 c shows a usage breakdown 440 (how much data from each path has been used), and
- FIG. 4 d shows connection quality 450 , in terms of both latency and loss.
- FIGS. 4 a -4 d represent portions of a larger GUI 118 .
- FIG. 5 shows an example of such embodiments, in which an overall GUI 118 includes the above-described GUI portions 118 a - 118 d .
- user 102 may invoke the GUI portions 118 a - 118 d by clicking an arrow 510 on the overall GUI 118 .
- the overall GUI 118 provides a user interface for the application program 132 , which in this example is a workspace framework application.
- the workspace framework application runs as a SaaS application, e.g., in a web browser or other container, and enables the user 102 to select and run any of its registered sub-applications.
- the registered sub-applications all run within the context of the application program 132 , such that they all communicate via the micro-VPN client 134 c and the link bonding client 140 c .
- the depicted arrangement thus uniquely supports operation of a SaaS application over a micro-VPN using multiple paths 180 , which are seamlessly switched to maintain a quality connection, even in the presence of dead spots.
- FIGS. 6-8 show example methods 600 , 700 , and 800 that may be carried out in connection with the environment 100 .
- the method 600 can be performed, for example, by the software constructs described in connection with FIG. 1 , which reside in the memory 130 c of the client device 110 and are run by the set of processors 114 c .
- the method 700 may be performed, for example, by the software constructs that reside in the memory 130 s of the server 120 and are run by the set of processors 114 s .
- the method 800 may be performed by the software constructs that reside in both the client device 110 and the server 120 .
- the various acts of methods 600 , 700 , and 800 may be ordered in any suitable way. Accordingly, embodiments may be constructed in which acts are performed in orders different from those shown, which may include performing some acts simultaneously.
- the method 600 may be performed by the client device 110 .
- the client device 110 monitors a plurality of network paths 180 used by an encrypted channel 134 configured to convey information between the client device 110 and a server 120 for a single application 132 .
- the client device 110 receives data 162 of the single application 132 from the server 120 via each of the plurality of network paths 180 .
- the data 162 received from each of the plurality of network paths is the same data.
- the client device 110 selects a first network path 144 a of the plurality of network paths 180 as a source of the data 162 for a client component 132 c on the client device 110 .
- the selector 142 in the link bonding client 140 c passes packets arriving over the selected path 144 a and discards packets arriving over other paths.
- the client device 110 adjusts the source of data for the client component 132 c from the first network path to a second network path of the plurality of network paths 180 based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in reception of data caused by a reduction of network continuity of the first network path.
- the method 700 may be performed by the server 120 .
- the server 120 receives application data from the client device 110 over an encrypted channel 134 provided between the server 120 and the client device 110 for a single application 132 .
- the application data 162 is received via a plurality of network paths 180 in parallel, with the plurality of network paths all conveying the same application data.
- the server assigns a first network path of the plurality of network paths 180 as a source of the application data 162 for a server component 132 s running on the server 120 .
- the server 120 adjusts the source of the application data 162 for the server component 132 s from the first network path to a second network path of the plurality of network paths.
- the adjusting is based at least in part on an indicator received from the client device 110 and acts to prevent delay in reception of data caused by a reduction of network continuity of the first network path.
- the method 800 may be performed by both the client device 110 and the server 120 .
- an encrypted channel 134 is established between the client device 110 and the server 120 .
- the encrypted channel 134 is configured to convey encrypted communications for a single application 132 .
- the encrypted channel 134 may be established under direction of the client device 110 , the server 120 , or based on coordination between the client device 110 and the server 120 .
- a plurality of network paths 180 used by the encrypted channel 134 between the client device 110 and the server 120 are monitored.
- the client 110 , the server 120 , and/or some separate computer or facility measures network speed, bandwidth, and/or other factors pertaining to each of the plurality of network paths 180 .
- the server 120 transmits a set of application data 162 of the single application 132 to the client device 110 over the encrypted channel 134 via each of the plurality of network paths 180 .
- Each of the plurality of network paths 180 conveys the same set of application data 162 .
- the client device 110 transmits a set of application data 162 of the single application 132 to the server 120 over the encrypted channel 134 via each of the plurality of network paths 180 , with each of the plurality of network paths 180 conveying the same set of application data 162 .
- the client device 110 selects a first network path of the plurality of network paths 180 as a source of application data 162 for the client component 132 c running on the client device 110 .
- the server 120 selects a first network path of the plurality of network paths 180 as a source of application data 162 for the server component 132 s running on the server 120 .
- the client device 110 adjusts the source of data from the first network path to a second network path of the plurality of network paths based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in communicating data between the client device and the server caused by a reduction of network continuity of the first path.
- the server 120 adjusts the source of data from the first network path to a second network path of the plurality of network paths based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in communicating data between the server and the client device caused by a reduction of network continuity of the first path.
- a non-limiting network environment 901 in which various aspects of the disclosure may be implemented includes one or more client machines 902 A- 902 N, one or more remote machines 906 A- 906 N, one or more networks 904 , 904 ′, and one or more appliances 908 installed within the computing environment 901 .
- the client machines 902 A- 902 N communicate with the remote machines 906 A- 906 N via the networks 904 , 904 ′.
- the client machines 902 A- 902 N (which may be similar to client device 110 ) communicate with the remote machines 906 A- 906 N (which may be similar to server 120 ) via an intermediary appliance 908 .
- the illustrated appliance 908 is positioned between the networks 904 , 904 ′ and may also be referred to as a network interface or gateway.
- the appliance 908 may operate as an application delivery controller (ADC) to provide clients with access to business applications and other data deployed in a datacenter, the cloud, or delivered as Software as a Service (SaaS) across a range of client devices, and/or provide other functionality such as load balancing, etc.
- multiple appliances 908 may be used, and the appliance(s) 908 may be deployed as part of the network 904 and/or 904 ′.
- the client machines 902 A- 902 N may be generally referred to as client machines 902 , local machines 902 , clients 902 , client nodes 902 , client computers 902 , client devices 902 , computing devices 902 , endpoints 902 , or endpoint nodes 902 .
- the remote machines 906 A- 906 N may be generally referred to as servers 906 or a server farm 906 .
- a client device 902 may have the capacity to function as both a client node seeking access to resources provided by a server 906 and as a server 906 providing access to hosted resources for other client devices 902 A- 902 N.
- the networks 904 , 904 ′ may be generally referred to as a network 904 .
- the networks 904 may be configured in any combination of wired and wireless networks.
- a server 906 may be any server type such as, for example: a file server; an application server; a web server; a proxy server; an appliance; a network appliance; a gateway; an application gateway; a gateway server; a virtualization server; a deployment server; a Secure Sockets Layer Virtual Private Network (SSL VPN) server; a firewall; a web server; a server executing an active directory; a cloud server; or a server executing an application acceleration program that provides firewall functionality, application functionality, or load balancing functionality.
- a server 906 may execute, operate or otherwise provide an application that may be any one of the following: software; a program; executable instructions; a virtual machine; a hypervisor; a web browser; a web-based client; a client-server application; a thin-client computing client; an ActiveX control; a Java applet; software related to voice over internet protocol (VoIP) communications like a soft IP telephone; an application for streaming video and/or audio; an application for facilitating real-time-data communications; an HTTP client; an FTP client; an Oscar client; a Telnet client; or any other set of executable instructions.
- a server 906 may execute a remote presentation services program or other program that uses a thin-client or a remote-display protocol to capture display output generated by an application executing on a server 906 and transmit the application display output to a client device 902 .
- a server 906 may execute a virtual machine providing, to a user of a client device 902 , access to a computing environment.
- the client device 902 may be a virtual machine.
- the virtual machine may be managed by, for example, a hypervisor, a virtual machine manager (VMM), or any other hardware virtualization technique within the server 906 .
- the network 904 may be: a local-area network (LAN); a metropolitan area network (MAN); a wide area network (WAN); a primary public network 904 ; and a primary private network 904 .
- Additional embodiments may include a network 904 of mobile telephone networks that use various protocols to communicate among mobile devices.
- the protocols may include 802.11, Bluetooth, and Near Field Communication (NFC).
- FIG. 10 depicts a block diagram of a computing device 900 useful for practicing an embodiment of client devices 902 , appliances 908 and/or servers 906 .
- the computing device 900 includes one or more processors 903 , volatile memory 922 (e.g., random access memory (RAM)), non-volatile memory 928 , user interface (UI) 923 , one or more communications interfaces 918 , and a communications bus 950 .
- the non-volatile memory 928 may include: one or more hard disk drives (HDDs) or other magnetic or optical storage media; one or more solid state drives (SSDs), such as a flash drive or other solid-state storage media; one or more hybrid magnetic and solid-state drives; and/or one or more virtual storage volumes, such as a cloud storage, or a combination of such physical storage volumes and virtual storage volumes or arrays thereof.
- the user interface 923 may include a graphical user interface (GUI) 924 (e.g., a touchscreen, a display, etc.) and one or more input/output (I/O) devices 926 (e.g., a mouse, a keyboard, a microphone, one or more speakers, one or more cameras, one or more biometric scanners, one or more environmental sensors, and one or more accelerometers, etc.).
- the non-volatile memory 928 stores an operating system 915 , one or more applications 916 , and data 917 such that, for example, computer instructions of the operating system 915 and/or the applications 916 are executed by processor(s) 903 out of the volatile memory 922 .
- the volatile memory 922 may include one or more types of RAM and/or a cache memory that may offer a faster response time than a main memory.
- Data may be entered using an input device of the GUI 924 or received from the I/O device(s) 926 .
- Various elements of the computer 900 may communicate via the communications bus 950 .
- the illustrated computing device 900 is shown merely as an example client device or server, and may be implemented by any computing or processing environment with any type of machine or set of machines that may have suitable hardware and/or software capable of operating as described herein.
- the processor(s) 903 may be implemented by one or more programmable processors to execute one or more executable instructions, such as a computer program, to perform the functions of the system.
- processor describes circuitry that performs a function, an operation, or a sequence of operations. The function, operation, or sequence of operations may be hard coded into the circuitry or soft coded by way of instructions held in a memory device and executed by the circuitry.
- a processor may perform the function, operation, or sequence of operations using digital values and/or using analog signals.
- the processor can be embodied in one or more application specific integrated circuits (ASICs), microprocessors, digital signal processors (DSPs), graphics processing units (GPUs), microcontrollers, field programmable gate arrays (FPGAs), programmable logic arrays (PLAs), multi-core processors, or general-purpose computers with associated memory.
- the processor 903 may be analog, digital or mixed-signal. In some embodiments, the processor 903 may be one or more physical processors, or one or more virtual (e.g., remotely located or cloud) processors.
- a processor including multiple processor cores and/or multiple processors may provide functionality for parallel, simultaneous execution of instructions or for parallel, simultaneous execution of one instruction on more than one piece of data.
- the communications interfaces 918 may include one or more interfaces to enable the computing device 900 to access a computer network such as a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or the Internet through a variety of wired and/or wireless connections, including cellular connections.
- the computing device 900 may execute an application on behalf of a user of a client device.
- the computing device 900 may execute one or more virtual machines managed by a hypervisor. Each virtual machine may provide an execution session within which applications execute on behalf of a user or a client device, such as a hosted desktop session.
- the computing device 900 may also execute a terminal services session to provide a hosted desktop environment.
- the computing device 900 may provide access to a remote computing environment including one or more applications, one or more desktop applications, and one or more desktop sessions in which one or more applications may execute.
- a technique has been described for managing communication over a network 170 .
- the technique maintains multiple network paths 180 simultaneously, exchanging the same data 162 redundantly through all network paths 180 and allowing a receiver (e.g., selector 142 ) to select one of the network paths 180 as its source of data.
- if a first network path, such as Wi-Fi, weakens, the receiver 142 automatically and seamlessly switches its source of data to a second network path, such as LTE, while the first network path remains operational (it is kept up and monitored rather than torn down, so the receiver can later switch back).
- the transition is nearly instantaneous.
- User experience is greatly improved, as even highly interactive applications running in environments with inconsistent networks can remain fully functional with generally no downtime. Reliability and user experience are thereby enhanced.
- a method includes monitoring, by a client device, a plurality of network paths that convey data between the client device and a server, the data being associated with a single application on the server. The method further includes receiving, by the client device, the data from the server via each of the plurality of network paths, the data received from each of the plurality of network paths being the same.
- the method still further includes selecting, by the client device, a first network path of the plurality of network paths from which to receive data to enable delivery of the single application on the server to the client device, and adjusting, by the client device, the selected network path from the first network path to a second network path of the plurality of network paths based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in receipt of data from the server caused by a reduction of network continuity of the first network path.
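The receiver-side selection summarized above, as an added example that is not the patent's own code: a receiver is fed the same sequence-numbered data over two paths, delivers only what the selected path has covered, buffers the other path all along, and moves its selection when the selected path falls behind. The path names, the lag threshold and the packet trace are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PathState:
    """What the receiver knows about one network path."""
    last_seq: int = -1   # highest sequence number seen on this path
    received: int = 0    # packets seen on this path, duplicates included


class RedundantReceiver:
    """Consumes one logical stream that the sender pushes, with identical sequence
    numbers, over every path in `paths` (given in preference order).  Only the
    selected path drives delivery; the others are buffered so that a switch can
    hand over without waiting for anything to be re-sent."""

    def __init__(self, paths: List[str], max_lag: int = 2):
        self.paths = list(paths)                    # e.g. ["wifi", "lte"]
        self.selected = self.paths[0]
        self.max_lag = max_lag                      # how far the active path may fall behind
        self.state: Dict[str, PathState] = {p: PathState() for p in paths}
        self.buffer: Dict[int, str] = {}            # seq -> payload, first copy seen on any path
        self.highest_seen = -1
        self.delivered_seq = -1
        self.switches: List[Tuple[int, str, str]] = []   # (at_seq, old_path, new_path)

    def lag(self, path: str) -> int:
        """Sequence numbers this path is behind the best-performing path."""
        return self.highest_seen - self.state[path].last_seq

    def on_packet(self, path: str, seq: int, payload: str) -> List[str]:
        """Feed one packet; return the payloads released to the application, in order."""
        st = self.state[path]
        st.received += 1
        st.last_seq = max(st.last_seq, seq)
        self.highest_seen = max(self.highest_seen, seq)
        if seq > self.delivered_seq:
            self.buffer.setdefault(seq, payload)    # same data on every path: keep the first copy
        self._monitor()
        return self._release()

    def _monitor(self) -> None:
        """Monitoring step: if the active path has fallen more than max_lag behind,
        select the path with the smallest lag (ties broken by preference order)."""
        if self.lag(self.selected) <= self.max_lag:
            return
        best = min(self.paths, key=lambda p: (self.lag(p), self.paths.index(p)))
        if best != self.selected and self.lag(best) < self.lag(self.selected):
            self.switches.append((self.highest_seen, self.selected, best))
            self.selected = best

    def _release(self) -> List[str]:
        """Deliver, in order, everything up to what the selected path has covered.
        After a switch the backlog the backup path buffered goes out at once."""
        out: List[str] = []
        limit = self.state[self.selected].last_seq
        nxt = self.delivered_seq + 1
        while nxt <= limit and nxt in self.buffer:
            out.append(self.buffer.pop(nxt))
            self.delivered_seq = nxt
            nxt += 1
        return out


def simulate() -> dict:
    """Constructed trace (not a capture): Wi-Fi carries chunks 0-2 and then
    stalls while LTE keeps delivering; a late Wi-Fi copy of chunk 3 is ignored."""
    rx = RedundantReceiver(["wifi", "lte"], max_lag=2)
    trace = [("wifi", 0), ("lte", 0), ("wifi", 1), ("lte", 1), ("wifi", 2), ("lte", 2),
             ("lte", 3), ("lte", 4), ("lte", 5), ("lte", 6), ("wifi", 3)]
    delivered: List[str] = []
    for path, seq in trace:
        delivered.extend(rx.on_packet(path, seq, f"chunk-{seq}"))
    return {"delivered": delivered, "switches": rx.switches, "selected": rx.selected,
            "received": {p: s.received for p, s in rx.state.items()}}


if __name__ == "__main__":
    print(simulate())
```

In the trace the switch happens at chunk 5, and chunks 3 to 5, which LTE had already delivered into the buffer, are released in the same step; the application never waits for Wi-Fi to recover, which is the "no delay" property the method claims.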
- Section II Authenticating to Secured Resource Via Coupled Devices
- a technique for performing authentication by a first device increases authentication strength and/or convenience based at least in part on security data received from a second device that shares its network connection with the first device.
- the technique described in this section may be provided in the environment of Section I, e.g., in an arrangement in which a device maintains multiple, simultaneous network connections and seamlessly switches between or among them.
- the Section-I arrangement is not required, however, as the technique presented in this section may be used independently of the one presented in Section I.
- FIG. 11 shows an example system 1100 in which embodiments of the disclosed technique can be practiced.
- a first (client) device 110 , a second (coupled) device 1110 , and a server 120 operatively connect to a network 170 .
- the first device 110 , server 120 , and network 170 may be similar to those described in connection with FIG. 1 , though this is not required.
- the first device 110 and the second device 1110 may be owned and operated by the same person or entity, although this is also not required.
- the first device 110 connects to the network 170 via a first network path 180 - 1
- the second device 1110 connects to the network 170 via a second network path 180 - 2
- the first network path 180 - 1 may be Wi-Fi (IEEE 802.11)
- the second network path 180 - 2 may be cellular data, such as LTE (Long Term Evolution), GSM (Global System for Mobile Communications), CDMA (Code Division Multiple Access), or WiMAX.
- the second network path 180 - 2 may also be 5G or some other developing or future cellular scheme.
- the first device 110 may be a laptop, tablet, or other computer, and the second device 1110 may be a smartphone, tablet, dongle, personal reader, or other device having a cellular data interface.
- each device may have multiple paths to the network 170 .
- the first device 110 may have an Ethernet and/or cellular interface in addition to Wi-Fi
- the second device 1110 may have an Ethernet and/or Wi-Fi interface in addition to cellular.
- the network 170 may be provided as a local area network (LAN), a wide area network (WAN), an intranet, the Internet, and/or some other type of network or combination of networks.
- the network 170 includes the Internet
- the server 120 is a provider of cloud-based and/or virtual services, such as SaaS (Software as a Service) applications and/or file storage.
- the first device 110 and the second device 1110 are both registered with the server 120 .
- the devices have a code or other data element that uniquely identifies the respective devices to the server 120 .
- the first device 110 is configured to access the second network path 180 - 2 via the second device 1110 , for example by tethering or otherwise communicatively coupling the devices.
- “Tethering” describes the sharing of a mobile device's network connection with other computers.
- the first device 110 is able to maintain multiple, simultaneous connection paths to the network 170 , and thus to the server 120 . If connection path 180 - 1 becomes weak, the client device 110 may seamlessly and transparently switch to connection path 180 - 2 , or vice-versa, with little or no disruption.
- Coupling of the first device 110 to the second device 1110 may be achieved over a connection medium 1112 , such as Bluetooth, Wi-Fi, USB (Universal Serial Bus), or some other protocol or type of cable.
- the user 102 configures the second device 1110 to share (e.g., tether) its network path 180 - 2 with the first device 110 .
- the second device 1110 runs Apple iOS
- the user 102 may go into Settings on the second device 1110 , select Cellular settings, and operate the controls to set up a Personal Hotspot.
- the second device 1110 may then give the user a choice to connect to the first device 110 using Wi-Fi, Bluetooth, or USB. Similar procedures are available on devices running Android OS, Chrome OS, Windows Phone, and other mobile operating systems.
- the first device 110 discovers and connects to the second network path 180 - 2 , such that the first device 110 can access the network 170 via both the first network path 180 - 1 and the second network path 180 - 2 .
- upon discovering the second network path 180 - 2 , the first device 110 initiates a handshaking protocol with the second device 1110 to obtain security data 1114 from a security agent 1118 on the second device 1110 .
- the security data 1114 may take various forms, such as a security token, information that identifies the second device 1110 , or any other form.
- the first device 110 obtains the security data 1114 and keeps it available for future use.
- although handshaking is advantageously performed upon discovering the second network path 180 - 2 , this is merely an example, as handshaking may be performed at any time, including in response to an express request by the user 102 .
- the user 102 may wish to operate the first device 110 to access a secured resource 1140 on the server 120 , such as a secured SaaS application, a secured file, or some other resource on the server 120 that requires authentication.
- the secured resource 1140 may be accessible solely by the user 102 , or it may be accessible to multiple authenticated users, e.g., based on respective authorization settings.
- the user 102 may start a browser or client-side application on the first device 110 .
- the browser or client-side application displays an authentication page, which requests authentication factors from the user 102 , such as a password, token, biometric input, and/or the like.
- the user fills out the authentication page and submits the page to the server 120 .
- the security data 1114 which was received from the second device 1110 , provides a basis for improving authentication strength and/or convenience when accessing the secured resource 1140 .
- the security data 1114 may include identifying information about the second device 1110 , such as a registration code of the second device 1110 (e.g., one previously obtained from the server 120 by the security agent 1118 ).
- an authentication agent 1116 running on the first device 110 generates an indicator 1114 a and provides the indicator 1114 a as part of an authentication request 1150 , which may be submitted to the server 120 , e.g., along with one or more other authentication factors 1117 , such as a password, biometric input, etc.
- the indicator 1114 a may be the same as the security data 1114 or otherwise may be based on the security data 1114 . In some examples, the indicator 1114 a is hidden, such that the user 102 never sees or handles the indicator 1114 a . Rather, the indicator 1114 a may be included with the authentication request 1150 automatically, e.g., as a hidden authentication factor.
- an authentication server 1130 receives the request 1150 and attempts to validate the received information. For example, the authentication server 1130 performs an authentication operation that compares provided authentication factors 1114 a and 1117 with expected values for those factors, producing an authentication result 1160 . The result 1160 is successful if the actual and expected values match and unsuccessful if the values do not match. As part of the authentication operation, the authentication server 1130 compares the indicator 1114 a to an expected value thereof and bases the authentication result 1160 at least in part on whether the indicator 1114 a matches its expected value. If authentication succeeds, the authentication server 1130 may allow the first device 110 to access the secured resource 1140 . Otherwise, the authentication server 1130 may deny such access or challenge the user 102 to supply additional authentication factors.
- although the authentication server 1130 is considered to be part of the server 120 , there is no need for the authentication server 1130 to be located on the same physical computer. Rather, as in Section I, the server 120 may be implemented using any number of physical computers and/or virtual machines, which are collectively referred to herein as "the server."
- the security agent 1118 generates the security data 1114 or a portion thereof as a token code and the token code provides an additional authentication factor for the authentication request 1150 .
- the security agent 1118 on the second device 1110 may be synchronized with a third party token provider 1120 a , such as Symantec VIP.
- the security agent 1118 and token provider 1120 a may each generate token codes from a common seed, such that both are able to generate the same token codes at the same times.
- the authentication server 1130 may validate a token code received in an authentication request 1150 by obtaining a current code from the third party token provider 1120 a and comparing the received code with the current code.
- alternatively, the authentication server 1130 itself runs a local token provider 1120 b , which performs a similar role as the third party token provider 1120 a but runs locally on the server 120 .
- the first device 110 leverages the second device 1110 to which the first device 110 is coupled to assist with authentication to the secured resource 1140 .
- not only does the second device 1110 share its network path 180 - 2 for enhancing reliability, but it also supplies security data 1114 for enhancing authentication.
- FIG. 12 shows an example arrangement 1200 in which the presence of the second device 1110 communicatively coupled to the first device 110 serves as an authentication factor for authentication requests 1150 .
- the illustrated activities may involve the first device 110 , second device 1110 , authentication server 1130 , and secured resource 1140 .
- the first device 110 discovers the second network path 180 - 2 upon becoming communicatively coupled to the second device 1110 .
- the user 102 configures the second device 1110 as a personal hotspot and establishes a connection between the first device 110 and the second device 1110 , e.g., via Wi-Fi, Bluetooth, or USB.
- the first device 110 discovers the second network path 180 - 2 and establishes a connection to the network 170 through the second path.
- the first device 110 receives security data 1114 from the second device 1110 .
- the security data 1114 may include an identifier of the second device 1110 , e.g., a registration code or other shared secret created or allocated to uniquely identify the second device 1110 from among other devices.
- the server 120 may have previously created the registration code specifically for the second device 1110 as part of a registration process for registering the second device 1110 to the server 120 .
- the registration code identifies the second device 1110 as a known device, to which the server 120 may accord some level of trust.
- the first device 110 generates an indicator 1114 a from the security data 1114 .
- the indicator 1114 a may be identical to the security data 1114 or may be otherwise based on the security data 1114 .
- the indicator 1114 a may be provided as an encrypted version of the registration code or as a result of running an algorithm on the registration code.
- the indicator 1114 a includes additional information, such as a code that specifies that the first device 110 is currently tethered or otherwise communicatively coupled to the second device 1110 .
- the first device sends an authentication request 1150 to the authentication server 1130 .
- the authentication request 1150 includes the indicator 1114 a , which may be provided as a hidden authentication factor.
- the authentication request 1150 also includes one or more additional authentication factors 1117 , such as a password, a thumbprint, or the like. The first device 110 may add these additional authentication factors 1117 to the authentication request 1150 .
- the authentication server 1130 receives the authentication request 1150 and performs an authentication operation 1252 .
- the authentication operation 1252 verifies the received authentication factors (or some subset thereof) and produces a successful result or an unsuccessful result.
- the authentication operation 1252 may generate a passcode 1254 , which acts as a key for unlocking the secured resource 1140 .
- the authentication request 1150 typically specifies multiple authentication factors (e.g., 1114 a and 1117 ), of which only a subset (the indicator 1114 a ) is normally provided by the second device 1110 .
- a malicious user would normally be unable to successfully authenticate by stealing an authorized user's phone (or other device) and trying to log on, as the malicious user would be unable to enter other factors 1117 that are required for authentication to succeed.
- the authentication server 1130 returns the passcode 1254 to the first device 110 , e.g., as part of an authentication response 1160 .
- the first device 110 uses the passcode 1254 to access the secured resource 1140 , e.g., to run a secured SaaS application or to access a secured file.
- the arrangement 1200 thus leverages the previously-established knowledge of the second device 1110 to improve authentication strength and/or convenience of authentication requests 1150 made by the first device 110 .
- the indicator 1114 a may be one of multiple silent authentication factors or may be used alone to produce successful authentication, such that the user 102 need not manually enter any authentication factors. In such cases, the user 102 may access the secured resource 1140 merely by requesting such access, without having to do anything extra for purposes of authentication. In that mode, possession of the second device 1110 is the only factor checked, so the protection noted above against a stolen device no longer applies.
- FIG. 13 shows an example arrangement 1300 in which the second device 1110 provides a security token automatically to the first device 110 for providing an additional authentication factor.
- the illustrated arrangement may involve the first device 110 , second device 1110 , authentication server 1130 , and secured resource 1140 .
- the flow in FIG. 13 may start at 1210 , the same way as in FIG. 12 , with the first device 110 discovering the second network path 180 - 2 upon being communicatively coupled to the second device 1110 .
- Operation differs from that of FIG. 12 at 1310 , however, in that the first device 110 requests security data 1114 from the second device 1110 .
- the request may be issued at the direction of the user 102 or may be issued automatically.
- in response to the request at 1310 , the second device 1110 generates a new security token 1322 , e.g., by operation of the security agent 1118 .
- the new security token 1322 may be a one-time password or other type of token, which is known to a token provider 1120 a or 1120 b or can be computed by a token provider.
- the second device 1110 returns the new token 1322 to the first device 110 .
- the ensuing activities may be similar to those shown in FIG. 12 , with like reference numerals indicating similar acts.
- the authentication operation 1252 may additionally involve contacting the token provider 1120 a or 1120 b to verify the security token 1322 .
- FIG. 13 thus allows a token code 1322 to be conveyed automatically to the first device 110 , without requiring the user 102 to manually transfer the token code 1322 from the second device 1110 to the first device 110 .
- the token code 1322 can thus provide an additional authentication factor without requiring additional manual activity on the part of the user 102 .
- the entire authentication process can be made transparent to the user 102 , as it may be performed automatically without user involvement.
- act 1220 of receiving the security data 1114 may return both a token code 1322 , as in FIG. 13 , and a registration code of the second device 1110 or other shared secret, as in FIG. 12 . Both elements may then be included in the indicator 1114 a , which may be sent to the server 120 as part of the authentication request 1150 .
- the disclosed arrangement thus seamlessly provides two authentication factors automatically, e.g., one for the known second device 1110 and another for the token code 1322 .
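The Section II flows of FIGS. 12 and 13, in which a registration code identifies a known second device and a token code is generated from a seed shared with the server's local token provider 1120 b, as an added example that is not the patent's own code. Assumed, because the text does not fix them: an HMAC-SHA1, 30-second time-based token scheme in the style of RFC 6238, a sha256 digest of the registration code as the indicator, PBKDF2 for the password factor, and every name, seed and sample value. The `device_only_ok` flag models the mode in which the indicator alone suffices; it is off by default, so a stolen phone without the password fails, as the text above expects.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

TOKEN_STEP = 30      # seconds per token code (assumed; RFC 6238-style TOTP)
TOKEN_DIGITS = 6


def token_code(seed: bytes, now: int) -> str:
    """One-time code from the seed shared by the security agent on the second
    device and the server's local token provider (HMAC-SHA1, 30 s time step)."""
    mac = hmac.new(seed, struct.pack(">Q", now // TOKEN_STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOKEN_DIGITS).zfill(TOKEN_DIGITS)


def device_indicator(registration_code: str) -> str:
    """The first device sends a digest of the registration code rather than the
    code itself (the 'result of running an algorithm on the registration code')."""
    return hashlib.sha256(b"reg:" + registration_code.encode()).hexdigest()


class SecurityAgent:
    """Security agent 1118 on the tethered second device (interface assumed)."""

    def __init__(self, registration_code: str, token_seed: bytes):
        self.registration_code = registration_code
        self.token_seed = token_seed

    def security_data(self, now: int) -> Dict[str, str]:
        return {"registration_code": self.registration_code,
                "token": token_code(self.token_seed, now)}


def build_auth_request(user: str, password: Optional[str],
                       security_data: Dict[str, str], tethered: bool) -> dict:
    """Authentication agent 1116 on the first device: fold the security data into
    a hidden indicator and attach whatever the user typed."""
    indicator = {"device": device_indicator(security_data["registration_code"]),
                 "token": security_data["token"], "tethered": tethered}
    factors = {} if password is None else {"password": password}
    return {"user": user, "indicator": indicator, "factors": factors}


class AuthenticationServer:
    """Authentication server 1130 with a local token provider (a registry of seeds)."""

    def __init__(self, server_key: bytes, device_only_ok: bool = False):
        self.server_key = server_key
        self.device_only_ok = device_only_ok   # True models the 'indicator alone' mode
        self.users: Dict[str, tuple] = {}      # user -> (salt, PBKDF2 digest)
        self.devices: Dict[str, tuple] = {}    # device indicator -> (owner, token seed)

    def register_user(self, user: str, password: str) -> None:
        salt = hashlib.sha256(b"salt:" + user.encode()).digest()[:16]   # deterministic for the example
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))

    def register_device(self, owner: str, registration_code: str, token_seed: bytes) -> None:
        self.devices[device_indicator(registration_code)] = (owner, token_seed)

    def authenticate(self, request: dict, now: int) -> dict:
        user, ind = request["user"], request["indicator"]
        # Factor 1: the coupled device must be registered, and registered to this user.
        known = self.devices.get(ind.get("device"))
        if not ind.get("tethered") or known is None or known[0] != user:
            return {"success": False, "reason": "unknown or unowned second device"}
        # Factor 2: the token must match the local provider's current code; the
        # previous time step is also accepted to absorb clock skew (assumed policy).
        expected = (token_code(known[1], now), token_code(known[1], now - TOKEN_STEP))
        if not any(hmac.compare_digest(ind.get("token", ""), e) for e in expected):
            return {"success": False, "reason": "token mismatch"}
        # Factor 3: something the user supplies, unless policy allows device-only access.
        password = request["factors"].get("password")
        if password is None:
            if not self.device_only_ok:
                return {"success": False, "reason": "user factor required"}
        else:
            record = self.users.get(user)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record[0], 50_000) if record else b""
            if not record or not hmac.compare_digest(digest, record[1]):
                return {"success": False, "reason": "password mismatch"}
        # All factors verified: issue the passcode presented to the secured resource.
        msg = f"{user}|{ind['device']}|{now}".encode()
        return {"success": True,
                "passcode": hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()}


def demo() -> Dict[str, dict]:
    """Constructed scenarios: a normal login, a stolen phone with and without a
    guessed password, a token replayed 90 s later, and an unregistered phone."""
    now = 1_700_000_000
    server = AuthenticationServer(server_key=b"example-server-key")
    server.register_user("alice", "correct horse battery")
    server.register_device("alice", "REG-0001", b"shared-seed-0001")
    phone = SecurityAgent("REG-0001", b"shared-seed-0001")
    data = phone.security_data(now)
    stranger = SecurityAgent("REG-9999", b"never-registered").security_data(now)
    good = "correct horse battery"
    return {
        "legit": server.authenticate(build_auth_request("alice", good, data, True), now),
        "stolen_no_password": server.authenticate(build_auth_request("alice", None, data, True), now),
        "stolen_guessed": server.authenticate(build_auth_request("alice", "password1", data, True), now),
        "replayed_token": server.authenticate(build_auth_request("alice", good, data, True), now + 3 * TOKEN_STEP),
        "unregistered_phone": server.authenticate(build_auth_request("alice", good, stranger, True), now),
    }
```

The server checks the factors in the order known device, token, user factor, and every comparison of a secret goes through `hmac.compare_digest`; the replay case fails because the token provider on the server recomputes the code for the current time step rather than remembering codes it has seen.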
- FIGS. 14 and 15 show example methods 1400 and 1500 that may be carried out in connection with the environment 1100 .
- the methods 1400 and 1500 are respectively presented from the client and server perspectives.
- operation begins at 1410 , whereupon the first device 110 receives security data 1114 from the second device 1110 .
- the second device 1110 has a network path 180 - 2 , such as a cellular data path, shared with the first device 110 .
- the first device 110 may have its own network path 180 - 1 , such as Wi-Fi.
- the security data 1114 may include identity information about the second device 1110 , such as a registration code or other shared secret, and/or may include a token code 1322 , such as a one-time password.
- the first device 110 sends a request to the server 120 to access a secured resource 1140 using an indicator 1114 a based on the security data 1114 .
- the secured resource 1140 is a secured SaaS application, a secured file, or some other resource.
- the indicator 1114 a may be identical to the received security data 1114 or it may be based upon such security data 1114 .
- the request may also include additional authentication factors 1117 .
- the first device 110 accesses the secured resource 1140 in response to successful authentication based at least in part on the indicator 1114 a .
- successful authentication may result from verification that the second device 1110 is coupled to the first device 110 and is known to (e.g., registered with or otherwise trusted by) the server 120 , and/or that a token code 1322 provided in an authentication request 1150 matches an expected token code.
- operation begins at 1510 , whereupon the server 120 receives an authentication request 1150 from the first device 110 for accessing the secured resource 1140 .
- the received authentication request 1150 includes an indicator 1114 a based on security data 1114 obtained from the second device 1110 , which shares its network connection with the first device 110 .
- the indicator 1114 a may include, for example, an identifier of the second device 1110 , such as a registration code or other shared secret, and/or a one-time password generated by the second device 1110 .
- the server 120 e.g., acting through the authentication server 1130 , performs an authentication operation 1252 based at least in part on the received indicator 1114 a .
- the authentication operation 1252 verifies, based on the registration code, that the second device 1110 is known to the server 120 , and/or verifies that the token code 1322 matches an expected value.
- the server 120 enables the first device 110 to access the secured resource 1140 in response to the authentication operation 1252 producing a successful result.
- the server 120 may generate a passcode 1254 that the first device 110 may use as a key for accessing the secured resource 1140 .
- a technique has been described for performing authentication.
- the technique increases authentication strength and/or convenience by receiving security data 1114 from a second device 1110 that shares its network connection 180 - 2 with a first device 110 .
- the second device 1110 can provide increased authentication strength with little or no additional effort on the part of a user. In some examples the second device 1110 can transparently add authentication strength to authentication requests 1150 made by the first device 110 with little or no user involvement.
- Section III Leveraging Location Information of a Second Device when Requesting Access to a Resource by a First Device
- An improved technique for managing computerized access includes a first device that receives location information from a second device that shares its network connection with the first device.
- the first device applies the location information received from the second device when requesting access to a resource on the network.
- the first device effectively leverages the presence of the second device and its location information to increase authentication strength and/or to facilitate the administration of access rights.
- the technique described in this section may be provided in the environment of Section I, e.g., in an arrangement in which a device maintains multiple, simultaneous network connections and seamlessly switches between or among them.
- the technique described in this section may be provided with the particular features described in Section II, e.g., wherein a first device leverages the presence of a second device when performing authentication. Neither the Section-I arrangement nor the Section-II arrangement is required, however, as the technique presented in this section may be used independently of those presented in the previous sections.
- FIG. 16 shows an example system 1600 in which embodiments of the improved technique can be practiced.
- a first computing device 110 (client), a second computing device 1110 (coupled), and a server 120 operatively connect to a network 170 .
- the first computing device 110 (or simply, “first device”), server 120 , and network 170 may be similar to those described in connection with FIGS. 1 and 11 , although this is not required.
- the first device 110 and the second computing device 1110 (“second device”) may be owned and operated by the same person or entity, although this is also not required.
- the server apparatus 120 as shown in FIG. 16 is seen to include an authorization/authentication (A/A) server 1630 , which is configured to support both authentication and access control (e.g., authorization) to system resources.
- the server 120 may be implemented using any number of physical computers and/or virtual machines, which are referred to collectively herein as "the server."
- the first device 110 connects to the network 170 via a first network path 180 - 1 and the second device 1110 connects to the network 170 via a second network path 180 - 2 .
- the first network path 180 - 1 may be Wi-Fi (IEEE 802.11)
- the second network path 180 - 2 may be cellular data, such as LTE (Long Term Evolution), GSM (Global System for Mobile Communications), CDMA (Code Division Multiple Access), or WiMAX.
- the second network path 180 - 2 may also be 5G or some other developing or future cellular scheme.
- the first device 110 may be a laptop, tablet, or other computer
- the second device 1110 may be a smartphone, tablet, dongle (e.g., LTE dongle), personal reader, or other device having a cellular data interface.
- although devices 110 and 1110 are both shown as having a single path 180 - 1 or 180 - 2 to the network 170 , one should appreciate that each device may have multiple paths to the network 170 .
- the network 170 may be provided as a local area network (LAN), a wide area network (WAN), an intranet, the Internet, and/or some other type of network or combination of networks.
- the network 170 includes the Internet
- the server 120 is a provider of cloud-based and/or virtual services, such as SaaS (Software as a Service) applications and/or file storage.
- the first device 110 is configured to access the second network path 180 - 2 via the second device 1110 , for example by tethering or otherwise communicatively coupling the devices.
- “Tethering” describes the sharing of a mobile device's network connection with other computers.
- the first device 110 is able to maintain multiple, simultaneous connection paths to the network 170 , and thus to the server 120 . If connection path 180 - 1 becomes weak, for example, the client device 110 may seamlessly and transparently switch to connection path 180 - 2 , or vice-versa, with little or no disruption.
- Coupling of the first device 110 to the second device 1110 may be achieved over a local connection, such as connection medium 1112 , which may be provided as Bluetooth, Wi-Fi, USB (Universal Serial Bus), or some other wireless protocol or type of cable.
- the devices 110 and 1110 may provide location information 1610 , such as first location information 1610 a of the first device 110 and second location information 1610 b of the second device 1110 .
- the location information 1610 may take a variety of forms, such as GPS (Global Positioning System) coordinates, Wi-Fi identifiers, MAC (Media Access Control) addresses, IP (Internet Protocol) addresses, telephone numbers, and the like.
- Wi-Fi mapping technology associates Wi-Fi hotspots with respective locations, which may be obtained by correlation with GPS coordinates and/or other location sources.
- Wi-Fi identifiers may include MAC addresses (BSSIDs) and/or SSIDs (Service Set Identifiers). The BSSID uniquely identifies an access point, whereas an SSID is a network name that many unrelated access points can share, so location lookups are keyed on the detected BSSID, optionally qualified by the SSID.
- Location services also track locations based on ISP (Internet Service Provider) data, phone numbers, and/or specially compiled maps. IP addresses provide common sources of location information, as ISPs and associated network components track locations based on network distribution and customer data.
- a user 102 configures the second device 1110 to share (e.g., tether) its network path 180 - 2 with the first device 110 , e.g., in a manner similar to that described in Section II. Sharing of network connection 180 - 2 may be established over local connection 1112 , which may be Wi-Fi, Bluetooth, or USB, for example. With the second device 1110 configured to share the second network path 180 - 2 , the first device 110 discovers and connects to the second network path 180 - 2 , such that the first device 110 can access the network 170 via both the first network path 180 - 1 and the second network path 180 - 2 .
- upon discovering the second network path 180 - 2 , the first device 110 initiates a handshaking protocol with the second device 1110 to obtain location information 1610 b of the second device 1110 .
- Initial handshaking is not required, however, as the first device 110 may instead request location information 1610 b on demand and/or as needed, e.g., in response to a specific request or operation that uses the location information 1610 b.
- the user 102 and/or an application (not shown) running on the first device 110 requests access to a resource of the network 170 , such as the secured resource 1140 .
- the secured resource 1140 may be a file, a file system, an application, a virtual machine, or any other resource for which access based on requestor location is desired.
- Access manager 1608 on the first device 110 begins to prepare an access request 1650 .
- the first device 110 may request ( 1608 a ) location information 1610 b from the second device 1110 , which returns ( 1608 b ) the location information 1610 b to the first device 110 .
- a location processor 1620 running on the first device 110 forms a location indicator 1622 .
- the location indicator 1622 may be formed in a variety of ways. In one example, location processor 1620 obtains first location information 1610 a of the first device 110 and combines it with the second location information 1610 b from the second device 1110 , thereby forming the location indicator 1622 , which is based on both the first location information 1610 a and the second location information 1610 b .
- the location processor 1620 forms the location indicator 1622 based solely on the second location information 1610 b of the second device 1110 , i.e., ignoring the location information 1610 a , which is not required in all embodiments and need not be present.
- the location processor 1620 forms the location indicator 1622 based on three or more sources of location information 1610 , such as the first location information 1610 a , the second location information 1610 b , and third location information 1610 c.
- the first location information 1610 a may be a Wi-Fi identifier (e.g., a MAC address, or a MAC address plus an SSID) or an IP address.
- the second location information 1610 b may be GPS coordinates, an IP address, a phone number, or the like.
- the first location information 1610 a , second location information 1610 b , and third location information 1610 c are selected from distinct sources, so that the information they provide is not redundant. For example, the first location information is Wi-Fi, the second is GPS, and the third is an IP address or a phone number.
- the location processor 1620 forms the location indicator 1622 by including the available location information 1610 separately, i.e., with little or no processing or combining. In other examples, the location processor 1620 processes the provided location information 1610 to produce combined location information. In cases where multiple sources of location information 1610 are available, the combined location information generally provides a more accurate measure of location than could any of the individual sources alone.
- the access manager 1608 issues an access request 1650 for accessing the resource 1140 .
- the access request 1650 includes the location indicator 1622 , which is based on the available location information 1610 .
- the first device 110 sends the access request 1650 to the server 120 over the network path 180 - 1 (e.g., Wi-Fi).
- the first device 110 sends the access request 1650 over the network path 180 - 2 (e.g., LTE), via local connection 1112 , e.g., if Wi-Fi is unavailable, not working, or otherwise not preferred.
- the access request 1650 is part of an authentication request (e.g., authentication request 1150 of FIG. 11 ).
- the location of the requestor may be an explicit authentication factor required to authenticate the user 102 and/or device 110 (e.g., one of the authentication factors 1117 ).
- the user 102 and/or the device 110 is already authenticated (or authentication is not required), in which case the server 120 may still use the location indicator 1622 for making access control decisions.
- the server 120 may allow access to a resource when the originating location is the user's home but deny access when the originating location is a neighborhood coffee shop.
- the server 120 includes a location manager 1636 , which receives and processes the location indicator 1622 arriving in the access request 1650 .
- the location manager 1636 contacts a third-party location service 1632 a , and/or uses a local location service 1632 b , to transform elements of location information 1610 (e.g., 1610 a , 1610 b , 1610 c ) into respective geographical coordinates or other indicators of geographical location.
- location service 1632 a and/or 1632 b transforms any of a MAC address (or a MAC address plus SSID), IP address, phone number, or the like into a corresponding geographical location.
- the location manager 1636 may combine the resulting locations in any suitable way to produce a representative location 1638 based on the received elements of location information 1610 .
- the process for generating the representative location 1638 may vary based on the elements of location information 1610 themselves. For example, if the location information 1610 b or 1610 c includes GPS coordinates that remain stable over time (suggesting a strong GPS signal), then the location manager 1636 may simply use the GPS coordinates as the representative location 1638 , effectively ignoring other location information. If the GPS coordinates are noisy (indicating a weak GPS signal), the location manager 1636 may instead use Wi-Fi, IP address, and/or phone number. The location manager 1636 may discard location information that appears to be clearly erroneous, preventing it from contributing to the representative location 1638 . For example, a location based on IP address might be wholly unreliable for an IP address received from a proxy server. Where multiple elements of location information 1610 are available, some may be disregarded if they disagree with others.
- LON longitude
- the location manager 1636 may compute the centroid as follows:
- W i is a weight that represents a confidence score of the respective location information.
- higher-confidence location information may be given higher weight than lower-confidence location information, with the result tending to bias the centroid toward the more highly-weighted source.
- the location manager 1636 may then set the representative location 1638 as the centroid coordinates.
- centroids may be used primarily in cases where reliable GPS is not available.
- the location manager 1636 verifies that the representative location 1638 is consistent with an authorized location for accessing the resource 1140 .
- the server 120 may include or otherwise have access to a white list 1634 of authorized locations. To determine whether a representative location 1638 is authorized, the location manager 1636 compares the representative location 1638 with locations on the white list 1634 . If the representative location 1638 matches an entry on the white list 1634 , e.g., if the locations are the same to within a specified distance threshold, a location match is confirmed. In this case, the server apparatus 120 may return an access response 1660 to the first device 110 , and thereby grant access to the resource 1140 .
- the access response 1660 may include a session key, a token, or other data for enabling the first device 110 to access the resource 1140 .
- the access response 1660 may include the resource 1140 itself.
- the server 120 may issue an access response 1660 that indicates that no location match was found. Access to the resource 1140 may be denied and/or access privileges may be limited, as a consequence of the failed location match.
- FIG. 17 shows an example arrangement 1700 in which location information 1610 from the second device 1110 facilitates access control of a secured resource 1140 .
- the illustrated activities involve the first device 110 , second device 1110 , authentication server 1630 , and secured resource 1140 .
- the first device 110 discovers the second network path 180 - 2 upon becoming communicatively coupled to the second device 1110 .
- the user 102 configures the second device 1110 as a personal hotspot and establishes a connection 1112 between the first device 110 and the second device 1110 , e.g., via Wi-Fi, Bluetooth, or USB.
- the first device 110 discovers the second network path 180 - 2 and establishes a connection to the network 170 through the second network path 180 - 2 .
- the first device 110 issues a request 1608 a to the second device 1110 for location information 1610 b of the second device 1110 .
- the second device gathers available sources of location information 1610 (e.g., GPS coordinates, IP address, phone number, etc.).
- the second device 1110 returns the gathered location information, which includes location information 1610 b (and possibly other location information), to the first device 110 .
- the first device 110 forms a location indicator 1622 , which may be based on any location information 1610 returned at 1716 , as well as any first location information 1610 a obtained from the first device 110 .
- the location indicator 1622 may directly include the individual elements of location information 1610 , or it may provide some combination thereof.
- the first device sends an access request 1650 to the authentication/authorization (A/A) server 1630 .
- the access request 1650 includes the location indicator 1622 .
- the access request 1650 includes additional information, e.g., if the access request 1650 is also an authentication request 1150 .
- the A/A server 1630 receives the access request 1650 and proceeds to establish a representative location 1638 based on the location indicator 1622 .
- establishing the representative location 1638 may involve using received GPS coordinates, if they are available and reliable.
- establishing the representative location 1638 may involve transforming certain received elements of location information 1610 into corresponding geographical locations, e.g., via action of location services 1632 b and/or 1632 c .
- the A/A server 1630 may establish the representative location 1638 by computing a centroid of geographical locations, and the centroid may be weighted based on confidence.
- the A/A server 1630 determines whether the information in the location indicator 1622 is consistent with an authorized location from which to access the secured resource 1140 . For example, the A/A server 1630 checks whether the representative location 1638 matches the location of any entry on the white list 1634 , e.g., whether the two locations differ by less than a threshold distance.
- the A/A server 1630 returns an access response 1660 .
- the access response 1660 may include a passcode 1762 , which grants access to the secured resource 1140 .
- the access response 1660 may include a token, other data, and/or the secure resource 1140 itself (e.g., if the secure resource 1140 is a file or other transferrable element).
- the first device 110 may then use the passcode 1762 or other element to access the secure resource 1140 .
- access request 1650 may be denied.
- access may be granted but with limited privileges, such as read/only privileges rather than full control.
- FIGS. 18 and 19 show example methods 1800 and 1900 that may be carried out in connection with the system 1700 .
- the methods 1800 and 1900 are respectively presented from the client and server perspectives.
- operation begins at 1810 , whereupon the first device 110 obtains location information 1610 b from the second device 1110 .
- the location information 1610 b may include, for example, GPS coordinates, an IP address, a Wi-Fi identifier, a phone number, and/or the like.
- the first device 110 is communicatively coupled to the second device 1110 and the second device shares its network connection with the first device 110 .
- the second device 1110 may establish a personal hotspot or the like and the first device 110 may be tethered to the second device 1110 .
- the first device 110 forms a location indicator 1622 based on location information 1610 .
- location information 1610 may include only the second location information 1610 b . In other examples, it includes the first location information 1610 a and the second location information 1610 b . In further examples, the location information 1610 includes three or more elements of location information. The first device 110 may form the location indicator 1622 by providing the elements of location information 1610 separately, or by combining them in any suitable fashion.
- the first device 110 sends an access request 1650 to the server 120 .
- the access request 1650 includes the location indicator 1622 as formed by the first device 110 and requests access to a resource, such as the secured resource 1140 .
- the first device 110 is allowed to access the resource 1140 based on the location indicator 1622 being consistent with an authorized location, such as a location listed on a white list 1634 . Consistency of location may be established, for example, based on a location derived from the location indicator 1622 , such as a representative location 1638 , falling within a threshold distance of an entry in the white list 1634 .
- operation begins at 1910 , whereupon the server 120 receives an access request 1650 from the first device 110 for accessing the secured resource 1140 .
- the received access request 1650 includes a location indicator 1622 , which is based on location information 1610 b from the second device 1110 .
- the second device 1110 is operatively connected to the first device 110 and shares its network connection with the first device 110 .
- the server 120 optionally transforms certain elements of location information 1610 , provided by the location indicator 1622 , into corresponding geographical locations. This act may be omitted for any element of location information 1610 that already includes geographical coordinates or the like, such as GPS coordinates.
- at act 1930 , the server 120 generates a representative location 1638 from the location information 1610 .
- act 1930 includes generating a centroid of geographical locations, which may be weighted (based on confidence scores) or unweighted.
- act 1930 includes providing any received GPS coordinates as the representative location 1638 .
- the server 120 verifies that the location indicated by the location indicator 1622 (e.g., the representative location 1638 ) is consistent with an authorized location from which the resource 1140 may be accessed, such as an entry in a white list 1634 .
- the first device 110 is granted access to the resource 1140 , e.g., by providing the resource directly or by providing a passcode, token, or other data that enables the first device 110 to access the resource. If no location match is found, the access request 1650 may be denied or access may be granted but with reduced privileges.
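The server-side procedure described above (the location manager 1636 of FIG. 16, the exchange of FIG. 17, and method 1900) can be carried through end to end in code. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes constructed lookup tables in place of the location services 1632 a/1632 b, a constructed white list 1634, and a hypothetical HMAC-signed token format for the access response 1660; it implements the stable-GPS shortcut, the discard of a location derived from a proxy IP address, the rule that an element disagreeing with all others is disregarded, the confidence-weighted centroid, and the threshold-distance white list match with either denial or reduced privileges on mismatch. Every coordinate, address, key and device name is sample data.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass

# Constructed stand-ins for location services 1632a/1632b: they map a Wi-Fi
# BSSID+SSID, an IP address or a phone-number prefix to coordinates. A real
# deployment would query a geolocation provider; every value here is sample data.
WIFI_DB = {"a4:5e:60:11:22:33|HomeNet": (42.3601, -71.0589)}
IP_DB = {"203.0.113.7": (42.3605, -71.0595), "198.51.100.9": (51.5074, -0.1278)}
PROXY_IPS = {"198.51.100.9"}           # egress of a known proxy: its location is meaningless
PHONE_PREFIX_DB = {"+1617": (42.3600, -71.0600)}

# White list 1634: named authorized locations (constructed).
WHITE_LIST = {"home": (42.3601, -71.0589), "hq": (40.7128, -74.0060)}
SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # hypothetical token-signing key


@dataclass
class Element:
    """One element of location information 1610 carried in the indicator 1622."""
    kind: str                 # "gps", "wifi", "ip" or "phone"
    value: object             # (lat, lon) for gps, otherwise a string
    confidence: float = 1.0   # the weight W_i of the centroid formula
    stable: bool = False      # gps only: coordinates steady over time (strong signal)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))


def resolve(el):
    """Transform an element into (lat, lon); None means 'discard as unusable'."""
    if el.kind == "gps":
        return tuple(el.value)
    if el.kind == "wifi":
        return WIFI_DB.get(el.value)
    if el.kind == "ip":
        return None if el.value in PROXY_IPS else IP_DB.get(el.value)
    if el.kind == "phone":
        return next((c for p, c in PHONE_PREFIX_DB.items() if el.value.startswith(p)), None)
    return None


def representative_location(elements, outlier_m=50_000):
    """Representative location 1638: stable GPS if present, else a weighted centroid."""
    for el in elements:
        if el.kind == "gps" and el.stable:
            return tuple(el.value)                 # strong fix: ignore everything else
    points = [(resolve(el), el.confidence) for el in elements]
    points = [(c, w) for c, w in points if c is not None and w > 0]
    if not points:
        return None
    # Disregard a point that agrees with no other point (needs >= 3 to judge).
    if len(points) >= 3:
        kept = [p for i, p in enumerate(points)
                if any(haversine_m(p[0], q[0]) <= outlier_m
                       for j, q in enumerate(points) if j != i)]
        points = kept or points
    # Confidence-weighted centroid; averaging degrees directly is fine at city scale.
    total = sum(w for _, w in points)
    lat = sum(c[0] * w for c, w in points) / total
    lon = sum(c[1] * w for c, w in points) / total
    return (lat, lon)


def issue_token(device_id, match, privileges, not_after):
    """Access response 1660 payload: an HMAC-bound token (hypothetical format)."""
    body = f"{device_id}|{match}|{privileges}|{not_after}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def authorize(device_id, elements, threshold_m=500, on_mismatch="deny", not_after=0):
    """Location manager 1636: verify the indicator against the white list 1634."""
    loc = representative_location(elements)
    if loc is None:
        return {"granted": False, "reason": "no usable location information"}
    for name, entry in WHITE_LIST.items():
        if haversine_m(loc, entry) <= threshold_m:
            return {"granted": True, "match": name, "privileges": "full",
                    "token": issue_token(device_id, name, "full", not_after)}
    if on_mismatch == "read-only":                 # degrade instead of refuse
        return {"granted": True, "match": None, "privileges": "read-only",
                "token": issue_token(device_id, "none", "read-only", not_after)}
    return {"granted": False, "reason": "no location match", "location": loc}


if __name__ == "__main__":
    tethered = [Element("gps", (42.3650, -71.0500), 0.3),          # noisy phone GPS
                Element("wifi", "a4:5e:60:11:22:33|HomeNet", 0.9),  # laptop's own Wi-Fi
                Element("ip", "203.0.113.7", 0.5),                  # hotspot's public IP
                Element("phone", "+16175550123", 0.2)]              # hotspot's number
    print(authorize("laptop-1", tethered, not_after=1700000000))
```

`authorize` returns what the server would encode in the access response 1660; passing `on_mismatch="read-only"` yields the second outcome the description allows, access with limited privileges rather than refusal. The disagreement filter only fires with three or more resolvable points, because with two the server cannot tell which one is wrong and a centroid midway between them will simply fail the white list match.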
- the technique includes a first device 110 that receives location information 1610 b from a second device 1110 that shares its network connection 180 - 2 with the first device 110 .
- the first device 110 applies the location information 1610 b received from the second device 1110 when requesting access to a resource 1140 of a network 170 .
- the first device 110 thus effectively leverages the presence of the second device 1110 and its location information 1610 to increase authentication strength and/or to facilitate the administration of access rights.
- although the second device 1110 has been described as providing the first device 110 with a second connection to the computer network, e.g., to support multiple redundant network paths, this too is merely an example.
- in other examples, the second device 1110 provides location information but does not provide the first device 110 with a second connection to the network.
- the improvement or portions thereof may be embodied as a computer program product including one or more non-transient, computer-readable storage media, such as a magnetic disk, magnetic tape, compact disk, DVD, optical disk, flash drive, solid state drive, SD (Secure Digital) chip or device, Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA), and/or the like.
- ASIC Application Specific Integrated Circuit
- FPGA Field Programmable Gate Array
- the words “comprising,” “including,” “containing,” and “having” are intended to set forth certain items, steps, elements, or aspects of something in an open-ended fashion.
- the word “set” means one or more of something. This is the case regardless of whether the phrase “set of” is followed by a singular or plural object and regardless of whether it is conjugated with a singular or plural verb.
- ordinal expressions such as “first,” “second,” “third,” and so on, may be used as adjectives herein for identification purposes. Unless specifically indicated, these ordinal expressions are not intended to imply any ordering or sequence.
- a “second” event may take place before or after a “first event,” or even if no first event ever occurs.
- an identification herein of a particular element, feature, or act as being a “first” such element, feature, or act should not be construed as requiring that there must also be a “second” or other such element, feature or act. Rather, the “first” item may be the only one.
- “based on” is intended to be nonexclusive. Thus, “based on” should not be interpreted as meaning “based exclusively on” but rather “based at least in part on” unless specifically indicated otherwise.
Abstract
Description
- This application claims the benefit of U.S. Provisional Application No. 62/786,813, filed Dec. 31, 2018, the contents and teachings of which are incorporated herein by reference in their entirety.
- It is common for modern computing devices to support multiple network connections. For example, a laptop computer might support Ethernet, Wi-Fi (IEEE 802.11x), and/or cellular network connections. If one network connection fails, a user has the option to change networks, e.g., by accessing network settings on the laptop and selecting a different network.
- Some devices change network connections automatically. For example, a user of a smartphone might start listening to a podcast at home, where the smartphone is connected to Wi-Fi, but then might decide to continue listening outside. When the user gets out of Wi-Fi range, the smartphone detects the loss of Wi-Fi and switches over to cellular service. With adequate buffering, the transition may appear seamless, and the user may never notice that there has been a connection failure and then a failover from Wi-Fi to cellular service.
- Unfortunately, certain applications do not support seamless transitions when the devices on which they run switch networks. For example, applications like web conferencing, which involve real-time interactivity, may temporarily freeze when network connections change. In some cases, establishing a new connection may require handshaking or other communications, which can extend the durations of outages. Even if outages are only momentary, they can still cause frustration and annoyance and diminish user experience.
- In contrast with these conventional approaches, a technique disclosed herein maintains multiple network paths simultaneously, exchanging the same data redundantly through the network paths and allowing a receiver to select one of the network paths as its source of data. In the event that a first, currently-selected network path becomes weak, for example, the receiver can automatically and seamlessly switch its source of data to a second network path, while the first network path remains operational. Given that the second network path is already on and conveying data, the transition is nearly instantaneous. Even highly interactive applications running in environments having network dead zones or interference can remain fully functional with generally no downtime.
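To make the mechanism concrete, the following Python is an added example written for this page, not the patent's own link bonding client 140 c or link bonding service 140 s. A sender stamps each message with a sequence number and emits a copy over every path; a receiver consumes frames from one selected path, discards the redundant copies, and switches its source when the selected path lags the best path by a threshold number of frames. The lag rule is an assumed proxy for a path "becoming weak" (the description does not fix the signal; link quality or round-trip time would serve as well). The path names, the dead-zone scenario and the messages are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    seq: int        # sequence number assigned once per application message
    path: str       # network path the copy travelled, e.g. "wifi" or "lte"
    payload: bytes


class BondedSender:
    """Link bonding sender: every message goes out redundantly on every path."""

    def __init__(self, paths):
        self.paths = list(paths)
        self.seq = 0

    def send(self, payload):
        self.seq += 1
        return [Frame(self.seq, p, payload) for p in self.paths]


class BondedReceiver:
    """Link bonding receiver: consumes one selected path, fails over when it lags."""

    def __init__(self, paths, lag_threshold=3):
        self.buffers = {p: {} for p in paths}      # per path: seq -> payload
        self.last_seen = {p: 0 for p in paths}     # highest seq ever seen per path
        self.selected = paths[0]
        self.next_seq = 1                          # next seq owed to the application
        self.lag_threshold = lag_threshold
        self.switches = []                         # (at_seq, from_path, to_path)

    def receive(self, frame):
        """Accept a frame from any path; return payloads now deliverable in order."""
        if frame.seq >= self.next_seq:             # ignore copies already delivered
            self.buffers[frame.path][frame.seq] = frame.payload
        self.last_seen[frame.path] = max(self.last_seen[frame.path], frame.seq)
        self._maybe_failover()
        return self._drain()

    def _maybe_failover(self):
        # "Weak" is modelled as the selected path falling lag_threshold frames
        # behind the best path (an assumption; RSSI or RTT would also do).
        best = max(self.last_seen, key=self.last_seen.get)
        lag = self.last_seen[best] - self.last_seen[self.selected]
        if best != self.selected and lag >= self.lag_threshold:
            self.switches.append((self.next_seq, self.selected, best))
            self.selected = best                   # other path is already live: no setup

    def _drain(self):
        out = []
        buf = self.buffers[self.selected]
        while self.next_seq in buf:
            out.append(buf.pop(self.next_seq))
            self.next_seq += 1
        for b in self.buffers.values():            # discard redundant copies now consumed
            for s in [s for s in b if s < self.next_seq]:
                del b[s]
        return out


def run_dead_zone_demo():
    """Constructed scenario: Wi-Fi loses frames 4-8 and returns late; LTE is clean."""
    sender = BondedSender(["wifi", "lte"])
    rx = BondedReceiver(["wifi", "lte"])
    delivered = []
    for i in range(1, 11):
        wifi_copy, lte_copy = sender.send(f"m{i}".encode())
        if i >= 9:                                 # Wi-Fi is back but now trails LTE
            delivered += rx.receive(lte_copy)
            delivered += rx.receive(wifi_copy)
        elif i >= 4:                               # Wi-Fi dead zone: copy never arrives
            delivered += rx.receive(lte_copy)
        else:
            delivered += rx.receive(wifi_copy)
            delivered += rx.receive(lte_copy)
    return delivered, rx.switches


if __name__ == "__main__":
    print(run_dead_zone_demo())
```

In the demo the receiver hands the application messages 1 through 10 exactly once and in order, with a single switch from `wifi` to `lte` at message 4; the three frames that queued on LTE while the lag built up are released the instant the switch happens, which is the "nearly instantaneous" transition the description relies on. Frames 4 and 5 are delivered later than they could have been, so the threshold trades a short delay against flapping between paths.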
- In some arrangements, a first device may establish an additional connection to a network by operatively coupling to a second device. For example, the first device may connect to Wi-Fi and may also connect, e.g., via Bluetooth, Wi-Fi, or cable, to the second device, which is configured to share its network connection with the first device. The first device is then able to use both its own Wi-Fi connection and the shared connection from the second device.
- In such arrangements, the first device benefits from the reliability of having an additional network path. We have observed that this arrangement also lends itself to enhanced access control based on location.
- Along these lines, an improved technique includes a first device that receives location information from a second device that shares its network connection with the first device. The first device applies the location information received from the second device when requesting access to a resource of a network. Using the improved technique, the first device effectively leverages the presence of the second device and its location information to increase authentication strength and/or to facilitate the administration of access rights.
- Certain embodiments are directed to a method that includes receiving, by a first computing device, data from a second computing device, the data being indicative of a location of the second computing device, the second computing device having a connection to a computer network. The method further includes determining, by the first computing device, a location indicator based at least in part on the received data from the second computing device. The method still further includes sending, by the first computing device, a request to access a resource of the computer network, the request including the determined location indicator and accessing, by the first computing device, the resource of the computer network in response to an authorization to access the resource, the authorization granted in response to the request and based at least in part on the determined location indicator, the location indicator received from the second computing device providing an indication of location of the first computing device for enabling access by the first computing device to the resource based at least in part on location.
- Other embodiments are directed to a method that includes receiving, by a server, a request from a first computing device over a computer network, the request being to access a resource on the computer network and including a location indicator, the location indicator being based at least in part on data indicative of a location of a second computing device. The method further includes verifying, by the server, that a location indicated by the location indicator is consistent with an authorized location in which to access the resource of the computer network based at least in part on the location indicator of the received request and, in response to the verification of the location, granting, by the server, the first computing device access to the resource on the computer network.
- Other embodiments are directed to a server that includes control circuitry configured to: receive a request from a first computing device over a computer network, the request being to access a resource on the computer network and including a location indicator, the location indicator based at least in part on data indicative of a location of a second computing device. The control circuitry is further configured to verify that a location indicated by the location indicator matches an authorized location in which to access the resource of the computer network based at least in part on the location indicator of the received request and, in response to the verification of the location, grant the first computing device access to the resource on the computer network.
- Other embodiments are directed to a client device that includes control circuitry configured to obtain location information that indicates a location of a second device, the second device (i) operatively coupled to the client device, (ii) having a connection to a computer network, and (iii) sharing the connection with the client device. The control circuitry is further configured to form a location indicator based at least in part on the location information received from the second device, send an access request, including the location indicator, to a server to access a resource of the computer network, and access the resource based at least in part on a determination that the location indicator is consistent with an authorized location for accessing the resource.
- Additional embodiments include any method described above realized as a computerized apparatus, system, or device constructed and arranged to carry out the respective method, as well as a computer program product including a set of non-transitory, computer-readable media having instructions which, when executed by control circuitry, cause the control circuitry to perform the respective method. Further embodiments include any computerized apparatus, system, or device described above realized as a respective method or computer program product. Still further embodiments include any computer program product described above realized as a respective method, device, system, or computerized apparatus.
- The foregoing summary is presented for illustrative purposes to assist the reader in readily grasping example features presented herein; however, this summary is not intended to set forth required elements or to limit embodiments hereof in any way. One should appreciate that the above-described features can be combined in any manner that makes technological sense, and that all such combinations are intended to be disclosed herein, regardless of whether such combinations are identified explicitly or not.
- The foregoing and other features and advantages will be apparent from the following description of particular embodiments, as illustrated in the accompanying drawings, in which like reference characters refer to the same or similar parts throughout the different views.
- FIG. 1 is a block diagram of an example environment in which embodiments of the disclosed technique can be practiced.
- FIG. 2 is a block diagram showing an example arrangement for downloading a SaaS (Software as a Service) application from a server to a client.
- FIG. 3 is a flowchart showing an example method for operating a client and/or server in the environment of FIG. 1.
- FIGS. 4a-4d are simulated screenshots of a graphical user interface (GUI) of a client application component.
- FIG. 5 is a simulated screenshot of a GUI of a SaaS workspace application.
- FIGS. 6-8 are flowcharts showing example methods conducted by the client device, by the server, and by a system that includes both the client device and the server.
- FIG. 9 is a block diagram that shows an example network environment in which various aspects of the disclosure may be implemented.
- FIG. 10 is a block diagram that shows a computing device useful for practicing an embodiment of client devices, appliances and/or servers.
- FIG. 11 is a block diagram of an example system in which embodiments for performing authentication can be practiced.
- FIG. 12 is a sequence diagram showing an example procedure for performing authentication by a first device based at least in part on security data received from a second device.
- FIG. 13 is a sequence diagram showing another example procedure for performing authentication by a first device based at least in part on security data received from a second device.
- FIG. 14 is a flowchart showing an example method conducted by a client device for participating in authentication.
- FIG. 15 is a flowchart showing an example method conducted by a server for participating in authentication.
- FIG. 16 is a block diagram of an example system in which embodiments for leveraging location information can be practiced.
- FIG. 17 is a sequence diagram showing an example procedure for using location information of a second device when making an access request by a first device.
- FIG. 18 is a flowchart showing an example method conducted by a client device for accessing a resource using location information of a second device.
- FIG. 19 is a flowchart showing an example method conducted by a server for providing a first device with access to a resource using location information of a second device.
- Embodiments of disclosed techniques will now be described. One should appreciate that such embodiments are provided by way of example to illustrate certain features and principles but are not intended to be limiting.
- This document is provided in the following sections to assist the reader:
- Section I presents an example environment and technique for improving network reliability through the use of multiple, simultaneous network paths.
- Section II presents an example technique for using a second device to improve authentication strength and/or convenience of authentication requests made by a first device tethered to the second device.
- Section III presents an example technique for leveraging location information of a second device when requesting access to a resource by a first device.
The techniques disclosed in Sections I, II, and III may be used together or independently. Although each technique may benefit from the features of the others, no technique is required to be used with any other.
- A technique for operating an application maintains multiple, simultaneous network paths, exchanging the same data redundantly through the network paths and enabling a receiver to select one of the network paths as a source of the data.
- FIG. 1 shows an example environment 100 in which embodiments of the disclosed technique can be practiced. Here, a client device 110 (“client”) is operatively connected to a server apparatus 120 (“server”) over a network 170, such as a local area network (LAN), a wide area network (WAN), the Internet, and/or some other type of network or combination of networks. The client 110 may be provided as any user-operable computer or device, such as a laptop computer, desktop computer, tablet computer, smart phone, personal data assistant, set-top box, gaming system, or the like. The server 120 may be provided in a similar form, but is typically a server-grade computer that runs in a data center and is available “in the cloud,” meaning on the Internet. In some examples, the server 120 is implemented using multiple computers, as part of a distributed server or server cluster.
- The client 110 is connected to the network 170 via multiple paths 180, which may include an Ethernet path 180 a, a Wi-Fi path 180 b, and a cellular data path 180 c, for example. A greater or fewer number of paths 180 may be provided, and the disclosure is not limited to any particular type or types of paths. In an example, the cellular data path 180 c is an LTE (Long-Term Evolution) data path. The client 110 has a display 116, such as a monitor, touch screen, or the like, and the display 116 is configured to render a graphical user interface (GUI) 118, which may be operated by a user 102.
- As shown, the client 110 includes one or more communication interfaces 112 c, such as an Ethernet port, a Wi-Fi antenna, a cellular antenna, and/or the like. The client 110 also includes a set of processors 114 c, such as one or more processing chips and/or assemblies, and memory 130 c, which may include both volatile memory, e.g., RAM (Random Access Memory), and non-volatile memory, such as one or more ROMs (Read-Only Memories), disk drives, solid state drives, and the like. The set of processors 114 c and the memory 130 c together form client control circuitry, which is constructed and arranged to carry out various client methods and functions as described herein. Also, the memory 130 c includes a variety of software constructs realized in the form of executable instructions. When the executable instructions are run by the set of processors 114 c, the processor(s) carry out the operations of the software constructs. Although certain software constructs are specifically shown and described, it is understood that the memory 130 c typically includes many other software components, which are not shown, such as an operating system, various applications, processes, and daemons.
- The configuration of the server 120 may be similar to that of the client 110, with communication interface(s) 112 s, processor(s) 114 s, and memory 130 s. The processor(s) 114 s and memory 130 s form server control circuitry, which is constructed and arranged to carry out various server methods and functions as described herein. When the executable instructions on the server 120 are run by the processor(s) 114 s, the processor(s) carry out the operations of the software constructs.
- As further shown in FIG. 1, the memory 130 c of client 110 “includes,” i.e., realizes by execution of software instructions, a client component 132 c of a software application 132, a micro-VPN (Virtual Private Network) client 134 c, and a link bonding client 140 c. The memory 130 c further includes a TCP/IP (transmission control protocol/Internet protocol) driver 150 c, as well as additional drivers 160, such as Ethernet driver 160 a, Wi-Fi driver 160 b, and cellular data driver 160 c.
- Turning now to the server 120, the memory 130 s includes a server component 132 s of the software application 132, a micro-VPN server 134 s, and a link bonding service 140 s. The memory 130 s further includes a TCP/IP driver 150 s, as well as one or more drivers 160 for one or more connection paths 180. In a particular example, the server 120 uses only a single connection path, such as Ethernet, which is accessed via an Ethernet driver 160 d.
- In an example, the micro-VPN client 134 c and the link bonding client 140 c are provided as respective software libraries, with each library having its own API (Application Program Interface) for exposing its respective functions. In addition, the micro-VPN client 134 c and the link bonding client 140 c may each be “scoped” to the client component 132 c of the application program 132, meaning that their functionality is limited to communications involving the application program 132 and does not generally extend to other programs running on the client device 110. For example, the micro-VPN client 134 c coordinates with the micro-VPN server 134 s to establish an encrypted channel, such as a network tunnel 134, which is limited to communications over the network 170 between the client component 132 c and the server component 132 s. Rather than the tunnel 134 applying to the entire client device 110 (which is a common arrangement for conventional VPNs), the tunnel 134 can instead be restricted to network traffic of the application program 132 that passes between the client 110 and the server 120. In this arrangement, other network activity conducted by other programs running on the client device 110 may fall outside of the tunnel 134, where such activity is not secured by the tunnel 134. The micro-VPN thus provides the network tunnel 134 for a particular application, rather than for the client machine 110 as a whole. Among other things, this feature enables the micro-VPN, along with the link bonding client 140 c and client application code 132 c, to be provided in a single downloadable package (see FIG. 2), which can be installed on the client device 110, avoiding the need for multiple installation procedures and keeping all the related parts together. In an example, the micro-VPN client 134 c and server 134 s are configured to establish the encrypted channel by performing encryption and decryption of data passed through the tunnel 134. They may also be configured to restrict connections to designated resources on the network 170, e.g., by applying a white list of allowed sites and/or a black list of blocked sites. One should appreciate that the term “channel” as used herein is not limited to any one network path but rather encompasses all communication over all of the network paths 180. The link bonding client 140 c is configured to direct outgoing data (from the client component 132 c) over multiple network paths 180, and to receive incoming data arriving over the network paths 180, selecting one of the network paths as a source of data to be provided to the client component 132 c. In a similar manner, the link bonding service 140 s is configured to direct outgoing data (from the server component 132 s) over the network paths 180, and to receive incoming network data arriving over the same network paths 180, selecting one of the network paths 180 as a source of data to be provided to the server component 132 s. In some examples, the link bonding client 140 c and the link bonding service 140 s operate at the data link layer (layer 2) of the OSI (Open Systems Interconnection) model, but this is not required. Although the micro-VPN client 134 c and link bonding client 140 c are shown herein as software libraries, they may alternatively be implemented at least in part using hardware and/or firmware. Also, one should appreciate that the micro-VPN client and server and link bonding client and service are merely illustrative and are not intended to be limiting.
- In an example, the application program 132 is a SaaS application. The client component 132 c may be a web browser or other client-side program that runs web pages and/or other content downloaded from the server component 132 s. In an example, the application program 132 is a workspace framework, i.e., a software environment that provides user access to multiple sub-applications from a single interface. Such sub-applications run within the workspace framework, with incoming and outgoing data of those sub-applications passing through the tunnel 134 via the link bonding client 140 c. According to some examples, the tunnel 134 applies to all application traffic to and from the application framework.
- In example operation,
user 102 of theclient device 110 launches theclient component 132 c, e.g., by clicking or tapping a shortcut or by navigating in a browser. Based on previously-establishedassociations 114, theclient component 132 c connects over thenetwork 170 to theserver component 132 s and thetunnel 134 is established by action of themicro-VPN client 134 c and themicro-VPN server 134 s. Thelink bonding client 140 c and thelink bonding service 140 s may then exchangemessages 148 through thetunnel 134. Thelink bonding client 140 c uses themessages 148 as a basis for measuring network performance over thepaths 180. For example,sensor 144 measures network speed, e.g., as round-trip delay (using a ping utility), bandwidth, or the like. In an example,sensor 144 separately measures network speed or bandwidth over each of thepaths 180 and may repeat its measurements more or less continuously, or at regular intervals, such as once every 50 ms (milliseconds). Althoughmessages 148 are shown as a dotted line that directly connects thelink bonding client 140 c andserver 140 s, such messages in actuality pass through thenetwork 170, e.g., via client and server-side drivers 160, and through any supporting infrastructure for each path 180 (e.g., cell phone towers, routers, Internet service providers, and so forth). In this manner,sensor 144 obtains real-time measurements of eachpath 180. In some examples, thesensor 144 identifies a selectedpath 144 a, i.e., one of thepaths 180 that provides the highest speed, bandwidth, consistency, economy, and/or the like, and alerts thelink bonding service 140 s on theserver 120 of the identity of the selectedpath 144 a, e.g., in an indicator, sent over thenetwork 170, that identifies the selectedpath 144 a. - As the
user 102 operates theGUI 118 to control theapplication 132, theclient 110 sendsapplication data 162 to thenetwork 170 over allpaths 180, at substantially the same time and in parallel. For example, thelink bonding client 140 c passes theoutgoing application data 162 to the TCP/IP driver 150 c. The TCP/IP driver 150 c uses multi-path routing to forward the application data to the Ethernet driver 160 a, the Wi-Fi driver 160 b, and the cellular data driver 160 c. Theclient device 110 then sends out thepackets Packets same data 162 and pass through thenetwork 170 in parallel and at the same time, or nearly so, with any differences among them deriving from differing delays along thepaths 180. In an example, allapplication data 162 sent through all paths passes through thetunnel 134. - At the
server 120,packets IP driver 150 s and then to thelink bonding service 140 s. Thelink bonding service 140 s, having obtained the identity of the selectedpath 144 a based on the indicator sent from theclient device 110, proceeds to discard all packets arriving over all of the other paths. For example, if theEthernet path 180 a was established as the selectedpath 144 a, then thelink bonding service 140 s would discard allpackets packets 162 a to pass to theserver component 132 s. One should appreciate that theserver 120 receivespackets 162 via allpaths 180, even if theserver 120 includes only an Ethernet connection, as thepackets 162 originate from different sources and travel throughdifferent paths 180 on their way to theserver 120. - As shown at the bottom of
FIG. 1 , apacket 164, which is intended to be representative of all packets, includes asequence identifier 164 a and apayload 164 b. Thesequence identifier 164 a is unique to each packet, but duplicates of the same packet having thesame sequence identifier 164 a may be sent overdifferent paths 180. In one example, thelink bonding service 140 s discards arriving packets based on matching ofsequence identifiers 164 a. For example, thelink bonding service 140 s maintains a list ofsequence identifiers 164 a of all recently received packets and discards redundant packets having thesame sequence identifiers 164 a as those already on the list. Thelink bonding service 140 s may use other approaches for distinguishing packets. For example, particular port designations or other designators in the packet may identify thepath 180 over which the packet was transmitted. In such cases, thelink bonding service 140 s may discard packets whose port designations or other designators do not match that of the selectedpath 144 a. - When the
server 120 sendsapplication data 162 to theclient device 110, thelink bonding service 140 s passes the application data to the TCP/IP driver 150 s and through theEthernet driver 160 d to thenetwork 170. Theserver 120 sends the same application data redundantly in packets directed to allpaths 180, such that the same packets arrive at theclient device 110 via all of thepaths 180 in parallel. Theserver 120 thus sends packets via allpaths 180, even though theserver 120 may connect to thenetwork 170 using Ethernet only. - Drivers 160 a, 160 b, and 160 c on the
client device 110 receive thepackets 162 and pass them to the TCP/IP driver 150 c, which passes them to thelink bonding client 140 c. Aselector 142 in thelink bonding client 140 c assigns the selectedpath 144 a as the source of packets from theserver component 132 s. The selector discardspackets 162 d from all paths not designated as the selectedpath 144 a, and passes the packets from the selectedpath 144 a to theclient component 132 c. In an example, theselector 142 identifies packets arriving over the selectedpath 144 a using the same techniques described above in connection with the server. - In an example, the
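The receiver-side filtering just described (path-designator matching and sequence-identifier matching, as applied by the link bonding service 140 s and the selector 142), as an added Python example that is not code from the patent. The `Packet` type, the path names, the arrival order (including a lost Wi-Fi copy) and the bounded identifier window are all constructed for the demo; the combined check in `accept` is an assumption about how the two techniques would be layered, not something the page states.

```python
"""Receiver-side packet selection for link bonding (added example, not from the patent)."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    seq: int        # sequence identifier 164 a, shared by every copy of one packet
    path: str       # designator (e.g. a per-path port) naming the path 180 this copy used
    payload: bytes  # payload 164 b


class LinkBondingReceiver:
    """Selector logic of the kind the link bonding client 140 c and service 140 s apply."""

    def __init__(self, selected_path: str, window: int = 1024) -> None:
        self.selected_path = selected_path
        self.window = window            # how many recent identifiers are remembered
        self._seen: "OrderedDict[int, None]" = OrderedDict()

    def select_path(self, path: str) -> None:
        """Reassign the selected path 144 a (what the sensor's indicator conveys)."""
        self.selected_path = path

    def accept_by_path(self, pkt: Packet) -> bool:
        """Designator matching: only copies from the selected path are passed."""
        return pkt.path == self.selected_path

    def accept_by_sequence(self, pkt: Packet) -> bool:
        """Sequence matching: the first copy of an identifier is passed, later copies
        are discarded. The list of recent identifiers is bounded (oldest forgotten) so
        that a long session cannot grow it without limit."""
        if pkt.seq in self._seen:
            return False
        self._seen[pkt.seq] = None
        if len(self._seen) > self.window:
            self._seen.popitem(last=False)
        return True

    def accept(self, pkt: Packet, dedup: bool = True) -> bool:
        """Path matching, optionally combined with sequence matching so that a copy
        already delivered from the old path is not delivered again after a switch."""
        if not self.accept_by_path(pkt):
            return False
        return self.accept_by_sequence(pkt) if dedup else True


def deliver(arrivals: Iterable[Packet], selected_path: str,
            switch_at: Optional[Tuple[int, str]] = None, dedup: bool = True) -> List[int]:
    """Sequence identifiers handed to the application component, in delivery order.
    switch_at=(seq, new_path) models the sensor reassigning the selected path right
    after the packet with that identifier has been delivered."""
    rx = LinkBondingReceiver(selected_path)
    delivered: List[int] = []
    for pkt in arrivals:
        if rx.accept(pkt, dedup=dedup):
            delivered.append(pkt.seq)
            if switch_at is not None and pkt.seq == switch_at[0]:
                rx.select_path(switch_at[1])
    return delivered


def deliver_by_sequence(arrivals: Iterable[Packet]) -> List[Tuple[int, str]]:
    """Pure sequence matching: (identifier, path of the copy that arrived first)."""
    rx = LinkBondingReceiver(selected_path="")
    return [(p.seq, p.path) for p in arrivals if rx.accept_by_sequence(p)]


def sample_arrivals() -> List[Packet]:
    """Constructed trace: four packets, each sent over Ethernet, Wi-Fi and LTE in
    parallel; copies arrive in path-dependent order and the Wi-Fi copy of packet 3
    is lost (the user walked into a dead spot)."""
    payloads = {1: b"GET", 2: b"/ws", 3: b"HTTP", 4: b"/1.1"}
    order = [(1, "eth"), (1, "wifi"), (1, "lte"),
             (2, "wifi"), (2, "eth"), (2, "lte"),
             (3, "eth"), (3, "lte"),                 # no (3, "wifi") copy arrives
             (4, "lte"), (4, "wifi"), (4, "eth")]
    return [Packet(seq, path, payloads[seq]) for seq, path in order]


if __name__ == "__main__":
    trace = sample_arrivals()
    print("wifi selected, no switch:", deliver(trace, "wifi"))          # packet 3 is lost
    print("switch to lte after 2:   ", deliver(trace, "wifi", (2, "lte")))
    print("same switch, no dedup:   ", deliver(trace, "wifi", (2, "lte"), dedup=False))
    print("sequence matching only:  ", deliver_by_sequence(trace))
```

Without the sequence check, a switch of the selected path can hand the application component a second copy of a packet that the old path already delivered, which is why the combined check is worth keeping even when designators identify the path.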
- In an example, the sensor 144 continuously or repeatedly monitors network speed over the paths 180. If another path performs better than the current selected path 144 a, e.g., in terms of speed, economy, etc., then the link bonding client 140 c may select the better-performing path as a new selected path 144 a and communicate the new selected path 144 a to the link bonding service 140 s. In a particular example, only Wi-Fi and LTE paths are available. The link bonding service 140 s may then select Wi-Fi by default. If Wi-Fi speed falls below a designated threshold 146, the link bonding client 140 c may choose LTE as the new selected path 144 a. In some examples, the link bonding client 140 c only switches to LTE when the current Wi-Fi speed drops below the current LTE speed. If Wi-Fi speed later recovers, the link bonding client 140 c may reassign the selected path 144 a to Wi-Fi. The assignment of selected path 144 a is consequential in that it determines which packets are passed to the client component 132 c and which packets are discarded. It may also determine which packets the link bonding service 140 s on the server 120 passes to the server component 132 s and which packets it discards. In an example, the assignment of the selected path 144 a does not affect outgoing data transmitted by the client 110 or the server 120, however, as transmission is conducted over all paths 180 in parallel, regardless of the current selected path 144 a.
- With the arrangement as described, the client device 110 monitors speed of the paths 180 and selects the selected path 144 a at any given time. If Wi-Fi suddenly becomes weak, e.g., because the user 102 has moved into a Wi-Fi dead spot, operation seamlessly and transparently switches to LTE (or to some other path). When the user 102 comes back into an active Wi-Fi area, operation seamlessly and transparently switches back to Wi-Fi. The user 102 need never know that the switching has occurred and typically experiences no disruption in service.
- In some examples, the client 110 may save power and/or cost by temporarily shutting down the cellular data connection. For example, if Wi-Fi signal strength and/or speed as measured by sensor 144 are consistently high, the client 110 may temporarily close the LTE connection and proceed with Wi-Fi-only communications. Speed testing by sensor 144 may continue, however, and if Wi-Fi speed or signal strength starts to decline, the client 110 may reestablish the LTE connection. Preferably, the client 110 reconnects via LTE before the Wi-Fi signal becomes unusable, such that switching from Wi-Fi to LTE can proceed seamlessly prior to complete loss of the Wi-Fi signal. In some examples, the GUI 118 includes a control that allows the user 102 to turn off an undesired path. For example, if the user 102 is in an area with a strong Wi-Fi signal and does not intend to move during the course of a session, the user 102 might operate the GUI 118 to turn off LTE, thereby reducing power consumption associated with LTE processing and possibly reducing costs, which may be based on minutes used.
- One should appreciate that the choice of selected path 144 a may be based on a variety of factors. These may include, for example, speed, bandwidth, round-trip time, variability in network strength, interference (e.g., as measured based on numbers of dropped packets), and cost. Such factors may be combined in any suitable way, such as using combinatorial logic, weighted sums, fuzzy logic, machine learning, neural nets, and the like. Although the selected path 144 a may be the fastest path in many cases, this is not required. For example, a slower path that is still fast enough to provide good user experience might be chosen as the selected path 144 a if it is inexpensive to use and/or has other advantages.
- Although a main operating mode of embodiments hereof is to keep multiple network paths active at the same time, such embodiments are not required to work this way all the time. For example, if a network path, such as Wi-Fi, is found to provide a consistently strong signal and is free to use, Wi-Fi may be chosen as the selected path 144 a and operation over other network paths may be shut down. In a like manner, network paths that require high power consumption may be shut down temporarily to conserve battery life of the client device 110. Any paths 180 that have been shut down may be revived if the sensor 144 detects a drop in performance of the selected path 144 a.
- Further, although a single selected path 144 a has been described, some embodiments allow for multiple selected paths, such as one for download to the client device 110 and another for download to the server 120. Accordingly, the selector 142 in the client device 110 chooses the selected path for the client device, whereas a similar selector (not shown) in the server 120 chooses the selected path for the server 120. Allowing selected paths to differ for client and server reflects differences in upload versus download performance, which is common to many types of network paths. In these circumstances, measurements used as a basis for choosing the selected paths may be based on unidirectional delays rather than on round-trip delays. According to some variants, a separate computer or other facility may monitor network speed or bandwidth on behalf of the client device 110 and/or server 120.
- FIG. 2 shows an example arrangement for installing an application program on the client device 110. Here, the server 120 stores a downloadable application package 210, which may be provided, for example, as a compressed archive, and which includes code for implementing the client component 132 c, the micro-VPN client 134 c, and the link bonding client 140 c. To install the application program 132, the client device 110 contacts the server 120, e.g., via a website, and downloads the application package 210 to the client device 110 over the network 170. The client device 110 then opens the application package 210, decompresses any compressed contents, and installs the components. As all three components single package 210, the client device 110 is able to install all necessary components for supporting encrypted, multipath operation of the application program 132 via a single download.
- FIG. 3 shows an example method 300 for seamlessly and transparently switching between two connection paths, such as Wi-Fi and LTE, based on a quality attribute, which may itself be based on speed, bandwidth, network consistency, and/or cost; i.e., any of the factors described above for choosing the selected path 144 a. Although the method 300 focuses on two connection paths 180, the method 300 may be extended to any number of such paths. Also, although the depicted acts are shown in a particular order, the order may be varied and some acts may be performed simultaneously.
- At 310, a communication session is established between the application client 132 c and the application server 132 s, e.g., as a result of the user 102 launching the client component 132 c. In an example, the communication session takes place via the tunnel 134 established between the micro-VPN client 134 c and the micro-VPN server 134 s. A respective network connection is configured via each connection path 180, and all communications between the client component 132 c and the server component 132 s pass through the tunnel 134, for all paths 180. The link bonding client 140 c identifies a currently selected path 144 a and proceeds to pass data (e.g., packets) that arrive via that selected path 144 a to the client component 132 c. Thus, the link bonding client 140 c uses the selected path 144 a as its sole source for all incoming application data 162 and discards data 162 arriving via the other paths. In an example, prior to the sensor 144 making any network measurements, the link bonding service 140 c defaults to Wi-Fi as the initial selected path 144 a, switching to another path only if no Wi-Fi signal is detected.
- At 320, the sensor 144 in the link bonding client 140 c measures the connections over all paths 180, e.g., by using ping commands, bandwidth measurements, and/or other approaches, and produces a quality attribute (QA) for each connection path 180. In some examples, the quality attribute is based solely on speed of the respective path. In other examples, the quality attribute is based on any combination of factors, which may include speed, bandwidth, cost, and/or consistency, for example.
- At 330, the link bonding client 140 c determines whether the quality attribute of the Wi-Fi path (Connection 1) has fallen below a threshold 146 (Thresh 1). The threshold may be predetermined or dynamically established, for example. The link bonding client 140 c may also determine whether the quality attribute of Wi-Fi is less than that of LTE (Connection 2). The link bonding client 140 c may apply these determinations in the alternative or in any combination.
- If the quality attribute of Wi-Fi has fallen below Thresh 1 and/or below that of LTE, then operation proceeds to 340, whereupon the link bonding client 140 c proceeds to process data arriving via LTE, discarding any data arriving via Wi-Fi. The link bonding client 140 c may communicate this change in an attribute sent to the link bonding service 140 s, which may also process arriving data via the LTE path, discarding data arriving via Wi-Fi. Operation then returns to 320, whereupon production of quality attributes and determinations are repeated.
- At 330, if the quality attribute for Wi-Fi has not fallen below Thresh 1 and/or below that of LTE, then operation proceeds instead to 350, whereupon the link bonding client 140 c determines whether the quality attribute of the Wi-Fi path (Connection 1) exceeds a second threshold (Thresh 2, which is preferably slightly higher than Thresh 1) and/or exceeds the quality attribute of LTE. If not, operation returns to 320; otherwise, operation proceeds to 360, whereupon the link bonding client 140 c proceeds to process data arriving via Wi-Fi, discarding any data arriving via LTE. As before, the link bonding client 140 c may communicate this change to the link bonding server 140 s, which may also process data arriving via the Wi-Fi path, discarding data arriving via LTE. Operation then returns to 320, where the above-described acts are repeated. Thresh 2 may be predetermined or dynamically established, for example.
- Operation may proceed in this fashion indefinitely, as long as the application program 132 continues to run. A rationale for making Thresh 2 slightly higher than Thresh 1 is to prevent operation from chattering between sources when quality attributes are close to Thresh 1. If this is not a concern, then Thresh 2 may simply be set to Thresh 1 (i.e., the same threshold may be used for both). One should appreciate that Thresh 1 and Thresh 2 may be established in any suitable way. For example, Thresh 1 and Thresh 2 may be established dynamically based on user activity and/or the nature of the application 132. For instance, the thresholds may be set to lower values if the application 132 exchanges relatively little data, such that a lower level of network performance does not impair user experience. Conversely, the thresholds may be set to higher values if more bandwidth-intensive applications are being run.
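The loop of acts 320 through 360, with the two thresholds forming a hysteresis band, as an added Python example that is not code from the patent. The quality-attribute weights, the measurement series and the reading of "and/or" as a logical OR (enabled by `compare_to_lte`) are assumptions made for the demo.

```python
"""Hysteresis path selection for method 300, acts 320-360 (added example, not from the patent)."""
from typing import List, Sequence, Tuple

WIFI = "wifi"   # Connection 1
LTE = "lte"     # Connection 2


def quality_attribute(speed_mbps: float, rtt_ms: float, cost_per_mb: float,
                      w_speed: float = 1.0, w_rtt: float = 0.01, w_cost: float = 10.0) -> float:
    """Weighted-sum QA for act 320: speed counts for a path, latency and cost against it.
    The weights are constructed for this example, not values taken from the page."""
    return w_speed * speed_mbps - w_rtt * rtt_ms - w_cost * cost_per_mb


def select_path(current: str, qa_wifi: float, qa_lte: float,
                thresh1: float, thresh2: float, compare_to_lte: bool = False) -> str:
    """One pass through acts 330-360; returns the selected path for the next interval.

    compare_to_lte=True additionally applies the 'below/above that of LTE' test,
    OR-ed with the threshold test (one reading of the page's 'and/or').
    """
    if thresh2 < thresh1:
        raise ValueError("Thresh 2 must be at least Thresh 1")
    # Act 330: has Wi-Fi fallen below Thresh 1 (and/or below LTE)?
    if qa_wifi < thresh1 or (compare_to_lte and qa_wifi < qa_lte):
        return LTE                                  # act 340: process LTE, discard Wi-Fi
    # Act 350: does Wi-Fi exceed Thresh 2 (and/or exceed LTE)?
    if qa_wifi > thresh2 or (compare_to_lte and qa_wifi > qa_lte):
        return WIFI                                 # act 360: process Wi-Fi, discard LTE
    return current  # inside the band [Thresh 1, Thresh 2]: keep the current source


def run_method_300(samples: Sequence[Tuple[float, float]], thresh1: float, thresh2: float,
                   initial: str = WIFI, compare_to_lte: bool = False) -> Tuple[str, int, List[str]]:
    """Feed successive (qa_wifi, qa_lte) measurements from act 320 through the loop.
    Returns (final selected path, number of source switches, per-interval history)."""
    current = initial
    switches = 0
    history: List[str] = []
    for qa_wifi, qa_lte in samples:
        nxt = select_path(current, qa_wifi, qa_lte, thresh1, thresh2, compare_to_lte)
        if nxt != current:
            switches += 1
        current = nxt
        history.append(current)
    return current, switches, history


# Constructed measurements: Wi-Fi QA hovering around 2.0 while LTE holds at 1.5,
# then Wi-Fi recovering clearly.
SAMPLES = [(2.1, 1.5), (1.9, 1.5), (2.1, 1.5), (1.9, 1.5), (2.1, 1.5), (1.9, 1.5), (2.6, 1.5)]

if __name__ == "__main__":
    # Thresh 2 == Thresh 1: the source chatters on every sample around the threshold.
    print("single threshold:", run_method_300(SAMPLES, thresh1=2.0, thresh2=2.0)[:2])
    # Thresh 2 slightly above Thresh 1: one switch to LTE, one back once Wi-Fi clearly recovers.
    print("hysteresis band: ", run_method_300(SAMPLES, thresh1=2.0, thresh2=2.5)[:2])
```

Note that with `compare_to_lte=True` the OR-combination lets the LTE comparison decide inside the band, so the chatter returns whenever the LTE quality attribute sits below the band; a practitioner who wants both tests would apply the LTE comparison with its own margin.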
- FIGS. 4a-4d show various screenshots 118 a-118 d, which represent portions of the GUI 118 as rendered by the client component 132 s of the application program 132, and as viewed on the display 116 of the client device 110. One may recognize the layout of the depicted GUIs as that of a common smartphone app; however, the GUIs 118 a-118 d are not limited to smartphone applications. For instance, screenshots 118 a-118 d may be displayed on a laptop computer or on any other computing device. The laptop may have a Wi-Fi connection and may be tethered, via Bluetooth, to a smart phone that has an LTE connection (tethering is an ability of many smart phones to share data via a PAN—Personal Area Network).
- As shown in FIG. 4a, the GUI 118 a displays icons 410 for currently active connection paths 180. Icons 410 for Wi-Fi and Bluetooth PAN are specifically shown, indicating that the client device 110 is connected to the Internet via both Wi-Fi and LTE (LTE connection is achieved via the Bluetooth-tethered smart phone). The GUI 118 displays a speed indicator 420, which shows network speed (in megabits per second) for both paths (0.6 Mbps for Wi-Fi and 0.1 Mbps for LTE), e.g., as measured by the sensor 144 in the link bonding client 140 c.
- FIGS. 4b-4d show additional information, including, in FIG. 4b, statistics 430 for packets recovered (5.9 MB, the number of packets recovered by switching paths) and connections saved (2; the number of times a lost connection was avoided by switching paths). FIG. 4c shows a usage breakdown 440 (how much data from each path has been used), and FIG. 4d shows connection quality 450, in terms of both latency and loss. In some embodiments, FIGS. 4a-4d represent portions of a larger GUI 118.
- FIG. 5 shows an example of such embodiments, in which an overall GUI 118 includes the above-described GUI portions 118 a-118 d. For example, user 102 may invoke the GUI portions 118 a-118 d by clicking an arrow 510 on the overall GUI 118. The overall GUI 118 provides a user interface for the application program 132, which in this example is a workspace framework application. The workspace framework application runs as a SaaS application, e.g., in a web browser or other container, and enables the user 102 to select and run any of its registered sub-applications. The registered sub-applications all run within the context of the application program 132, such that they all communicate via the micro-VPN client 134 c and the link bonding client 140 c. The depicted arrangement thus uniquely supports operation of a SaaS application over a micro-VPN using multiple paths 180, which are seamlessly switched to maintain a quality connection, even in the presence of dead spots.
- FIGS. 6-8 show example methods environment 100. The method 600 can be performed, for example, by the software constructs described in connection with FIG. 1, which reside in the memory 130 c of the client device 110 and are run by the set of processors 114 c. The method 700 may be performed, for example, by the software constructs that reside in the memory 130 s of the server 120 and are run by the set of processors 114 s. The method 800 may be performed by the software constructs that reside in both the client device 110 and the server 120. The various acts of methods
- In FIG. 6, the method 600 may be performed by the client device 110. At act 610, the client device 110 monitors a plurality of network paths 180 used by an encrypted channel 134 configured to convey information between the client device 110 and a server 120 for a single application 132.
- At 620, the client device 110 receives data 162 of the single application 132 from the server 120 via each of the plurality of network paths 180. The data 162 received from each of the plurality of network paths is the same data.
- At 630, the client device 110 selects a first network path 144 a of the plurality of network paths 180 as a source of the data 162 for a client component 132 c on the client device 110. For example, the selector 142 in the link bonding client 140 c passes packets arriving over the selected path 144 a and discards packets arriving over other paths.
- At 640, the client device 110 adjusts the source of data for the client component 132 c from the first network path to a second network path of the plurality of network paths 180 based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in reception of data caused by a reduction of network continuity of the first network path.
- Turning now to FIG. 7, the method 700 may be performed by the server 120. At 710, the server 120 receives application data from the client device 110 over an encrypted channel 134 provided between the server 120 and the client device 110 for a single application 132. The application data 162 is received via a plurality of network paths 180 in parallel, with the plurality of network paths all conveying the same application data.
- At 720, the server assigns a first network path of the plurality of network paths 180 as a source of the application data 162 for a server component 132 s running on the server 120.
- At 730, the server 120 adjusts the source of the application data 162 for the server component 132 s from the first network path to a second network path of the plurality of network paths. The adjusting is based at least in part on an indicator received from the client device 110 and acts to prevent delay in reception of data caused by a reduction of network continuity of the first network path.
- Turning now to FIG. 8, the method 800 may be performed by both the client device 110 and the server 120. At 810, an encrypted channel 134 is established between the client device 110 and the server 120. The encrypted channel 134 is configured to convey encrypted communications for a single application 132. The encrypted channel 134 may be established under direction of the client device 110, the server 120, or based on coordination between the client device 110 and the server 120.
- At 820, a plurality of network paths 180 used by the encrypted channel 134 between the client device 110 and the server 120 are monitored. For example, the client 110, the server 120, and/or some separate computer or facility measures network speed, bandwidth, and/or other factors pertaining to each of the plurality of network paths 180.
- At 830, the server 120 transmits a set of application data 162 of the single application 132 to the client device 110 over the encrypted channel 134 via each of the plurality of network paths 180. Each of the plurality of network paths 180 conveys the same set of application data 162. When the client device 110 is the one sending the data, the client device 110 transmits a set of application data 162 of the single application 132 to the server 120 over the encrypted channel 134 via each of the plurality of network paths 180, with each of the plurality of network paths 180 conveying the same set of application data 162.
- At 840, the client device 110 selects a first network path of the plurality of network paths 180 as a source of application data 162 for the client component 132 c running on the client device 110. When the server 120 is the one receiving the data, the server 120 selects a first network path of the plurality of network paths 180 as a source of application data 162 for the server component 132 s running on the server 120.
- At 840, the client device 110 adjusts the source of data from the first network path to a second network path of the plurality of network paths based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in communicating data between the client device and the server caused by a reduction of network continuity of the first path. When the server 120 is receiving the data, the server 120 adjusts the source of data from the first network path to a second network path of the plurality of network paths based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in communicating data between the server and the client device caused by a reduction of network continuity of the first path.
- Referring now to FIG. 9, a non-limiting network environment 901 in which various aspects of the disclosure may be implemented includes one or more client machines 902A-902N, one or more remote machines 906A-906N, one or more networks 904, 904′, and one or more appliances 908 installed within the computing environment 901. The client machines 902A-902N communicate with the remote machines 906A-906N via the networks 904, 904′.
- In some embodiments, the client machines 902A-902N (which may be similar to client device 110) communicate with the remote machines 906A-906N (which may be similar to server 120) via an intermediary appliance 908. The illustrated appliance 908 is positioned between the networks 904, 904′ and may also be referred to as a network interface or gateway. In some embodiments, the appliance 908 may operate as an application delivery controller (ADC) to provide clients with access to business applications and other data deployed in a datacenter, the cloud, or delivered as Software as a Service (SaaS) across a range of client devices, and/or provide other functionality such as load balancing, etc. In some embodiments, multiple appliances 908 may be used, and the appliance(s) 908 may be deployed as part of the network 904 and/or 904′.
- The client machines 902A-902N may be generally referred to as client machines 902, local machines 902, clients 902, client nodes 902, client computers 902, client devices 902, computing devices 902, endpoints 902, or endpoint nodes 902. The remote machines 906A-906N may be generally referred to as servers 906 or a server farm 906. In some embodiments, a client device 902 may have the capacity to function as both a client node seeking access to resources provided by a server 906 and as a server 906 providing access to hosted resources for other client devices 902A-902N. The networks 904, 904′ may be generally referred to as a network 904. The networks 904 may be configured in any combination of wired and wireless networks.
- A server 906 may be any server type such as, for example: a file server; an application server; a web server; a proxy server; an appliance; a network appliance; a gateway; an application gateway; a gateway server; a virtualization server; a deployment server; a Secure Sockets Layer Virtual Private Network (SSL VPN) server; a firewall; a web server; a server executing an active directory; a cloud server; or a server executing an application acceleration program that provides firewall functionality, application functionality, or load balancing functionality.
- A server 906 may execute, operate or otherwise provide an application that may be any one of the following: software; a program; executable instructions; a virtual machine; a hypervisor; a web browser; a web-based client; a client-server application; a thin-client computing client; an ActiveX control; a Java applet; software related to voice over internet protocol (VoIP) communications like a soft IP telephone; an application for streaming video and/or audio; an application for facilitating real-time-data communications; an HTTP client; an FTP client; an Oscar client; a Telnet client; or any other set of executable instructions.
- In some embodiments, a server 906 may execute a remote presentation services program or other program that uses a thin-client or a remote-display protocol to capture display output generated by an application executing on a server 906 and transmit the application display output to a client device 902.
- In yet other embodiments, a server 906 may execute a virtual machine providing, to a user of a client device 902, access to a computing environment. The client device 902 may be a virtual machine. The virtual machine may be managed by, for example, a hypervisor, a virtual machine manager (VMM), or any other hardware virtualization technique within the server 906.
- In some embodiments, the network 904 may be: a local-area network (LAN); a metropolitan area network (MAN); a wide area network (WAN); a primary public network 904; and a primary private network 904. Additional embodiments may include a network 904 of mobile telephone networks that use various protocols to communicate among mobile devices. For short range communications within a wireless local-area network (WLAN), the protocols may include 802.11, Bluetooth, and Near Field Communication (NFC).
FIG. 10 depicts a block diagram of acomputing device 900 useful for practicing an embodiment ofclient devices 902,appliances 908 and/orservers 906. Thecomputing device 900 includes one ormore processors 903, volatile memory 922 (e.g., random access memory (RAM)),non-volatile memory 928, user interface (UI) 923, one ormore communications interfaces 918, and acommunications bus 950. - The
non-volatile memory 928 may include: one or more hard disk drives (HDDs) or other magnetic or optical storage media; one or more solid state drives (SSDs), such as a flash drive or other solid-state storage media; one or more hybrid magnetic and solid-state drives; and/or one or more virtual storage volumes, such as a cloud storage, or a combination of such physical storage volumes and virtual storage volumes or arrays thereof. - The
user interface 923 may include a graphical user interface (GUI) 924 (e.g., a touchscreen, a display, etc.) and one or more input/output (I/O) devices 926 (e.g., a mouse, a keyboard, a microphone, one or more speakers, one or more cameras, one or more biometric scanners, one or more environmental sensors, and one or more accelerometers, etc.). - The
non-volatile memory 928 stores anoperating system 915, one ormore applications 916, anddata 917 such that, for example, computer instructions of theoperating system 915 and/or theapplications 916 are executed by processor(s) 903 out of thevolatile memory 922. In some embodiments, thevolatile memory 922 may include one or more types of RAM and/or a cache memory that may offer a faster response time than a main memory. Data may be entered using an input device of theGUI 924 or received from the I/O device(s) 926. Various elements of thecomputer 900 may communicate via thecommunications bus 950. - The illustrated
computing device 900 is shown merely as an example client device or server, and may be implemented by any computing or processing environment with any type of machine or set of machines that may have suitable hardware and/or software capable of operating as described herein. - The processor(s) 903 may be implemented by one or more programmable processors to execute one or more executable instructions, such as a computer program, to perform the functions of the system. As used herein, the term “processor” describes circuitry that performs a function, an operation, or a sequence of operations. The function, operation, or sequence of operations may be hard coded into the circuitry or soft coded by way of instructions held in a memory device and executed by the circuitry. A processor may perform the function, operation, or sequence of operations using digital values and/or using analog signals.
- In some embodiments, the processor can be embodied in one or more application specific integrated circuits (ASICs), microprocessors, digital signal processors (DSPs), graphics processing units (GPUs), microcontrollers, field programmable gate arrays (FPGAs), programmable logic arrays (PLAs), multi-core processors, or general-purpose computers with associated memory.
- The processor 903 may be analog, digital or mixed-signal. In some embodiments, the processor 903 may be one or more physical processors, or one or more virtual (e.g., remotely located or cloud) processors. A processor including multiple processor cores and/or multiple processors may provide functionality for parallel, simultaneous execution of instructions or for parallel, simultaneous execution of one instruction on more than one piece of data.
- The communications interfaces 918 may include one or more interfaces to enable the computing device 900 to access a computer network such as a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or the Internet through a variety of wired and/or wireless connections, including cellular connections.
- In described embodiments, the computing device 900 may execute an application on behalf of a user of a client device. For example, the computing device 900 may execute one or more virtual machines managed by a hypervisor. Each virtual machine may provide an execution session within which applications execute on behalf of a user or a client device, such as a hosted desktop session. The computing device 900 may also execute a terminal services session to provide a hosted desktop environment. The computing device 900 may provide access to a remote computing environment including one or more applications, one or more desktop applications, and one or more desktop sessions in which one or more applications may execute.
- A technique has been described for managing communication over a
network 170. The technique maintains multiple network paths 180 simultaneously, exchanging the same data 162 redundantly through all network paths 180 and allowing a receiver (e.g., selector 142) to select one of the network paths 180 as its source of data. In the event that a first, currently-selected network path, such as Wi-Fi, becomes weak, the receiver 142 automatically and seamlessly switches its source of data to a second network path, such as LTE, while the first network path remains operational. Given that the second (LTE) network path is already on and is already conveying data, the transition is nearly instantaneous. User experience is greatly improved, as even highly interactive applications running in environments with inconsistent networks can remain fully functional with generally no downtime. Reliability and user experience are thereby enhanced.
- The following paragraphs describe example implementations of methods, systems, and computer-readable media in accordance with the present disclosure.
- According to some examples, a method includes monitoring, by a client device, a plurality of network paths that convey data between the client device and a server, the data being associated with a single application on the server. The method further includes receiving, by the client device, the data from the server via each of the plurality of network paths, the data received from each of the plurality of network paths being the same. The method still further includes selecting, by the client device, a first network path of the plurality of network paths from which to receive data to enable delivery of the single application on the server to the client device, and adjusting, by the client device, the selected network path from the first network path to a second network path of the plurality of network paths based at least in part on the monitoring of the plurality of network paths, so as to prevent delay in receipt of data from the server caused by a reduction of network continuity of the first network path.
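The receiver-side behaviour summarized above (monitor every path, take the same sequence-numbered data over all of them, deliver from one selected path, switch when it weakens) is shown below as an added example. It is not code from the patent; the Packet, PathStats and Selector names, the "wifi"/"lte" path labels, the loss and delay thresholds, and the use of a sender-assigned sequence number for de-duplication are all assumptions made for this example.

```python
# Added example (not code from the patent): a receiver-side selector in the
# spirit of selector 142. The sender transmits the same sequence-numbered
# data over every path; the receiver tracks each path's health, delivers from
# the selected path only, de-duplicates by sequence number, and switches when
# the selected path goes weak. Packet, PathStats, Selector, the path labels
# "wifi"/"lte" and the thresholds below are assumptions made for this example.
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    path: str        # which network path delivered this copy ("wifi" or "lte")
    seq: int         # sequence number assigned by the sender; identical on every path
    rtt_ms: float    # delay measured for this delivery
    payload: bytes


@dataclass
class PathStats:
    """Per-path health as seen by the receiver."""
    rtts: deque = field(default_factory=lambda: deque(maxlen=10))
    highest_seq: int = -1
    received: int = 0
    recent: Dict[int, bytes] = field(default_factory=dict)   # last copies seen on this path

    def observe(self, pkt: Packet) -> None:
        self.rtts.append(pkt.rtt_ms)
        self.received += 1
        self.highest_seq = max(self.highest_seq, pkt.seq)
        self.recent[pkt.seq] = pkt.payload
        if len(self.recent) > 32:                # bound memory held per path
            del self.recent[min(self.recent)]

    def loss(self) -> float:
        """Fraction of sequence numbers up to the highest seen that this path never delivered."""
        expected = self.highest_seq + 1
        return 0.0 if expected == 0 else 1.0 - self.received / expected

    def avg_rtt(self) -> float:
        return sum(self.rtts) / len(self.rtts) if self.rtts else 0.0


class Selector:
    def __init__(self, paths: List[str], max_loss: float = 0.2, max_rtt_ms: float = 200.0):
        self.stats = {p: PathStats() for p in paths}
        self.selected = paths[0]
        self.max_loss, self.max_rtt_ms = max_loss, max_rtt_ms
        self.delivered: set = set()                     # seqs already handed to the application
        self.switches: List[Tuple[str, str, int]] = []  # (from, to, seq at which we switched)

    def weak(self, path: str) -> bool:
        s = self.stats[path]
        if s.received == 0:          # a path that has delivered nothing is not a usable source
            return True
        return s.loss() > self.max_loss or s.avg_rtt() > self.max_rtt_ms

    def receive(self, pkt: Packet) -> List[bytes]:
        """Feed one delivered copy; return payloads to hand to the application, in seq order."""
        self.stats[pkt.path].observe(pkt)
        out: List[bytes] = []
        if self.weak(self.selected):
            for cand in self.stats:
                if cand != self.selected and not self.weak(cand):
                    self.switches.append((self.selected, cand, pkt.seq))
                    self.selected = cand
                    # The new path was already carrying the stream, so anything it
                    # delivered that the old path dropped can be handed over at once.
                    for seq in sorted(self.stats[cand].recent):
                        if seq not in self.delivered:
                            self.delivered.add(seq)
                            out.append(self.stats[cand].recent[seq])
                    break
        if pkt.path == self.selected and pkt.seq not in self.delivered:
            self.delivered.add(pkt.seq)
            out.append(pkt.payload)
        return out
```

The point of the `recent` buffer is the "nearly instantaneous" transition: because the second path was already conveying the same data, the copies it delivered while the first path was dropping them are handed to the application at the moment of the switch rather than re-requested. A path that has never delivered anything is treated as weak so the selector cannot switch onto a path whose health is simply unknown.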
- A technique for performing authentication by a first device increases authentication strength and/or convenience based at least in part on security data received from a second device that shares its network connection with the first device. The technique described in this section may be provided in the environment of Section I, e.g., in an arrangement in which a device maintains multiple, simultaneous network connections and seamlessly switches between or among them. The Section-I arrangement is not required, however, as the technique presented in this section may be used independently of the one presented in Section I.
- FIG. 11 shows an example system 1100 in which embodiments of the disclosed technique can be practiced. Here, a first (client) device 110, a second (coupling) device 1110, and a server 120 operatively connect to a network 170. The first device 110, server 120, and network 170 may be similar to those described in connection with FIG. 1, though this is not required. Also, the first device 110 and the second device 1110 may be owned and operated by the same person or entity, although this is also not required.
- The first device 110 connects to the network 170 via a first network path 180-1, and the second device 1110 connects to the network 170 via a second network path 180-2. For example, the first network path 180-1 may be Wi-Fi (IEEE 802.11X) and the second network path 180-2 may be cellular data, such as LTE (Long Term Evolution), GSM (Global System for Mobile), CDMA (Code Division Multiple Access), or WiMAX. The second network path 180-2 may also be 5G or some other developing or future cellular scheme. The first device 110 may be a laptop, tablet, or other computer, and the second device 1110 may be a smartphone, tablet, dongle, personal reader, or other device having a cellular data interface. Although devices network 170, one should appreciate that each device may have multiple paths to the network 170. For example, the first device 110 may have an Ethernet and/or cellular interface in addition to Wi-Fi, and the second device 1110 may have an Ethernet and/or Wi-Fi interface in addition to cellular. The network 170 may be provided as a local area network (LAN), a wide area network (WAN), an intranet, the Internet, and/or some other type of network or combination of networks. In a particular example, the network 170 includes the Internet, and the server 120 is a provider of cloud-based and/or virtual services, such as SaaS (Software as a Service) applications and/or file storage. In an example, the first device 110 and the second device 1110 are both registered with the server 120. For example, the devices have a code or other data element that uniquely identifies the respective devices to the server 120.
- In the manner shown, the first device 110 is configured to access the second network path 180-2 via the second device 1110, for example by tethering or otherwise communicatively coupling the devices. “Tethering” describes the sharing of a mobile device's network connection with other computers. By communicatively coupling to the second device 1110, the first device 110 is able to maintain multiple, simultaneous connection paths to the network 170, and thus to the server 120. If connection path 180-1 becomes weak, the client device 110 may seamlessly and transparently switch to connection path 180-2, or vice versa, with little or no disruption. Coupling of the first device 110 to the second device 1110 may be achieved over a connection medium 1112, such as Bluetooth, Wi-Fi, USB (Universal Serial Bus), or some other protocol or type of cable.
- In example operation, the
user 102 configures the second device 1110 to share (e.g., tether) its network path 180-2 with the first device 110. For example, if the second device 1110 runs Apple iOS, the user 102 may go into Settings on the second device 1110, select Cellular settings, and operate the controls to set up a Personal Hotspot. The second device 1110 may then give the user a choice to connect to the first device 110 using Wi-Fi, Bluetooth, or USB. Similar procedures are available on devices running Android OS, Chrome OS, Windows Phone, and other mobile operating systems.
- With the second device 1110 configured to share the second network path 180-2, the first device 110 discovers and connects to the second network path 180-2, such that the first device 110 can access the network 170 via both the first network path 180-1 and the second network path 180-2.
- In some examples, upon discovering the second network path 180-2, the first device 110 initiates a handshaking protocol with the second device 1110 to obtain security data 1114 from a security agent 1118 on the second device 1110. The security data 1114 may take various forms, such as a security token, information that identifies the second device 1110, or any other form. During initial handshaking, for example, the first device 110 obtains the security data 1114 and keeps it available for future use. Although handshaking is advantageously performed upon discovering the second network path 180-2, this is merely an example, as handshaking may be performed at any time, including in response to an express request by the user 102.
- At some point, the
user 102 may wish to operate the first device 110 to access a secured resource 1140 on the server 120, such as a secured SaaS application, a secured file, or some other resource on the server 120 that requires authentication. The secured resource 1140 may be accessible solely by the user 102, or it may be accessible to multiple authenticated users, e.g., based on respective authorization settings. To access the resource, the user 102 may start a browser or client-side application on the first device 110. The browser or client-side application displays an authentication page, which requests authentication factors from the user 102, such as a password, token, biometric input, and/or the like. The user fills out the authentication page and submits the page to the server 120.
- In accordance with particular improvements hereof, the security data 1114, which was received from the second device 1110, provides a basis for improving authentication strength and/or convenience when accessing the secured resource 1140. For example, the security data 1114 may include identifying information about the second device 1110, such as a registration code of the second device 1110 (e.g., one previously obtained from the server 120 by the security agent 1118). Based on the received security data, an authentication agent 1116 running on the first device 110 generates an indicator 1114 a and provides the indicator 1114 a as part of an authentication request 1150, which may be submitted to the server 120, e.g., along with one or more other authentication factors 1117, such as a password, biometric input, etc. The indicator 1114 a may be the same as the security data 1114 or otherwise may be based on the security data 1114. In some examples, the indicator 1114 a is hidden, such that the user 102 never sees or handles the indicator 1114 a. Rather, the indicator 1114 a may be included with the authentication request 1150 automatically, e.g., as a hidden authentication factor.
- When the first device 110 submits the authentication request 1150 to the server 120, an authentication server 1130 receives the request 1150 and attempts to validate the received information. For example, the authentication server 1130 performs an authentication operation that compares provided authentication factors authentication result 1160. The result 1160 is successful if the actual and expected values match and unsuccessful if the values do not match. As part of the authentication operation, the authentication server 1130 compares the indicator 1114 a to an expected value thereof and bases the authentication result 1160 at least in part on whether the indicator 1114 a matches its expected value. If authentication succeeds, the authentication server 1130 may allow the first device 110 to access the secured resource 1140. Otherwise, the authentication server 1130 may deny such access or challenge the user 102 to supply additional authentication factors.
- Although the authentication server 1130 is considered to be part of the server 120, there is no need for the authentication server 1130 to be located on the same physical computer. Rather, as in Section I, the server 120 may be implemented using any number of physical computers and/or virtual machines, which are collectively referred to herein as “the server.”
- In some examples, the security agent 1118 generates the security data 1114 or a portion thereof as a token code and the token code provides an additional authentication factor for the authentication request 1150. For example, the security agent 1118 on the second device 1110 may be synchronized with a third-party token provider 1120 a, such as Symantec VIP. The security agent 1118 and token provider 1120 a may each generate token codes from a common seed, such that both are able to generate the same token codes at the same times. The authentication server 1130 may validate a token code received in an authentication request 1150 by obtaining a current code from the third-party token provider 1120 a and comparing the received code with the current code. In some examples, the authentication server 1130 itself runs a local token provider 1120 b, which performs a similar role as the third-party token provider 1120 a but runs locally on the server 120.
- In the manner described, the first device 110 leverages the second device 1110 to which the first device 110 is coupled to assist with authentication to the secured resource 1140. Thus, not only does the second device 1110 share its network path 180-2 for enhancing reliability, but also it supplies security data 1114 for enhancing authentication.
-
FIG. 12 shows an example arrangement 1200 in which the presence of the second device 1110 communicatively coupled to the first device 110 serves as an authentication factor for authentication requests 1150. The illustrated activities may involve the first device 110, second device 1110, authentication server 1130, and secured resource 1140.
- At 1210, the first device 110 discovers the second network path 180-2 upon becoming communicatively coupled to the second device 1110. For example, the user 102 configures the second device 1110 as a personal hotspot and establishes a connection between the first device 110 and the second device 1110, e.g., via Wi-Fi, Bluetooth, or USB. The first device 110 discovers the second network path 180-2 and establishes a connection to the network 170 through the second path.
- At 1220, the first device 110 receives security data 1114 from the second device 1110. In this example, the security data 1114 may include an identifier of the second device 1110, e.g., a registration code or other shared secret created or allocated to uniquely identify the second device 1110 from among other devices. For example, the server 120 may have previously created the registration code specifically for the second device 1110 as part of a registration process for registering the second device 1110 to the server 120. The registration code identifies the second device 1110 as a known device, to which the server 120 may accord some level of trust.
- At 1230, the first device 110 generates an indicator 1114 a from the security data 1114. The indicator 1114 a may be identical to the security data 1114 or may be otherwise based on the security data 1114. For example, the indicator 1114 a may be provided as an encrypted version of the registration code or as a result of running an algorithm on the registration code. In some examples, the indicator 1114 a includes additional information, such as a code that specifies that the first device 110 is currently tethered or otherwise communicatively coupled to the second device 1110.
- At 1240, the first device 110 sends an authentication request 1150 to the authentication server 1130. The authentication request 1150 includes the indicator 1114 a, which may be provided as a hidden authentication factor. In some examples, the authentication request 1150 also includes one or more additional authentication factors 1117, such as a password, a thumbprint, or the like. The first device 110 may add these additional authentication factors 1117 to the authentication request 1150.
- At 1250, the authentication server 1130 receives the authentication request 1150 and performs an authentication operation 1252. In an example, the authentication operation 1252 verifies the received authentication factors (or some subset thereof) and produces a successful result or an unsuccessful result. In response to generating a successful result, the authentication operation 1252 may generate a passcode 1254, which acts as a key for unlocking the secured resource 1140. One should appreciate that the authentication request 1150 typically specifies multiple authentication factors (e.g., 1114 a and 1117), of which only a subset 1114 a are normally provided by the second device 1110. Thus, a malicious user would normally be unable to successfully authenticate by stealing an authorized user's phone (or other device) and trying to log on, as the malicious user would be unable to enter the other factors 1117 that are required for authentication to succeed.
- At 1260, the authentication server 1130 returns the passcode 1254 to the first device 110, e.g., as part of an authentication response 1160.
- At 1270, the first device 110 uses the passcode 1254 to access the secured resource 1140, e.g., to run a secured SaaS application or to access a secured file.
- The arrangement 1200 thus leverages the previously-established knowledge of the second device 1110 to improve authentication strength and/or convenience of authentication requests 1150 made by the first device 110. In some situations, the indicator 1114 a may be one of multiple silent authentication factors or may be used alone to produce successful authentication, such that the user 102 need not manually enter any authentication factors. In such cases, the user 102 may access the secured resource 1140 merely by requesting such access, without having to do anything extra for purposes of authentication.
-
FIG. 13 shows an example arrangement 1300 in which the second device 1110 provides a security token automatically to the first device 110 for providing an additional authentication factor. As in FIG. 12, the illustrated arrangement may involve the first device 110, second device 1110, authentication server 1130, and secured resource 1140.
- The flow in FIG. 13 may start at 1210, the same way as in FIG. 12, with the first device 110 discovering the second network path 180-2 upon being communicatively coupled to the second device 1110.
- Operation differs from that of FIG. 12 at 1310, however, in that the first device 110 requests security data 1114 from the second device 1110. The request may be issued at the direction of the user 102 or automatically. At 1320, in response to the request at 1310, the second device 1110 generates a new security token 1322, e.g., by operation of the security agent 1118. The new security token 1322 may be a one-time password or other type of token, which is known to a token provider second device 1110 returns the new token 1322 to the first device 110.
- The ensuing activities may be similar to those shown in FIG. 12, with like reference numerals indicating similar acts. Here, however, the authentication operation 1252 may additionally involve contacting the token provider security token 1322.
- The arrangement of FIG. 13 thus allows a token code 1322 to be conveyed automatically to the first device 110, without requiring the user 102 to manually transfer the token code 1322 from the second device 1110 to the first device 110. The token code 1322 can thus provide an additional authentication factor without requiring additional manual activity on the part of the user 102. As in FIG. 12, the entire authentication process can be made transparent to the user 102, as it may be performed automatically without user involvement.
- Although the activities of FIGS. 12 and 13 are shown as alternatives, they may also be used together. For example, act 1220 of receiving the security data 1114 may return both a token code 1322, as in FIG. 13, and a registration code of the second device 1110 or other shared secret, as in FIG. 12. Both elements may then be included in the indicator 1114 a, which may be sent to the server 120 as part of the authentication request 1150. The disclosed arrangement thus seamlessly provides two authentication factors automatically, e.g., one for the known second device 1110 and another for the token code 1322.
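The combined FIG. 12 and FIG. 13 exchange (registration code and token code from the second device, hidden indicator from the first device, validation and passcode from the authentication server) is shown below end to end as an added example. This is not code from the patent. The class names, the server-issued challenge nonce, deriving the indicator as an HMAC over that nonce rather than sending the registration code itself, the TOTP-style token construction, and PBKDF2 for the password factor 1117 are all assumptions made for this example; the patent only says the indicator may be "an encrypted version of the registration code or a result of running an algorithm on" it.

```python
# Added example (not code from the patent): the FIG. 12/13 exchange end to end.
# The second device's security agent supplies a registration code (shared secret
# from registration) and a token code derived from a seed it shares with the
# server's local token provider; the first device folds both into a hidden
# indicator sent alongside the password; the authentication server validates
# every factor and returns a passcode. The class names, the challenge nonce,
# the HMAC construction of the indicator and the TOTP-style token are assumptions
# made for this example; the patent does not prescribe them.
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple

TOKEN_STEP = 30        # seconds per token code (assumption; RFC 6238-style)
PBKDF2_ROUNDS = 100_000


def token_code(seed: bytes, now: int, digits: int = 6) -> str:
    """TOTP-style code from a seed common to security agent and token provider."""
    counter = struct.pack(">Q", now // TOKEN_STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecurityAgent:
    """Security agent 1118 on the second device 1110."""

    def __init__(self, registration_code: str, token_seed: bytes):
        self.registration_code = registration_code
        self.token_seed = token_seed

    def security_data(self, now: int) -> Dict[str, str]:
        return {"registration_code": self.registration_code,
                "token_code": token_code(self.token_seed, now)}


def make_indicator(security_data: Dict[str, str], nonce: bytes) -> Dict[str, object]:
    """Authentication agent 1116: indicator 1114a. The registration code never
    leaves the first device; only an HMAC over a server-issued nonce does, so a
    captured indicator cannot be replayed against a fresh challenge."""
    proof = hmac.new(security_data["registration_code"].encode(), nonce, hashlib.sha256).hexdigest()
    return {"proof": proof, "token_code": security_data["token_code"], "tethered": True}


class AuthenticationServer:
    """Authentication server 1130 with a local token provider 1120b."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}          # user -> (salt, pbkdf2 hash)
        self.devices: Dict[str, List[Tuple[str, bytes]]] = {}    # user -> [(reg code, seed)]
        self.nonces: set = set()                                  # outstanding single-use challenges
        self.passcodes: Dict[str, str] = {}                       # passcode 1254 -> user

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def register_device(self, user: str, registration_code: str, token_seed: bytes) -> None:
        self.devices.setdefault(user, []).append((registration_code, token_seed))

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def authenticate(self, user: str, password: str, indicator: Dict[str, object],
                     nonce: bytes, now: int) -> Optional[str]:
        """Authentication operation 1252: returns passcode 1254 on success, else None."""
        if nonce not in self.nonces or user not in self.users:
            return None
        self.nonces.discard(nonce)                     # single use
        salt, expected = self.users[user]
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(actual, expected):  # other factor 1117 must still hold
            return None
        for registration_code, token_seed in self.devices.get(user, []):
            want = hmac.new(registration_code.encode(), nonce, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(want, str(indicator["proof"])):
                continue                               # not this registered device
            for skew in (-TOKEN_STEP, 0, TOKEN_STEP):  # tolerate one step of clock drift
                if hmac.compare_digest(token_code(token_seed, now + skew), str(indicator["token_code"])):
                    passcode = secrets.token_hex(16)
                    self.passcodes[passcode] = user
                    return passcode
        return None

    def access(self, passcode: str) -> bool:
        """Secured resource 1140: unlocked only by a passcode the server issued."""
        return passcode in self.passcodes
```

Two details matter for the "stolen phone" argument the text makes at 1250. The password factor 1117 is checked before any device factor, so possession of the second device alone never yields a passcode; and the indicator is bound to a single-use nonce, so an indicator captured from one authentication request cannot be presented again, even by someone who also knows the password. Constant-time comparisons (`hmac.compare_digest`) are used for every secret so the server does not leak which factor failed through timing.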
- FIGS. 14 and 15 show example methods environment 1100. The methods
- In FIG. 14, operation begins at 1410, whereupon the first device 110 receives security data 1114 from the second device 1110. The second device 1110 has a network path 180-2, such as a cellular data path, shared with the first device 110. The first device 110 may have its own network path 180-1, such as Wi-Fi. The security data 1114 may include identity information about the second device 1110, such as a registration code or other shared secret, and/or may include a token code 1322, such as a one-time password.
- At 1420, the first device 110 sends a request to the server 120 to access a secured resource 1140 using an indicator 1114 a based on the security data 1114. For example, the secured resource 1140 is a secured SaaS application, a secured file, or some other resource. The indicator 1114 a may be identical to the received security data 1114 or it may be based upon such security data 1114. The request may also include additional authentication factors 1117.
- At 1430, the first device 110 accesses the secured resource 1140 in response to successful authentication based at least in part on the indicator 1114 a. For example, successful authentication may result from verification that the second device 1110 is coupled to the first device 110 and is known to (e.g., registered with or otherwise trusted by) the server 120, and/or that a token code 1322 provided in an authentication request 1150 matches an expected token code.
- Turning now to FIG. 15, operation begins at 1510, whereupon the server 120 receives an authentication request 1150 from the first device 110 for accessing the secured resource 1140. The received authentication request 1150 includes an indicator 1114 a based on security data 1114 obtained from the second device 1110, which shares its network connection with the first device 110. The indicator 1114 a may include, for example, an identifier of the second device 1110, such as a registration code or other shared secret, and/or a one-time password generated by the second device 1110.
- At 1520, the server 120, e.g., acting through the authentication server 1130, performs an authentication operation 1252 based at least in part on the received indicator 1114 a. For example, the authentication operation 1252 verifies, based on the registration code, that the second device 1110 is known to the server 120, and/or verifies that the token code 1322 matches an expected value.
- At 1530, the server 120 enables the first device 110 to access the secured resource 1140 in response to the authentication operation 1252 producing a successful result. For example, the server 120 may generate a passcode 1254 that the first device 110 may use as a key for accessing the secured resource 1140.
- A technique has been described for performing authentication. The technique increases authentication strength and/or convenience by receiving
security data 1114 from a second device 1110 that shares its network connection 180-2 with a first device 110. In cases where the first device 110 uses the network connection 180-2 of the second device 1110 to maintain multiple simultaneous network connections 180, the second device 1110 can provide increased authentication strength with little or no additional effort on the part of a user. Indeed, in some examples the second device 1110 can transparently add authentication strength to authentication requests 1150 made by the first device 110 with little or no user involvement.
- Section III: Leveraging Location Information of a Second Device when Requesting Access to a Resource by a First Device
- An improved technique for managing computerized access includes a first device that receives location information from a second device that shares its network connection with the first device. The first device applies the location information received from the second device when requesting access to a resource on the network. Using the improved technique, the first device effectively leverages the presence of the second device and its location information to increase authentication strength and/or to facilitate the administration of access rights.
- The technique described in this section may be provided in the environment of Section I, e.g., in an arrangement in which a device maintains multiple, simultaneous network connections and seamlessly switches between or among them. In addition, the technique described in this section may be provided with the particular features described in Section II, e.g., wherein a first device leverages the presence of a second device when performing authentication. Neither the Section-I arrangement nor the Section-II arrangement is required, however, as the technique presented in this section may be used independently of those presented in the previous sections.
- FIG. 16 shows an example system 1600 in which embodiments of the improved technique can be practiced. Here, a first computing device 110 (client), a second computing device 1110 (coupling), and a server 120 operatively connect to a network 170. The first computing device 110 (or simply, “first device”), server 120, and network 170 may be similar to those described in connection with FIGS. 1 and 11, although this is not required. Also, the first device 110 and the second computing device 1110 (“second device”) may be owned and operated by the same person or entity, although this is also not required. The server apparatus 120 as shown in FIG. 16 is seen to include an authorization/authentication (A/A) server 1630, which is configured to support both authentication and access control (e.g., authorization) to system resources. As before, the server 120 may be implemented using any number of physical computers and/or virtual machines, which are referred to collectively herein as “the server.”
- Features of FIG. 16 having the same reference numerals as those in FIG. 11 may be realized in a similar manner. For example, the first device 110 connects to the network 170 via a first network path 180-1 and the second device 1110 connects to the network 170 via a second network path 180-2. The first network path 180-1 may be Wi-Fi (IEEE 802.11X), and the second network path 180-2 may be cellular data, such as LTE (Long Term Evolution), GSM (Global System for Mobile), CDMA (Code Division Multiple Access), or WiMAX. The second network path 180-2 may also be 5G or some other developing or future cellular scheme. The first device 110 may be a laptop, tablet, or other computer, and the second device 1110 may be a smartphone, tablet, dongle (e.g., LTE dongle), personal reader, or other device having a cellular data interface. Although devices network 170, one should appreciate that each device may have multiple paths to the network 170. The network 170 may be provided as a local area network (LAN), a wide area network (WAN), an intranet, the Internet, and/or some other type of network or combination of networks. In a particular example, the network 170 includes the Internet, and the server 120 is a provider of cloud-based and/or virtual services, such as SaaS (Software as a Service) applications and/or file storage.
- In the manner shown, the first device 110 is configured to access the second network path 180-2 via the second device 1110, for example by tethering or otherwise communicatively coupling the devices. “Tethering” describes the sharing of a mobile device's network connection with other computers. By communicatively coupling to the second device 1110, the first device 110 is able to maintain multiple, simultaneous connection paths to the network 170, and thus to the server 120. If connection path 180-1 becomes weak, for example, the client device 110 may seamlessly and transparently switch to connection path 180-2, or vice versa, with little or no disruption. Coupling of the first device 110 to the second device 1110 may be achieved over a local connection, such as connection medium 1112, which may be provided as Bluetooth, Wi-Fi, USB (Universal Serial Bus), or some other wireless protocol or type of cable.
- As further shown in
FIG. 16, the devices location information 1610, such as first location information 1610 a of the first device 110 and second location information 1610 b of the second device 1110. The location information 1610 may take a variety of forms, such as GPS (Global Positioning System) coordinates, Wi-Fi identifiers, MAC (Media Access Control) addresses, IP (Internet Protocol) addresses, telephone numbers, and the like.
- Although not all of this data is normally regarded as a location source, various technologies have evolved to infer location from such data. For instance, Wi-Fi mapping technology associates Wi-Fi hotspots with respective locations, which may be obtained by correlation with GPS coordinates and/or other location sources. Wi-Fi identifiers may include MAC addresses (BSSIDs), which uniquely identify hotspots, and/or SSIDs (Service Set Identifiers), enabling simple lookups of location based on detected MAC addresses and SSIDs. Location services also track locations based on ISP (Internet Service Provider) data, phone numbers, and/or specially compiled maps. IP addresses provide common sources of location information, as ISPs and associated network components track locations based on network distribution and customer data. A simple on-line search for “what's my IP address?” often reveals one's location to a surprising degree of accuracy. In addition, cellular phone numbers can enable accurate measures of location based on triangulation to cell phone towers. One should thus appreciate that location information may come in a variety of forms, and the instant disclosure is not limited in this regard. Because each of these identifiers is reported by the device rather than attested by the network, a location inferred from them is only as trustworthy as the device that reports them, which is one reason to combine reports from more than one device.
- In example operation, a user 102 configures the second device 1110 to share (e.g., tether) its network path 180-2 with the first device 110, e.g., in a manner similar to that described in Section II. Sharing of network connection 180-2 may be established over local connection 1112, which may be Wi-Fi, Bluetooth, or USB, for example. With the second device 1110 configured to share the second network path 180-2, the first device 110 discovers and connects to the second network path 180-2, such that the first device 110 can access the network 170 via both the first network path 180-1 and the second network path 180-2.
- In some examples, upon discovering the second network path 180-2, the first device 110 initiates a handshaking protocol with the second device 1110 to obtain location information 1610 b of the second device 1110. Initial handshaking is not required, however, as the first device 110 may instead request location information 1610 b on demand and/or as needed, e.g., in response to a specific request or operation that uses the location information 1610 b.
- For example, the user 102 and/or an application (not shown) running on the first device 110 requests access to a resource of the network 170, such as the secured resource 1140. The secured resource 1140 may be a file, a file system, an application, a virtual machine, or any other resource for which access based on requestor location is desired. Access manager 1608 on the first device 110 begins to prepare an access request 1650. As authentication and/or access rights to the resource 1140 may depend at least in part on the location of the requestor, the first device 110 may request (1608 a) location information 1610 b from the second device 1110, which returns (1608 b) the location information 1610 b to the first device 110.
- Upon obtaining the location information 1610 b, a location processor 1620 running on the first device 110 forms a location indicator 1622. The location indicator 1622 may be formed in a variety of ways. In one example, location processor 1620 obtains first location information 1610 a of the first device 110 and combines it with the second location information 1610 b from the second device 1110, thereby forming the location indicator 1622, which is based on both the first location information 1610 a and the second location information 1610 b. Alternatively, the location processor 1620 forms the location indicator 1622 based solely on the second location information 1610 b of the second device 1110, i.e., ignoring the location information 1610 a, which is not required in all embodiments and need not be present. In yet another example, the location processor 1620 forms the location indicator 1622 based on three or more sources of location information 1610, such as the first location information 1610 a, the second location information 1610 b, and third location information 1610 c.
- Without limiting the generality of the foregoing, the
first location information 1610 a may be a Wi-Fi identifier (e.g., a MAC address, or a MAC address plus an SSID) or an IP address. Also, thesecond location information 1610 b may be GPS coordinates, an IP address, a phone number, or the like. Preferably, thefirst location information 1610 a,second location information 1610 b, andthird location information 1610 c (if provided) are selected from distinct sources, so that the information they provide is not redundant. For example, the first location information is Wi-Fi, the second location information is GPS, and the third location information is an IP address or a phone number. These are merely examples. - According to some examples, the
location processor 1620 forms thelocation indicator 1622 by including theavailable location information 1610 separately, i.e., with little or no processing or combining. In other examples, thelocation processor 1620 processes the providedlocation information 1610 to produce combined location information. In cases where multiple sources oflocation information 1610 are available, the combined location information generally provides a more accurate measure of location than could any of the individual sources alone. - With the
location indicator 1622 thusly formed, theaccess manager 1608 issues anaccess request 1650 for accessing theresource 1140. Theaccess request 1650 includes thelocation indicator 1622, which is based on theavailable location information 1610. In some examples, thefirst device 110 sends theaccess request 1650 to theserver 120 over the network path 180-1 (e.g., Wi-Fi). In other examples, thefirst device 110 sends theaccess request 1650 over the network path 180-2 (e.g., LTE), vialocal connection 1112, e.g., if Wi-Fi is unavailable, not working, or otherwise not preferred. - In some examples, the
access request 1650 is part of an authentication request (e.g.,authentication request 1150 ofFIG. 11 ). In such examples, the location of the requestor may be an explicit authentication factor required to authenticate theuser 102 and/or device 110 (e.g., one of the authentication factors 1117). In other examples, theuser 102 and/or thedevice 110 is already authenticated (or authentication is not required), in which case theserver 120 may still use thelocation indicator 1622 for making access control decisions. For instance, theserver 120 may allow access to a resource when the originating location is the user's home but deny access when the originating location is a neighborhood coffee shop. - In some examples, the
server 120 includes alocation manager 1636, which receives and processes thelocation indicator 1622 arriving in theaccess request 1650. According to some examples, thelocation manager 1636 contacts a third-party location service 1632 a, and/or uses alocal location service 1632 b, to transform elements of location information 1610 (e.g., 1610 a, 1610 b, 1610 c) into respective geographical coordinates or other indicators of geographical location. For example,location service 1632 a and/or 1632 b transforms any of a MAC address (or a MAC address plus SSID), IP address, phone number, or the like into a corresponding geographical location. Thelocation manager 1636 may combine the resulting locations in any suitable way to produce arepresentative location 1638 based on the received elements oflocation information 1610. - The process for generating the
representative location 1638 may vary based on the elements oflocation information 1610 themselves. For example, if thelocation information location manager 1636 may simply use the GPS coordinates as therepresentative location 1638, effectively ignoring other location information. If the GPS coordinates are noisy (indicating a weak GPS signal), thelocation manager 1636 may instead use Wi-Fi, IP address, and/or phone number. Thelocation manager 1636 may discard location information that appears to be clearly erroneous, preventing it from contributing to therepresentative location 1638. For example, a location based on IP address might be wholly unreliable for an IP address received from a proxy server. Where multiple elements oflocation information 1610 are available, some may be disregarded if they disagree with others. - In some examples, determining a
representative location 1638 from multiple elements oflocation information 1610 may involve computing a centroid of the elements (which may exclude those elements found to be clearly erroneous). For example, if two plausibly accurate elements oflocation information location manager 1636 may compute a centroid as mean latitude and the mean longitude. For example, -
- where the subscripts “a” and “b” correspond to the
elements location manager 1636 may compute the centroid as follows: -
- Here, Wi is a weight that represents a confidence score of the respective location information. Thus, higher-confidence location information may be given higher weight than lower-confidence location information, with the result tending to bias the centroid toward the more highly-weighted source. The
location manager 1636 may then set therepresentative location 1638 as the centroid coordinates. One should appreciate that centroids may be used primarily in cases where reliable GPS is not available. - Once the
representative location 1638 has been established, thelocation manager 1636 verifies that therepresentative location 1638 is consistent with an authorized location for accessing theresource 1140. For example, theserver 120 may include or otherwise have access to awhite list 1634 of authorized locations. To determine whether arepresentative location 1638 is authorized, thelocation manager 1636 compares therepresentative location 1638 with locations on thewhite list 1634. If therepresentative location 1638 matches an entry on thewhite list 1634, e.g., if the locations are the same to within a specified distance threshold, a location match is confirmed. In this case, theserver apparatus 120 may return anaccess response 1660 to thefirst device 110, and thereby grant access to theresource 1140. For example, theaccess response 1660 may include a session key, a token, or other data for enabling thefirst device 110 to access theresource 1140. Alternatively, theaccess response 1660 may include theresource 1140 itself. - If the
representative location 1638 fails to match any entry on thewhite list 1634, then there is no location match. In this case, theserver 120 may issue anaccess response 1660 that indicates that no location match was found. Access to theresource 1140 may be denied and/or access privileges may be limited, as a consequence of the failed location match. - One should appreciate that above-described methods for establishing a
representative location 1638 are merely examples of how multiple elements oflocation information 1610 may be used together. Such examples are intended to be illustrative rather than limiting. -
- FIG. 17 shows an example arrangement 1700 in which location information 1610 from the second device 1110 facilitates access control of a secured resource 1140. The illustrated activities involve the first device 110, second device 1110, authentication server 1630, and secured resource 1140.
- At 1710, the first device 110 discovers the second network path 180-2 upon becoming communicatively coupled to the second device 1110. For example, the user 102 configures the second device 1110 as a personal hotspot and establishes a connection 1112 between the first device 110 and the second device 1110, e.g., via Wi-Fi, Bluetooth, or USB. The first device 110 discovers the second network path 180-2 and establishes a connection to the network 170 through the second network path 180-2.
- At 1712, the first device 110 issues a request 1608 a to the second device 1110 for location information 1610 b of the second device 1110.
- At 1714, the second device 1110 gathers available sources of location information 1610 (e.g., GPS coordinates, IP address, phone number, etc.).
- At 1716, the second device 1110 returns the gathered location information, which includes location information 1610 b (and possibly other location information), to the first device 110.
- At 1720, the first device 110 forms a location indicator 1622, which may be based on any location information 1610 returned at 1716, as well as any first location information 1610 a obtained from the first device 110. The location indicator 1622 may directly include the individual elements of location information 1610, or it may provide some combination thereof.
- At 1730, the first device 110 sends an access request 1650 to the authentication/authorization (A/A) server 1630. The access request 1650 includes the location indicator 1622. In some examples, the access request 1650 includes additional information, e.g., if the access request 1650 is also an authentication request 1150.
- At 1740, the A/A server 1630 receives the access request 1650 and proceeds to establish a representative location 1638 based on the location indicator 1622. In some examples, as described above, establishing the representative location 1638 may involve using received GPS coordinates, if they are available and reliable. In some examples, establishing the representative location 1638 may involve transforming certain received elements of location information 1610 into corresponding geographical locations, e.g., via action of location services 1632 a and/or 1632 b. In some examples, the A/A server 1630 may establish the representative location 1638 by computing a centroid of geographical locations, and the centroid may be weighted based on confidence.
- At 1750, the A/A server 1630 determines whether the information in the location indicator 1622 is consistent with an authorized location from which to access the secured resource 1140. For example, the A/A server 1630 checks whether the representative location 1638 matches the location of any entry on the white list 1634, e.g., whether the two locations differ by less than a threshold distance.
- At 1760, if the two locations match, the A/A server 1630 returns an access response 1660. The access response 1660 may include a passcode 1762, which grants access to the secured resource 1140. Alternatively, the access response 1660 may include a token, other data, and/or the secured resource 1140 itself (e.g., if the secured resource 1140 is a file or other transferrable element). The first device 110 may then use the passcode 1762 or other element to access the secured resource 1140.
- If no location match is found, however, then at 1770 the access request 1650 may be denied. In some examples, access may be granted but with limited privileges, such as read-only privileges rather than full control.
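The client and server steps 1710 through 1770 above, and the representative-location rules of FIG. 16 (reliable GPS used alone, proxy-derived IP discarded, disagreeing elements dropped, confidence-weighted centroid, white-list match within a distance threshold), carried end to end in Python as an added example. This is not code from the patent or its assignee. The Wi-Fi, IP and phone lookup tables stand in for the location services 1632 a and 1632 b, the white list, thresholds, coordinates and field names are constructed sample data and assumptions, and the weighted centroid is the mean latitude and mean longitude described in the text.

```python
"""Location-gated access check: added example, not the patent's code.

Client side: the first device forms a location indicator from its own Wi-Fi
identifier plus the GPS / IP / phone data returned by the tethered second
device, passing the elements separately (steps 1712-1730).
Server side: each element is resolved to coordinates, implausible ones are
dropped, the rest are fused into a representative location, and that is
compared against a white list with a distance threshold (steps 1740-1770).
Lookup tables, coordinates, thresholds and field names are constructed
sample data and assumptions, not values from the patent.
"""
import math
import secrets

# Constructed stand-ins for location services 1632 a / 1632 b.
# Each value is (lat, lon, confidence in [0, 1]).
WIFI_DB = {"aa:bb:cc:dd:ee:01": (47.6205, -122.3493, 0.8)}
IP_DB = {"203.0.113.": (47.61, -122.33, 0.4)}       # TEST-NET-3 prefix, city-level
PROXY_IPS = {"198.51.100.7"}                        # known proxy egress address
PHONE_DB = {"206": (47.60, -122.33, 0.2)}           # area code -> city centre
GPS_GOOD_ACCURACY_M = 50.0   # a GPS fix this precise is used alone
OUTLIER_KM = 25.0            # drop elements this far from the best element
MATCH_KM = 2.0               # white-list match threshold
WHITELIST = {"home": (47.6210, -122.3480), "office": (47.6430, -122.3350)}


def form_location_indicator(first_info, second_info):
    """Client (step 1720): include every element separately, tagged by source."""
    return [dict(e) for e in first_info + second_info]


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def resolve(element):
    """Server (step 1740): map one element to (lat, lon, weight), or None if unusable."""
    kind = element["source"]
    if kind == "gps":
        # A wide accuracy radius means a weak fix: keep it, but trust it less.
        weight = 1.0 if element["accuracy_m"] <= GPS_GOOD_ACCURACY_M else 0.5
        return (element["lat"], element["lon"], weight)
    if kind == "wifi":
        return WIFI_DB.get(element["bssid"].lower())
    if kind == "ip":
        if element["addr"] in PROXY_IPS:
            return None  # a proxy's address says nothing about the requestor
        return next((hit for prefix, hit in IP_DB.items()
                     if element["addr"].startswith(prefix)), None)
    if kind == "phone":
        return PHONE_DB.get(element["number"][:3])
    return None


def weighted_centroid(points):
    """Confidence-weighted mean latitude and longitude of (lat, lon, w) triples."""
    total = sum(w for _, _, w in points)
    return (sum(la * w for la, _, w in points) / total,
            sum(lo * w for _, lo, w in points) / total)


def representative_location(indicator):
    """Reliable GPS wins outright; otherwise reject outliers, then weighted centroid."""
    for e in indicator:
        if e["source"] == "gps" and e["accuracy_m"] <= GPS_GOOD_ACCURACY_M:
            return (e["lat"], e["lon"])
    points = [p for p in map(resolve, indicator) if p is not None]
    if not points:
        return None
    anchor = max(points, key=lambda p: p[2])   # most trusted element
    kept = [p for p in points if haversine_km(p[:2], anchor[:2]) <= OUTLIER_KM]
    return weighted_centroid(kept)


def decide_access(indicator):
    """Steps 1750-1770: grant with a passcode on a white-list match, else limit or deny."""
    rep = representative_location(indicator)
    if rep is None:
        return {"decision": "deny", "reason": "no usable location"}
    for name, loc in WHITELIST.items():
        if haversine_km(rep, loc) <= MATCH_KM:
            return {"decision": "grant", "matched": name,
                    "passcode": secrets.token_urlsafe(16)}
    return {"decision": "limited", "privileges": "read-only", "location": rep}


def sample_indicator():
    """Constructed request: Wi-Fi from the first device; noisy GPS, IP, phone from the second."""
    first = [{"source": "wifi", "bssid": "AA:BB:CC:DD:EE:01"}]
    second = [{"source": "gps", "lat": 47.62, "lon": -122.35, "accuracy_m": 500.0},
              {"source": "ip", "addr": "203.0.113.42"},
              {"source": "phone", "number": "2065550100"}]
    return form_location_indicator(first, second)


if __name__ == "__main__":
    print(decide_access(sample_indicator()))
```

Averaging latitude and longitude is the mean-coordinate centroid the text describes, not a spherical one; it is adequate over the few kilometres a white-list match cares about but misbehaves across the antimeridian or for widely separated points, which is one reason far-off elements are dropped before averaging. Note also that GPS coordinates are used as the client sent them, so in a deployment that treats location as an authentication factor the server-side lookups of Wi-Fi and IP identifiers are what can contradict an implausible fix.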
- FIGS. 18 and 19 show example methods that may be carried out in connection with the system 1700.
- In FIG. 18, operation begins at 1810, whereupon the first device 110 obtains location information 1610 b from the second device 1110. The location information 1610 b may include, for example, GPS coordinates, an IP address, a Wi-Fi identifier, a phone number, and/or the like. In the arrangement of FIG. 18, the first device 110 is communicatively coupled to the second device 1110 and the second device 1110 shares its network connection with the first device 110. For example, the second device 1110 may establish a personal hotspot or the like and the first device 110 may be tethered to the second device 1110.
- At 1820, the first device 110 forms a location indicator 1622 based on location information 1610. In some examples, such location information 1610 may include only the second location information 1610 b. In other examples, it includes the first location information 1610 a and the second location information 1610 b. In further examples, the location information 1610 includes three or more elements of location information. The first device 110 may form the location indicator 1622 by providing the elements of location information 1610 separately, or by combining them in any suitable fashion.
- At 1830, the first device 110 sends an access request 1650 to the server 120. The access request 1650 includes the location indicator 1622 as formed by the first device 110 and requests access to a resource, such as secured resource 1140.
- At 1840, the first device 110 is allowed to access the resource 1140 based on the location indicator 1622 being consistent with an authorized location, such as a location listed on a white list 1634. Consistency of location may be established, for example, based on a location derived from the location indicator 1622, such as a representative location 1638, falling within a threshold distance of an entry in the white list 1634.
- Turning now to FIG. 19, operation begins at 1910, whereupon the server 120 receives an access request 1650 from the first device 110 for accessing the secured resource 1140. The received access request 1650 includes a location indicator 1622, which is based on location information 1610 b from the second device 1110. The second device 1110 is operatively connected to the first device 110 and shares its network connection with the first device 110.
- At 1920, the server 120 optionally transforms certain elements of location information 1610, provided by the location indicator 1622, into corresponding geographical locations. This act may be omitted for any element of location information 1610 that already includes geographical coordinates or the like, such as GPS coordinates.
- At 1930, the server 120 generates a representative location 1638 from the location information 1610. In some examples, act 1930 includes generating a centroid of geographical locations, which may be weighted (based on confidence scores) or unweighted. In some examples, act 1930 includes providing any received GPS coordinates as the representative location 1638.
- At 1940, the server 120 verifies that the location indicated by the location indicator 1622 (e.g., the representative location 1638) is consistent with an authorized location from which the resource 1140 may be accessed, such as an entry in a white list 1634.
- At 1950, assuming a location match is found at 1940, the first device 110 is granted access to the resource 1140, e.g., by providing the resource directly or by providing a passcode, token, or other data that enables the first device 110 to access the resource. If no location match is found, the access request 1650 may be denied or access may be granted but with reduced privileges.
- An improved technique has been described for managing computerized access. The technique includes a first device 110 that receives location information 1610 b from a second device 1110 that shares its network connection 180-2 with the first device 110. The first device 110 applies the location information 1610 b received from the second device 1110 when requesting access to a resource 1140 of a network 170. The first device 110 thus effectively leverages the presence of the second device 1110 and its location information 1610 to increase authentication strength and/or to facilitate the administration of access rights.
- The following paragraphs (M1) through (M10) describe examples of methods that may be implemented in accordance with the present disclosure:
- (M1) A method has been described that includes receiving, by a first computing device, data from a second computing device, the data being indicative of a location of the second computing device, the second computing device having a connection to a computer network, and determining, by the first computing device, a location indicator based at least in part on the received data from the second computing device. The method further includes sending, by the first computing device, a request to access a resource of the computer network, the request including the determined location indicator, and accessing, by the first computing device, the resource of the computer network in response to an authorization to access the resource, the authorization granted in response to the request and based at least in part on the determined location indicator, the location indicator received from the second computing device providing an indication of location of the first computing device for enabling access by the first computing device to the resource based at least in part on location.
- (M2) Another method may be performed as described in paragraph (M1), wherein the second computing device shares the connection to the computer network with the first computing device, and wherein receiving the location information includes obtaining the location information from the second computing device over a local connection between the first computing device and the second computing device.
- (M3) Another method may be performed as described in paragraph (M2), and further involves the second computing device being one of (i) a mobile device or (ii) a cellular dongle, wherein, when obtaining the location information over the local connection, the first computing device is tethered to the second computing device over the local connection using one of (i) Bluetooth, (ii) Wi-Fi, or (iii) a cable.
- (M4) Another method may be performed as described in any one of paragraphs (M1)-(M3), wherein sending the request includes transmitting the request over the shared connection shared by the second computing device with the first computing device.
- (M5) Another method may be performed as described in any one of paragraphs (M1)-(M3), wherein the first computing device has a second connection to the computer network separate from the shared connection, and wherein sending the access request includes transmitting the access request over the second connection.
- (M6) Another method may be performed as described in any one of paragraphs (M1)-(M5), wherein the location information that indicates the location of the second computing device is second location information, wherein the method may further involve obtaining, by the first computing device, first location information of the first computing device, and wherein forming the location indicator is based at least in part on the first location information and the second location information.
- (M7) Another method may be performed as described in any one of paragraphs (M1)-(M6), wherein obtaining the first location information of the first computing device includes identifying a Wi-Fi network to which the first computing device belongs.
- (M8) Another method may be performed as described in any one of paragraphs (M1)-(M7), wherein obtaining the second location information of the second computing device includes receiving GPS (Global Positioning System) coordinates of the second computing device.
- (M9) Another method may be performed as described in any one of paragraphs (M1)-(M7), wherein obtaining the second location information of the second computing device includes identifying an IP (Internet Protocol) address of the second computing device.
- (M10) Another method may be performed as described in any one of paragraphs (M1)-(M9), wherein the location information that indicates the location of the second computing device is second location information, and wherein the method may further involve obtaining, by the first computing device over the local connection, third location information that indicates the location of the second computing device, the third location information derived from a distinct source from that of the second location information, wherein forming the location indicator is based at least in part on the first location information, the second location information, and the third location information.
- The following paragraphs (MM1) through (MM8) describe further examples of methods that may be implemented in accordance with the present disclosure:
- (MM1) A method has been described that includes receiving, by a server, a request from a first computing device over a computer network, the request being to access a resource on the computer network and including a location indicator, the location indicator being based at least in part on data indicative of a location of a second computing device. The method further includes verifying, by the server, that a location indicated by the location indicator is consistent with an authorized location in which to access the resource of the computer network based at least in part on the location indicator of the received request, and, in response to the verification of the location, granting, by the server, the first computing device access to the resource on the computer network.
- (MM2) Another method may be performed as described in paragraph (MM1), wherein the data indicative of the location of the second device is second location information, wherein the location indicator is further based at least in part on first location information of the first computing device, and wherein the method further involves establishing a representative location based at least in part on the first location information of the first computing device and the second location information of the second computing device, wherein verifying that the location indicator is consistent with the authorized location includes confirming that the representative location matches the authorized location.
- (MM3) Another method may be performed as described in any one of paragraphs (MM1) through (MM2), wherein the location indicator is further based at least in part on third location information of the second computing device, the third location information derived from a distinct source from that of the second location information, wherein producing the representative location includes combining geographical locations based on at least the first location information, the second location information, and the third location information, and wherein confirming that the representative location matches an authorized location is based at least in part on the first location information, the second location information, and the third location information.
- (MM4) Another method may be performed as described in any one of paragraphs (MM1) through (MM3), wherein producing the representative location includes generating a centroid based at least in part on the first location information and the second location information, the centroid indicating a geographical center based at least in part on the first location information and the second location information.
- (MM5) Another method may be performed as described in paragraph (MM4), and may further involve assigning confidence scores to the first location information and the second location information and applying the confidence scores as weights when generating the centroid.
- (MM6) Another method may be performed as described in any one of paragraphs (MM1) through (MM5), wherein the data indicative of the location of the second computing device is second location information, wherein the location indicator is further based at least in part on first location information of the first computing device, the first location information including a Wi-Fi identifier of a wireless network to which the first computing device is connected, and wherein the method further comprises transforming the Wi-Fi identifier into a geographic location of the first computing device.
- (MM7) Another method may be performed as described in any one of paragraphs (MM1) through (MM6), wherein the second location information includes an IP (Internet Protocol) address of the second computing device, and wherein the method further comprises transforming the IP address into a geographic location of the second computing device.
- (MM8) Another method may be performed as described in any one of paragraphs (MM1) through (MM7), wherein the location information of the second computing device includes GPS (Global Positioning System) coordinates of the second computing device, and wherein verifying that the location indicated by the location indicator is consistent with an authorized location includes confirming that the GPS coordinates of the second computing device match GPS coordinates of an authorized location to within a predetermined distance threshold.
- In addition, the following paragraphs (S1) through (S3) describe examples of a server that may be implemented in accordance with the present disclosure:
- (S1) A server may include control circuitry configured to: receive a request from a first computing device over a computer network, the request being to access a resource on the computer network and including a location indicator, the location indicator based at least in part on data indicative of a location of a second computing device; verify that a location indicated by the location indicator matches an authorized location in which to access the resource of the computer network based at least in part on the location indicator of the received request; and, in response to the verification of the location, grant the first computing device access to the resource on the computer network.
- (S2) Another server may be provided as described in paragraph (S1), wherein the data indicative of the location of the second computing device is second location information, wherein the location indicator is further based at least in part on first location information of the first computing device, and wherein the control circuitry is further configured to: combine geographical locations based on at least the first location information and the second location information to produce a representative location based at least in part on the first location information and the second location information; and verify that the representative location matches an authorized location.
- (S3) Another server may be provided as described in any one of paragraphs (S1) or (S2), wherein the control circuitry is further configured to generate the representative location as a centroid, the centroid indicating a geographical center formed by at least the first location information and the second location information.
- In addition, the following paragraph (DD1) describes an example of a device that may be implemented in accordance with the present disclosure:
- (DD1) A device includes control circuitry configured to: obtain location information that indicates a location of a second device, the second device (i) operatively coupled to the device, (ii) having a connection to a computer network, and (iii) sharing the connection with the device; form a location indicator based at least in part on the location information received from the second device; send an access request, including the location indicator, to a server to access a resource of the computer network; and access the resource based at least in part on a determination that the location indicator is consistent with an authorized location for accessing the resource.
- Having described certain embodiments, numerous alternative embodiments or variations can be made. For example, although embodiments have been described wherein the A/A server 1630 provides a passcode 1762 that the first device 110 may use for accessing the secured resource 1140, this is merely an example. For instance, other mechanisms may be used to provide secure access to authenticated users, such as SAML (Security Assertion Markup Language).
- Further still, although embodiments have been described in which the second device 1110 provides the first device with a second connection to the computer network, e.g., to support multiple redundant network paths, this is also merely an example. Alternatively, the second device 1110 is used to provide location information but does not provide the first device with a second connection to the network.
- Further, although embodiments have been described in connection with a user 102, one should appreciate that embodiments are not limited to those that involve a user.
- Further, although features have been shown and described with reference to particular embodiments hereof, such features may be included and hereby are included in any of the disclosed embodiments and their variants. Thus, it is understood that features disclosed in connection with any embodiment are included in any other embodiment.
- Further still, the improvement or portions thereof may be embodied as a computer program product including one or more non-transient, computer-readable storage media, such as a magnetic disk, magnetic tape, compact disk, DVD, optical disk, flash drive, solid state drive, SD (Secure Digital) chip or device, Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA), and/or the like. Any number of computer-readable media may be used. The media may be encoded with instructions which, when executed on one or more computers or other processors, perform the process or processes described herein. Such media may be considered articles of manufacture or machines, and may be transportable from one machine to another.
- As used throughout this document, the words “comprising,” “including,” “containing,” and “having” are intended to set forth certain items, steps, elements, or aspects of something in an open-ended fashion. Also, as used herein and unless a specific statement is made to the contrary, the word “set” means one or more of something. This is the case regardless of whether the phrase “set of” is followed by a singular or plural object and regardless of whether it is conjugated with a singular or plural verb. Further, ordinal expressions, such as “first,” “second,” “third,” and so on, may be used as adjectives herein for identification purposes. Unless specifically indicated, these ordinal expressions are not intended to imply any ordering or sequence. Thus, for example, a “second” event may take place before or after a “first event,” or even if no first event ever occurs. In addition, an identification herein of a particular element, feature, or act as being a “first” such element, feature, or act should not be construed as requiring that there must also be a “second” or other such element, feature or act. Rather, the “first” item may be the only one. Also, and unless specifically stated to the contrary, “based on” is intended to be nonexclusive. Thus, “based on” should not be interpreted as meaning “based exclusively on” but rather “based at least in part on” unless specifically indicated otherwise. Although certain embodiments are disclosed herein, it is understood that these are provided by way of example only and should not be construed as limiting.
- Those skilled in the art will therefore understand that various changes in form and detail may be made to the embodiments disclosed herein without departing from the scope of the following claims.
Claims (21)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/730,352 US20200213318A1 (en) | 2018-12-31 | 2019-12-30 | Leveraging location information of a secondary device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201862786813P | 2018-12-31 | 2018-12-31 | |
US16/730,352 US20200213318A1 (en) | 2018-12-31 | 2019-12-30 | Leveraging location information of a secondary device |
Publications (1)
Publication Number | Publication Date |
---|---|
US20200213318A1 true US20200213318A1 (en) | 2020-07-02 |
Family
ID=69185765
Family Applications (5)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/547,102 Active 2039-09-18 US11082451B2 (en) | 2018-12-31 | 2019-08-21 | Maintaining continuous network service |
US16/730,184 Active 2040-03-21 US11178185B2 (en) | 2018-12-31 | 2019-12-30 | Extending management control to IoT devices |
US16/730,304 Active 2040-03-22 US11431754B2 (en) | 2018-12-31 | 2019-12-30 | Authenticating to secured resource via coupled devices |
US16/730,352 Abandoned US20200213318A1 (en) | 2018-12-31 | 2019-12-30 | Leveraging location information of a secondary device |
US17/495,054 Active 2040-05-18 US11722528B2 (en) | 2018-12-31 | 2021-10-06 | Extending management control to IoT devices |
Country Status (7)
Country | Link |
---|---|
US (5) | US11082451B2 (en) |
EP (2) | EP3888311B1 (en) |
JP (2) | JP7110494B2 (en) |
CN (2) | CN113261247B (en) |
AU (2) | AU2019418343B2 (en) |
CA (2) | CA3122265C (en) |
WO (2) | WO2020142162A1 (en) |
2019
- 2019-08-21 US US16/547,102 patent/US11082451B2/en active Active
- 2019-12-06 CA CA3122265A patent/CA3122265C/en active Active
- 2019-12-06 JP JP2021538232A patent/JP7110494B2/en active Active
- 2019-12-06 AU AU2019418343A patent/AU2019418343B2/en active Active
- 2019-12-06 CN CN201980087506.1A patent/CN113261247B/en active Active
- 2019-12-06 EP EP19836714.6A patent/EP3888311B1/en active Active
- 2019-12-06 WO PCT/US2019/064943 patent/WO2020142162A1/en unknown
- 2019-12-30 CN CN201980087242.XA patent/CN113228739A/en active Pending
- 2019-12-30 CA CA3121949A patent/CA3121949A1/en not_active Abandoned
- 2019-12-30 US US16/730,184 patent/US11178185B2/en active Active
- 2019-12-30 AU AU2019418792A patent/AU2019418792A1/en not_active Abandoned
- 2019-12-30 JP JP2021538364A patent/JP2022517548A/en active Pending
- 2019-12-30 US US16/730,304 patent/US11431754B2/en active Active
- 2019-12-30 WO PCT/US2019/068974 patent/WO2020142446A2/en active Search and Examination
- 2019-12-30 US US16/730,352 patent/US20200213318A1/en not_active Abandoned
- 2019-12-30 EP EP19839793.7A patent/EP3903517A2/en not_active Withdrawn
2021
- 2021-10-06 US US17/495,054 patent/US11722528B2/en active Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| AS | Assignment | Owner name: CITRIX SYSTEMS, INC., FLORIDA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:OJHA, NIVEDITA;THORSLUND, DEREK;REEL/FRAME:051802/0604. Effective date: 20191227 |
| AS | Assignment | Owner name: CITRIX SYSTEMS, INC., FLORIDA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WILSON, STEPHEN;REEL/FRAME:051916/0439. Effective date: 20200106 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| AS | Assignment | Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, DELAWARE. Free format text: SECURITY INTEREST;ASSIGNOR:CITRIX SYSTEMS, INC.;REEL/FRAME:062079/0001. Effective date: 20220930 |
| AS | Assignment | Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE. Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062113/0470. Effective date: 20220930. Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK. Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062113/0001. Effective date: 20220930. Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA. Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062112/0262. Effective date: 20220930 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| AS | Assignment | Owner name: CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.), FLORIDA. Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525. Effective date: 20230410. Owner name: CITRIX SYSTEMS, INC., FLORIDA. Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525. Effective date: 20230410. Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE. Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.);CITRIX SYSTEMS, INC.;REEL/FRAME:063340/0164. Effective date: 20230410 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |