USRE42382E1 - Volume mount authentication - Google Patents


Publication number
USRE42382E1
Authority
US
United States
Prior art keywords
zone
computing device
action handler
media
execution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US12/860,612
Inventor
Jason Robert Weiss
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Coreco Idera Ops Inc
Original Assignee
BBS Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US12/860,612
Application filed by BBS Technologies Inc
Assigned to IDERA, INC. reassignment IDERA, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: BBS TECHNOLOGIES, INC.
Assigned to SQUARE 1 BANK reassignment SQUARE 1 BANK SECURITY AGREEMENT Assignors: IDERA, INC.
Assigned to IDERA, INC. F/K/A BBS TECHNOLOGIES, INC. reassignment IDERA, INC. F/K/A BBS TECHNOLOGIES, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: SQUARE 1 BANK
Assigned to COMERICA BANK, AS AGENT reassignment COMERICA BANK, AS AGENT SECURITY INTEREST Assignors: CopperEgg Corporation, IDERA, INC., PRECISE SOFTWARE SOLUTIONS, INC.
Assigned to FIFTH STREET MANAGEMENT LLC, AS AGENT reassignment FIFTH STREET MANAGEMENT LLC, AS AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CopperEgg Corporation, IDERA, INC., PRECISE SOFTWARE SOLUTIONS, INC.
Assigned to IDERA, INC., CopperEgg Corporation, PRECISE SOFTWARE SOLUTIONS, INC. reassignment IDERA, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: COMERICA BANK
Assigned to CopperEgg Corporation, IDERA, INC., PRECISE SOFTWARE SOLUTIONS, INC. reassignment CopperEgg Corporation RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: FIFTH STREET MANAGEMENT LLC
Assigned to JEFFERIES FINANCE LLC, AS COLLATERAL AGENT reassignment JEFFERIES FINANCE LLC, AS COLLATERAL AGENT FIRST LIEN SECURITY AGREEMENT Assignors: CODEGEAR LLC, CopperEgg Corporation, EMBARCADERO TECHNOLOGIES, INC., IDERA, INC., PRECISE SOFTWARE SOLUTIONS, INC.
Assigned to JEFFERIES FINANCE LLC, AS COLLATERAL AGENT reassignment JEFFERIES FINANCE LLC, AS COLLATERAL AGENT SECOND LIEN SECURITY AGREEMENT Assignors: CODEGEAR LLC, CopperEgg Corporation, EMBARCADERO TECHNOLOGIES, INC., IDERA, INC., PRECISE SOFTWARE SOLUTIONS, INC.
Assigned to CORECO IDERA OPS, INC. reassignment CORECO IDERA OPS, INC. NUNC PRO TUNC ASSIGNMENT (SEE DOCUMENT FOR DETAILS). Assignors: IDERA, INC.
Assigned to IDERA, INC. reassignment IDERA, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: CORECO IDERA OPS, INC.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to the authentication of volume mount points, and in particular the ability of an operating system to selectively accept or reject a volume mount point request for media based on a configurable set of rules.
  • the present invention provides a dynamic and expeditious means of authenticating one or more mountable volumes. If the circumstances surrounding the volume undergoing authentication are found to be sufficiently proper, the volume is considered trustworthy and a mounting request is allowed to proceed. If circumstances are found to be outside the range of that considered proper, the mounting request is denied. In the case of a volume already mounted, dismounting action may be taken.
  • the present invention further provides a means of determining whether the found circumstances are proper, that is trustworthy, or not.
  • Volume Trust relies on a series of fuzzy logic calculations that inspect the attributes (size, number of sectors, drive interface type, et cetera) of a volume, applying weighted calculations to determine a raw score and an overall maximum possible score. This raw score is then mathematically adjusted to be within the range of 0 to 100, resulting in a Trustworthy Factor score for the volume undergoing authentication.
  • the Trustworthy Factor score can be calculated in a completely non-intrusive way, meaning that no data whatsoever has to be written to the volume during this process.
  • read-only media such as CD-ROM's and DVD's may be assigned unique Trustworthy Factor scores and there is no change in the amount of free space available on read/write volumes after the process completes.
  • the Trustworthy Factor score is not an absolute threshold. Analogies can be drawn to the popular consumer credit rating system. In that system, the higher the credit score, the less risk there is that the consumer will default on a loan. However, regardless of how high the credit score is, there is always the possibility of the consumer defaulting on the loan. Similarly, as the Trustworthy Factor score increases, the likelihood of the volume containing malignant code or being used for malicious purposes decreases, though the threat is never entirely eradicated. The only true way to eradicate the threat from mobile, external storage devices is to build a computer that has no external ports and is physically secured to ensure new drives can not be inserted. In the course of day-to-day business operations, such a device is impractical and would be a large impediment to business productivity.
  • a weighted scoring system provides administrators the ability to factor each capability of the volume in a different way. For instance, consider this example that inspects only the disk interface.
  • a 160 GB external IEEE 1394 drive, which resides outside the computer case, might score a Trustworthy Factor score in the low thirties. It may be considered a moderately trustable volume, since there are no pocket-sized or palm-sized drives meeting that description.
  • a 64 MB USB keychain drive might yield a Trustworthy Factor score less than twenty, meaning that it should be considered as untrustworthy and potentially a security threat, a low level of trust.
  • Typically, over twenty five different factors, called metadata elements, are examined in the computation of a volume's Trustworthy Factor score.
  • Each factor can be given different weighing factors, as appropriate for the organization being served. For example, consider two devices, one that discloses the number of sectors and tracks it contains and another that does not. The device that discloses the number of sectors information is more trustworthy than the device that fails to disclose. Thus, the disclosing device receives a slightly higher Trustworthy Factor score. However, other factors may be more important in determining the trustworthiness of the device.
  • Another factor is the interface type used to interact with the device (IDE, USB, IEEE 1394, et cetera). This factor indicates the portability of the volume. IDE is considered more trustworthy than USB for the simple fact that it is difficult to mount an IDE drive outside the computer case. Thus, an IDE drive mounted inside a locked computer case should be considered to have a high level of trust.
  • One of the benefits of the present invention is the use of administrator-configured weighing factors to discriminate more important volume factors, metadata elements, from others. This allows the Volume Trust application to be adjusted to local needs without need for recompilation. Increasing the weighing factors directly impacts the trustworthy factor score of a volume that discloses that metadata element. In fact, the Volume Trust application can be tuned in the field in a matter of seconds to respond to the circumstances at hand. For example, a laptop used by an individual at their cubicle on the 37th floor of corporate headquarters is at minimal risk. When that laptop is taken on a business trip to a conference room with 30 strangers at a client's office, the level of risk should increase moderately. Now, when that same laptop is taken to the Comdex tradeshow floor where there are hundreds of thousands of strangers walking around, the maximum level of protection should be enabled and the Volume Trust application should be extremely skeptical about every external storage device.
  • An advantage of the present invention is that it may be cost-effectively deployed to a large installation base through common software distribution techniques and does not require technicians to manipulate computer hardware.
  • the present invention is backwards compatible, easily working with existing computer infrastructure.
  • the present invention is operating system independent.
  • the present invention is independent of programming language.
  • the present invention allows a storage device, such as a DVD or CD-ROM drive, or card reader, to remain online while scrutinizing the media associated with the storage device.
  • the present invention does not require the modification of existing user security privileges, nor does it require the creation or modification of specialized security privilege groups.
  • the present invention operates in real-time by leveraging the event notification mechanisms built into most operating systems.
  • the present invention does not rely on cryptographic algorithms susceptible to aging, which become insecure over time, nor does it rely on expensive and administratively time-consuming Public Key Identification (PKI).
  • the present invention does not require any modification of existing computer or computer-peripheral manufacturing techniques.
  • the present invention allows an administrator or user to refine the fuzzy logic used to establish trust between the device and media without requiring access to source code and redistributing new binary run-time objects.
  • the present invention allows for easy audit and logging of external storage device interactions through its robust and flexible daisy-chained list of zone action handlers.
  • the present invention works on virtually all devices that contain a microprocessor, from computers to phones to personal digital assistants across operating systems and programming languages.
  • the present invention provides the ability to slide the level of trust based upon external security factors, such as different states of terrorist alerts.
  • FIG. 1 is an overall flow-chart view of the basic process steps of the volume mount authentication process, S 100 through S 800 ;
  • FIG. 2 is a detailed flow-chart view of the core process steps of the volume mount authentication process
  • FIG. 3 is a flow-chart view of the boot analysis steps
  • FIG. 4 is a flow-chart view of the graphic identification steps
  • FIG. 5 is a flow-chart view of dynamic adjustment of the scoring matrix, based on the perceived location of the computing device
  • FIG. 6 is a flow-chart view of dynamic adjustment of the calculating steps of the Trustworthy Factor Calculator, based on the perceived location of the computing device;
  • FIG. 7 is a flow-chart view of remotely accessed dynamic adjustment of the calculating steps of the Trustworthy Factor Calculator, based on the perceived location of the computing device;
  • FIG. 8 is a flow-chart view of the authentication steps
  • FIG. 9 is a flow-chart view of the volume mount point steps.
  • FIG. 10 is a flow-chart view of the metadata extraction steps.
  • An overall flow-chart view of the basic process steps of the volume mount authentication process, S 100 through S 800 , is shown in FIG. 1 .
  • media currently available that may be inserted into a media reading or writing device. Examples include, but are not limited to: CD's, USB drives, floppy disks, memory sticks, and many other devices.
  • Media 1 is inserted into a media reading or writing device 2 that is in communication with a computing device 3 , such as a computer or network device.
  • Computing device 3 detects insertion of the media, step S 100 .
  • data structures containing metadata 6 related to media 1 becomes available to computing device 3 .
  • Metadata 6 is extracted, step S 200 . If not already available, a trustworthy factor calculator 9 is loaded, step S 300 . Trustworthy factor calculator 9 is typically a plug-in software module that processes each metadata element and applies a weighed score, resulting in a trustworthy factor score 27 , step S 400 . A scoring matrix 11 is loaded, step S 500 . Scoring matrix 11 denotes ranges of values of the trustworthy factor score 27 into zones, typically four zones.
  • Scoring matrix 11 is used to convert trustworthy factor score 27 into a zone number, called a Level of Trust Zone 12 , step S 600 . Based on the value of Level of Trust Zone 12 , an appropriate Zone Action Handler 14 is selected, step S 700 . By returning a Zone Action Handler Response 28 , Zone Action Handler 14 may direct computing device 3 to disallow the mounting of media 1 , may require specific authentication action to take place prior to allowing a mount of media 1 , or may indicate that media 1 may be mounted without further authentication. Typically, Zone Action Handler 14 comprises a plurality of action handlers that are executed in succession. Upon completion of execution of Zone Action Handler 14 , a decision to allow or disallow the mount is made, step S 800 .
  • a media device may be hosted by a second computing device.
  • Such second computing device may abstract the media device from the first computing device.
  • a desktop PC is a first computing device which is performing volume mount authentication on a PDA (a handheld portable computer) that contains a media device such as a hard disk storage drive.
  • the PDA in this example is a second computing device which is hosting the media device.
  • the second computing device, or any computing intermediary is effectively the same as a media device which it is hosting.
  • the meaning of the term media device may include any media device, its host, or other computing intermediary.
  • A detailed flow-chart view of the core process steps of the volume mount authentication process is illustrated in FIG. 2 .
  • a user logs into computing device 3 , step S 110 .
  • a personal computer is used for purposes of illustration, but computing device 3 may be any of a myriad of devices either now known or developed in the future.
  • computing device 3 may be a Windows or LINUX based personal computer, a Macintosh, a UNIX machine, a Personal Digital Assistant, a telephone or telephone system, a network controller, server, workstation, digital appliance, computerized test equipment, custom computer, et cetera.
  • the volume mount authentication application called Volume Trust 50
  • a volume mount point is an abstraction of the memory addresses that reference a device or media capable of being mounted or recognized by the computer.
  • Volume mount points exist for all typical computer devices, especially those holding data, such as hard drives, floppy disks, CD/DVD drives, et cetera.
  • Volume mount points also exist for devices connected by way of infrared and radio signals. Beaming data to a computer by way of an infrared signal creates a volume mount point, as does personal area networks, such as “Blue Tooth”, and even radio frequency connections to telephone cell towers.
  • the volume mount point establishes the link between the logical connection and the physical connection to a device and its media.
  • a volume mount notification 16 occurs and is recognized by application Volume Trust 50 .
  • Application Volume Trust 50 spawns a thread 29 , step S 160 , to begin the volume trust authentication process. While it is not necessary to spawn a thread in order to practice the present invention, it is of great advantage to use multi-thread techniques. Use of multi-threading allows authentication of a plurality of media while the first media is still undergoing authentication. Optionally, a progress bar 15 is displayed for the user's benefit, step S 170 .
  • Volume mount notification 16 must be decoded so metadata 6 that is related to media 1 may be extracted. This is done by first converting the logical disk information 17 into a physical disk partition address 18 , step S 210 .
  • physical disk partition address 18 is commonly known to refer to any block of storage space that may be read from, written to, or is both readable and writable. Physical disk partition address 18 is then converted into a physical storage device address 19 , step S 220 . These steps of deabstracting the information are typically performed using routine libraries, and these steps are well known to those skilled in the art.
  • the storage device data is extracted, step S 230 , along with logical disk data, S 240 , disk partition data, S 250 , and physical media data, S 260 , from their respective data structures, as is appropriate for the media being authenticated.
  • Such collected metadata 6 is stored as a volume metadata object 7 .
  • at least two dozen metadata elements 8 describing media 1 and media device 2 are gathered.
  • One or more data communications channels may exist between the computing device and the media device or media itself. In such cases, it is also possible to collect metadata associated with the data communications channel.
  • the media may also be associated with one or more media devices, data communications channels, or media computing devices, each of which are abstracted behind the volume mount point.
  • the computing device under authentication may detect a volume mount point from an infrared signal being sent from a handheld computing device containing a miniature hard disk drive that is plugged into the handheld computing device's USB port.
  • the miniature hard disk drive represents the media device.
  • the computing device under authentication may retrieve metadata from the infra-communication channel, the handheld computing device itself, its USB data channel, and the miniature hard disk drive.
  • Trustworthy factor calculator 9 is loaded, step S 300 .
  • trustworthy factor calculator 9 is a dynamic linked library, a plug in module.
  • Trustworthy factor calculator 9 looks up and loads calculation steps 22 associated with the metadata elements of interest.
  • Trustworthy factor calculator 9 loads weighing factors 23 which correspond to the metadata elements, step S 350 .
  • Trustworthy factor calculator 9 uses calculation steps 22 , determines a score value 24 and its maximum possible score value 25 .
  • Weighing factors 23 are applied to each score value 24 and each maximum possible score value 25 .
  • Score values 24 are accumulated as a raw score 10 and the maximum possible score values 25 are accumulated as an overall maximum score 26 , step S 410 .
  • Accumulated raw score 10 is normalized, based on overall maximum score 26 , step S 420 , establishing a trustworthy factor score 27 .
  • trustworthy factor score 27 is set to create a range of zero (0) to one hundred (100). This is accomplished by simply dividing accumulated raw score 10 by overall maximum score 26 and multiplying by one hundred (100).
  • Scoring matrix 11 is loaded, step S 500 .
  • this module is a dynamic linked library, a plug in module.
  • Scoring matrix 11 is a set of established thresholds used to classify the resulting Trustworthy Factor Score 27 created by the Trustworthy Factor Calculator 9 .
  • the zone encompassing Trustworthy Factor Score 27 is identified as the Level of Trust Zone 12 , step S 600 .
  • a trustworthy factor score falling between 0 to 15 may be classed as zone one (1), a trustworthy factor score falling between 16 to 50 as zone two (2), a trustworthy factor score falling between 51 to 80 as zone three (3), and a trustworthy factor score falling between 81 to 100 as zone four (4).
  • the zone information is used to select and execute a Zone Action Handler 14 for that Level of Trust Zone 12 , step S 700 .
  • a trustworthy factor score of 45 falls between 16 and 50 and is therefore classed as zone two (2).
  • the Zone Action Handler corresponding to that zone two (2) is then executed.
  • Zone Action Handler 14 may perform a variety of actions, which will be detailed in FIG. 6 .
  • Zone Action Handler 14 returns an ultimate signal, a Zone Action Handler Response 39 , to allow mount of media 1 or disallow mount of media 1 , step S 800 . This concludes the volume mount authentication process.
  • FIG. 3 further details the boot analysis steps in the case of authenticating existing volume mount points 5 ′.
  • a user logs into computing device 3 , step S 110 .
  • application Volume Trust 50 is started automatically, step S 120 .
  • Application Volume Trust 50 polls for existing volume mount points 5 ′ seen by computing device 3 , step S 140 .
  • application Volume Trust 50 spawns a thread 29 , step S 160 , to begin the volume mount authentication process for each detected volume mount point 5 ′.
  • FIG. 4 illustrates an optional step of alerting the user that a volume mount has been authenticated by the Volume Trust application.
  • Zone Action Handler 14 returns Zone Action Handler Response 39 to allow mount of media 1 or disallow mount of media 1 , step S 800 .
  • a volume mount point icon 40 is displayed or otherwise communicated, reflecting the Level of Trust Zone for which the mount was allowed. This alerts the user of the trust level circumstances which allowed media 1 or media device 2 to be mounted. This icon or communication may be used by the operating system, throughout the operating system application dialogs, to denote the Level of Trust Zone.
  • FIG. 5 illustrates use of the device connection information to guide dynamic adjustment of scoring matrix 11 .
  • Trustworthy Factor Calculator 9 returns Trustworthy Factor Score 27 , step 420 .
  • the initial scoring matrix 11 is loaded, step S 500 .
  • Devices connected to computing device 3 (such as network connections, printers, media devices) are identified, step S 510 , establishing a perceived location for computing device 3 .
  • computing device 3 say a laptop computer
  • Adjustments to the scoring matrix 11 are selected from one or more alternate scoring matrices 11 ′, based on the perceived location of computing device 3 , step S 520 .
  • scoring matrix 11 may be adjusted, or an alternate scoring matrix 11 ′ loaded, to reflect a higher score requirement in order to produce a mount authentication.
  • the Level of Trust Zone 12 ′ is determined by comparing the Trustworthy Factor Score 27 to the adjusted scoring matrix 11 ′, step S 600 .
  • FIG. 6 illustrates use of device connection information to guide dynamic adjustment of the Trustworthy Factor Calculator.
  • Trustworthy Factor Calculator 9 is loaded, step S 300 .
  • Devices connected to computing device 3 are identified, step S 310 .
  • the appropriate calculation steps 22 to use are selected, step S 320 .
  • step S 330 it may be found that computing device 3 , say a laptop computer, is connected to a wireless network at a remote location rather than docked to a high-security network inside an office at a fixed location. This means that calculation steps 22 , one for remote wireless operation, are required.
  • Calculation steps 22 are loaded, step S 330 .
  • Trustworthy Factor Calculator 9 then loads weighing factors 23 which have been previously determined for the media 1 and media device 2 undergoing authentication, step S 350 .
  • FIG. 7 illustrates use of device connection information to guide dynamic adjustment of Trustworthy Factor Calculator 9 , where calculation steps 22 ′ are obtained from a remote location 32 , such as over a network or the internet.
  • Trustworthy Factor Calculator 9 is loaded, step S 300 .
  • Devices connected to computing device 3 are identified, step S 310 .
  • the appropriate calculation steps 22 ′ to use are selected, step S 320 .
  • computing device 3 say a laptop computer, is connected to a wireless network at a remote location rather than docked to a high-security network inside an office at a fixed location. This means that calculation steps 22 ′, one for remote wireless operation, are required.
  • calculation steps 22 ′ may not be obtained from computing device 3 , rather must be downloaded from a specific secure remote location.
  • Calculation steps 22 ′ are loaded from a remote location, step S 340 .
  • Trustworthy Factor Calculator 9 then loads weighing factors 23 which have been previously determined for the media 1 and media device 2 undergoing authentication, step S 350 .
  • FIG. 8 illustrates various details of the authentication process, including actions for external additional authentication, which may be called upon by a selected Zone Action Handler.
  • Scoring matrix 11 is used to convert Trustworthy Factor Score 27 into Level of Trust Zone 12 , step S 600 .
  • Zone Action Handler 14 is selected, step S 700 .
  • Zone Action Handler 14 may in practice embody one or more action handlers 13 , each of which performs particular tasks.
  • Zone Action Handler 14 refers to the collective actions of all action handlers 13 .
  • Zone Action Handler 14 may return a response that recommends or directs computing device 3 to disallow the mounting of media 1 , may require specific authentication action to take place prior to allowing a mount of media 1 , or may indicate that media 1 may be mounted without further authentication. For instance, one action handler 13 may prompt the user for a password, step S 710 , then call a second action handler 13 ′ to prompt for biometric information, step S 720 , which in turn calls a third action handler 13 ′′ to prompt for a security token card, step S 730 , then calling a fourth action handler 13 ′′′ to determine whether the user belongs to an administrative security group, step S 740 .
  • Each of these action handlers 13 , 13 ′, 13 ′′, 13 ′′′ returns a response.
  • Various other authentication steps may be programmed into a Zone Action Handler 14 or its action handlers 13 .
  • a Zone Action Handler Response 39 is returned and a decision to allow or disallow the mount is made, step S 800 .
  • Zone Action Handler 14 may include the capability to decide whether to remember the external additional authentication for the particular media or media device being authenticated, step S 750 .
  • Zone Action Handler 14 includes a Remember Media Action Handler 33 , which may be configured to always associate the particular media 1 ′ with a mount or dismount conclusion, step S 760 .
  • the Media Previously Trusted Action Handler 34 may directly return a mount or dismount conclusion without invoking other action handlers to prompt for password, biometrics, security token card, or administrator security group determination, step S 705 .
  • An additional alternate embodiment is to enable the Remember Media Action Handler 33 to grant such mount or dismount association for a fixed period of time, or other validity condition, step S 770 .
  • Media Previously Trusted Action Handler 34 uses the period of time or other validity condition in making its mount or dismount conclusion.
  • FIG. 9 illustrates volume mount point steps.
  • a user logs into computing device 3 , step S 110 .
  • application Volume Trust 50 is started automatically, step S 120 .
  • Application Volume Trust 50 polls or waits for notification to analyze a volume mount point 5 , step S 140 .
  • a notification may occur when a device beams an infrared or wireless signal to the computing device or a device attached to the computing device, step S 155 .
  • Application Volume Trust 50 spawns thread 29 , step S 160 , to begin the volume mount authentication process.
  • FIG. 10 illustrates various details of the metadata extraction process.
  • Partition information 18 is converted into physical drive information 19 , step S 220 .
  • the storage device data is extracted, step S 230 , along with logical disk data, step S 240 , disk partition data, step S 250 , and physical media data, step S 260 , as is appropriate for the media being authenticated.
  • the collected metadata 6 is stored as a volume metadata object 7 , composed of metadata elements 8 .
  • the Trustworthy Factor Calculator is loaded, step S 300 .
  • An alternate embodiment of the present invention includes use of external reporting of security levels to adjust the scoring matrix.
  • a governmental agency, an industry, a specific plant or locale may issue security alerts of various levels.
  • a refinery may receive “red”, “orange”, “yellow”, and “green” security levels, depending on external intelligence, terrorist action, or geopolitical conditions. These external security levels may be used to automatically modify the scoring matrix.
  • a “red” or “orange” security level indicating a threatening security condition, may be used to require greater trustworthy factor scores to meet specific level of trust zone thresholds.
  • the external security levels are used as indicators to adjust or replace the scoring matrix to reflect these more stringent security requirements.
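
The scoring pipeline described above (steps S 400 through S 800, with the location-based scoring matrix adjustment of FIG. 5) can be sketched as follows. This is an added example, not code from the patent or from the Volume Trust application. The metadata element names, weighing factors, per-element scores, the "tradeshow" matrix and the handler names are constructed assumptions; only the 0-15 / 16-50 / 51-80 / 81-100 zone thresholds come from the text.

```python
import math
from dataclasses import dataclass
from typing import Callable

ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class CalcStep:
    element: str                      # metadata element name (hypothetical)
    weight: float                     # administrator-configured weighing factor
    max_score: float                  # maximum possible score value for the element
    score: Callable[[object], float]  # score value for a disclosed element

# Constructed per-element scoring; an organization would tune these values.
INTERFACE_SCORE = {"IDE": 10, "IEEE1394": 4, "USB": 1}
STEPS = [
    CalcStep("interface", 5, 10, lambda v: INTERFACE_SCORE.get(v, 0)),
    CalcStep("size_bytes", 2, 10, lambda v: min(10, v // 16_000_000_000)),
    CalcStep("sector_count", 1, 10, lambda v: 10 if v else 0),  # disclosure is rewarded
    CalcStep("external", 3, 10, lambda v: 0 if v else 10),
]

def trustworthy_factor(metadata, steps=STEPS):
    """Accumulate weighted scores, then normalize raw / overall max to 0..100."""
    raw = overall_max = 0.0
    for step in steps:
        overall_max += step.weight * step.max_score
        # Assumption: an undisclosed element scores 0 but still counts in the maximum.
        if step.element in metadata:
            raw += step.weight * step.score(metadata[step.element])
    if overall_max == 0:
        return 0.0  # no calculation steps loaded: fail closed with the lowest score
    return 100.0 * raw / overall_max

SCORING_MATRICES = {
    "office":    [(15, 1), (50, 2), (80, 3), (100, 4)],  # thresholds given in the text
    "tradeshow": [(50, 1), (85, 2), (99, 3), (100, 4)],  # constructed stricter matrix
}

def level_of_trust_zone(score, location="office"):
    """Map a score to a zone; an unknown location gets the strictest matrix (assumption)."""
    matrix = SCORING_MATRICES.get(location, SCORING_MATRICES["tradeshow"])
    whole = math.floor(score)  # fractional scores round down, toward lower trust
    for upper, zone in matrix:
        if whole <= upper:
            return zone
    return 1  # out-of-range score: lowest trust

AUDIT_LOG = []

def audit_handler(ctx):
    AUDIT_LOG.append((ctx["volume"], round(ctx["score"], 1), ctx["zone"]))

def deny_handler(ctx):
    return DENY

def password_handler(ctx):
    return None if ctx.get("password_ok") else DENY

def admin_group_handler(ctx):
    return None if ctx.get("is_admin") else DENY

# Daisy-chained action handlers per zone, executed in succession.
ZONE_ACTION_HANDLERS = {
    1: [audit_handler, deny_handler],
    2: [audit_handler, password_handler, admin_group_handler],
    3: [audit_handler, password_handler],
    4: [audit_handler],
}

def authenticate_mount(volume, metadata, location="office", **answers):
    """Return (score, zone, decision); the first DENY in the chain ends it."""
    score = trustworthy_factor(metadata)
    zone = level_of_trust_zone(score, location)
    ctx = {"volume": volume, "score": score, "zone": zone, **answers}
    decision = ALLOW
    for handler in ZONE_ACTION_HANDLERS[zone]:
        if handler(ctx) == DENY:
            decision = DENY
            break
    return score, zone, decision

# Constructed sample volumes.
USB_KEY = {"interface": "USB", "size_bytes": 64_000_000, "external": True}
FIREWIRE = {"interface": "IEEE1394", "size_bytes": 160_000_000_000,
            "sector_count": 312_500_000, "external": True}
IDE = {"interface": "IDE", "size_bytes": 500_000_000_000,
       "sector_count": 976_562_500, "external": False}

if __name__ == "__main__":
    for name, md, loc in [("F:", USB_KEY, "office"), ("E:", FIREWIRE, "office"),
                          ("E:", FIREWIRE, "tradeshow"), ("C:", IDE, "office")]:
        print(name, loc, authenticate_mount(name, md, loc, password_ok=True, is_admin=True))
```

The same external drive lands in zone two at the office and zone one under the stricter matrix, which is the effect the location-based and alert-level adjustments are meant to produce.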

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

There is a variety of media that may be inserted into a reading or writing device, such as CD's, USB drives, floppy disks, memory sticks, and many other devices. Media is inserted into a media reading or writing device that is in communication with a computer or network device. Upon insertion of the media, a number of metadata regarding that media is available to the computer. The trustworthy calculator is typically a plug-in software module that processes each piece of volume metadata and applies a weighed score, resulting in a Trustworthy Factor. A scoring matrix denotes ranges of values of the Trustworthy Factor into a Level of Trust Zone. Based on the Level of Trust Zone, appropriate action handlers may direct the computer to disallow the mounting of the media, may require specific authentication action to take place prior to allowing a mount of the media, or may indicate that the media may be mounted without further authentication. Upon completion of the execution of the action handlers, a decision to allow or disallow the mount is made.

Description

BACKGROUND
1. Field of the Invention
The present invention relates to the authentication of volume mount points, and in particular the ability of an operating system to selectively accept or reject a volume mount point request for media based on a configurable set of rules.
2. Description of Prior Art
Individuals, corporations and governments face an increasing threat from within. Unethical individuals have at their disposal a multitude of high volume storage mediums available by simply walking into a local electronics store. Anyone can pay several hundred dollars or less to purchase storage devices that are highly resistant to detection. These devices assuredly help simplify the act of corporate and government espionage and greatly facilitate the proliferation of computer viruses, electronic Trojan Horses, and similar objects of computer mass infiltration. Even institutions that employ security checkpoints where backpacks and briefcases are searched and everyone must walk through a metal detector face the daunting challenge of detecting and deterring someone from walking out the front door with 256 MB, 512 MB, 2 GB, 4 GB or more of business intelligence, classified drawings, or sensitive financial documents on a device that is roughly the size of a clasp on a brassiere.
Undoubtedly plug-and-play hard drives, palm-sized mobile storage solutions, infrared and radio frequency (RF) over-the-air digital data communications are now pervasive in today's society. As the popularity and number of these types of devices continue to grow, enterprise Information Technology (IT) departments, as well as a growing consumer base, are demanding methods to authenticate and trust certain physical devices while rejecting access to other physically identical devices. Obtaining such authentication and trust has to be accomplished in a way that does not compromise business productivity. To illustrate by example, consider employee A, who steps away from a physically secured laptop computer. Visitor B is able to quickly plug a USB flash drive into the computer. Visitor B may quickly copy trade secrets from the computer to the USB flash drive, or may download a computer virus from the USB flash drive to the computer. Visitor B is able to complete these tasks and remove the USB flash drive prior to employee A's return. Employee A will have little chance to know that business intelligence was taken, nor that a virus was implanted.
BRIEF SUMMARY OF THE INVENTION
The present invention provides a dynamic and expeditious means of authenticating one or more mountable volumes. If the circumstances surrounding the volume undergoing authentication are found to be sufficiently proper, the volume is considered trustworthy and a mounting request is allowed to proceed. If circumstances are found to be outside the range of that considered proper, the mounting request is denied. In the case of a volume already mounted, dismounting action may be taken. The present invention further provides a means of determining whether the found circumstances are proper, that is trustworthy, or not.
The core application, called Volume Trust, relies on a series of fuzzy logic calculations that inspect the attributes (size, number of sectors, drive interface type, et cetera) of a volume, applying weighted calculations to determine a raw score and an overall maximum possible score. This raw score is then mathematically adjusted to be within the range of 0 to 100, resulting in a Trustworthy Factor score for the volume undergoing authentication. The Trustworthy Factor score can be calculated in a completely non-intrusive way, meaning that no data whatsoever has to be written to the volume during this process. As a result, read-only media such as CD-ROM's and DVD's may be assigned unique Trustworthy Factor scores and there is no change in the amount of free space available on read/write volumes after the process completes.
The Trustworthy Factor score is not an absolute threshold. Analogies can be drawn to the popular consumer credit rating system. In that system, the higher the credit score, the less risk there is that the consumer will default on a loan. However, regardless of how high the credit score is, there is always the possibility of the consumer defaulting on the loan. Similarly, as the Trustworthy Factor score increases, the likelihood of the volume containing malignant code or being used for malicious purposes decreases, though the threat is never entirely eradicated. The only true way to eradicate the threat from mobile, external storage devices is to build a computer that has no external ports and is physically secured to ensure new drives can not be inserted. In the course of day-to-day business operations, such a device is impractical and would be a large impediment to business productivity.
By its very nature, a weighted scoring system provides administrators the ability to factor each capability of the volume in a different way. For instance, consider this example that inspects only the disk interface. An IDE hard drive mounted as a fixed disk inside a computer, where the computer case has been secured, might score a Trustworthy Factor score in the mid-sixties and be considered a highly trustable volume, a high level of trust. A 160 GB external IEEE 1394 drive, which resides outside the computer case, might score a Trustworthy Factor score in the low thirties. It may be considered a moderately trustable volume, since there are no pocket-sized or palm-sized drives meeting that description. A 64 MB USB keychain drive might yield a Trustworthy Factor score less than twenty, meaning that it should be considered as untrustworthy and potentially a security threat, a low level of trust.
Typically, over twenty five different factors, called metadata elements, are examined in the computation of a volume's Trustworthy Factor score. Each factor can be given different weighing factors, as appropriate for the organization being served. For example, consider two devices, one that discloses the number of sectors and tracks it contains and another that does not. The device that discloses the number of sectors information is more trustworthy than the device that fails to disclose. Thus, the disclosing device receives a slightly higher Trustworthy Factor score. However, other factors may be more important in determining the trustworthiness of the device. Another factor is the interface type used to interact with the device (IDE, USB, IEEE 1394, et cetera). This factor indicates the portability of the volume. IDE is considered more trustworthy than USB for the simple fact that it is difficult to mount an IDE drive outside the computer case. Thus, an IDE drive mounted inside a locked computer case should be considered to have a high level of trust.
One of the benefits of the present invention is the use of administrator-configured weighing factors to discriminate more important volume factors, metadata elements, from others. This allows the Volume Trust application to be adjusted to local needs without need for recompilation. Increasing the weighing factors directly impacts the trustworthy factor score of a volume that discloses that metadata element. In fact, the Volume Trust application can be tuned in the field in a matter of seconds to respond to the circumstances at hand. For example, a laptop used by an individual at their cubicle on the 37th floor of corporate headquarters is at minimal risk. When that laptop is taken on a business trip to a conference room with 30 strangers at a client's office, the level of risk should increase moderately. Now, when that same laptop is taken to the Comdex tradeshow floor where there are hundreds of thousands of strangers walking around, the maximum level of protection should be enabled and the Volume Trust application should be extremely skeptical about every external storage device.
OBJECTS AND ADVANTAGES
While the present invention may be practiced using software, hardware or firmware, it is an object of the present invention to provide a software based solution to volume mount authentication.
An advantage of the present invention is that it may be cost-effectively deployed to a large installation base through common software distribution techniques and does not require technicians to manipulate computer hardware.
The present invention is backwards compatible, easily working with existing computer infrastructure.
The present invention is operating system independent.
The present invention is independent of programming language.
The present invention allows a storage device, such as a DVD or CD-ROM drive, or card reader, to remain online while scrutinizing the media associated with the storage device.
The present invention does not require the modification of existing user security privileges, nor does it require the creation or modification of specialized security privilege groups.
The present invention operates in real-time by leveraging the event notification mechanisms built into most operating systems.
The present invention does not rely on cryptographic algorithms susceptible to aging, which become insecure over time, nor does it rely on expensive and administratively time-consuming Public Key Identification (PKI).
The present invention does not require any modification of existing computer or computer-peripheral manufacturing techniques.
The present invention allows an administrator or user to refine the fuzzy logic used to establish trust between the device and media without requiring access to source code and redistributing new binary run-time objects.
The present invention allows for easy audit and logging of external storage device interactions through its robust and flexible daisy-chained list of zone action handlers.
The present invention works on virtually all devices that contain a microprocessor, from computers to phones to personal digital assistants across operating systems and programming languages.
The present invention provides the ability to slide the level of trust based upon external security factors, such as different states of terrorist alerts.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING
The present invention and its advantages will be better understood by referring to the following detailed description and the attached drawings in which:
FIG. 1 is an overall flow-chart view of the basic process steps of the volume mount authentication process, S100 through S800;
FIG. 2 is a detailed flow-chart view of the core process steps of the volume mount authentication process;
FIG. 3 is a flow-chart view of the boot analysis steps;
FIG. 4 is a flow-chart view of the graphic identification steps;
FIG. 5 is a flow-chart view of dynamic adjustment of the scoring matrix, based on the perceived location of the computing device;
FIG. 6 is a flow-chart view of dynamic adjustment of the calculating steps of the Trustworthy Factor Calculator, based on the perceived location of the computing device;
FIG. 7 is a flow-chart view of remotely accessed dynamic adjustment of the calculating steps of the Trustworthy Factor Calculator, based on the perceived location of the computing device;
FIG. 8 is a flow-chart view of the authentication steps;
FIG. 9 is a flow-chart view of the volume mount point steps; and
FIG. 10 is a flow-chart view of the metadata extraction steps.
REFERENCE NUMERALS
  • 1 Media
  • 2 Media device
  • 3 Computing device
  • 4 Computer
  • 5 Volume mount point
  • 6 Metadata
  • 7 Metadata object
  • 8 Metadata element
  • 9 Trustworthy factor calculator
  • 10 Raw score
  • 11 Scoring matrix
  • 12 Level of trust zone
  • 13 Action handler
  • 14 Zone action handler
  • 15 Progress bar
  • 16 Volume mount notification
  • 17 Logical disk information
  • 18 Physical disk partition address
  • 19 Physical storage device address
  • 20 Data communication channels
  • 21 Media computing devices
  • 22 Calculation steps
  • 23 Weighing factors
  • 24 Score value
  • 25 Maximum possible score value
  • 26 Overall maximum score
  • 27 Trustworthy factor score
  • 28 Ultimate signal
  • 29 Thread
  • 30 Alternate calculation steps
  • 31 Alternate scoring matrix
  • 32 Remote location
  • 33 Remember Media action handler
  • 34 Media Previously Trusted action handler
  • 35 External security level
  • 36 Data structures
  • 37 Matrix of numerical scores
  • 38 Matrix of weighing factors
  • 39 Zone action handler response
  • 40 volume mount point icon
  • 50 Volume Trust (application)
  • S100 Detect Insertion of Media
    • S110 User Logs onto Computer
    • S120 Automatically Start Application
    • S130 Identify Existing Mount Points
    • S140 Wait for Media Notification
    • S150 User Inserts External Storage Device with Media
    • S160 Spawn a Thread
    • S170 Display Progress Bar
  • S200 Extract Media Metadata
    • S210 Convert Logical Disk to Partition
    • S220 Convert Partition to Physical Drive
    • S230 Fetch Storage Device Data
    • S240 Fetch Logical Disk Data
    • S250 Fetch Disk Partition Data
    • S260 Fetch Physical Media Data
    • S270 Fetch Data Channel Data
    • S280 Fetch Media Device Data
  • S300 Load Trustworthy Factor Calculator
    • S310 Identify Location
    • S320 Lookup Trustworthy Factor for Identified Location
    • S330 Load Trustworthy Factor Calculator from Local Computer
    • S340 Download Trustworthy Factor Calculator from Remote Location
    • S350 Initialize Calculator and Load Weight Factors
  • S400 Calculate Trustworthy Factor
    • S410 Compute Actual and Maximum Possible Score
    • S420 Calculate Normalized Trustworthy Factor
  • S500 Load Scoring Matrix
    • S510 Identify Location
    • S520 Lookup Scoring Matrix for Identified Location
  • S600 Determine Level of Trust Zone
  • S700 Execute Appropriate Zone Action Handlers
    • S705 Check if Media Previously Trusted
    • S710 Prompt for Password
    • S720 Prompt for Biometric
    • S730 Prompt for Security Token Card
    • S740 Determine if User Belongs to the Administrator Security Group
    • S750 Remember Media Decision
    • S760 Always Associate Media with Mount or Dismount Conclusion
    • S770 Determine and Track Association with an Expiration Date
  • S800 Allow—Disallow Mount
    • S810 Show Level of Trust Zone
DETAILED DESCRIPTION OF THE INVENTION
An overall flow-chart view of the basic process steps of the volume mount authentication process, S100 through S800, is shown in FIG. 1. There is a wide assortment of media currently available that may be inserted into a media reading or writing device. Examples include, but are not limited to: CD's, USB drives, floppy disks, memory sticks, and many other devices. Media 1 is inserted into a media reading or writing device 2 that is in communication with a computing device 3, such as a computer or network device. Computing device 3 detects insertion of the media, step S100. Upon insertion of media 1, data structures containing metadata 6 related to media 1 become available to computing device 3. For example, metadata may include information about the type of media, its cryptographic characteristics including its ID, its actual physical size, the file architecture used (such as “FAT32”, “FAT16”, et cetera), sector size, et cetera. Metadata 6 is extracted, step S200. If not already available, a trustworthy factor calculator 9 is loaded, step S300. Trustworthy factor calculator 9 is typically a plug-in software module that processes each metadata element and applies a weighed score, resulting in a trustworthy factor score 27, step S400. A scoring matrix 11 is loaded, step S500. Scoring matrix 11 denotes ranges of values of the trustworthy factor score 27 into zones, typically four zones. Scoring matrix 11 is used to convert trustworthy factor score 27 into a zone number, called a Level of Trust Zone 12, step S600. Based on the value of Level of Trust Zone 12, an appropriate Zone Action Handler 14 is selected, step S700. By returning a Zone Action Handler Response 28, Zone Action Handler 14 may direct computing device 3 to disallow the mounting of media 1, may require specific authentication action to take place prior to allowing a mount of media 1, or may indicate that media 1 may be mounted without further authentication.
Typically, Zone Action Handler 14 comprises a plurality of action handlers that are executed in succession. Upon completion of execution of Zone Action Handler 14, a decision to allow or disallow the mount is made, step S800.
Furthermore, a media device may be hosted by a second computing device. Such second computing device may abstract the media device from the first computing device. For example, a desktop PC is a first computing device which is performing volume mount authentication on a PDA (a handheld portable computer) that contains a media device such as a hard disk storage drive. The PDA in this example is a second computing device which is hosting the media device. In all cases, the second computing device, or any computing intermediary, is effectively the same as a media device which it is hosting. The meaning of the term media device may include any media device, its host, or other computing intermediary.
A detailed flow-chart view of the core process steps of the volume mount authentication process is illustrated in FIG. 2. Typically, a user logs into computing device 3, step S110. A personal computer is used for purposes of illustration, but computing device 3 may be any of a myriad of devices either now known or developed in the future. For example, computing device 3 may be a Windows or LINUX based personal computer, a Macintosh, a UNIX machine, a Personal Digital Assistant, a telephone or telephone system, a network controller, server, workstation, digital appliance, computerized test equipment, custom computer, et cetera. Typically, the volume mount authentication application, called Volume Trust 50, is started automatically, step S120. Application Volume Trust 50 polls or waits for notification to analyze a volume mount point 5, step S140. A volume mount point is an abstraction of the memory addresses that reference a device or media capable of being mounted or recognized by the computer. Volume mount points exist for all typical computer devices, especially those holding data, such as hard drives, floppy disks, CD/DVD drives, et cetera. Volume mount points also exist for devices connected by way of infrared and radio signals. Beaming data to a computer by way of an infrared signal creates a volume mount point, as do personal area networks, such as “Blue Tooth”, and even radio frequency connections to telephone cell towers. The volume mount point, regardless of the form it takes, establishes the link between the logical connection and the physical connection to a device and its media. When a user inserts an external storage media device 2 with media 1, or media 1 into a connected storage media device 2, step S150, a volume mount notification 16 occurs and is recognized by application Volume Trust 50. Application Volume Trust 50 spawns a thread 29, step S160, to begin the volume trust authentication process.
While it is not necessary to spawn a thread in order to practice the present invention, it is of great advantage to use multi-thread techniques. Use of multi-threading allows authentication of a plurality of media while the first media is still undergoing authentication. Optionally, a progress bar 15 is displayed for the user's benefit, step S170.
Volume mount notification 16 must be decoded so metadata 6 that is related to media 1 may be extracted. This is done by first converting the logical disk information 17 into a physical disk partition address 18, step S210. Note, physical disk partition address 18 is commonly known to refer to any block of storage space that may be read from, written to, or is both readable and writable. Physical disk partition address 18 is then converted into a physical storage device address 19, step S220. These steps of deabstracting the information are typically performed using routine libraries, and these steps are well known to those skilled in the art. Once the physical drive information is obtained, the storage device data is extracted, step S230, along with logical disk data, S240, disk partition data, S250, and physical media data, S260, from their respective data structures, as is appropriate for the media being authenticated. Such collected metadata 6 is stored as a volume metadata object 7. Typically, at least two dozen metadata elements 8 describing media 1 and media device 2 are gathered.
One or more data communications channels may exist between the computing device and the media device or media itself. In such cases, it is also possible to collect metadata associated with the data communications channel.
The media may also be associated with one or more media devices, data communications channels, or media computing devices, each of which is abstracted behind the volume mount point. For instance, the computing device under authentication may detect a volume mount point from an infrared signal being sent from a handheld computing device containing a miniature hard disk drive that is plugged into the handheld computing device's USB port. The miniature hard disk drive represents the media device. In such a configuration, the computing device under authentication may retrieve metadata from the infrared communication channel, the handheld computing device itself, its USB data channel, and the miniature hard disk drive.
Trustworthy factor calculator 9 is loaded, step S300. Typically, in a Windows operating system, trustworthy factor calculator 9 is a dynamic linked library, a plug in module. Trustworthy factor calculator 9 looks up and loads calculation steps 22 associated with the metadata elements of interest. Trustworthy factor calculator 9 loads weighing factors 23 which correspond to the metadata elements, step S350. For each metadata element 8, Trustworthy factor calculator 9, using calculation steps 22, determines a score value 24 and its maximum possible score value 25. Weighing factors 23 are applied to each score value 24 and each maximum possible score value 25. Score values 24 are accumulated as a raw score 10 and the maximum possible score values 25 are accumulated as an overall maximum score 26, step S410. Accumulated raw score 10 is normalized, based on overall maximum score 26, step S420, establishing a trustworthy factor score 27. Typically, for convenience, trustworthy factor score 27 is set to create a range of zero (0) to one hundred (100). This is accomplished by simply dividing accumulated raw score 10 by overall maximum score 26 and multiplying by one hundred (100).
Scoring matrix 11 is loaded, step S500. Typically, in a Windows brand operating system, this module is a dynamic linked library, a plug in module. Scoring matrix 11 is a set of established thresholds used to classify the resulting Trustworthy Factor Score 27 created by the Trustworthy Factor Calculator 9. The zone encompassing Trustworthy Factor Score 27 is identified as the Level of Trust Zone 12, step S600. For example, a trustworthy factor score falling between 0 to 15 may be classed as zone one (1), a trustworthy factor score falling between 16 to 50 as zone two (2), a trustworthy factor score falling between 51 to 80 as zone three (3), and a trustworthy factor score falling between 81 to 100 as zone four (4). Once Level of Trust Zone 12 is identified, the zone information is used to select and execute a Zone Action Handler 14 for that Level of Trust Zone 12, step S700. Continuing the example, a trustworthy factor score of 45 falls between 16 and 50 and is therefore classed as zone two (2). The Zone Action Handler corresponding to that zone two (2) is then executed.
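The scoring of steps S410 and S420 and the zone lookup of step S600, together with an alternate scoring matrix selected by external security level, as an added Python illustration that is not code from the patent or from the Volume Trust application. The metadata element names, point values, weighing factors and the elevated matrix are assumptions; only the default zone ranges (0 to 15, 16 to 50, 51 to 80, 81 to 100) come from the description.

```python
import math
from typing import Callable, Dict, List, Optional, Tuple

# A calculation step turns one metadata element into
# (score value, maximum possible score value).
CalcStep = Callable[[Optional[object]], Tuple[float, float]]


def interface_step(value: Optional[object]) -> Tuple[float, float]:
    # Ordering follows the description (IDE > IEEE 1394 > USB); the points are assumed.
    points = {"IDE": 10.0, "IEEE1394": 5.0, "USB": 1.0}
    return points.get(str(value), 0.0), 10.0


def disclosure_step(value: Optional[object]) -> Tuple[float, float]:
    # A device that discloses the element scores; one that withholds it does not.
    return (1.0 if value is not None else 0.0), 1.0


def capacity_step(value: Optional[object]) -> Tuple[float, float]:
    # Assumed breakpoints: larger volumes are less likely to be pocket-sized.
    if value is None:
        return 0.0, 5.0
    gb = float(value)
    return (5.0 if gb >= 100 else 2.0 if gb >= 10 else 0.0), 5.0


# Hypothetical element names and administrator-configured weighing factors.
CALC_STEPS: Dict[str, CalcStep] = {
    "interface": interface_step,
    "sector_count": disclosure_step,
    "track_count": disclosure_step,
    "capacity_gb": capacity_step,
}
WEIGHTS: Dict[str, float] = {
    "interface": 5.0, "sector_count": 1.0, "track_count": 1.0, "capacity_gb": 2.0,
}

# Scoring matrix rows are (inclusive upper bound, zone).
Matrix = List[Tuple[int, int]]
DEFAULT_MATRIX: Matrix = [(15, 1), (50, 2), (80, 3), (100, 4)]   # from the description
ELEVATED_MATRIX: Matrix = [(30, 1), (65, 2), (90, 3), (100, 4)]  # constructed thresholds
MATRIX_BY_LEVEL: Dict[str, Matrix] = {
    "green": DEFAULT_MATRIX, "yellow": DEFAULT_MATRIX,
    "orange": ELEVATED_MATRIX, "red": ELEVATED_MATRIX,
}


def trustworthy_factor(metadata: Dict[str, object],
                       steps: Dict[str, CalcStep],
                       weights: Dict[str, float]) -> float:
    """S410/S420: accumulate weighted scores, then normalize to 0..100."""
    raw_score = 0.0
    overall_max = 0.0
    for name, step in steps.items():
        score, max_score = step(metadata.get(name))
        weight = weights.get(name, 0.0)
        raw_score += weight * score
        overall_max += weight * max_score
    if overall_max <= 0:
        return 0.0  # nothing could be scored: report the lowest score
    return 100.0 * raw_score / overall_max


def level_of_trust_zone(score: float, matrix: Matrix) -> int:
    """S600: map a score to a zone; anything unclassifiable lands in zone 1."""
    if math.isnan(score) or not 0 <= score <= 100:
        return 1
    whole = math.floor(score)  # 15.9 stays in the 0..15 band, never rounds up
    for upper_bound, zone in matrix:
        if whole <= upper_bound:
            return zone
    return 1


def zone_for_media(metadata: Dict[str, object], security_level: str) -> Tuple[float, int]:
    # Assumption: an unknown security level selects the stricter matrix.
    matrix = MATRIX_BY_LEVEL.get(security_level, ELEVATED_MATRIX)
    score = trustworthy_factor(metadata, CALC_STEPS, WEIGHTS)
    return score, level_of_trust_zone(score, matrix)


# Constructed sample metadata objects.
IDE_DISK = {"interface": "IDE", "sector_count": 156301488,
            "track_count": 16383, "capacity_gb": 80}
USB_KEY = {"interface": "USB", "capacity_gb": 0.064}

if __name__ == "__main__":
    for label, media in (("IDE disk", IDE_DISK), ("USB key", USB_KEY)):
        for level in ("green", "red"):
            score, zone = zone_for_media(media, level)
            print(f"{label:8s} level={level:5s} score={score:5.1f} zone={zone}")
```

With these assumed weights the same internal IDE disk drops from zone four to zone three when the security level moves from green to red, while the USB key stays in zone one under both matrices.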
Zone Action Handler 14 may perform a variety of actions, which will be detailed in FIG. 6.
Zone Action Handler 14 returns an ultimate signal, a Zone Action Handler Response 39, to allow mount of media 1 or disallow mount of media 1, step S800. This concludes the volume mount authentication process.
FIG. 3 further details the boot analysis steps in the case of authenticating existing volume mount points 5′. Typically, a user logs into computing device 3, step S110. Typically, application Volume Trust 50 is started automatically, step S120. Application Volume Trust 50 polls for existing volume mount points 5′ seen by computing device 3, step S140. For each volume mount point 5′, application Volume Trust 50 spawns a thread 29, step S160, to begin the volume mount authentication process for each detected volume mount point 5′.
FIG. 4 illustrates an optional step of alerting the user that a volume mount has been authenticated by the Volume Trust application. Zone Action Handler 14 returns Zone Action Handler Response 39 to allow mount of media 1 or disallow mount of media 1, step S800. If the mount is allowed, a volume mount point icon 40 is displayed or otherwise communicated, reflecting the Level of Trust Zone for which the mount was allowed. This alerts the user of the trust level circumstances which allowed media 1 or media device 2 to be mounted. This icon or communication may be used by the operating system, throughout the operating system application dialogs, to denote the Level of Trust Zone.
FIG. 5 illustrates use of the device connection information to guide dynamic adjustment of scoring matrix 11. Trustworthy Factor Calculator 9 returns Trustworthy Factor Score 27, step S420. The initial scoring matrix 11 is loaded, step S500. Devices connected to computing device 3 (such as network connections, printers, media devices) are identified, step S510, establishing a perceived location for computing device 3. For example, it may be found that computing device 3, say a laptop computer, is connected to a wireless network at a remote location rather than docked to a high-security network inside an office at a fixed location. Adjustments to the scoring matrix 11 are selected from one or more alternate scoring matrices 11′, based on the perceived location of computing device 3, step S520. Continuing with the laptop computer example, scoring matrix 11 may be adjusted, or an alternate scoring matrix 11′ loaded, to reflect a higher score requirement in order to produce a mount authentication. The Level of Trust Zone 12′ is determined by comparing the Trustworthy Factor Score 27 to the adjusted scoring matrix 11′, step S600.
FIG. 6 illustrates use of device connection information to guide dynamic adjustment of the Trustworthy Factor Calculator. Trustworthy Factor Calculator 9 is loaded, step S300. Devices connected to computing device 3 are identified, step S310. Based on the perceived identified location, the appropriate calculation steps 22 to use are selected, step S320. For example, it may be found that computing device 3, say a laptop computer, is connected to a wireless network at a remote location rather than docked to a high-security network inside an office at a fixed location. This means that calculation steps 22, one for remote wireless operation, are required. Calculation steps 22 are loaded, step S330. Trustworthy Factor Calculator 9 then loads weighing factors 23 which have been previously determined for the media 1 and media device 2 undergoing authentication, step S350.
FIG. 7 illustrates use of device connection information to guide dynamic adjustment of Trustworthy Factor Calculator 9, where calculation steps 22′ are obtained from a remote location 32, such as over a network or the internet. Trustworthy Factor Calculator 9 is loaded, step S300. Devices connected to computing device 3 are identified, step S310. Based on the perceived identified location, the appropriate calculation steps 22′ to use are selected, step S320. For example, it may be found that computing device 3, say a laptop computer, is connected to a wireless network at a remote location rather than docked to a high-security network inside an office at a fixed location. This means that calculation steps 22′, one for remote wireless operation, are required. For very high security situations, it may be required that calculation steps 22′ may not be obtained from computing device 3, rather must be downloaded from a specific secure remote location. Calculation steps 22′ are loaded from a remote location, step S340. Trustworthy Factor Calculator 9 then loads weighing factors 23 which have been previously determined for the media 1 and media device 2 undergoing authentication, step S350.
FIG. 8 illustrates various details of the authentication process, including actions for external additional authentication, which may be called upon by a selected Zone Action Handler. Scoring matrix 11 is used to convert Trustworthy Factor Score 27 into Level of Trust Zone 12, step S600. Based on Level of Trust Zone 12, Zone Action Handler 14 is selected, step S700. Note, that Zone Action Handler 14 may in practice embody one or more action handlers 13, each of which performs particular tasks. Zone Action Handler 14 refers to the collective actions of all action handlers 13. Zone Action Handler 14 may return a response that recommends or directs computing device 3 to disallow the mounting of media 1, may require specific authentication action to take place prior to allowing a mount of media 1, or may indicate that media 1 may be mounted without further authentication. For instance, one action handler 13 may prompt the user for a password, step S710, then call a second action handler 13′ to prompt for biometric information, step S720, which in turn calls a third action handler 13″ to prompt for a security token card, step S730, then calling a fourth action handler 13′″ to determine whether the user belongs to an administrative security group, step S740. Each of these action handlers 13, 13′, 13″, 13′″ returns a response. Various other authentication steps, now known or to be developed, may be programmed into a Zone Action Handler 14 or its action handlers 13. Upon completion of execution of Zone Action Handler 14, a Zone Action Handler Response 39 is returned and a decision to allow or disallow the mount is made, step S800.
In an alternative embodiment, Zone Action Handler 14 may include the capability to decide whether to remember the external additional authentication for the particular media or media device being authenticated, step S750. In such case, Zone Action Handler 14 includes a Remember Media Action Handler 33, which may be configured to always associate the particular media 1′ with a mount or dismount conclusion, step S760. Such being the case, the next time that particular media 1′ is subject to an authentication request, another action handler, the Media Previously Trusted Action Handler 34, may directly return a mount or dismount conclusion without invoking other action handlers to prompt for password, biometrics, security token card, or administrator security group determination, step S705. An additional alternate embodiment is to enable the Remember Media Action Handler 33 to grant such mount or dismount association for a fixed period of time, or other validity condition, step S770. In such case, Media Previously Trusted Action Handler 34 uses the period of time or other validity condition in making its mount or dismount conclusion.
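The chained action handlers of FIG. 8 and the Remember Media / Media Previously Trusted handlers with an expiration, as an added Python illustration that is not code from the patent or from the Volume Trust application. The handler names, the per-zone chains, the eight-hour validity period, the `checks` dictionary standing in for real prompts, and the rule that remembered trust is not reused in a lower zone are all assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Response(Enum):
    ALLOW = "allow"        # terminal: mount
    DENY = "deny"          # terminal: do not mount
    CONTINUE = "continue"  # no verdict yet, run the next action handler


@dataclass
class MountRequest:
    media_id: str   # assumed stable identifier taken from the volume metadata
    zone: int       # Level of Trust Zone from step S600
    checks: Dict[str, bool] = field(default_factory=dict)  # stand-in prompt outcomes


@dataclass
class TrustStore:
    # media_id -> (conclusion, expiry time, zone in which it was granted)
    remembered: Dict[str, Tuple[Response, float, int]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)


Handler = Callable[[MountRequest, TrustStore, float], Response]
REMEMBER_TTL = 8 * 3600.0  # assumed validity period in seconds


def media_previously_trusted(req: MountRequest, store: TrustStore, now: float) -> Response:
    """S705: reuse a remembered conclusion while it is still valid."""
    entry = store.remembered.get(req.media_id)
    if entry is None:
        return Response.CONTINUE
    decision, expires_at, granted_zone = entry
    # Added hardening (assumption): trust earned in a higher zone is dropped
    # when the media now lands in a lower zone, e.g. after the matrix tightens.
    if now >= expires_at or req.zone < granted_zone:
        del store.remembered[req.media_id]
        return Response.CONTINUE
    return decision


def require(check: str) -> Handler:
    """S710-S740: one prompt; its outcome is read from req.checks in this example."""
    def handler(req: MountRequest, store: TrustStore, now: float) -> Response:
        # A missing outcome counts as a failed prompt.
        return Response.CONTINUE if req.checks.get(check) is True else Response.DENY
    handler.__name__ = f"require_{check}"
    return handler


def remember_media(ttl: float) -> Handler:
    """S750/S770: record an allow conclusion together with its expiration."""
    def handler(req: MountRequest, store: TrustStore, now: float) -> Response:
        store.remembered[req.media_id] = (Response.ALLOW, now + ttl, req.zone)
        return Response.CONTINUE
    handler.__name__ = "remember_media"
    return handler


def allow_mount(req: MountRequest, store: TrustStore, now: float) -> Response:
    return Response.ALLOW


def deny_mount(req: MountRequest, store: TrustStore, now: float) -> Response:
    return Response.DENY


# Hypothetical Zone Action Handlers: one ordered chain of action handlers per zone.
ZONE_HANDLERS: Dict[int, List[Handler]] = {
    1: [deny_mount],
    2: [media_previously_trusted, require("password"), require("token_card"),
        require("admin_group"), remember_media(REMEMBER_TTL), allow_mount],
    3: [media_previously_trusted, require("password"),
        remember_media(REMEMBER_TTL), allow_mount],
    4: [allow_mount],
}


def execute_zone_action_handler(req: MountRequest, store: TrustStore, now: float) -> Response:
    """S700/S800: run the chain in order; the first ALLOW or DENY is the decision."""
    for handler in ZONE_HANDLERS.get(req.zone, [deny_mount]):
        response = handler(req, store, now)
        store.audit.append(
            f"{req.media_id} zone={req.zone} {handler.__name__} -> {response.value}")
        if response is not Response.CONTINUE:
            return response
    return Response.DENY  # chain ended without a verdict: do not mount


if __name__ == "__main__":
    store = TrustStore()
    first = MountRequest("VOL-CONSTRUCTED-01", 3, {"password": True})
    print(execute_zone_action_handler(first, store, now=1000.0))
    again = MountRequest("VOL-CONSTRUCTED-01", 3)
    print(execute_zone_action_handler(again, store, now=2000.0))
    print(execute_zone_action_handler(again, store, now=1000.0 + REMEMBER_TTL))
    print("\n".join(store.audit))
```

The description does not say which identifier the remembered conclusion is keyed on; a deployment needs one that a second device cannot simply copy, since the remembered entry skips every prompt.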
FIG. 9 illustrates volume mount point steps. Typically, a user logs into computing device 3, step S110. Typically, application Volume Trust 50 is started automatically, step S120. Application Volume Trust 50 polls or waits for notification to analyze a volume mount point 5, step S140. A notification may occur when a device beams an infrared or wireless signal to the computing device or a device attached to the computing device, step S155. Application Volume Trust 50 spawns thread 29, step S160, to begin the volume mount authentication process.
FIG. 10 illustrates various details of the metadata extraction process. Partition information 18 is converted into physical drive information 19, step S220. Once the physical drive information 19 is obtained, the storage device data is extracted, step S230, along with logical disk data, step S240, disk partition data, step S250, and physical media data, step S260, as is appropriate for the media being authenticated. Additionally, it is optionally possible to obtain data associated with the data communications channel 20, step S270, and the media device 2 itself, including its hosted computing device, if one exists, step S280. The collected metadata 6 is stored as a volume metadata object 7, composed of metadata elements 8. The Trustworthy Factor Calculator is loaded, step S300.
An alternate embodiment of the present invention includes use of external reporting of security levels to adjust the scoring matrix. A governmental agency, an industry, a specific plant or locale may issue security alerts of various levels. For example, a refinery may receive “red”, “orange”, “yellow”, and “green” security levels, depending on external intelligence, terrorist action, or geopolitical conditions. These external security levels may be used to automatically modify the scoring matrix. In this example, a “red” or “orange” security level, indicating a threatening security condition, may be used to require greater trustworthy factor scores to meet specific level of trust zone thresholds. In such case, the external security levels are used as indicators to adjust or replace the scoring matrix to reflect these more stringent security requirements.
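The scoring, zone lookup, remembered-media and external-security-level steps described above can be followed end to end in a short sketch. This is an added example, not code from the patent: the zone names, thresholds, weighing factors, threshold shifts, eight-hour validity period and the use of a string media identifier are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: metadata element -> (score value, maximum possible score value).
SAMPLE_SCORES = {
    "storage_device": (8, 10),
    "logical_disk": (5, 10),
    "disk_partition": (6, 10),
    "physical_media": (2, 5),
    "communications_channel": (1, 5),
}
# Constructed matrix of weighing factors, one per metadata element.
SAMPLE_WEIGHTS = {
    "storage_device": 3.0,
    "logical_disk": 1.0,
    "disk_partition": 1.0,
    "physical_media": 2.0,
    "communications_channel": 1.0,
}
# Constructed scoring matrix: (minimum trustworthy factor score, level of trust zone).
BASE_MATRIX = [(0.80, "trusted"), (0.50, "restricted"), (0.00, "untrusted")]
# Assumed mapping from external security level to a threshold increase.
LEVEL_SHIFT = {"green": 0.00, "yellow": 0.05, "orange": 0.10, "red": 0.15}
REMEMBER_FOR = timedelta(hours=8)  # assumed validity period


def trustworthy_factor(scores, weights):
    """Weighted raw score normalized by the weighted maximum possible score."""
    raw = maximum = 0.0
    for element, (value, max_value) in scores.items():
        if not 0 <= value <= max_value:
            raise ValueError(f"score out of range for {element}")
        weight = weights.get(element, 0.0)  # unweighted elements contribute nothing
        raw += weight * value
        maximum += weight * max_value
    return raw / maximum if maximum > 0 else 0.0  # no usable metadata: lowest score


def adjusted_matrix(matrix, level):
    """Raise every non-zero zone threshold according to the external security level."""
    shift = LEVEL_SHIFT.get(level, max(LEVEL_SHIFT.values()))  # unknown level: strictest
    return [(min(1.0, t + shift) if t > 0 else 0.0, zone) for t, zone in matrix]


def zone_for(score, matrix):
    """Return the highest zone whose threshold the score meets."""
    for threshold, zone in sorted(matrix, reverse=True):
        if score >= threshold:
            return zone
    return "untrusted"


@dataclass
class Remembered:
    conclusion: str    # "mount" or "dismount"
    expires: datetime  # end of the validity period


def previously_trusted(store, media_id, now):
    """Return a remembered conclusion that is still valid, dropping expired records."""
    record = store.get(media_id)
    if record is None:
        return None
    if now >= record.expires:
        del store[media_id]
        return None
    return record.conclusion


def authenticate(media_id, scores, weights, level, store, now, prompt):
    """Return "mount" or "dismount" for one volume mount authentication request."""
    remembered = previously_trusted(store, media_id, now)
    if remembered is not None:
        return remembered  # no prompt is issued for remembered media
    score = trustworthy_factor(scores, weights)
    zone = zone_for(score, adjusted_matrix(BASE_MATRIX, level))
    if zone == "trusted":
        return "mount"
    if zone == "untrusted":
        return "dismount"
    # Restricted zone: require additional authentication. prompt() stands in for the
    # password, biometric, security token or group-membership action handlers.
    conclusion = "mount" if prompt() else "dismount"
    if conclusion == "mount":
        store[media_id] = Remembered(conclusion, now + REMEMBER_FOR)
    return conclusion
```

With the sample data the normalized score is 40/65, which falls in the assumed "restricted" zone at "green" but drops to "untrusted" at "red", because the same media must now clear a higher threshold.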
Although the description above contains many specifications, these should not be construed as limiting the scope of the invention but as merely providing illustrations of some of the presently preferred embodiments of this present invention. Persons skilled in the art will understand that the method and apparatus described herein may be practiced, including but not limited to, the embodiments described. Further, it should be understood that the invention is not to be unduly limited to the foregoing which has been set forth for illustrative purposes. Various modifications and alternatives will be apparent to those skilled in the art without departing from the true scope of the invention. While there has been illustrated and described particular embodiments of the present invention, it will be appreciated that numerous changes and modifications will occur to those skilled in the art, and it is intended as herein disclosed to cover those changes and modifications which fall within the true spirit and scope of the present invention.

Claims (74)

1. A method for authenticating computer media for communication with a computing device, comprising the steps of:
a) detecting a media volume mount point;
[b) deabstracting a logical address of said media volume mount point into a physical disk partition address;]
[c)] b) deabstracting said [physical disk partition address] media volume mount point into a physical storage device address;
[d)] c) receiving a plurality of metadata elements from data structures associated with one or more components from the list comprising: said computer media, said physical storage device address, [said] a physical disk partition address, a data communications channel, and said media volume mount point;
[e)] d) loading a trustworthy factor calculator wherein said trustworthy factor calculator comprises calculation steps producing score values and maximum possible score values associated with said metadata elements;
[f)] e) initializing said trustworthy factor calculator with a matrix of weighing factors associated with said plurality of metadata elements;
[g)] f) accumulating a raw score based on said score values for said plurality of metadata elements, wherein each score value used in said accumulation of said raw score is adjusted by said associated weighing factors, accumulating an overall maximum possible score for said maximum possible score values, wherein each maximum possible score value used in said accumulation of said overall maximum score is adjusted by said associated weighing factors, normalizing said raw score with said overall maximum score, whereby a trustworthy factor score is produced;
[h)] g) initializing said trustworthy factor calculator with a scoring matrix having discrete level of trust zone values associated with trustworthy factor scores;
[i)] h) comparing said trustworthy factor score with said scoring matrix, whereby a level of trust zone value is produced;
[j)] i) executing at least one zone action handler based on said level of trust zone value, said zone action handler returning at least one zone action handler response; and
[k)] j) determining whether said volume mount point authentication should be permitted or denied based on the result of said zone action handlers response.
2. The method as claimed in claim 1 wherein said detecting a media volume mount point comprises detecting existing volume mount points recognized by the computing device.
3. The method as claimed in claim 1 further comprising the step of communicating said level of trust zone value to said computing device.
4. The method as claimed in claim 1 further comprising the step of communicating said level of trust zone value to an operating system of said computing device.
5. The method as claimed in claim 1 further comprising the step of communicating said level of trust zone value to a user of said computing device.
6. The method as claimed in claim 1 wherein said trustworthy factor calculator loads calculation steps from a remote location.
7. The method as claimed in claim 1 wherein said trustworthy factor calculator loads calculation steps locally from said computing device.
8. The method as claimed in claim 1 further comprising the steps of:
a) identifying devices connected to said computing device; and
b) loading alternate calculation steps producing score values and maximum possible score values associated with said metadata elements, said alternate loading based on the results of said identifying of devices connected to said computing device.
9. The method as claimed in claim 8 wherein said alternate calculation steps are loaded from said computing device.
10. The method as claimed in claim 8 wherein said alternate calculation steps are loaded from a remote location.
11. The method as claimed in claim 1 further comprising the steps of:
a) identifying devices connected to said computing device; and
b) adjusting said scoring matrix based upon the results of said identification of devices connected to said computing device.
12. The method as claimed in claim 11 wherein said adjustments to said scoring matrix are loaded from a remote location.
13. The method as claimed in claim 11 wherein said adjustments to said scoring matrix are loaded from said computing device.
14. The method as claimed in claim 1 wherein said scoring matrix having discrete level of trust zone values is loaded from said computing device.
15. The method as claimed in claim 1 wherein said scoring matrix having discrete level of trust zone values is loaded from a remote location.
16. The method as claimed in claim 1 wherein said execution of a zone action handler comprises the step of requiring specific authentication action.
17. The method as claimed in claim 1 wherein said execution of a zone action handler further comprises the step of determining whether the user belongs to a particular group.
18. The method as claimed in claim 1 wherein said execution of a zone action handler further comprises the step of determining whether the user belongs to an administrative security group.
19. The method as claimed in claim 1 wherein said execution of a zone action handler comprises the step of prompting the user for a password.
20. The method as claimed in claim 1 wherein said execution of a zone action handler comprises the step of prompting for biometric information.
21. The method as claimed in claim 1 wherein said execution of a zone action handler comprises the step of prompting a security token card.
22. The method as claimed in claim 1 wherein said execution of at least one of said zone action handler comprises the step of recording said zone action handler responses for said computer media undergoing authentication.
23. The method as claimed in claim 22, wherein said recording of zone action handler responses is made on said computing device.
24. The method as claimed in claim 22, wherein said recording of zone action handler responses is made on said computer media undergoing authentication.
25. The method as claimed in claim 1, wherein said execution of at least one of said zone action handler comprises the step of recording a validity condition.
26. The method as claimed in claim 25, wherein said recording of said validity condition is made on said computing device.
27. The method as claimed in claim 25, wherein said recording of said validity condition is made on said computer media undergoing authentication.
28. The method as claimed in claim 1, wherein said execution of at least one of said zone action handler comprises the step of recording a validity period of time.
29. The method as claimed in claim 28, wherein said recording of said validity period of time is made on said computing device.
30. The method as claimed in claim 28, wherein said recording of said validity period of time is made on said computer media undergoing authentication.
31. The method as claimed in claim 1 wherein said execution of at least one of said zone action handler comprises the steps of:
a) detecting a recorded zone action handler response; and
b) returning a zone action handler response, based upon said recorded zone action handler response.
32. The method as claimed in claim 1 wherein said execution of at least one of said zone action handler comprises the steps of:
a) detecting a recorded validity condition;
b) testing for said validity condition; and
c) returning a zone action handler response, based upon said testing of said validity condition.
33. The method as claimed in claim 1 wherein said execution of at least one of said zone action handler comprises the steps of:
a) detecting a recorded validity period of time;
b) obtaining a present time;
c) determining whether said present time is within said validity period of time; and
d) returning a zone action handler response, based upon said determination.
34. The method as claimed in claim 1 wherein said computing device communicates with said media through at least one communications channel.
35. The method as claimed in claim 34, further comprising the step of receiving a plurality of metadata elements from data structures associated with said communications channel.
36. The method as claimed in claim 1, further comprising the step of receiving a plurality of metadata elements from data structures associated with devices abstracted behind said media volume mount point.
37. The method as claimed in claim 1 further comprising the steps of:
a) identifying an external security level indicator; and
b) adjusting said discrete level of trust zone values associated with trustworthy factor scores, based on the results of said identification of external security level.
38. The method as claimed in claim 1, wherein the step of deabstracting said media volume mount point into a physical storage device address comprises:
a) deabstracting a logical address of said media mount point into a physical disk partition address; and
b) deabstracting said physical disk partition address media volume mount point into said physical storage device address.
39. The method as claimed in claim 38 wherein said detecting a media volume mount point comprises detecting existing volume mount points recognized by the computing device.
40. The method as claimed in claim 38 further comprising the step of communicating said level of trust zone value to said computing device.
41. The method as claimed in claim 38 further comprising the step of communicating said level of trust zone value to an operating system of said computing device.
42. The method as claimed in claim 38 further comprising the step of communicating said level of trust zone value to a user of said computing device.
43. The method as claimed in claim 38 wherein said trustworthy factor calculator loads calculation steps from a remote location.
44. The method as claimed in claim 38 wherein said trustworthy factor calculator loads calculation steps locally from said computing device.
45. The method as claimed in claim 38 further comprising the steps of:
a) identifying devices connected to said computing device; and
b) loading alternate calculation steps producing score values and maximum possible score values associated with said metadata elements, said alternate loading based on the results of said identifying of devices connected to said computing device.
46. The method as claimed in claim 45 wherein said alternate calculation steps are loaded from said computing device.
47. The method as claimed in claim 45 wherein said alternate calculation steps are loaded from a remote location.
48. The method as claimed in claim 38 further comprising the steps of:
a) identifying devices connected to said computing device; and
b) adjusting said scoring matrix based upon the results of said identification of devices connected to said computing device.
49. The method as claimed in claim 48 wherein said adjustments to said scoring matrix are loaded from a remote location.
50. The method as claimed in claim 48 wherein said adjustments to said scoring matrix are loaded from said computing device.
51. The method as claimed in claim 38 wherein said scoring matrix having discrete level of trust zone values is loaded from said computing device.
52. The method as claimed in claim 38 wherein said scoring matrix having discrete level of trust zone values is loaded from a remote location.
53. The method as claimed in claim 38 wherein said execution of a zone action handler comprises the step of requiring specific authentication action.
54. The method as claimed in claim 38 wherein said execution of a zone action handler further comprises the step of determining whether the user belongs to a particular group.
55. The method as claimed in claim 38 wherein said execution of a zone action handler further comprises the step of determining whether the user belongs to an administrative security group.
56. The method as claimed in claim 38 wherein said execution of a zone action handler comprises the step of prompting the user for a password.
57. The method as claimed in claim 38 wherein said execution of a zone action handler comprises the step of prompting for biometric information.
58. The method as claimed in claim 38 wherein said execution of a zone action handler comprises the step of prompting a security token card.
59. The method as claimed in claim 38 wherein said execution of at least one of said zone action handler comprises the step of recording said zone action handler responses for said computer media undergoing authentication.
60. The method as claimed in claim 59, wherein said recording of zone action handler responses is made on said computing device.
61. The method as claimed in claim 59, wherein said recording of zone action handler responses is made on said computer media undergoing authentication.
62. The method as claimed in claim 38, wherein said execution of at least one of said zone action handler comprises the step of recording a validity condition.
63. The method as claimed in claim 62, wherein said recording of said validity condition is made on said computing device.
64. The method as claimed in claim 62, wherein said recording of said validity condition is made on said computer media undergoing authentication.
65. The method as claimed in claim 38, wherein said execution of at least one of said zone action handler comprises the step of recording a validity period of time.
66. The method as claimed in claim 65, wherein said recording of said validity period of time is made on said computing device.
67. The method as claimed in claim 65, wherein said recording of said validity period of time is made on said computer media undergoing authentication.
68. The method as claimed in claim 38 wherein said execution of at least one of said zone action handler comprises the steps of:
a) detecting a recorded zone action handler response; and
b) returning a zone action handler response, based upon said recorded zone action handler response.
69. The method as claimed in claim 38 wherein said execution of at least one of said zone action handler comprises the steps of:
a) detecting a recorded validity condition;
b) testing for said validity condition; and
c) returning a zone action handler response, based upon said testing of said validity condition.
70. The method as claimed in claim 38 wherein said execution of at least one of said zone action handler comprises the steps of:
a) detecting a recorded validity period of time;
b) obtaining a present time;
c) determining whether said present time is within said validity period of time; and
d) returning a zone action handler response, based upon said determination.
71. The method as claimed in claim 38 wherein said computing device communicates with said media through at least one communications channel.
72. The method as claimed in claim 71, further comprising the step of receiving a plurality of metadata elements from data structures associated with said communications channel.
73. The method as claimed in claim 38, further comprising the step of receiving a plurality of metadata elements from data structures associated with devices abstracted behind said media volume mount point.
74. The method as claimed in claim 38 further comprising the steps of:
a) identifying an external security level indicator; and
b) adjusting said discrete level of trust zone values associated with trustworthy factor scores, based on the results of said identification of external security level.
US12/860,612 2004-07-24 2010-08-20 Volume mount authentication Active 2026-10-13 USRE42382E1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/860,612 USRE42382E1 (en) 2004-07-24 2010-08-20 Volume mount authentication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/898,048 US7480931B2 (en) 2004-07-24 2004-07-24 Volume mount authentication
US12/860,612 USRE42382E1 (en) 2004-07-24 2010-08-20 Volume mount authentication

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/898,048 Reissue US7480931B2 (en) 2004-07-24 2004-07-24 Volume mount authentication

Publications (1)

Publication Number Publication Date
USRE42382E1 true USRE42382E1 (en) 2011-05-17

Family

ID=35658624

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/898,048 Ceased US7480931B2 (en) 2004-07-24 2004-07-24 Volume mount authentication
US12/860,612 Active 2026-10-13 USRE42382E1 (en) 2004-07-24 2010-08-20 Volume mount authentication

Country Status (1)

Country Link
US (2) US7480931B2 (en)

Also Published As

Publication number Publication date
US20060020792A1 (en) 2006-01-26
US7480931B2 (en) 2009-01-20

Legal Events

Date Code Title Description
REMI Maintenance fee reminder mailed
AS Assignment

Owner name: IDERA, INC., TEXAS

Free format text: CHANGE OF NAME;ASSIGNOR:BBS TECHNOLOGIES, INC.;REEL/FRAME:029429/0262

Effective date: 20120127

FPAY Fee payment

Year of fee payment: 4

SULP Surcharge for late payment
AS Assignment

Owner name: SQUARE 1 BANK, NORTH CAROLINA

Free format text: SECURITY AGREEMENT;ASSIGNOR:IDERA, INC.;REEL/FRAME:030574/0185

Effective date: 20121120

AS Assignment

Owner name: IDERA, INC. F/K/A BBS TECHNOLOGIES, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SQUARE 1 BANK;REEL/FRAME:030781/0275

Effective date: 20130709

AS Assignment

Owner name: COMERICA BANK, AS AGENT, MICHIGAN

Free format text: SECURITY INTEREST;ASSIGNORS:IDERA, INC.;PRECISE SOFTWARE SOLUTIONS, INC.;COPPEREGG CORPORATION;REEL/FRAME:033696/0004

Effective date: 20140905

AS Assignment

Owner name: FIFTH STREET MANAGEMENT LLC, AS AGENT, CONNECTICUT

Free format text: SECURITY INTEREST;ASSIGNORS:IDERA, INC.;PRECISE SOFTWARE SOLUTIONS, INC.;COPPEREGG CORPORATION;REEL/FRAME:034260/0360

Effective date: 20141105

AS Assignment

Owner name: IDERA, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:036747/0982

Effective date: 20141105

Owner name: PRECISE SOFTWARE SOLUTIONS, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:036747/0982

Effective date: 20141105

Owner name: COPPEREGG CORPORATION, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:036747/0982

Effective date: 20141105

AS Assignment

Owner name: IDERA, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:FIFTH STREET MANAGEMENT LLC;REEL/FRAME:036771/0552

Effective date: 20151009

Owner name: COPPEREGG CORPORATION, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:FIFTH STREET MANAGEMENT LLC;REEL/FRAME:036771/0552

Effective date: 20151009

Owner name: PRECISE SOFTWARE SOLUTIONS, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:FIFTH STREET MANAGEMENT LLC;REEL/FRAME:036771/0552

Effective date: 20151009

AS Assignment

Owner name: JEFFERIES FINANCE LLC, AS COLLATERAL AGENT, NEW YO

Free format text: FIRST LIEN SECURITY AGREEMENT;ASSIGNORS:IDERA, INC.;CODEGEAR LLC;EMBARCADERO TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:036842/0410

Effective date: 20151009

AS Assignment

Owner name: JEFFERIES FINANCE LLC, AS COLLATERAL AGENT, NEW YO

Free format text: SECOND LIEN SECURITY AGREEMENT;ASSIGNORS:IDERA, INC.;CODEGEAR LLC;EMBARCADERO TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:036863/0137

Effective date: 20151009

FPAY Fee payment

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2553); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 12

AS Assignment

Owner name: IDERA, INC., TEXAS

Free format text: CHANGE OF NAME;ASSIGNOR:CORECO IDERA OPS, INC.;REEL/FRAME:066626/0867

Effective date: 20240101

Owner name: CORECO IDERA OPS, INC., TEXAS

Free format text: NUNC PRO TUNC ASSIGNMENT;ASSIGNOR:IDERA, INC.;REEL/FRAME:066496/0733

Effective date: 20240219