Patents Assigned to iPolicy Networks, Inc.
-
Patent number: 7356027
Abstract: The present invention essentially comprises a Packet Receiver and a Stream Manager for a computer network. When a stream of packets passes through the present invention, they are received by the Packet Receiver. The Packet Receiver identifies the session to which the packet stream belongs, and passes the packet to the Stream Manager. The Stream Manager identifies the application generating the packet stream by scanning an Application ID Hash Table, which is a table that contains a mapping of destination ports to corresponding applications. Thereafter, it uses a State Machine Execution Engine to execute application decode instructions on the packet stream. The application decode instructions are stored in a table called Expression Action Table, and are generated based on a decode script created by the user for each application.
Type: Grant
Filed: October 4, 2002
Date of Patent: April 8, 2008
Assignee: iPolicy Networks Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani, Himanshu Deoskar
-
Patent number: 7321556
Abstract: A system and method for enforcing policies on data packets in a computer network is disclosed. The enforcement of policies is done by prioritizing and regulating the flow of data packets. The regulation of prioritized data packets includes a determination of: service level agreement violations, flow control of data packets of a predefined priority and session resettings. For determination of service level agreements the policy engine carries out a response time calculation and finds if it is in consonance with the response time agreed upon in the service level agreement. Flow control in case of a service level agreement violation is implemented either by reducing the server side window size or by delaying acknowledgement packets sent by the client.
Type: Grant
Filed: October 28, 2002
Date of Patent: January 22, 2008
Assignee: iPolicy Networks, Inc
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani
-
Patent number: 7257833
Abstract: Enforcing a plurality of different policies on a stream of packets is disclosed. In lieu of running separate algorithms for each policy, the system exploits the commonalities of all of the policies. The conditions corresponding to the compiled rules are arranged in a condition tree and processed in a pipelined architecture that allows the results of the various stages to be carried forward into subsequent stages of processing. The rules for which all conditions have been satisfied can be identified by one stage of processing in one pass of condition tree traversal and are passed to subsequent stages. A rule table corresponding to an individual policy type can then be readily examined to determine partial or complete satisfaction of the rule of that policy type, without requiring a re-examination of the conditions underlying the rule. Additionally, corresponding actions can be taken where rule satisfaction is determined. This approach allows extremely high-speed policy enforcement performance.
Type: Grant
Filed: January 17, 2002
Date of Patent: August 14, 2007
Assignee: Ipolicy Networks, Inc.
Inventors: Pankaj S. Parekh, Vimal Vaidya, Sandeep Gupta, Pranav Shah
-
Patent number: 7219142
Abstract: The present invention is a system and method for allowing an administrator of a computer network higher up in a hierarchical arrangement to define the scope of policies for the services offered, and users lower in the hierarchical arrangement to customize policies within the scope defined by the administrator. While defining policy rules, administrators classify them as scoping or non-scoping. Users lower in the hierarchical arrangement can then customize scoping rules by defining sub-rules. Policy rules have a condition part and an action part, and the sub-rules can be used to change the scope of the condition and action parts. The present invention adds all the non-scoping policy rules, all the scoping policy rules, and all the sub-rules (with their scope limited by the scoping rules) to a rules database. This rules database is then used by any policy enforcement engine to enforce policy rules.
Type: Grant
Filed: October 21, 2002
Date of Patent: May 15, 2007
Assignee: iPolicy Networks, Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani, Atul Jain, Sanjay K. Aggarwal
-
Patent number: 7203744
Abstract: An integrated policy enforcement system for a computer network implements several policies on the network traffic. A rule compiler compiles these policies and converts them into a rule tree-graph, which is then used to provide desired behavior to the network traffic comprising data packets. The rule compiler comprises three sub-modules, namely a rule input module, a rule tree generator module and a rule output module. The rule input module receives the input for the rule compiler and prepares the input for the rule tree generator module. The rule tree generator module generates the rule tree-graph. The rule tree-graph is a data structure comprising tree data structure and graph data structure.
Type: Grant
Filed: October 7, 2002
Date of Patent: April 10, 2007
Assignee: iPolicy Networks, Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani, Puneet Tutliani, Proneet Biswas
-
Publication number: 20070038775
Abstract: A rule engine for a computer network traverses a rule mesh having path nodes and path edges in form of a tree part and a graph part. The rule engine evaluates data packets flowing through a network to determine rules matched for every packet. Subsequent packets having same expression values as an already checked packet are not rechecked against the same nodes in the rule mesh through the use of a session entry. The rule engine performs a search on every path node of rule mesh to determine the next path edge to traverse. A Tree-Id and Rule Confirmation Bitmap that are indicative of path traversed and rules matched by a packet are generated at the end of rule mesh traversal. These are appended in the packet extension for subsequent modules of Policy Agent.
Type: Application
Filed: October 20, 2006
Publication date: February 15, 2007
Applicant: iPOLICY NETWORKS, Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani
-
Patent number: 7139837
Abstract: A rule engine for a computer network traverses a rule mesh having path nodes and path edges in form of a tree part and a graph part. The rule engine evaluates data packets flowing through a network to determine rules matched for every packet. Subsequent packets having same expression values as an already checked packet are not rechecked against the same nodes in the rule mesh through the use of a session entry. The rule engine performs a search on every path node of rule mesh to determine the next path edge to traverse. A Tree-Id and Rule Confirmation Bitmap that are indicative of path traversed and rules matched by a packet are generated at the end of rule mesh traversal. These are appended in the packet extension for subsequent modules of Policy Agent.
Type: Grant
Filed: October 4, 2002
Date of Patent: November 21, 2006
Assignee: iPolicy Networks, Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani
-
Patent number: 7120144
Abstract: A universal application decode engine that can be programmed to decode packet streams and identify the application which is generating the packet streams is disclosed. The universal application decode engine comprises a packet receiver, a state machine execution engine for executing application decode instructions, and a session correlation lookup engine for correlating a new session to an existing session.
Type: Grant
Filed: September 18, 2001
Date of Patent: October 10, 2006
Assignee: iPolicy Networks, Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani, Himanshu Deoskar
-
Patent number: 7058821
Abstract: An intrusion detection system detects and takes appropriate action against intrusion attacks on packets transmitted on a network. Various conditions for the intrusion attacks are described in the form of a rule tree. The intrusion detection system employs a pipelined structure including a plurality of modules, and parts of the rule are assigned to the modules. The modules determine in a pipelined manner whether the conditions of an intrusion attack are satisfied. If an intrusion attack on the packet is detected, the intrusion detection system takes appropriate action against the determined intrusion attack.
Type: Grant
Filed: January 17, 2002
Date of Patent: June 6, 2006
Assignee: iPolicy Networks, Inc.
Inventors: Pankaj S. Parekh, Sandeep Gupta, Vijay P. Mamtani, Sarraju N. Rao, Yashodhan R. Deshpande
-
Patent number: 7039950
Abstract: A system, method and computer program product for ensuring the quality of services being provided by a protected network of computers during an ongoing security breach is provided. The quality of the services is ensured by performing secure Quality of Service actions on data packets on the network. The sQoS actions depend on whether the data packets correspond to an attack on the computer to which they are directed, called the destination computer. If the data packet corresponds to an attack, then the actions also depend on the type of attack. In case there is no attack, the actions depend on the history of attacks by data packets that had originated from the same source computer and were directed towards the same destination computer. Supported actions include HardenFW, ControlBW and ConnectionLimit.
Type: Grant
Filed: April 21, 2003
Date of Patent: May 2, 2006
Assignee: iPolicy Networks, Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani, Saurabh Sarpal
-
Publication number: 20040250114
Abstract: A system, method and computer program product for ensuring the quality of services being provided by a protected network of computers during an ongoing security breach is provided. The quality of the services is ensured by performing secure Quality of Service actions on data packets on the network. The sQoS actions depend on whether the data packets correspond to an attack on the computer to which they are directed, called the destination computer. If the data packet corresponds to an attack, then the actions also depend on the type of attack. In case there is no attack, the actions depend on the history of attacks by data packets that had originated from the same source computer and were directed towards the same destination computer. Supported actions include HardenFW, ControlBW and ConnectionLimit.
Type: Application
Filed: April 21, 2003
Publication date: December 9, 2004
Applicant: IPOLICY NETWORKS INC.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani, Saurabh Sarpal
-
Publication number: 20040215630
Abstract: The present invention provides a system, method and computer program product for managing customers in a hierarchical manner. The customer hierarchy comprises a root service provider (RSP), tiered service providers (TSPs) and end customers. The present invention enables the governing of the customers by a large service provider by providing an ability to make smaller service providers as customers and managing their resources. The smaller service provider, in turn, can have its own customers. The smaller service provider governs these customers without interference from the service providers above it in the hierarchy. The customers are governed by policies. A policy is a set of rules laid down by the service provider to control the customers. The present invention also enables the service provider to implement different policies on different customers and change the policy for a customer without affecting other customers.
Type: Application
Filed: April 25, 2003
Publication date: October 28, 2004
Applicant: iPolicy Networks, Inc.
Inventors: Pankaj Parekh, Sandeep Gupta, Vijay Mamtani, Atul Jain, Sanjay Kumar Agarwal