Patents by Inventor Clark Debs Jeffries
Clark Debs Jeffries has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 7853794Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a onetime value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.Type: GrantFiled: June 14, 2007Date of Patent: December 14, 2010Assignee: International Business Machines CorporationInventors: Clark Debs Jeffries, Mohammad Peyravian
-
Publication number: 20100241746Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.Type: ApplicationFiled: June 8, 2010Publication date: September 23, 2010Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Everett Arthur Corl, JR., Gordon Taylor Davis, Clark Debs Jeffries, Steven Richard Perrin, Hiroshi Takada, Victoria Sue Thio
-
Patent number: 7796513Abstract: A method and system for encoding a set of range labels for each parameter field in a packet classification key in such a way as to require preferably only a single entry per rule in a final processing stage of a packet classifier. Multiple rules are sorted accorded to their respective significance. A range, based on a parameter in the packet header, is previously determined. Multiple rules are evaluated according to an overlapping of rules according to different ranges. Upon a determination that two or more rules overlap, each overlapping rule is expanded into multiple unique segments that identify unique range intersections. Each cluster of overlapping ranges is then offset so that at least one bit in a range for the rule remains unchanged. The range segments are then converted from binary to Gray code, which results in the ability to determine a CAM entry to use for each range.Type: GrantFiled: August 6, 2008Date of Patent: September 14, 2010Assignee: International Business Machines CorporationInventors: Claude Basso, Jean Louis Calvignac, Gordon Taylor Davis, Clark Debs Jeffries
-
Patent number: 7769858Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.Type: GrantFiled: February 23, 2005Date of Patent: August 3, 2010Assignee: International Business Machines CorporationInventors: Everett Arthur Corl, Jr., Gordon Taylor Davis, Clark Debs Jeffries, Steven Richard Perrin, Hiroshi Takada, Victoria Sue Thio
-
Patent number: 7707633Abstract: A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When an anomaly is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the anomaly is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-apply the blocking measure for a specified duration, then suspend the blocking measure and test again for the anomaly. If the anomaly is detected, the blocking measure is re-applied, and its duration is adapted. If the anomaly is no longer detected, the method returns to the state of readiness.Type: GrantFiled: October 12, 2007Date of Patent: April 27, 2010Assignee: International Business Machines CorporationInventors: Robert William Danford, Kenneth M. Farmer, Clark Debs Jeffries, Robert B. Sisk, Michael A. Walter
-
Patent number: 7673142Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a one-time value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.Type: GrantFiled: May 23, 2008Date of Patent: March 2, 2010Assignee: International Business Machines CorporationInventors: Clark Debs Jeffries, Mohammad Peyravian
-
Patent number: 7669240Abstract: A detection and response system including a set of algorithms for detection within a stream of normal computer traffic a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number exceeding a threshold of distinct Destination Addresses (DA). There is efficient use of a lookup mechanism such as a Direct Table and Patricia search tree to record sets of packets with one SA and one DP as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and the header values including SA, DP, and multiple DAs of the subset are reported to a network administrator. In addition, various administrative responses to reports are provided.Type: GrantFiled: July 22, 2004Date of Patent: February 23, 2010Assignee: International Business Machines CorporationInventors: Alan David Boulanger, Robert William Danford, Kevin David Himberger, Clark Debs Jeffries
-
Patent number: 7657942Abstract: A method, apparatus, and computer instructions for providing a current and complete security compliance view of an enterprise system. The present invention provides the ability to gain a real-time security posture and security compliance view of an enterprise and to assess the risk impact of known threats and attacks to continued business operations at various levels is provided. Responsive to a change to an enterprise environment, a request, or an external threat, an administrator loads or updates at least one of a Critical Application Operations database, a Historical database, an Access Control database, a Connectivity database, and a Threat database. Based on a comparison of information in the databases against similar security data elements from company or external policies, the administrator may generate a Security Compliance view of the enterprise. A Security Posture view may also be generated by comparing the Security Compliance view against data in the Threat database.Type: GrantFiled: January 11, 2005Date of Patent: February 2, 2010Assignee: International Business Machines CorporationInventors: Kevin David Himberger, Clark Debs Jeffries, Charles Steven Lingafelt, Allen Leonid Roginsky, Phillip Singleton
-
Patent number: 7646709Abstract: The decision within a packet processing device to transmit a newly arriving packet into a queue to await processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to thresholds and also comparing present queue occupancy to previous queue occupancy. The outcome of the update is a new transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.Type: GrantFiled: November 15, 2006Date of Patent: January 12, 2010Assignee: International Business Machines CorporationInventors: Clark Debs Jeffries, Jitesh Ramachandran Nair, Michael Steven Siegel, Rama Mohan Yedavalli
-
Patent number: 7617526Abstract: A method of blocking spam at a firewall involves applying blocking measures for an adaptively determined duration. The blocking measure is then suspended while determining whether the spam has ended. If so, the method resets to an initial state. Otherwise, the blocking measure is re-applied for a second duration.Type: GrantFiled: October 6, 2005Date of Patent: November 10, 2009Assignee: International Business Machines CorporationInventors: John Fred Davis, Kevin David Himberger, Clark Debs Jeffries, Garreth Joseph Jeremiah
-
Patent number: 7489246Abstract: System and method for recording temperature on an RFID tag. A first RFID tag is attached to a container. The first RFID tag includes a temperature sensor. The container contains a multiplicity of packages. A multiplicity of second RFID tags are attached to the multiplicity of packages, respectively. The first RFID tag transmits temperature information to the multiplicity of second RFID tags. In response, the multiplicity of second RFID tags record the temperature information. Consequently, there is no need for expensive temperature sensors on the multiplicity of RFID tags on the packages. According to features of the present invention, the first RFID tag is an active RFID tag, and the multiplicity of second RFID tags are passive RFID tags. The first RFID tag also transmits other information to the multiplicity of second RFID tags to enable the second RFID tags to authenticate the temperature information.Type: GrantFiled: June 22, 2007Date of Patent: February 10, 2009Assignee: International Business Machines CorporationInventors: Kevin David Himberger, Clark Debs Jeffries, Mohammad Peyravian
-
Publication number: 20090034530Abstract: A method and system for encoding a set of range labels for each parameter field in a packet classification key in such a way as to require preferably only a single entry per rule in a final processing stage of a packet classifier. Multiple rules are sorted accorded to their respective significance. A range, based on a parameter in the packet header, is previously determined. Multiple rules are evaluated according to an overlapping of rules according to different ranges. Upon a determination that two or more rules overlap, each overlapping rule is expanded into multiple unique segments that identify unique range intersections. Each cluster of overlapping ranges is then offset so that at least one bit in a range for the rule remains unchanged. The range segments are then converted from binary to Gray code, which results in the ability to determine a CAM entry to use for each range.Type: ApplicationFiled: August 6, 2008Publication date: February 5, 2009Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: CLAUDE BASSO, JEAN LOUIS CALVIGNAC, GORDON TAYLOR DAVIS, CLARK DEBS JEFFRIES
-
Patent number: 7475252Abstract: System, method and computer program for authenticating a user of a client computer to a remote server computer. A client computer initially sends a userID but not a password of the user to the remote server computer. In response to the userID, the server computer determines a subsequent time window during which the server computer will consider for authentication submission of a combination of the userID and a password. The server computer notifies the client computer of the time window. After receipt of the notification from the server computer, during the time window, the client computer sends the userID and a corresponding password to the server computer. In response to receipt of the userID and the corresponding password from the client computer, the server computer determines if the combination of the userID and the corresponding password is valid.Type: GrantFiled: August 12, 2004Date of Patent: January 6, 2009Assignee: International Business Machines CorporationInventors: Clark Debs Jeffries, Mohammad Peyravian
-
Patent number: 7466687Abstract: A method and system for encoding a set of range labels for each parameter field in a packet classification key in such a way as to require preferably only a single entry per rule in a final processing stage of a packet classifier. Multiple rules are sorted accorded to their respective significance. A range, based on a parameter in the packet header, is previously determined. Multiple rules are evaluated according to an overlapping of rules according to different ranges. Upon a determination that two or more rules overlap, each overlapping rule is expanded into multiple unique segments that identify unique range intersections. Each cluster of overlapping ranges is then offset so that at least one bit in a range for the rule remains unchanged. The range segments are then converted from binary to Gray code, which results in the ability to determine a CAM entry to use for each range.Type: GrantFiled: April 28, 2003Date of Patent: December 16, 2008Assignee: International Business Machines CorporationInventors: Claude Basso, Jean Louis Calvignac, Gordon Taylor Davis, Clark Debs Jeffries
-
Patent number: 7464404Abstract: A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When a truncated secure session attack is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the attack is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-applying the blocking measure for a specified duration, then suspend the blocking measure and test again for the attack. If the attack is detected, the blocking measure is re-applied, and its duration is adapted. If the attack is no longer detected, the method returns to the state of readiness.Type: GrantFiled: November 17, 2005Date of Patent: December 9, 2008Assignee: International Business Machines CorporationInventors: Brian Edward Carpenter, Kevin David Himberger, Clark Debs Jeffries, Mohammad Peyravian
-
Publication number: 20080273464Abstract: The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.Type: ApplicationFiled: July 17, 2008Publication date: November 6, 2008Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: James Johnson Allen, Brian Mitchell Bass, Gordon Taylor Davis, Clark Debs Jeffries, Jitesh Ramachandran Nair, Ravinder Kumar Sabhikhi, Michael Steven Siegel, Rama Mohan Yedavalli
-
Patent number: 7434050Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a one-time value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.Type: GrantFiled: December 11, 2003Date of Patent: October 7, 2008Assignee: International Business Machines CorporationInventors: Clark Debs Jeffries, Mohammad Peyravian
-
Patent number: 7430169Abstract: The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.Type: GrantFiled: June 3, 2002Date of Patent: September 30, 2008Assignee: International Business Machines CorporationInventors: James Johnson Allen, Jr., Brian Mitchell Bass, Gordon Taylor Davis, Clark Debs Jeffries, Jitesh Ramachandran Nair, Ravinder Kumar Sabhikhi, Michael Steven Siegel, Rama Mohan Yedavalli
-
Publication number: 20080232386Abstract: A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.Type: ApplicationFiled: May 3, 2008Publication date: September 25, 2008Applicant: International Business Machines CorporationInventors: Brahmanand Kumar Gorti, Marco Heddes, Clark Debs Jeffries, Andreas Kind, Michael Steven Siegel
-
Publication number: 20080229105Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a one-time value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.Type: ApplicationFiled: May 23, 2008Publication date: September 18, 2008Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Clark Debs Jeffries, Mohammad Peyravian