Patents by Inventor Makan Pourzandi
Makan Pourzandi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20210182418Abstract: A node includes processing circuitry configured to encrypt first network data including a first tenant identifier using a first cryptographic key to generate first encrypted data and anonymize the first encrypted data to generate anonymized data where the anonymizing of the first encrypted data includes segmenting the first encrypted data and the anonymizing of the first encrypted data preserving relationships among the first network data associated with the first tenant identifier, encrypt the anonymized data using a second cryptographic key to generate encrypted anonymized data, transmit the encrypted anonymized data, at least one analysis parameter, at least one security policy and instructions to analyze the encrypted anonymized data using the at least one analysis parameter, the at least one security policy and the second cryptographic key, receive analysis data resulting from the analysis of the encrypted anonymized data, and determine verification results from the received analysis data.Type: ApplicationFiled: February 28, 2018Publication date: June 17, 2021Inventors: Momen OQAILY, Yosr JARRAYA, Lingyu WANG, Makan POURZANDI, Mourad DEBBABI
-
Publication number: 20210152572Abstract: A method, computing device and system are disclosed for evaluating security of virtual infrastructures of tenants in a cloud environment. At least one security metric may be calculated for virtual infrastructures of a tenant based on information associated with at least one virtual resource of the first tenant and at least one interaction of the at least one virtual resource of the first tenant with at least one virtual resource of at least one other tenant in a multi-tenant virtualized infrastructure. At least one security parameter may be evaluated for the first tenant based at least in part on at least one of the at least one calculated security metric for monitoring a security level of the first tenant relative to the at least one other tenant in the multi-tenant virtualized infrastructure.Type: ApplicationFiled: April 23, 2019Publication date: May 20, 2021Inventors: Taous MADI, Mengyuan ZHANG, Yosr JARRAYA, Lingyu WANG, Makan POURZANDI, Mourad DEBBABI
-
Publication number: 20210111881Abstract: Methods, terminal and a data center gateway are provided for allowing efficient debugging and troubleshooting of data session encrypted with Perfect Forward Secrecy (PFS) encryption techniques such as for example the Transport Layer Security (TLS) protocol version 1.3. Embodiments of the invention allow the user terminal to authorize a data center gateway to persistently store one or more encryption keys associated with the data session for use to access the recorded data session and troubleshooting it after the session ended, when faults are detected. When a fault is detected, the user terminal provides authorization to the gateway to persistently store the data session along with one or more encryption key(s).Type: ApplicationFiled: April 3, 2018Publication date: April 15, 2021Inventors: Daniel MIGAULT, Makan POURZANDI
-
Publication number: 20200374210Abstract: Systems and methods for verifying the validity of a network link are described herein. A verification packet and an associated packet handling flow can be generated and added to a network in order to investigate a link between network nodes (e.g. switches).Type: ApplicationFiled: December 4, 2018Publication date: November 26, 2020Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)Inventors: Amir ALIMOHAMMADIFAR, Lingyu WANG, Yosr JARRAYA, Makan POURZANDI, Mourad DEBBABI
-
Publication number: 20200314139Abstract: Systems and methods are provided for mitigating security attacks by enabling collaboration between security service functions. A Service Function Chaining (SFC) node receives a packet and determines whether to apply a service function to the packet. Responsive to determining that the packet has been treated by the service function, the packet can be reclassified and switched to a different SFC path.Type: ApplicationFiled: May 15, 2017Publication date: October 1, 2020Inventors: Daniel MIGAULT, Makan POURZANDI, Bruno MEDEIROS DE BARROS, Tereza Cristina CARVALHO, Thiago RODRIGUES MEIRA DE ALMEIDA
-
Patent number: 10666755Abstract: The invention is directed to secure content delivery. A device (10) sends (4) a content request to a CP (14) identifying targeted content and a public key (K PUB) of the device. A response (8) identifies a Content Delivery Network (18-1, 18-2), CDN, and includes an authorization token (TOKEN A) and a content key (K-NEW) derived from the public key of the communication device and a private key of the CP. The authorization token is sent (10) to the CDN and a delivery token (TOKEN B) and delivery node address are received (15). The delivery token and content key are sent (18) to the delivery node and encrypted content is received (30), the encrypted content comprises content as initially encrypted by the CP and as further encrypted by the CDN using the content key. The encrypted content is decrypted (31) using a private key of the device (10).Type: GrantFiled: October 23, 2015Date of Patent: May 26, 2020Assignee: Telefonaktiebolaget LM Ericsson (publ)Inventors: Zhongwen Zhu, Makan Pourzandi
-
Publication number: 20190394170Abstract: Systems and methods for managing firewall rules in a distributed firewall system are provided. A first subset of rules is identified to be removed from a first firewall in a first domain and to be added to a second firewall in a second domain. A second subset of rules is identified to be duplicated from the first firewall to the second firewall. Usage statistics for the rules in the identified subsets are synchronized between the first and second firewalls and the second firewall can be configured accordingly.Type: ApplicationFiled: February 27, 2017Publication date: December 26, 2019Inventors: Alireza SHAMELI-SENDI, Yosr JARRAYA, Daniel MIGAULT, Makan POURZANDI, Mohamed CHERIET
-
Publication number: 20190372941Abstract: A node including processing circuitry configured to: generate anonymized data based at least in part on a first cryptographic key and network data, calculate a coordination vector, generate initialized data based at least in part on the anonymized data, a second cryptographic key and the coordination vector, transmit the initialized data, the random vector, a security policy and instructions to analyze n iterations of the initialized data and the security policy using the random vector and the second cryptographic key, and receive results of the analysis of the n iterations of the initialized data and the security policy using the random vector and the second cryptographic key. The analysis of an m iteration of the n iterations correspond to an analysis of the initialized data with prefix preservation where the analysis of the remaining iterations of the n iterations fail to be prefixed preserved.Type: ApplicationFiled: February 28, 2018Publication date: December 5, 2019Applicant: Telefonaktiebolaget LM Ericsson (publ)Inventors: Meisam MOHAMMADY, Yosr JARRAYA, Lingyu WANG, Mourad DEBBABI, Makan POURZANDI
-
Patent number: 10439984Abstract: Providing security for one or more network flows may include a security deployment node decomposing one or more virtual security appliances (265) of a logical security architecture (255) into security modules (310). The security deployment node orders the security modules (310) into a sequence (320) that implements a selected workflow pattern (400). The selected workflow pattern (400) may be selected from a workflow pattern database, and may define the security to be provided for a flow, for example, according to known best practices. The sequence (320) is then divided into segments (330), and the segments (330) are assigned to different groups (220) of network nodes (230) in a network (200). For each segment (330), an assignment of each security module (310) in the segment (330) to a network node (230) within the group (220) to which the segment (330) is assigned is computed. The network (200) is then configured according to the assignments.Type: GrantFiled: February 20, 2015Date of Patent: October 8, 2019Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)Inventors: Yosr Jarraya, Alireza Shameli-Sendi, Mohamed Fekih-Ahmed, Makan Pourzandi, Mohamed Cheriet
-
Patent number: 10367906Abstract: According to one aspect, the teachings herein disclose a method and apparatus for a providing content over a secure connection to a subscriber device, where the content is advantageously securely delivered from a cache local to the telecommunication network. Such operation is based on intercepting a secure connection request from the subscriber device and establishing a corresponding secure session between the subscriber device and a local network data center, rather than the remote content provider targeted by the request.Type: GrantFiled: February 2, 2015Date of Patent: July 30, 2019Assignee: Telefonaktiebolaget LM Ericsson (publ)Inventors: Zhongwen Zhu, Makan Pourzandi
-
Patent number: 10268834Abstract: A method for a survey server for managing query communications between at least a requester server and at least one data holding entity is provided. The requester server holds a first share of a private key and the survey server holds a second share of the private key. An encrypted query is received and then forwarded to at least one data holding entity. A plurality of comparison responses is received. Each comparison response is generated by a private comparison protocol that compares the encrypted query with encrypted data. The encrypted data having been encrypted using the public key. Each comparison response having been partially decrypted with the first share of the private key and placed in the array in a randomized order. The array is decrypted using the second share of the private key. At least one result of the query is determined.Type: GrantFiled: June 26, 2014Date of Patent: April 23, 2019Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)Inventors: Makan Pourzandi, Feras Aljumah, Mourad Debbabi
-
Publication number: 20180278712Abstract: According to one aspect, the teachings herein disclose a method and apparatus for a providing content over a secure connection to a subscriber device, where the content is advantageously securely delivered from a cache local to the telecommunication network. Such operation is based on intercepting a secure connection request from the subscriber device and establishing a corresponding secure session between the subscriber device and a local network data center, rather than the remote content provider targeted by the request.Type: ApplicationFiled: February 2, 2015Publication date: September 27, 2018Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)Inventors: Zhongwen ZHU, Makan POURZANDI
-
Publication number: 20180248969Abstract: The invention is directed to secure content delivery. A device (10) sends (4) a content request to a CP (14) identifying targeted content and a public key (K PUB) of the device. A response (8) identifies a Content Delivery Network (18-1, 18-2), CDN, and includes an authorization token (TOKEN A) and a content key (K-NEW) derived from the public key of the communication device and a private key of the CP. The authorization token is sent (10) to the CDN and a delivery token (TOKEN B) and delivery node address are received (15). The delivery token and content key are sent (18) to the delivery node and encrypted content is received (30), the encrypted content comprises content as initially encrypted by the CP and as further encrypted by the CDN using the content key. The encrypted content is decrypted (31) using a private key of the device (10).Type: ApplicationFiled: October 23, 2015Publication date: August 30, 2018Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)Inventors: Zhongwen ZHU, Makan POURZANDI
-
Patent number: 9912582Abstract: Systems and methods for ensuring multi-tenant isolation in a data center are provided. A switch, or virtualized switch, can be used to de-multiplex incoming traffic between a number of data centers tenants and to direct traffic to the appropriate virtual slice for an identified tenant. The switch can store tenant identifying information received from a master controller and packet forwarding rules received from at least one tenant controller. The packet handling rules are associated with a specific tenant and can be used to forward traffic to its destination.Type: GrantFiled: November 18, 2014Date of Patent: March 6, 2018Assignee: Telefonaktiebolaget LM Ericsson (publ)Inventors: Makan Pourzandi, Mohamed Fekih Ahmed, Mohamed Cheriet, Chamseddine Talhi
-
Publication number: 20180034774Abstract: Providing security for one or more network flows may include a security deployment node decomposing one or more virtual security appliances (265) of a logical security architecture (255) into security modules (310). The security deployment node orders the security modules (310) into a sequence (320) that implements a selected workflow pattern (400). The selected workflow pattern (400) may be selected from a workflow pattern database, and may define the security to be provided for a flow, for example, according to known best practices. The sequence (320) is then divided into segments (330), and the segments (330) are assigned to different groups (220) of network nodes (230) in a network (200). For each segment (330), an assignment of each security module (310) in the segment (330) to a network node (230) within the group (220) to which the segment (330) is assigned is computed. The network (200) is then configured according to the assignments.Type: ApplicationFiled: February 20, 2015Publication date: February 1, 2018Inventors: Yosr Jarraya, Alireza Shameli-Sendi, Mohamed Fekih-Ahmed, Makan Pourzandi, Mohamed Cheriet
-
Patent number: 9882874Abstract: This disclosure provides example details for apparatuses and methods that manage virtual firewalls in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN. The virtual firewalls process traffic for respective wireless devices supported by the network. For example, the virtual firewall associated with a given wireless device is maintained in the RAN at the RAN node supporting the device, and is migrated from that RAN node in response to detecting a handover event involving the device. Advantageously, migration may be “horizontal,” where the associated virtual firewall is moved between nodes in the RAN, or may be “vertical,” where the associated virtual firewall is moved from the RAN to the CN.Type: GrantFiled: August 23, 2013Date of Patent: January 30, 2018Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)Inventors: Makan Pourzandi, Zhongwen Zhu
-
Publication number: 20170124348Abstract: A method for a survey server for managing query communications between at least a requester server and at least one data holding entity is provided. The requester server holds a first share of a private key and the survey server holds a second share of the private key. An encrypted query is received and then forwarded to at least one data holding entity. A plurality of comparison responses is received. Each comparison response is generated by a private comparison protocol that compares the encrypted query with encrypted data. The encrypted data having been encrypted using the public key. Each comparison response having been partially decrypted with the first share of the private key and placed in the array in a randomized order. The array is decrypted using the second share of the private key. At least one result of the query is determined.Type: ApplicationFiled: June 26, 2014Publication date: May 4, 2017Inventors: Makan POURZANDI, Feras ALJUMAH, Mourad DEBBABI
-
Publication number: 20170054553Abstract: According to one embodiment, an apparatus for scrambling a message is provided. The apparatus includes a processor and a memory in communication with the processor. The memory contains instructions executable by the processor that are configured to cause the apparatus to retrieve webpage data of at least one webpage. The at least one webpage is different from the message. The memory contains instructions executable by the processor that are configured to cause the apparatus to perform a hash operation on the webpage data to generate hashed webpage data, generate at least one pseudo-random value based at least in part on the hashed webpage data and generate a scrambled message by performing a first logical operation on the at least one generated pseudo-random value and the message.Type: ApplicationFiled: April 28, 2014Publication date: February 23, 2017Inventors: Makan POURZANDI, Mats NÄSLUND
-
Patent number: 9304801Abstract: An efficient elastic enforcement layer (EEL) for realizing security policies is deployed in a cloud computing environment based on a split architecture framework. The split architecture network includes a controller coupled to switches. When the controller receives a packet originating from a source VM, it extracts an application identifier from the received packet that identifies an application running on the source VM. Based on the application identifier, the controller determines a chain of middlebox types. The controller further determines middlebox instances based on current availability of resources. The controller then adds a set of rules to the switches to cause the switches to forward the packet toward the destination VM via the middlebox instances.Type: GrantFiled: June 12, 2012Date of Patent: April 5, 2016Assignee: Telefonaktiebolaget L M Erricsson (publ)Inventors: Tommy Koorevaar, Makan Pourzandi, Ying Zhang
-
Patent number: 9275004Abstract: A system and method for managing a hybrid firewall solution, employing both hardware and software firewall components, for a cloud computing data center is provided. A virtual application is hosted by a first plurality of application virtual machines and a second plurality of firewall virtual machines provides firewalling services for traffic associated with the virtual application. A cloud management entity determines that the virtual application requires an increased number of application virtual machines. A security profile for the virtual application is verified to determine if an increased number of firewall virtual machines is required by the increased number of application virtual machines. The cloud management entity can instantiate additional application virtual machines and firewall virtual machines as required.Type: GrantFiled: December 11, 2012Date of Patent: March 1, 2016Assignee: Telefonaktiebolaget LM Ericsson (publ)Inventors: Zhongwen Zhu, Makan Pourzandi