Patents by Inventor Choung-Yaw Michael Shieh

Choung-Yaw Michael Shieh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9742732
    Abstract: A method and apparatus is disclosed herein for TCP SYN flood protection. In one embodiment, a TCP SYN flood protection arrangement comprises a first device operable to process packet input and output functions, including performing sender verification with respect to a connection initiation from a sender for a first TCP connection between the sender and a destination server and a second device, separate from the first device, to perform one or more security processing operations on packets of the first TCP connection from the sender after the first device verifies the sender is legitimate.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: August 22, 2017
    Assignee: VARMOUR NETWORKS, INC.
    Inventors: Yi Sun, Meng Xu, Lee Cheung, Choung-Yaw Michael Shieh
  • Patent number: 9621568
    Abstract: A method and apparatus for distributed threat detection in a computer network is described. The method may include receiving, by a threat detection system of a first computer network, a request for a service from a threat sensor of a second computer network, the service requested of the threat sensor within the second computer network from a network element of the second computer network. The method may also include emulating the service identified in the request to generate a response to the request, and sending the response to the threat sensor for forwarding to the network element within the second computer network. Furthermore, the method may include analyzing one or more communications between the threat detection system and the network element during emulation of the service requested by the network element to determine whether the network element is a threat to the second network.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: April 11, 2017
    Assignee: VARMOUR NETWORKS, INC.
    Inventor: Choung-Yaw Michael Shieh
  • Patent number: 9529995
    Abstract: A method and apparatus is disclosed herein for performing auto discovery of virtual machines. In one embodiment, the method includes monitoring, using an interface of the device, one or more packets being sent from one or more virtual machines; determining, using a processor of the device, whether one of the monitored packets includes a discovery packet from one virtual machine of the one or more virtual machines, wherein the discovery packet includes an address of a destination location; and sending, using the interface of the device, a reply packet to the one virtual machine using an address in the discovery packet identified in the monitored packets, the reply packet including an Internet Protocol (IP) address of the device.
    Type: Grant
    Filed: November 8, 2011
    Date of Patent: December 27, 2016
    Assignee: VARMOUR NETWORKS, INC.
    Inventor: Choung-Yaw Michael Shieh
  • Publication number: 20160294858
    Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
    Type: Application
    Filed: April 2, 2015
    Publication date: October 6, 2016
    Inventors: Marc Woolward, Choung-Yaw Michael Shieh, Jia-Jyi Lian
  • Publication number: 20160269425
    Abstract: Systems for providing security to distributed microservices are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
    Type: Application
    Filed: March 13, 2015
    Publication date: September 15, 2016
    Inventors: Choung-Yaw Michael Shieh, Marc Woolward
  • Patent number: 9438634
    Abstract: Systems for providing vulnerability scanning within distributed microservices are provided herein. In some embodiments, a system includes a plurality of microsegmented environments that each includes a hypervisor, an enforcement point that has an active probe device, and a plurality of virtual machines that each implements at least one microservice. The system also has a cloud data center server coupled with the plurality of microsegmented environments over a network. The cloud data center server has a security controller configured to provide a security policy to each of the plurality of microsegmented environments and an active probe controller configured to cause the active probe device of the plurality of microsegmented environments to execute a vulnerability scan.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: September 6, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Colin Ross, Choung-Yaw Michael Shieh, Jia-Jyi Roger Lian, Meng Xu, Yi Sun
  • Patent number: 9294302
    Abstract: A method and apparatus is disclosed herein for IP packet tunneling in a network. In one embodiment, the method comprises receiving, at a first network device, a first IP packet of an IP connection; creating a second IP packet by replacing information in a field in the first IP packet with a session ID identifying the IP connection; and forwarding, by the first network device, the second IP packet to a second network device in the distributed network environment.
    Type: Grant
    Filed: March 20, 2013
    Date of Patent: March 22, 2016
    Assignee: VARMOUR NETWORKS, INC.
    Inventors: Yi Sun, Meng Xu, Choung-Yaw Michael Shieh
  • Patent number: 9258275
    Abstract: A method and apparatus for dynamic security insertion into virtualized networks is described. The method may include receiving, at a network device from a second network device, a data packet and application data extracted from the data packet. The method may also include generating a routing decision for a network connection associated with the data packet based, at least in part, on the application data. Furthermore, the method may include transmitting the routing decision for the data packet to the second device for the second device to route the data based on the routing decision.
    Type: Grant
    Filed: April 11, 2013
    Date of Patent: February 9, 2016
    Assignee: VARMOUR NETWORKS, INC.
    Inventors: Yi Sun, Meng Xu, Jia-Jyi Roger Lian, Choung-Yaw Michael Shieh
  • Publication number: 20160028851
    Abstract: A network gateway device includes an ingress interface, an egress interface, and a load balancing module coupled to the ingress and egress interfaces. The load balancing module is configured to receive a packet from the ingress interface and to determine a set of a plurality of processes corresponding to a connection session associated with the packet based on a policy. For each of the identified processes, the load balancing module is to identify a service processing module executed by a virtual machine that is capable of handling the identified process, and to send the packet to the identified service processing module to perform the identified process on the packet. The packet is then transmitted to the egress interface of the gateway device to be forwarded to a destination.
    Type: Application
    Filed: October 7, 2015
    Publication date: January 28, 2016
    Inventor: Choung-Yaw Michael Shieh
  • Patent number: 9191327
    Abstract: A network gateway device includes an ingress interface, an egress interface, and a load balancing module coupled to the ingress and egress interfaces. The load balancing module is configured to receive a packet from the ingress interface and to determine a set of a plurality of processes corresponding to a connection session associated with the packet based on a policy. For each of the identified processes, the load balancing module is to identify a service processing module executed by a virtual machine that is capable of handling the identified process, and to send the packet to the identified service processing module to perform the identified process on the packet. The packet is then transmitted to the egress interface of the gateway device to be forwarded to a destination.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: November 17, 2015
    Assignee: VARMOUR NETWORKS, INC.
    Inventor: Choung-Yaw Michael Shieh
  • Publication number: 20150229656
    Abstract: A method and apparatus for distributed threat detection in a computer network is described. The method may include receiving, by a threat detection system of a first computer network, a request for a service from a threat sensor of a second computer network, the service requested of the threat sensor within the second computer network from a network element of the second computer network. The method may also include emulating the service identified in the request to generate a response to the request, and sending the response to the threat sensor for forwarding to the network element within the second computer network. Furthermore, the method may include analyzing one or more communications between the threat detection system and the network element during emulation of the service requested by the network element to determine whether the network element is a threat to the second network.
    Type: Application
    Filed: September 8, 2014
    Publication date: August 13, 2015
    Inventor: Choung-Yaw Michael Shieh
  • Patent number: 8984114
    Abstract: A method and apparatus are disclosed herein for migrating session information between security gateways. In one embodiment, the method comprises receiving, at a first security gateway, session information associated with a session corresponding to a network connection, the session information having been transferred from a second security gateway, the first and second security gateways being separate physical devices; and thereafter performing security processing for the session at the first security gateway.
    Type: Grant
    Filed: October 4, 2012
    Date of Patent: March 17, 2015
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Meng Xu, Yi Sun
  • Patent number: 8955093
    Abstract: A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. Otherwise, the packet is routed to the destination node without forwarding the packet to the security device.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 10, 2015
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Meng Xu, Yi Sun, Jia-Jyi Roger Lian
  • Patent number: 8813169
    Abstract: A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
    Type: Grant
    Filed: November 3, 2011
    Date of Patent: August 19, 2014
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Jia-Jyi Roger Lian
  • Patent number: 8612744
    Abstract: A distributed firewall of a gateway device includes at least one IO module for performing IO functionality of the distributed firewall, at least one security processing module for performing security functionality of the distributed firewall, and a firewall controller for managing the IO module and the security processing module. Each of the at least one IO and security processing modules is executed within a virtual machine. In response to a packet received from an ingress interface, the at least one IO module is to identify a security processing module corresponding to a connection session associated with the packet, to transmit the packet to the identified security processing module to perform a security process on the packet, and in response to a signal received from the identified security processing module indicating that the security process has been completed, to transmit the packet to the egress interface.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: December 17, 2013
    Assignee: Varmour Networks, Inc.
    Inventor: Choung-Yaw Michael Shieh
  • Publication number: 20130291088
    Abstract: A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. Otherwise, the packet is routed to the destination node without forwarding the packet to the security device.
    Type: Application
    Filed: April 10, 2013
    Publication date: October 31, 2013
    Inventors: Choung-Yaw Michael Shieh, Meng Xu, Yi Sun, Jia-Jyi Roger Lian
  • Publication number: 20130276092
    Abstract: A method and apparatus for dynamic security insertion into virtualized networks is described. The method may include receiving, at a network device from a second network device, a data packet and application data extracted from the data packet. The method may also include generating a routing decision for a network connection associated with the data packet based, at least in part, on the application data. Furthermore, the method may include transmitting the routing decision for the data packet to the second device for the second device to route the data based on the routing decision.
    Type: Application
    Filed: April 11, 2013
    Publication date: October 17, 2013
    Inventors: Yi Sun, Meng Xu, Jia-Jyi Roger Lian, Choung-Yaw Michael Shieh
  • Publication number: 20130275592
    Abstract: A network system includes a first network access device having an input/output (IO) module of a firewall to capture a packet of a network session originated from a first node associated with the first network access device, a first security device having a firewall processing module to determine based on the captured packet whether the first node is a destination node that is receiving VM migration from a second node that is associated with a second network access device. The first security device is to update a first flow table within the first network access device. The network system further includes a second security device to receive a message from the first security device concerning the VM migration to update a second flow table of the second network access device, such that further network traffic of the network session is routed to the first node without interrupting the network session.
    Type: Application
    Filed: April 10, 2013
    Publication date: October 17, 2013
    Inventors: Meng Xu, Yi Sun, Hsisheng Wang, Choung-Yaw Michael Shieh
  • Publication number: 20130263245
    Abstract: A method and apparatus is disclosed herein for TCP SYN flood protection. In one embodiment, a TCP SYN flood protection arrangement comprises a first device operable to process packet input and output functions, including performing sender verification with respect to a connection initiation from a sender for a first TCP connection between the sender and a destination server and a second device, separate from the first device, to perform one or more security processing operations on packets of the first TCP connection from the sender after the first device verifies the sender is legitimate.
    Type: Application
    Filed: March 11, 2013
    Publication date: October 3, 2013
    Inventors: Yi Sun, Meng Xu, Louis Cheung, Choung-Yaw Michael Shieh
  • Publication number: 20130250956
    Abstract: A method and apparatus is disclosed herein for IP packet tunneling in a network. In one embodiment, the method comprises receiving, at a first network device, a first IP packet of an IP connection; creating a second IP packet by replacing information in a field in the first IP packet with a session ID identifying the IP connection; and forwarding, by the first network device, the second IP packet to a second network device in the distributed network environment.
    Type: Application
    Filed: March 20, 2013
    Publication date: September 26, 2013
    Inventors: Yi Sun, Meng Xu, Choung-Yaw Michael Shieh