Patents by Inventor Choung-Yaw Michael Shieh

Choung-Yaw Michael Shieh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20130276092
    Abstract: A method and apparatus for dynamic security insertion into virtualized networks is described. The method may include receiving, at a network device from a second network device, a data packet and application data extracted from the data packet. The method may also include generating a routing decision for a network connection associated with the data packet based, at least in part, on the application data. Furthermore, the method may include transmitting the routing decision for the data packet to the second device for the second device to route the data based on the routing decision.
    Type: Application
    Filed: April 11, 2013
    Publication date: October 17, 2013
    Inventors: Yi Sun, Meng Xu, Jia-Jyi Roger Lian, Choung-Yaw Michael Shieh
  • Publication number: 20130275592
    Abstract: A network system includes a first network access device having an input/output (IO) module of a firewall to capture a packet of a network session originated from a first node associated with the first network access device, a first security device having a firewall processing module to determine based on the captured packet whether the first node is a destination node that is receiving VM migration from a second node that is associated with a second network access device. The first security device is to update a first flow table within the first network access device. The network system further includes a second security device to receive a message from the first security device concerning the VM migration to update a second flow table of the second network access device, such that further network traffic of the network session is routed to the first node without interrupting the network session.
    Type: Application
    Filed: April 10, 2013
    Publication date: October 17, 2013
    Inventors: Meng Xu, Yi Sun, Hsisheng Wang, Choung-Yaw Michael Shieh
  • Publication number: 20130263245
    Abstract: A method and apparatus is disclosed herein for TCP SYN flood protection. In one embodiment, a TCP SYN flood protection arrangement comprises a first device operable to process packet input and output functions, including performing sender verification with respect to a connection initiation from a sender for a first TCP connection between the sender and a destination server and a second device, separate from the first device, to perform one or more security processing operations on packets of the first TCP connection from the sender after the first device verifies the sender is legitimate.
    Type: Application
    Filed: March 11, 2013
    Publication date: October 3, 2013
    Inventors: Yi Sun, Meng Xu, Louis Cheung, Choung-Yaw Michael Shieh
  • Publication number: 20130250956
    Abstract: A method and apparatus is disclosed herein for IP packet tunneling in a network. In one embodiment, the method comprises receiving, at a first network device, a first IP packet of an IP connection; creating a second IP packet by replacing information in a field in the first IP packet with a session ID identifying the IP connection; and forwarding, by the first network device, the second IP packet to the second network device in the distributed network environment.
    Type: Application
    Filed: March 20, 2013
    Publication date: September 26, 2013
    Inventors: Yi Sun, Meng Xu, Choung-Yaw Michael Shieh
  • Publication number: 20130117836
    Abstract: A method and apparatus is disclosed herein for performing auto discovery of virtual machines. In one embodiment, the method comprises monitoring, using an interface of the device, one or more packets being sent from one or more virtual machines, the one or more packets being sent; determining, using a processor of the device, if one of the monitored packets comprises a discovery packet from one virtual machine of the one or more virtual machines, wherein the discovery packet includes an address of a destination location; sending, using the interface of the device, a reply packet to the one virtual machine using an address in the discovery packet identified in the monitored packets, the reply packet including an Internet Protocol (IP) address of the device.
    Type: Application
    Filed: November 8, 2011
    Publication date: May 9, 2013
    Inventor: Choung-Yaw Michael Shieh
  • Publication number: 20130117801
    Abstract: A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
    Type: Application
    Filed: November 3, 2011
    Publication date: May 9, 2013
    Inventors: Choung-Yaw Michael Shieh, Jia-Jyi Roger Lian
  • Publication number: 20130111542
    Abstract: A method and apparatus is disclosed herein for using one or more dynamic policies that each have one or more parameters that are instantiated with results of applying one or more other policies. In one embodiment, the method comprises storing a set of policies in a memory, wherein at least one of the policies includes one activatable policy that is conditionally activated during run-time, receiving network traffic using a network interface, applying at least one other policy in the set of policies to the received network traffic, activating the one activatable policy in response to the received network traffic and using results of applying said at least one other policy, and applying the one activatable policy to subsequently received network traffic.
    Type: Application
    Filed: October 31, 2011
    Publication date: May 2, 2013
    Inventor: Choung-Yaw Michael Shieh
  • Publication number: 20120210417
    Abstract: A distributed firewall of a gateway device includes at least one IO module for performing IO functionality of the distributed firewall, at least one security processing module for performing security functionality of the distributed firewall and a firewall controller for managing the IO module and the security processing module. Each of the at least one IO and security processing modules is executed within a virtual machine. In response to a packet received from an ingress interface, the at least one IO module is to identify a security processing module corresponding to a connections session associated with the packet, to transmit the packet to the identified security processing module to perform a security process on the packet, and in response to a signal received from the identified security processing module indicating that the security process has been completed, to transmit the packet to the egress interface.
    Type: Application
    Filed: January 31, 2012
    Publication date: August 16, 2012
    Inventor: Choung-Yaw Michael Shieh
  • Publication number: 20120207174
    Abstract: A network gateway device includes an ingress interface, an egress interface, and a load balancing module coupled to the ingress and egress interfaces. The load balancing module is configured to receive a packet from the ingress interface and determine a set of a plurality of processes corresponding to a connections session associated with the packet based on a policy. For each of the identified processes, the load balancing module is to identify a service processing module executed by a virtual machine that is capable of handling the identified process, and to send the packet to the identified service processing module to perform the identified process on the packet. The packet is then transmitted to the egress interface of the gateway device to be forwarded to a destination.
    Type: Application
    Filed: January 31, 2012
    Publication date: August 16, 2012
    Inventor: Choung-Yaw Michael Shieh