Patents by Inventor Choung-Yaw Shieh
Choung-Yaw Shieh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20170063791
  Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
  Type: Application
  Filed: July 25, 2016
  Publication date: March 2, 2017
  Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
- Publication number: 20170063933
  Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
  Type: Application
  Filed: September 1, 2016
  Publication date: March 2, 2017
  Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
- Publication number: 20170052827
  Abstract: Systems and methods for using a plurality of processing cores for packet processing in a virtualized network environment are described herein. An example system can comprise a scheduler operable to initiate a processing core of the plurality of processing cores. The processing core is operable to process a plurality of data packets. Based on the determination that the processing core exceeds a threshold processing capacity associated with the processing core, the scheduler sequentially initiates at least one subsequent processing core. The at least one subsequent processing core has a corresponding threshold processing capacity and is operable to process data packets of the plurality of data packets in excess of threshold processing capacities associated with preceding processing cores. Thus, the threshold processing capacities associated with the preceding processing cores are not exceeded.
  Type: Application
  Filed: August 31, 2016
  Publication date: February 23, 2017
  Inventors: Choung-Yaw Shieh, Marc Woolward, Yi Sun
- Patent number: 9525697
  Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
  Type: Grant
  Filed: April 2, 2015
  Date of Patent: December 20, 2016
  Assignee: vArmour Networks, Inc.
  Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
- Publication number: 20160323245
  Abstract: A network system includes a security gateway that receives information from a virtual machine after the virtual machine has migrated from a first network access device to a second network access device, where the information identifies the virtual machine as one associated with a privilege level. The security gateway determines that access to the virtual machine at the first network access device was permitted by the privilege level and assigns the virtual machine at the second network access device to the privilege level. The security gateway then applies a set of rules associated with the privilege level to communications between the network and the virtual machine at the second network access device.
  Type: Application
  Filed: July 13, 2016
  Publication date: November 3, 2016
  Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun, Hsisheng Wang
- Patent number: 9483317
  Abstract: Systems and methods for using a plurality of processing cores for packet processing in a virtualized network environment are described herein. An example system can comprise a scheduler operable to initiate a processing core of the plurality of processing cores. The processing core is operable to process a plurality of data packets. Based on the determination that the processing core exceeds a threshold processing capacity associated with the processing core, the scheduler sequentially initiates at least one subsequent processing core. The at least one subsequent processing core has a corresponding threshold processing capacity and is operable to process data packets of the plurality of data packets in excess of threshold processing capacities associated with preceding processing cores. Thus, the threshold processing capacities associated with the preceding processing cores are not exceeded.
  Type: Grant
  Filed: August 17, 2015
  Date of Patent: November 1, 2016
  Assignee: vArmour Networks, Inc.
  Inventors: Choung-Yaw Shieh, Marc Woolward, Yi Sun
- Patent number: 9467476
  Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
  Type: Grant
  Filed: August 28, 2015
  Date of Patent: October 11, 2016
  Assignee: vArmour Networks, Inc.
  Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
- Publication number: 20160294774
  Abstract: Some embodiments include methods comprising: writing entries in a forwarding table of a switch through an application programming interface (API) of the switch, such that first data packets from a first host and directed to a second host are forwarded by the switch to an enforcement point; receiving the first data packets; forwarding the first data packets to the enforcement point using the forwarding table; determining whether the first data packets violate a high-level security policy using a low-level rule set; configuring the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy; configuring the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to the determining.
  Type: Application
  Filed: April 2, 2015
  Publication date: October 6, 2016
  Inventors: Marc Woolward, Choung-Yaw Shieh
- Publication number: 20160269442
  Abstract: Systems and methods for improving analytics in a distributed network are described herein. An example system can comprise at least one processor, an analytics module, and a security policy module. The security policy module is operable to define a security policy. The security policy is executed by the processor on a network packet. Furthermore, the processor collects network information from the network packet. The analytics module is operable to analyze the network information with additional group information from the security policy. The analysis is used by the processor to generate the result. Based on the generated result, the security policy module updates the security policy.
  Type: Application
  Filed: March 13, 2015
  Publication date: September 15, 2016
  Inventor: Choung-Yaw Shieh
- Patent number: 8478999
  Abstract: A network device implements congestion management of sessions of a network protocol. In one implementation, an incoming request component receives session requests for a negotiation session between the network device and a second network device. A capacity pool stores a value relating to capacity of the network device to continue to efficiently process the session requests. New sessions are initiated when the value stored in the capacity pool is less than an estimate of the capacity of the network device at which the network device maximizes processor usage while minimizing session timeouts.
  Type: Grant
  Filed: August 31, 2009
  Date of Patent: July 2, 2013
  Assignee: Juniper Networks, Inc.
  Inventors: Yonghui Cheng, Choung-Yaw Shieh
- Patent number: 8433900
  Abstract: A request to receive multicast data, associated with a multicast group, may be transmitted. The request may be transmitted via a tunnel. Group keys may be received in response to the request. The group keys may be based on the multicast group. An encapsulated packet may be received via another tunnel. The encapsulated packet may be processed, using the group keys, to obtain a multicast packet associated with the multicast data. The multicast packet may be forwarded to at least one multicast recipient.
  Type: Grant
  Filed: November 30, 2011
  Date of Patent: April 30, 2013
  Assignee: Juniper Networks, Inc.
  Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
- Publication number: 20120144191
  Abstract: A request to receive multicast data, associated with a multicast group, may be transmitted. The request may be transmitted via a tunnel. Group keys may be received in response to the request. The group keys may be based on the multicast group. An encapsulated packet may be received via another tunnel. The encapsulated packet may be processed, using the group keys, to obtain a multicast packet associated with the multicast data. The multicast packet may be forwarded to at least one multicast recipient.
  Type: Application
  Filed: November 30, 2011
  Publication date: June 7, 2012
  Applicant: JUNIPER NETWORKS, INC.
  Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
- Publication number: 20120137358
  Abstract: A system establishes a virtual private network (VPN) tunnel to a destination and determines a next hop for the VPN tunnel. The system inserts the next hop, and an address associated with the destination, into an entry of a first table. The system inserts the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of a second table. The system associates one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.
  Type: Application
  Filed: February 9, 2012
  Publication date: May 31, 2012
  Applicant: JUNIPER NETWORKS, INC.
  Inventors: Changming Liu, Choung-Yaw Shieh, Yonghui Cheng
- Patent number: 8132000
  Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header.
  Type: Grant
  Filed: July 30, 2009
  Date of Patent: March 6, 2012
  Assignee: Juniper Networks, Inc.
  Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
- Patent number: 8127349
  Abstract: A system establishes a virtual private network (VPN) tunnel to a destination and determines a next hop for the VPN tunnel. The system inserts the next hop, and an address associated with the destination, into an entry of a first table. The system inserts the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of a second table. The system associates one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.
  Type: Grant
  Filed: July 12, 2010
  Date of Patent: February 28, 2012
  Assignee: Juniper Networks, Inc.
  Inventors: Changming Liu, Choung-Yaw Shieh, Yonghui Cheng
- Publication number: 20100278181
  Abstract: A system establishes a virtual private network (VPN) tunnel to a destination and determines a next hop for the VPN tunnel. The system inserts the next hop, and an address associated with the destination, into an entry of a first table. The system inserts the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of a second table. The system associates one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.
  Type: Application
  Filed: July 12, 2010
  Publication date: November 4, 2010
  Applicant: JUNIPER NETWORKS, INC.
  Inventors: Changming Liu, Choung-Yaw Shieh, Yonghui Cheng
- Patent number: 7779461
  Abstract: A system establishes a virtual private network (VPN) tunnel to a destination and determines a next hop for the VPN tunnel. The system inserts the next hop, and an address associated with the destination, into an entry of a first table. The system inserts the next hop, and a tunnel identifier corresponding to the established VPN tunnel, into an entry of a second table. The system associates one or more security parameters, used to encrypt traffic sent via the VPN tunnel, with the tunnel identifier.
  Type: Grant
  Filed: November 16, 2004
  Date of Patent: August 17, 2010
  Assignee: Juniper Networks, Inc.
  Inventors: Changming Liu, Choung-Yaw Shieh, Yonghui Cheng
- Publication number: 20090320122
  Abstract: A network device implements congestion management of sessions of a network protocol. In one implementation, an incoming request component receives session requests for a negotiation session between the network device and a second network device. A capacity pool stores a value relating to capacity of the network device to continue to efficiently process the session requests. New sessions are initiated when the value stored in the capacity pool is less than an estimate of the capacity of the network device at which the network device maximizes processor usage while minimizing session timeouts.
  Type: Application
  Filed: August 31, 2009
  Publication date: December 24, 2009
  Applicant: JUNIPER NETWORKS, INC.
  Inventors: Yonghui Cheng, Choung-Yaw Shieh
- Publication number: 20090292917
  Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header.
  Type: Application
  Filed: July 30, 2009
  Publication date: November 26, 2009
  Applicant: Juniper Networks, Inc.
  Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
- Patent number: 7602709
  Abstract: A network device implements congestion management of sessions of a network protocol. In one implementation, an incoming request component receives session requests for a negotiation session between the network device and a second network device. A capacity pool stores a value relating to capacity of the network device to continue to efficiently process the session requests. New sessions are initiated when the value stored in the capacity pool is less than an estimate of the capacity of the network device at which the network device maximizes processor usage while minimizing session timeouts.
  Type: Grant
  Filed: November 17, 2004
  Date of Patent: October 13, 2009
  Assignee: Juniper Networks, Inc.
  Inventors: Yonghui Cheng, Choung-Yaw Shieh