Patents by Inventor Clifford E. Kahn

Clifford E. Kahn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11930036
    Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: March 12, 2024
    Assignee: Pulse Secure, LLC
    Inventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
  • Publication number: 20230007012
    Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.
    Type: Application
    Filed: August 31, 2022
    Publication date: January 5, 2023
    Applicant: Pulse Secure, LLC
    Inventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
  • Patent number: 11483339
    Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: October 25, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
  • Patent number: 11477028
    Abstract: A server to provide single sign on services. The server includes a processor and a memory storing an attempt table. The server, in response to receiving a first password for a user account, forwards the first password to an authentication device. The server determines that the first password is not valid for the user account. The server stores the first password in association with the user account in the attempt table. In response to receiving a second password for the user account, the server determines whether the second password matches the first password. When the second password does not match the first password, the server forwards the second password to the authentication device.
    Type: Grant
    Filed: February 19, 2020
    Date of Patent: October 18, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Clifford E. Kahn, Siva Kumar K, Brett Littrell
  • Publication number: 20200329025
    Abstract: A server to provide single sign on services. The server includes a processor and a memory storing an attempt table. The server, in response to receiving a first password for a user account, forwards the first password to an authentication device. The server determines that the first password is not valid for the user account. The server stores the first password in association with the user account in the attempt table. In response to receiving a second password for the user account, the server determines whether the second password matches the first password. When the second password does not match the first password, the server forwards the second password to the authentication device.
    Type: Application
    Filed: February 19, 2020
    Publication date: October 15, 2020
    Inventors: Clifford E. Kahn, Siva Kumar K, Brett Littrell
  • Patent number: 10075432
    Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.
    Type: Grant
    Filed: July 13, 2016
    Date of Patent: September 11, 2018
    Assignee: Pulse Secure, LLC
    Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
  • Publication number: 20180198786
    Abstract: A network access control (NAC) device enforces one or more policies for accessing one or more remote network devices. The NAC device includes a processor configured to receive authentication credentials from the user device over an L2 connection including first identification information of the user device, authenticate the user device using the authentication credentials, receive compliance information from the user device over an L3 connection including second identification information of the user device, associate the L2 connection with the L3 connection using the first identification information and the second identification information, and in response to determining that the compliance information satisfies the one or more policies, authorize the user device to access the one or more remote network devices.
    Type: Application
    Filed: January 11, 2018
    Publication date: July 12, 2018
    Inventors: Viral Ileshkumar Shah, Clifford E. Kahn, Jonathan Rausch, Lenson Andrade
  • Publication number: 20180115571
    Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.
    Type: Application
    Filed: December 15, 2017
    Publication date: April 26, 2018
    Inventors: Clifford E. Kahn, Stephen R. Hanna
  • Patent number: 9848006
    Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: December 19, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Clifford E. Kahn, Stephen R. Hanna
  • Publication number: 20170041334
    Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.
    Type: Application
    Filed: October 21, 2016
    Publication date: February 9, 2017
    Inventors: Clifford E. KAHN, Stephen R. Hanna
  • Publication number: 20160323263
    Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.
    Type: Application
    Filed: July 13, 2016
    Publication date: November 3, 2016
    Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, SR.
  • Patent number: 9485262
    Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: November 1, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Clifford E. Kahn, Stephen R. Hanna
  • Patent number: 9401913
    Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.
    Type: Grant
    Filed: March 17, 2015
    Date of Patent: July 26, 2016
    Assignee: Pulse Secure, LLC
    Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
  • Publication number: 20150195273
    Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.
    Type: Application
    Filed: March 17, 2015
    Publication date: July 9, 2015
    Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, SR.
  • Patent number: 9001999
    Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client in accordance with an authentication protocol, and authenticate the client based on a comparison of the first form to a value derived from a second form of the password stored in a password database. The comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client over the secure connection, authenticate the client by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client when the authentication server receives the first form.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: April 7, 2015
    Assignee: Pulse Secure, LLC
    Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
  • Patent number: 8478797
    Abstract: A device maintains, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category. The device associates, in the database, a first counter value with each data item, the first counter value indicating a number of times the respective category has been deleted from the database at a time when the data item was stored in the database. The device associates, in the database or another database, a second counter value with the respective category, the second counter value indicating a current value for a number of times the respective category has been deleted from the database. The device selectively deletes, from the database, one or more data items of the plurality of data items from the database based on the first counter values and the second counter value.
    Type: Grant
    Filed: May 31, 2012
    Date of Patent: July 2, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Clifford E. Kahn, Roger A. Chickering
  • Patent number: 8312540
    Abstract: In general, the invention is directed toward techniques for controlling access to a network or other computing resource in order to slow down the execution of a password attack while providing minimal obstruction to normal network activity. The method includes generating a history of successful network logins, detecting symptoms of a network password attack, and activating countermeasures in response to the detection. The method further includes receiving a valid login request from the user while the countermeasures are activated and analyzing the history of successful network logins to determine whether the valid login request satisfies a match condition. The method further includes granting the user access to the network when the valid login request satisfies the match condition and denying the user access to the network when the valid login request does not satisfy the match condition even though the valid login request contains a valid username and a valid password.
    Type: Grant
    Filed: August 26, 2008
    Date of Patent: November 13, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Clifford E. Kahn, Jeffrey C. Venable, Sr., Roger A. Chickering
  • Patent number: 8290991
    Abstract: A device may maintain, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category and supplemental information relating to deletion of the data item. The device may associate a group of counters with at least one of the categories and receive a deletion request corresponding to one of the group of categories, the deletion request including the supplemental information. The device may identify a counter associated with the category corresponding to the deletion request based on the supplemental information. The device may then increment the identified counters and selectively delete the data items based on values of the counters.
    Type: Grant
    Filed: June 7, 2010
    Date of Patent: October 16, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Clifford E. Kahn, Roger A. Chickering
  • Publication number: 20120239685
    Abstract: A device maintains, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category. The device associates, in the database, a first counter value with each data item, the first counter value indicating a number of times the respective category has been deleted from the database at a time when the data item was stored in the database. The device associates, in the database or another database, a second counter value with the respective category, the second counter value indicating a current value for a number of times the respective category has been deleted from the database. The device selectively deletes, from the database, one or more data items of the plurality of data items from the database based on the first counter values and the second counter value.
    Type: Application
    Filed: May 31, 2012
    Publication date: September 20, 2012
    Applicant: JUNIPER NETWORKS, INC.
    Inventors: Clifford E. KAHN, Roger A. CHICKERING
  • Patent number: 8214411
    Abstract: A device maintains, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category. The device associates, in the database, a first counter value with each data item, the first counter value indicating a number of times the respective category has been deleted from the database at a time when the data item was stored in the database. The device associates, in the database or another database, a second counter value with the respective category, the second counter value indicating a current value for a number of times the respective category has been deleted from the database. The device selectively deletes, from the database, one or more data items of the plurality of data items from the database based on the first counter values and the second counter value.
    Type: Grant
    Filed: December 15, 2009
    Date of Patent: July 3, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Clifford E. Kahn, Roger A. Chickering