Patents by Inventor Clifford E. Kahn
Clifford E. Kahn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11930036Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.Type: GrantFiled: August 31, 2022Date of Patent: March 12, 2024Assignee: Pulse Secure, LLCInventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
-
Publication number: 20230007012Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.Type: ApplicationFiled: August 31, 2022Publication date: January 5, 2023Applicant: Pulse Secure, LLCInventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
-
Patent number: 11483339Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.Type: GrantFiled: December 18, 2019Date of Patent: October 25, 2022Assignee: Pulse Secure, LLCInventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
-
Patent number: 11477028Abstract: A server to provide single sign on services. The server includes a processor and a memory storing an attempt table. The server, in response to receiving a first password for a user account, forwards the first password to an authentication device. The server determines that the first password is not valid for the user account. The server stores the first password in association with the user account in the attempt table. In response to receiving a second password for the user account, the server determines whether the second password matches the first password. When the second password does not match the first password, the server forwards the second password to the authentication device.Type: GrantFiled: February 19, 2020Date of Patent: October 18, 2022Assignee: Pulse Secure, LLCInventors: Clifford E. Kahn, Siva Kumar K, Brett Littrell
-
Publication number: 20200329025Abstract: A server to provide single sign on services. The server includes a processor and a memory storing an attempt table. The server, in response to receiving a first password for a user account, forwards the first password to an authentication device. The server determines that the first password is not valid for the user account. The server stores the first password in association with the user account in the attempt table. In response to receiving a second password for the user account, the server determines whether the second password matches the first password. When the second password does not match the first password, the server forwards the second password to the authentication device.Type: ApplicationFiled: February 19, 2020Publication date: October 15, 2020Inventors: Clifford E. Kahn, Siva Kumar K, Brett Littrell
-
Patent number: 10075432Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.Type: GrantFiled: July 13, 2016Date of Patent: September 11, 2018Assignee: Pulse Secure, LLCInventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
-
Publication number: 20180198786Abstract: A network access control (NAC) device enforces one or more policies for accessing one or more remote network devices. The NAC device includes a processor configured to receive authentication credentials from the user device over an L2 connection including first identification information of the user device, authenticate the user device using the authentication credentials, receive compliance information from the user device over an L3 connection including second identification information of the user device, associate the L2 connection with the L3 connection using the first identification information and the second identification information, and in response to determining that the compliance information satisfies the one or more policies, authorize the user device to access the one or more remote network devices.Type: ApplicationFiled: January 11, 2018Publication date: July 12, 2018Inventors: Viral Ileshkumar Shah, Clifford E. Kahn, Jonathan Rausch, Lenson Andrade
-
Publication number: 20180115571Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.Type: ApplicationFiled: December 15, 2017Publication date: April 26, 2018Inventors: Clifford E. Kahn, Stephen R. Hanna
-
Patent number: 9848006Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.Type: GrantFiled: October 21, 2016Date of Patent: December 19, 2017Assignee: Juniper Networks, Inc.Inventors: Clifford E. Kahn, Stephen R. Hanna
-
Publication number: 20170041334Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.Type: ApplicationFiled: October 21, 2016Publication date: February 9, 2017Inventors: Clifford E. KAHN, Stephen R. Hanna
-
Publication number: 20160323263Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.Type: ApplicationFiled: July 13, 2016Publication date: November 3, 2016Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, SR.
-
Patent number: 9485262Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.Type: GrantFiled: March 28, 2014Date of Patent: November 1, 2016Assignee: Juniper Networks, Inc.Inventors: Clifford E. Kahn, Stephen R. Hanna
-
Patent number: 9401913Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.Type: GrantFiled: March 17, 2015Date of Patent: July 26, 2016Assignee: Pulse Secure, LLCInventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
-
Publication number: 20150195273Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.Type: ApplicationFiled: March 17, 2015Publication date: July 9, 2015Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, SR.
-
Patent number: 9001999Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client in accordance with an authentication protocol, and authenticate the client based on a comparison of the first form to a value derived from a second form of the password stored in a password database. The comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client over the secure connection, authenticate the client by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client when the authentication server receives the first form.Type: GrantFiled: December 6, 2011Date of Patent: April 7, 2015Assignee: Pulse Secure, LLCInventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
-
Patent number: 8478797Abstract: A device maintains, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category. The device associates, in the database, a first counter value with each data item, the first counter value indicating a number of times the respective category has been deleted from the database at a time when the data item was stored in the database. The device associates, in the database or another database, a second counter value with the respective category, the second counter value indicating a current value for a number of times the respective category has been deleted from the database. The device selectively deletes, from the database, one or more data items of the plurality of data items from the database based on the first counter values and the second counter value.Type: GrantFiled: May 31, 2012Date of Patent: July 2, 2013Assignee: Juniper Networks, Inc.Inventors: Clifford E. Kahn, Roger A. Chickering
-
Patent number: 8312540Abstract: In general, the invention is directed toward techniques for controlling access to a network or other computing resource in order to slow down the execution of a password attack while providing minimal obstruction to normal network activity. The method includes generating a history of successful network logins, detecting symptoms of a network password attack, and activating countermeasures in response to the detection. The method further includes receiving a valid login request from the user while the countermeasures are activated and analyzing the history of successful network logins to determine whether the valid login request satisfies a match condition. The method further includes granting the user access to the network when the valid login request satisfies the match condition and denying the user access to the network when the valid login request does not satisfy the match condition even though the valid login request contains a valid username and a valid password.Type: GrantFiled: August 26, 2008Date of Patent: November 13, 2012Assignee: Juniper Networks, Inc.Inventors: Clifford E. Kahn, Jeffrey C. Venable, Sr., Roger A. Chickering
-
Patent number: 8290991Abstract: A device may maintain, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category and supplemental information relating to deletion of the data item. The device may associate a group of counters with at least one of the categories and receive a deletion request corresponding to one of the group of categories, the deletion request including the supplemental information. The device may identify a counter associated with the category corresponding to the deletion request based on the supplemental information. The device may then increment the identified counters and selectively delete the data items based on values of the counters.Type: GrantFiled: June 7, 2010Date of Patent: October 16, 2012Assignee: Juniper Networks, Inc.Inventors: Clifford E. Kahn, Roger A. Chickering
-
Publication number: 20120239685Abstract: A device maintains, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category. The device associates, in the database, a first counter value with each data item, the first counter value indicating a number of times the respective category has been deleted from the database at a time when the data item was stored in the database. The device associates, in the database or another database, a second counter value with the respective category, the second counter value indicating a current value for a number of times the respective category has been deleted from the database. The device selectively deletes, from the database, one or more data items of the plurality of data items from the database based on the first counter values and the second counter value.Type: ApplicationFiled: May 31, 2012Publication date: September 20, 2012Applicant: JUNIPER NETWORKS, INC.Inventors: Clifford E. KAHN, Roger A. CHICKERING
-
Patent number: 8214411Abstract: A device maintains, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category. The device associates, in the database, a first counter value with each data item, the first counter value indicating a number of times the respective category has been deleted from the database at a time when the data item was stored in the database. The device associates, in the database or another database, a second counter value with the respective category, the second counter value indicating a current value for a number of times the respective category has been deleted from the database. The device selectively deletes, from the database, one or more data items of the plurality of data items from the database based on the first counter values and the second counter value.Type: GrantFiled: December 15, 2009Date of Patent: July 3, 2012Assignee: Juniper Networks, Inc.Inventors: Clifford E. Kahn, Roger A. Chickering