Patents by Inventor David Patrick Mankins
David Patrick Mankins has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 9723023
  Abstract: Systems and methods for protecting a network including providing a mapping between internal addresses as seen by devices of the protected network and external addresses; providing devices with a mapped address for a destination in response to a lookup request; rewriting, at a gateway, destination addresses of packets exiting the protected network based on the mapping; and rewriting, at the destination-network gateway, source addresses of packets entering the protected network based on the mapping. Embodiments include a gateway coupled to a protected network, an external network, and a name server. The name server, in response to a hostname lookup request, configured to provide a network device with the internal address; and the gateway with a mapping including the internal address, the addresses of the device, and the hostname. The gateway configured to rewrite destination addresses of outbound packets, and source addresses of inbound packets, based on the mapping.
  Type: Grant
  Filed: March 14, 2013
  Date of Patent: August 1, 2017
  Assignee: Raytheon BBN Technologies Corp.
  Inventors: Daniel Joseph Ellard, Alden Warren Jackson, Christine Elaine Jones, Josh Forrest Karlin, Victoria Ursula Manfredi, David Patrick Mankins, William Timothy Strayer

- Patent number: 9237027
  Abstract: Systems and methods for protecting a network including preventing data traffic from exiting the network unless a domain name request has been performed by a device attempting to transmit the data traffic. In an embodiment, a device within the protected network attempting to send data outside the protected network requests an address for a destination outside the protected network from a domain name server (DNS). In response, the DNS provides an address of the destination to the device and a gateway. In response to receiving the address, the gateway temporarily allows access to the address. In an embodiment, a DNS is coupled to a protected network and the gateway, the DNS provides an external address to a device in response to a request; and a mapping to the gateway; the gateway, coupled to a protected network and an external network, allows traffic according to the mapping.
  Type: Grant
  Filed: March 14, 2013
  Date of Patent: January 12, 2016
  Assignee: Raytheon BBN Technologies Corp.
  Inventors: Daniel Joseph Ellard, Alden Warren Jackson, Christine Elaine Jones, Josh Forrest Karlin, Victoria Ursula Manfredi, David Patrick Mankins, William Timothy Strayer

- Patent number: 9003518
  Abstract: Systems and methods are disclosed for detecting covert DNS tunnels using n-grams. The majority of legitimate DNS requests originate from network content itself, for example, through hyperlinks in websites. So, comparing data from incoming network communications to a hostname included in a DNS request can give an indication of whether the DNS request is a legitimate request or associated with a covert DNS tunnel. This process can be made computationally efficient by extracting n-grams from incoming network content and storing the n-grams in an efficient data structure, such as a Bloom filter. The stored n-grams are compared with n-grams extracted from outgoing DNS requests. If n-grams from an outgoing DNS request are not found in the data structure, the domain associated with the DNS request is determined to be associated with a suspected covert DNS tunnel.
  Type: Grant
  Filed: September 1, 2010
  Date of Patent: April 7, 2015
  Assignee: Raytheon BBN Technologies Corp.
  Inventors: Daniel Wyschogrod, David Patrick Mankins

- Means of mitigating denial of service attacks on IP fragmentation in high performance IPSEC gateways
  Patent number: 8688979
  Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.
  Type: Grant
  Filed: March 4, 2011
  Date of Patent: April 1, 2014
  Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
  Inventors: Craig Partridge, Walter Clark Milliken, David Patrick Mankins

- Patent number: 8595818
  Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.
  Type: Grant
  Filed: June 1, 2011
  Date of Patent: November 26, 2013
  Assignee: Raytheon BBN Technologies Corp.
  Inventors: Josh Forrest Karlin, Gregory Stephen Lauer, Craig Partridge, David Patrick Mankins, William Timothy Strayer

- Publication number: 20120311691
  Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.
  Type: Application
  Filed: June 1, 2011
  Publication date: December 6, 2012
  Applicant: Raytheon BBN Technologies Corp.
  Inventors: Josh Forrest Karlin, Gregory Stephen Lauer, Craig Partridge, David Patrick Mankins, William Timothy Strayer

- Patent number: 8139504
  Abstract: Systems, devices, and methods for routing data through a first and a second ad-hoc network are described. Routing information structured according to a first routing protocol associated with a plurality of nodes in the first network is received at a border node that is part of at least the first and second ad-hoc networks. Routing information structured according to a second routing protocol associated with a plurality of nodes in the second ad-hoc network is also received. The received routing information is translated from the first routing protocol to the second routing protocol, or vice versa, and disseminated to nodes in the first or second ad-hoc networks. Data packets from nodes in the first ad-hoc network are forwarded to nodes in the second ad-hoc network, or vice versa, based in part on the translated routing information.
  Type: Grant
  Filed: April 7, 2009
  Date of Patent: March 20, 2012
  Assignee: Raytheon BBN Technologies Corp.
  Inventors: David Patrick Mankins, Gregory D. Troxel, Karen Z. Haigh

- Publication number: 20120054860
  Abstract: Systems and methods are disclosed for detecting covert DNS tunnels using n-grams. The majority of legitimate DNS requests originate from network content itself, for example, through hyperlinks in websites. So, comparing data from incoming network communications to a hostname included in a DNS request can give an indication of whether the DNS request is a legitimate request or associated with a covert DNS tunnel. This process can be made computationally efficient by extracting n-grams from incoming network content and storing the n-grams in an efficient data structure, such as a Bloom filter. The stored n-grams are compared with n-grams extracted from outgoing DNS requests. If n-grams from an outgoing DNS request are not found in the data structure, the domain associated with the DNS request is determined to be associated with a suspected covert DNS tunnel.
  Type: Application
  Filed: September 1, 2010
  Publication date: March 1, 2012
  Applicant: RAYTHEON BBN TECHNOLOGIES CORP.
  Inventors: Daniel Wyschogrod, David Patrick Mankins

- MEANS OF MITIGATING DENIAL OF SERVICE ATTACKS ON IP FRAGMENTATION IN HIGH PERFORMANCE IPSEC GATEWAYS
  Publication number: 20110161664
  Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.
  Type: Application
  Filed: March 4, 2011
  Publication date: June 30, 2011
  Inventors: Craig Partridge, Walter Clark Milliken, David Patrick Mankins

- Means of mitigating denial of service attacks on IP fragmentation in high performance IPsec gateways
  Patent number: 7921285
  Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.
  Type: Grant
  Filed: November 14, 2003
  Date of Patent: April 5, 2011
  Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
  Inventors: Craig Partridge, Walter Clark Milliken, David Patrick Mankins

- Publication number: 20100254309
  Abstract: Systems, devices, and methods for routing data through a first and a second ad-hoc network are described. Routing information structured according to a first routing protocol associated with a plurality of nodes in the first network is received at a border node that is part of at least the first and second ad-hoc networks. Routing information structured according to a second routing protocol associated with a plurality of nodes in the second ad-hoc network is also received. The received routing information is translated from the first routing protocol to the second routing protocol, or vice versa, and disseminated to nodes in the first or second ad-hoc networks. Data packets from nodes in the first ad-hoc network are forwarded to nodes in the second ad-hoc network, or vice versa, based in part on the translated routing information.
  Type: Application
  Filed: April 7, 2009
  Publication date: October 7, 2010
  Applicant: BBN Technologies Corp.
  Inventors: David Patrick Mankins, Gregory D. Troxel, Karen Z. Haigh

- Patent number: 7061914
  Abstract: Schemes for determining whether all of the fragments of a datagram are received are described herein. The schemes described herein can allocate fifteen bits of memory to one or more counters to facilitate a determination of whether all of the fragments of a datagram are received.
  Type: Grant
  Filed: May 28, 2003
  Date of Patent: June 13, 2006
  Assignees: Verizon Corporate Services Group Inc., BBNT Solutions LLC
  Inventor: David Patrick Mankins

- Publication number: 20040243782
  Abstract: Schemes for determining whether all of the fragments of a datagram are received are described herein. The schemes described herein can allocate fifteen bits of memory to one or more counters to facilitate a determination of whether all of the fragments of a datagram are received.
  Type: Application
  Filed: May 28, 2003
  Publication date: December 2, 2004
  Inventor: David Patrick Mankins