Patents by Inventor Dennis J. Cox
Dennis J. Cox has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11075886
Abstract: Methods and systems are disclosed that provide in-session splitting of network traffic sessions for monitoring of traffic between network clients and network servers. This in-session splitting is based upon monitoring traffic sessions for one or more events and then initiating a proxied session based upon detection of the one or more events. For further embodiments, the creation of the proxied session is implemented based upon detection of a request for a secure link within the session traffic, and the proxied session is then implemented such that original session participants are not aware of the proxied session. The encrypted secure communications between the network client and the network server are split into two connections that are decrypted and re-encrypted so that the contents of the secure link can be analyzed to identify network threats and/or other desired network related activities.
Type: Grant
Filed: December 15, 2016
Date of Patent: July 27, 2021
Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (SALES) PTE. LTD.
Inventors: Santanu Paul, Kristopher Raney, Dennis J. Cox
-
Patent number: 10171425
Abstract: Methods and systems are disclosed that provide active firewall control for network traffic sessions within virtual processing platforms. Client agent instances run within virtual machine (VM) platforms (e.g., hypervisor, container, etc.) within virtual processing environments and enforce access, proxy, and/or other firewall rules with respect to network traffic sessions for application instances also running within the VM platforms. For certain embodiments, the agent instances collect information about applications and services running within the VM platforms and use this collected information to automatically enforce firewall rules. Additional disclosed embodiments redirect packets from “bad” network sources to a proxied application instance that interacts with the “bad” network source. This proxied interaction allows an agent instance monitoring the proxied session to analyze and assess the actual activity by the “bad” network source without putting the original data or network service at risk.
Type: Grant
Filed: December 15, 2016
Date of Patent: January 1, 2019
Assignee: Keysight Technologies Singapore (Holdings) Pte Ltd
Inventors: Kristopher Raney, Dennis J. Cox, Santanu Paul
-
Publication number: 20180176189
Abstract: Methods and systems are disclosed that provide in-session splitting of network traffic sessions for monitoring of traffic between network clients and network servers. This in-session splitting is based upon monitoring traffic sessions for one or more events and then initiating a proxied session based upon detection of the one or more events. For further embodiments, the creation of the proxied session is implemented based upon detection of a request for a secure link within the session traffic, and the proxied session is then implemented such that original session participants are not aware of the proxied session. The encrypted secure communications between the network client and the network server are split into two connections that are decrypted and re-encrypted so that the contents of the secure link can be analyzed to identify network threats and/or other desired network related activities.
Type: Application
Filed: December 15, 2016
Publication date: June 21, 2018
Inventors: Santanu Paul, Kristopher Raney, Dennis J. Cox
-
Publication number: 20180176182
Abstract: Methods and systems are disclosed that provide active firewall control for network traffic sessions within virtual processing platforms. Client agent instances run within virtual machine (VM) platforms (e.g., hypervisor, container, etc.) within virtual processing environments and enforce access, proxy, and/or other firewall rules with respect to network traffic sessions for application instances also running within the VM platforms. For certain embodiments, the agent instances collect information about applications and services running within the VM platforms and use this collected information to automatically enforce firewall rules. Additional disclosed embodiments redirect packets from “bad” network sources to a proxied application instance that interacts with the “bad” network source. This proxied interaction allows an agent instance monitoring the proxied session to analyze and assess the actual activity by the “bad” network source without putting the original data or network service at risk.
Type: Application
Filed: December 15, 2016
Publication date: June 21, 2018
Inventors: Kristopher Raney, Dennis J. Cox, Santanu Paul
-
Publication number: 20160255013
Abstract: Systems and methods are disclosed for dynamic resource management for load balancing within network packet communication systems. In part, the disclosed embodiments receive operating performance information associated with processing systems within the packet network communication system, generate sets of load balancing rules based upon the operating performance information to adjust load balancing resources within the network packet communication system, apply the sets of load balancing rules to different load balancers within the network packet communication system, and use the load balancers to determine how packets are distributed within the network packet communication system. In addition, processing system resources can also be adjusted based upon operating performance information received with respect to the processing systems and load balancers.
Type: Application
Filed: February 27, 2015
Publication date: September 1, 2016
Inventors: Dennis J. Cox, Kristopher Raney
-
Publication number: 20160255007
Abstract: Systems and methods are disclosed for matrix load balancing within network packet communication systems. The disclosed embodiments in part identify multiple sets of different load balancing parameters, select one or more parameters within each set of load balancing parameters to form a matrix of load balancing parameters, generate load balancing rules (e.g., unique keys and/or signatures) based upon the matrix of load balancing parameters, apply the load balancing rules to one or more load balancers within a network packet communication system, and use the one or more load balancers to determine how packets are distributed within the network packet communication system.
Type: Application
Filed: February 27, 2015
Publication date: September 1, 2016
Inventors: Dennis J. Cox, Kristopher Raney
-
Patent number: 9386103
Abstract: Systems and methods are disclosed for application identification and dynamic signature generation for managing network communication systems. Communication sessions and related packet flows are monitored within a network communication system. Application level information is extracted from session packets by unpacking one or more communication protocols associated with the network packets to obtain application level information encapsulated within the network packets. The extracted application level information is compared to a database of known application signatures in order to identify known applications. For unknown applications, the application level information is used to generate new dynamic application signatures. The application level information can also be used to identify and access external network-accessible resources to obtain additional identification information for the unknown application.
Type: Grant
Filed: October 4, 2013
Date of Patent: July 5, 2016
Assignee: BreakingPoint Systems, Inc.
Inventors: Ryan S. Clifton, Alexander I. Tomlinson, Deep Datta, Jeremy B. Moss, Dennis J. Cox
-
Publication number: 20150101043
Abstract: Systems and methods are disclosed for application identification and dynamic signature generation for managing network communication systems. Communication sessions and related packet flows are monitored within a network communication system. Application level information is extracted from session packets by unpacking one or more communication protocols associated with the network packets to obtain application level information encapsulated within the network packets. The extracted application level information is compared to a database of known application signatures in order to identify known applications. For unknown applications, the application level information is used to generate new dynamic application signatures. The application level information can also be used to identify and access external network-accessible resources to obtain additional identification information for the unknown application.
Type: Application
Filed: October 4, 2013
Publication date: April 9, 2015
Applicant: BreakingPoint Systems, Inc.
Inventors: Ryan S. Clifton, Alexander I. Tomlinson, Deep Datta, Jeremy B. Moss, Dennis J. Cox
-
Patent number: 8683061
Abstract: A system for identifying a subscriber includes an access server coupled to a number of subscribers using a first communication network and further coupled to a second communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the first communication network. The memory stores path information that identifies a virtual circuit assigned to the particular subscriber. The processor identifies the particular subscriber for connection to the second communication network based upon the path information and the particular virtual circuit used to receive the communication from the particular subscriber.
Type: Grant
Filed: March 30, 2007
Date of Patent: March 25, 2014
Assignee: Cisco Technology, Inc.
Inventors: Aravind Sitaraman, Aziz Abdul, Bernard R. James, Dennis J. Cox, John A. Joyce, Peter S. Heitman, Shujin Zhang, Rene T. Tio
-
Patent number: 8570866
Abstract: A network node includes a classify engine interfaced with the Internet. The classify engine accepts packets from the Internet and determines classification information for each packet. A process engine is interfaced with the classify engine, and has ports, each port being associated with a function. A controller is interfaced with the classify engine and the process engine. The controller programs the classify engine with a dataflow program to route each packet to a predetermined port of the process engine based on the classification information of the packet.
Type: Grant
Filed: February 9, 2012
Date of Patent: October 29, 2013
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Charles R. Buckman, Dennis J. Cox, Donovan M. Kolbly, Craig S. Cantrell, Brian C. Smith, Jon H. Werner, Marc Willebeek-LeMair, Joe Wayne Blackard, Francis S. Webster, III
-
Publication number: 20120140672
Abstract: A network node includes a classify engine interfaced with the Internet. The classify engine accepts packets from the Internet and determines classification information for each packet. A process engine is interfaced with the classify engine, and has ports, each port being associated with a function. A controller is interfaced with the classify engine and the process engine. The controller programs the classify engine with a dataflow program to route each packet to a predetermined port of the process engine based on the classification information of the packet.
Type: Application
Filed: February 9, 2012
Publication date: June 7, 2012
Inventors: Charles R. Buckman, Dennis J. Cox, Donovan M. Kolbly, Craig S. Cantrell, Brian C. Smith, Jon H. Werner, Marc Willebeek-LeMair, Joe Wayne Blackard, Francis S. Webster, III
-
Patent number: 8125905
Abstract: A system and method provides a broadband network node for a best effort network such as the Internet or intranets which supports the inexpensive and rapid deployment of services to the best efforts network. Separate data path and control path mechanisms allow high-speed data transfers with parallel processing flows for the data path that are controlled across data flows by the control path. Packets are classified, modified and shaped to enable the service on the network with an accountant to track packet traffic for control and billing purposes. A series of processing blades perform a modification function for each blade that processes packets according to classifications. The processing blades are modular and scalable for insertion in the broad band switch to rapidly adapt the broadband network node for new services.
Type: Grant
Filed: September 3, 2009
Date of Patent: February 28, 2012
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Charles R Buckman, Dennis J Cox, Donovan M Kolby, Craig S Cantrell, Brian C Smith, John H Werner, Marc Willebeek-LeMair, Joe Wayne Blackard, Francis S. Webster, III
-
Publication number: 20090323550
Abstract: A system and method provides a broadband network node for a best effort network such as the Internet or intranets which supports the inexpensive and rapid deployment of services to the best efforts network. Separate data path and control path mechanisms allow high-speed data transfers with parallel processing flows for the data path that are controlled across data flows by the control path. Packets are classified, modified and shaped to enable the service on the network with an accountant to track packet traffic for control and billing purposes. A series of processing blades perform a modification function for each blade that processes packets according to classifications. The processing blades are modular and scalable for insertion in the broadband switch to rapidly adapt the broadband network node for new services.
Type: Application
Filed: September 3, 2009
Publication date: December 31, 2009
Applicant: 3COM CORPORATION
Inventors: Charles R. Buckman, Dennis J. Cox, Donovan M. Kolbly, Craig S. Cantrell, Brian C. Smith, Jon H. Werner, Marc Willebeek-LeMair, Joe Wayne Blackard, Francis S. Webster, III
-
Patent number: 7633868
Abstract: A system and method provides a broadband network node for a best effort network such as the Internet or intranets which supports the inexpensive and rapid deployment of services to the best efforts network. Separate data path and control path mechanisms allow high-speed data transfers with parallel processing flows for the data path that are controlled across data flows by the control path. Packets are classified, modified and shaped to enable the service on the network with an accountant to track packet traffic for control and billing purposes. A series of processing blades perform a modification function for each blade that processes packets according to classifications. The processing blades are modular and scalable for insertion in the broad band switch to rapidly adapt the broadband network node for new services.
Type: Grant
Filed: June 23, 2006
Date of Patent: December 15, 2009
Assignee: TippingPoint Technologies, Inc.
Inventors: Charles R. Buckman, Dennis J. Cox, Donovan M. Kolbly, Craig S. Cantrell, Brian C. Smith, Jon H. Werner, Marc Willebeek-LeMair, Joe Wayne Blackard, Francis S. Webster, III
-
Patent number: 7249186
Abstract: A system for identifying a subscriber includes an access server coupled to a number of subscribers using a first communication network and further coupled to a second communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the first communication network. The memory stores path information that identifies a virtual circuit assigned to the particular subscriber. The processor identifies the particular subscriber for connection to the second communication network based upon the path information and the particular virtual circuit used to receive the communication from the particular subscriber.
Type: Grant
Filed: January 20, 2000
Date of Patent: July 24, 2007
Assignee: Cisco Technology, Inc.
Inventors: Aravind Sitaraman, Aziz Abdul, Bernard R. James, Dennis J. Cox, John A. Joyce, Peter S. Heitman, Shujin Zhang, Rene T. Tio
-
Patent number: 7239639
Abstract: A system and method classifies packets with a programmably fixed network processor program and dynamically updated data structures. The network processor program selects predetermined packet field values of the packets transmitted across the network and classifies the packets by matching one or more packet field values with a data structure. New packet classifications are dynamically created by updating the data structure to associate one or more predetermined packet field values with the new packet classification. For instance, a parse tree program extracts packet header information and matches the packet header information to the data structure. A pattern tree data structure provides longest prefix matches and an ordered tree data structure provides combination matches so that classification of arbitrary Boolean combinations of extracted header fields can be formed.
Type: Grant
Filed: December 27, 2001
Date of Patent: July 3, 2007
Assignee: 3Com Corporation
Inventors: Dennis J. Cox, Alexander I. Tomlinson, Joseph Dempsey, Matthew C. Laswell, Scott Strentzsch, Stephen Egbert, Terry G. Ahnstedt, Brian C. Smith
-
Patent number: 7216175
Abstract: A system for determining subscriber information includes an access server coupled to a number of subscribers using a communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the communication network. The memory stores subscriber information for the subscribers, wherein the subscriber information is indexed by path information that identifies a virtual circuit assigned to the particular subscriber. The processor determines subscriber information for communication to the particular subscriber based upon the path information and the particular virtual circuit used to receive communication from the particular subscriber.
Type: Grant
Filed: January 20, 2000
Date of Patent: May 8, 2007
Assignee: Cisco Systems, Inc.
Inventors: Aravind Sitaraman, Dennis J. Cox, John A. Joyce, Shujin Zhang
-
Patent number: 7095715
Abstract: A system and method provides a broadband network node for a best effort network such as the Internet or intranets which supports the inexpensive and rapid deployment of services to the best efforts network. Separate data path and control path mechanisms allow high-speed data transfers with parallel processing flows for the data path that are controlled across data flows by the control path. Packets are classified, modified and shaped to enable the service on the network with an accountant to track packet traffic for control and billing purposes. A series of processing blades perform a modification function for each blade that processes packets according to classifications. The processing blades are modular and scalable for insertion in the broad band switch to rapidly adapt the broadband network node for new services.
Type: Grant
Filed: July 2, 2001
Date of Patent: August 22, 2006
Assignee: 3Com Corporation
Inventors: Charles R. Buckman, Dennis J. Cox, Donovan M. Kolbly, Craig S. Cantrell, Brian C. Smith, Jon H. Werner, Marc Willebeek-LeMair, Joe Wayne Blackard, Francis S. Webster, III
-
Publication number: 20030123452
Abstract: A system and method classifies packets with a programmably fixed network processor program and dynamically updated data structures. The network processor program selects predetermined packet field values of the packets transmitted across the network and classifies the packets by matching one or more packet field values with a data structure. New packet classifications are dynamically created by updating the data structure to associate one or more predetermined packet field values with the new packet classification. For instance, a parse tree program extracts packet header information and matches the packet header information to the data structure. A pattern tree data structure provides longest prefix matches and an ordered tree data structure provides combination matches so that classification of arbitrary Boolean combinations of extracted header fields can be formed.
Type: Application
Filed: December 27, 2001
Publication date: July 3, 2003
Applicant: TippingPoint Technologies, Inc.
Inventors: Dennis J. Cox, Alexander I. Tomlinson, Joseph F. Dempsey, Matthew C. Laswell, Scott Strentzsch, Stephen Egbert, Terry G. Ahnstedt, Brian C. Smith
-
Publication number: 20030033519
Abstract: A system and method programs network nodes of a packet-based network to provide services. A service creation tool provides an interface for defining packet processing behaviors in a domain specific programming language and package the service for deployment to the network. A service control center deploys, provisions and monitors the service on programmable nodes. Network processors associated with the programmable nodes have packet processing behaviors translated from the programming language to operation code with a network processor abstraction layer. The service control center and network nodes use a three layer architecture to represent service, execution environment and infrastructure functionality.
Type: Application
Filed: August 13, 2001
Publication date: February 13, 2003
Applicant: Tippingpoint Technologies, Inc.
Inventors: Charles R. Buckman, Dennis J. Cox, Donovan M. Kolbly, Craig S. Cantrell, Brain C. Smith, Jon H. Werner, Marc Willebeek-LeMair, J. Wayne Blackard, Francis S. Webster