Patents by Inventor Douglas L. Schales

Douglas L. Schales has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200201989
    Abstract: This disclosure provides an automatic causality tracking system that meets real-time analysis needs. It solves causality tracking for cybersecurity, preferably as three sub-tasks: backward tracking, forward tracking, and path-finding. Given a set of threat indicators, the first sub-task yields the system elements (e.g., entities such as processes, files, network sockets, and the like) that contribute information to a set of threat indicators backward in time. The second sub-task yields system elements forward in time. Given two sets of threat indicators, the third sub-task yields shortest paths between them, e.g., how the two sets of indicators are connected to one another. The system enables efficient multi-point traversal analysis with respect to a set of potential compromise points, and using data from real information flows.
    Type: Application
    Filed: October 12, 2018
    Publication date: June 25, 2020
    Applicant: International Business Machines Corporation
    Inventors: Xiaokui Shu, Douglas L. Schales, Marc Philippe Stoecklin
  • Publication number: 20200120109
    Abstract: A technique for storage-efficient cyber incident reasoning by graph matching. The method begins with a graph pattern that comprises a set of elements with constraints and connections among them. A graph of constraint relations (GoC) in the graph pattern is derived. An activity graph representing activity data captured in association with a host machine is then obtained. In response to a query, one or more subgraphs of the activity graph that satisfy the graph pattern are located by iteratively solving constraints in the graph pattern. Specifically, a single element constraint is solved to generate a result, and that result is propagated to connected constraints in the graph of constraint relations. This process continues until all single element constraints have been evaluated and all propagations have been performed. The resulting subgraphs of the activity graph are then returned in response to the database query.
    Type: Application
    Filed: October 12, 2018
    Publication date: April 16, 2020
    Applicant: International Business Machines Corporation
    Inventors: Xiaokui Shu, Douglas L. Schales, Marc Philippe Stoecklin, Frederico Araujo
  • Patent number: 10410127
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: October 23, 2017
    Date of Patent: September 10, 2019
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 9922287
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: March 20, 2018
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Publication number: 20180060745
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Application
    Filed: October 23, 2017
    Publication date: March 1, 2018
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 9854057
    Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network that provides a user-supplied computing device with access to the network. The network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring, without a data monitoring agent installed on the device, and implements a response action to mitigate the high-risk or unauthorized network activity.
    Type: Grant
    Filed: May 6, 2014
    Date of Patent: December 26, 2017
    Assignee: International Business Machines Corporation
    Inventors: Suresh N. Chari, Pau-Chen Cheng, Xin Hu, Lawrence Koved, Josyula R. Rao, Reiner Sailer, Douglas L. Schales, Kapil K. Singh, Marc P. Stoecklin
  • Publication number: 20160358083
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Application
    Filed: June 17, 2015
    Publication date: December 8, 2016
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 9491078
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: November 8, 2016
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Publication number: 20150326594
    Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network that provides a user-supplied computing device with access to the network. The network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring, without a data monitoring agent installed on the device, and implements a response action to mitigate the high-risk or unauthorized network activity.
    Type: Application
    Filed: May 6, 2014
    Publication date: November 12, 2015
    Applicant: International Business Machines Corporation
    Inventors: Suresh N. Chari, Pau-Chen Cheng, Xin Hu, Lawrence Koved, Josyula R. Rao, Reiner Sailer, Douglas L. Schales, Kapil K. Singh, Marc P. Stoecklin
  • Publication number: 20150295805
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Application
    Filed: June 26, 2015
    Publication date: October 15, 2015
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 9106536
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: April 15, 2013
    Date of Patent: August 11, 2015
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 9100309
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: August 4, 2015
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 9032521
    Abstract: Adaptive cyber-security analytics are performed by a computer-implemented method that includes receiving a report on a network activity. A score responsive to the network activity and to a scoring model is computed at a computer. The score indicates a likelihood of a security violation. The score is validated and the scoring model is automatically updated in response to the results of the validation. The network activity is reported as suspicious in response to the score being within a threshold of a security violation value.
    Type: Grant
    Filed: October 13, 2010
    Date of Patent: May 12, 2015
    Assignee: International Business Machines Corporation
    Inventors: Lisa Amini, Mihai Christodorescu, Mitchell A. Cohen, Srinivasan Parthasarathy, Josyula Rao, Reiner Sailer, Douglas L. Schales, Wietse Z. Venema, Olivier Verscheure
  • Patent number: 8949797
    Abstract: A system, method and computer program product for verifying the integrity of a running application program on a computing device. The method comprises: determining entry points into an application program's processing space that affect proper execution and program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to be verified is running; run-time monitoring, in the memory space, of potential modification of the data elements in a manner that could breach program integrity; and initiating a response to the potential modification. When the run-time monitoring detects that a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system.
    Type: Grant
    Filed: April 16, 2010
    Date of Patent: February 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: Najwa Aaraj, Mihai Christodorescu, Dimitrios Pendarakis, Reiner Sailer, Douglas L. Schales
  • Publication number: 20140310517
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Application
    Filed: September 12, 2013
    Publication date: October 16, 2014
    Applicant: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Publication number: 20140310396
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Application
    Filed: April 15, 2013
    Publication date: October 16, 2014
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 8863293
    Abstract: Methods for determining cyber-attack targets include collecting and storing network event information from sensors to extract information regarding an attacker; forming an attack scenario tree that encodes network topology and vulnerability information including paths from known compromised nodes to a set of potential targets; calculating a likelihood for each of the paths using a processor; calculating a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker; calculating a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker; determining a network graph edge to remove which minimizes a defender's expected uncertainty over the potential targets; and removing the determined network graph edge.
    Type: Grant
    Filed: May 23, 2012
    Date of Patent: October 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Dmytro Korzhyk, Reiner Sailer, Douglas L. Schales, Marc Ph. Stoecklin, Ting Wang
  • Publication number: 20130318615
    Abstract: Methods for determining cyber-attack targets include collecting and storing network event information from sensors to extract information regarding an attacker; forming an attack scenario tree that encodes network topology and vulnerability information including paths from known compromised nodes to a set of potential targets; calculating a likelihood for each of the paths using a processor; calculating a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker; calculating a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker; determining a network graph edge to remove which minimizes a defender's expected uncertainty over the potential targets; and removing the determined network graph edge.
    Type: Application
    Filed: May 23, 2012
    Publication date: November 28, 2013
    Applicant: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Dmytro Korzhyk, Reiner Sailer, Douglas L. Schales, Marc Ph. Stoecklin, Ting Wang
  • Publication number: 20130318616
    Abstract: Systems for determining cyber-attack targets include a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge.
    Type: Application
    Filed: June 4, 2012
    Publication date: November 28, 2013
    Applicant: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Dmytro Korzhyk, Reiner Sailer, Douglas L. Schales, Marc Ph. Stoecklin, Ting Wang
  • Publication number: 20120096549
    Abstract: Adaptive cyber-security analytics are performed by a computer-implemented method that includes receiving a report on a network activity. A score responsive to the network activity and to a scoring model is computed at a computer. The score indicates a likelihood of a security violation. The score is validated and the scoring model is automatically updated in response to the results of the validation. The network activity is reported as suspicious in response to the score being within a threshold of a security violation value.
    Type: Application
    Filed: October 13, 2010
    Publication date: April 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Lisa Amini, Mihai Christodorescu, Mitchell A. Cohen, Srinivasan Parthasarathy, Josyula Rao, Reiner Sailer, Douglas L. Schales, Wietse Z. Venema, Olivier Verscheure