Patents by Inventor Jean-Marc Robert
Jean-Marc Robert has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8966263
Abstract: A system and method are provided for key-based network equipment remote access authentication. A remote client machine and a piece of network equipment perform client-server authentication while the network equipment employs an access validation server to perform access validation for key-based authentication.
Type: Grant
Filed: March 31, 2006
Date of Patent: February 24, 2015
Assignee: Alcatel Lucent
Inventors: Jean-Marc Robert, Koen Jan Van De Weyer, Katrien B. N. Scharre
-
Patent number: 8020207
Abstract: A malware detection and response system based on traffic pattern anomaly detection is provided, whereby packets associated with a variety of protocols on each port of a network element are counted distinctly for each direction. Such packets include: ARP requests, TCP/SYN requests and acknowledgements, TCP/RST packets, DNS/NETBEUI name lookups, outgoing ICMP packets, UDP packets, etc. When a packet causes an individual count or combination of counts to exceed a threshold, appropriate action is taken. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost.
Type: Grant
Filed: January 23, 2007
Date of Patent: September 13, 2011
Assignee: ALCATEL LUCENT
Inventors: Stanley TaiHai Chow, Jean-Marc Robert, Kevin McNamee, Douglas Wiemer, Bradley Kenneth McFarlane
-
Publication number: 20110197278
Abstract: A malware detection and response system based on traffic pattern anomaly detection is provided, whereby packets associated with a variety of protocols on each port of a network element are counted distinctly for each direction. Such packets include: ARP requests, TCP/SYN requests and acknowledgements, TCP/RST packets, DNS/NETBEUI name lookups, outgoing ICMP packets, UDP packets, etc. When a packet causes an individual count or combination of counts to exceed a threshold, appropriate action is taken. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost.
Type: Application
Filed: January 23, 2007
Publication date: August 11, 2011
Applicant: ALCATEL LUCENT
Inventors: Stanley TaiHai Chow, Jean-Marc Robert, Kevin McNamee, Douglas Wiemer, Bradley Kenneth McFarlane
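The counting scheme in the two abstracts above (patent 8020207 and its application 20110197278) is easy to mis-specify: the counts have to be kept per port and per direction, and a "combination of counts" rule is what catches a scanner whose inbound SYNs never produce an outbound SYN-ACK. The following is an added illustration, not code from the patents or from Alcatel Lucent. The packet record layout, port names, threshold values and the combined SYN/SYN-ACK rule are assumptions; the trace is constructed.

```python
"""Per-port, per-direction packet-type counters with threshold actions.

Added example, not code from the patents or from Alcatel Lucent. It models
the counting scheme the abstract describes on a constructed packet trace.
Packet record layout, port names, thresholds and the combined SYN/SYN-ACK
rule are assumptions made for illustration.
"""
from collections import defaultdict

# Per-category thresholds per counting window (constructed values).
THRESHOLDS = {"TCP_SYN": 5, "ARP_REQ": 4, "TCP_RST": 3}
# Combined-count rule (ours): inbound SYNs that never see an outbound SYN-ACK
# on the same port look like a host scanning for targets.
SYN_NO_REPLY_THRESHOLD = 4


def classify(pkt):
    """Map a packet record to one of the counted categories, or None."""
    proto = pkt["proto"]
    if proto == "arp":
        return "ARP_REQ" if pkt.get("op") == "request" else None
    if proto == "tcp":
        flags = pkt.get("flags", "")
        if flags == "S":
            return "TCP_SYN"
        if flags == "SA":
            return "TCP_SYNACK"
        if "R" in flags:
            return "TCP_RST"
        return None
    if proto == "udp":
        # DNS (53) and NetBIOS name service (137) lookups are counted apart.
        return "NAME_LOOKUP" if pkt.get("dport") in (53, 137) else "UDP"
    if proto == "icmp" and pkt["dir"] == "out":
        return "ICMP_OUT"
    return None


class PortCounters:
    """Counts categories distinctly per (port, direction) and fires rules."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.fired = set()  # each rule fires once per window

    def _fire(self, key, value, alerts):
        if key not in self.fired:
            self.fired.add(key)
            alerts.append(key + (value,))

    def feed(self, pkt):
        """Count one packet; return the list of alerts it triggered."""
        cat = classify(pkt)
        if cat is None:
            return []
        port, direction = pkt["port"], pkt["dir"]
        bucket = self.counts[(port, direction)]
        bucket[cat] += 1
        alerts = []
        limit = THRESHOLDS.get(cat)
        if limit is not None and bucket[cat] > limit:
            self._fire((port, direction, cat), bucket[cat], alerts)
        # Combined rule across the two directions of the same port.
        outstanding = (self.counts[(port, "in")]["TCP_SYN"]
                       - self.counts[(port, "out")]["TCP_SYNACK"])
        if outstanding > SYN_NO_REPLY_THRESHOLD:
            self._fire((port, "in", "SYN_WITHOUT_SYNACK"), outstanding, alerts)
        return alerts


def run(trace):
    """Feed a whole trace through fresh counters; return every alert raised."""
    det = PortCounters()
    alerts = []
    for pkt in trace:
        alerts.extend(det.feed(pkt))
    return alerts


# Constructed trace: one answered connection on eth0, then a host behind
# eth1 sending six SYNs that nothing answers.
SAMPLE_TRACE = [
    {"port": "eth0", "dir": "in", "proto": "tcp", "flags": "S"},
    {"port": "eth0", "dir": "out", "proto": "tcp", "flags": "SA"},
] + [{"port": "eth1", "dir": "in", "proto": "tcp", "flags": "S"} for _ in range(6)]

if __name__ == "__main__":
    for alert in run(SAMPLE_TRACE):
        print("port=%s dir=%s rule=%s count=%d" % alert)
```

On the constructed trace the combined rule fires first (five unanswered SYNs on eth1), then the per-category SYN threshold on the sixth packet; eth0 stays quiet because its SYN was answered. A data-plane implementation would reset the counters per time window and would rate-limit or quarantine the port rather than just report, and the thresholds would have to be tuned per port role (an uplink legitimately carries far more SYNs than an access port).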
-
Patent number: 7962958
Abstract: Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detects a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or while the communication is active.
Type: Grant
Filed: February 19, 2010
Date of Patent: June 14, 2011
Assignee: Alcatel Lucent
Inventors: Jean-Marc Robert, Michel Barbeau
-
Patent number: 7757283
Abstract: This method and system for detecting abnormal traffic in a communications network is based on classifying the traffic in risk and status categories and maintaining a service status table with this information for each service at a respective node. The risk categories are initially established based on known software vulnerabilities recognized for the respective service. An early notifier enables further processing of services suspected of malware propagation. Status categories enable segregating traffic with an "under attack" status from traffic with a "not under attack" status, so that the intrusion detection system at the respective node only processes the "under attack" traffic. In this way, the time and amount of processing performed by the intrusion detection system is considerably reduced.
Type: Grant
Filed: July 8, 2005
Date of Patent: July 13, 2010
Assignee: Alcatel Lucent
Inventors: Jean-Marc Robert, Francois J. N. Cosquer
-
Publication number: 20100142709
Abstract: Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detects a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or while the communication is active.
Type: Application
Filed: February 19, 2010
Publication date: June 10, 2010
Applicant: ALCATEL
Inventors: Jean-Marc Robert, Michel Barbeau
-
Patent number: 7716740
Abstract: Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detects a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or while the communication is active.
Type: Grant
Filed: October 5, 2005
Date of Patent: May 11, 2010
Assignee: Alcatel Lucent
Inventors: Jean-Marc Robert, Michel Barbeau
-
Patent number: 7685420
Abstract: Methods and apparatus for improving the resilience of wireless packet-switched networks to Layer-2 attacks are provided via a lightweight mechanism for detecting spoofed frames. The mechanism enables a receiving node to detect spoofed frames from information contained in cookies sent with frames. A first cookie, containing initial information, is sent to the receiving station from the transmitting node along with the first frame of a frame set. For each received frame, spoofing detection includes applying a function to information received via a corresponding cookie received with the subject frame, the result of which function is compared with information received via a previous cookie. The validity of the subject frame is asserted if the result of applying the function to information received in the corresponding subject cookie correlates with previous or initial information received in a previous or the first cookie, respectively. An exemplary implementation includes using a one-way hashing function.
Type: Grant
Filed: September 14, 2004
Date of Patent: March 23, 2010
Assignee: Alcatel Lucent
Inventors: Frederic Gariador, Jean-Marc Robert
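With a one-way hash as the function, the scheme above is a hash chain revealed backwards: the transmitter commits to the last element first and each later cookie is the preimage of the one before it, so a station that only observes the air cannot produce the next valid cookie. The following is an added illustration, not code from the patent or from Alcatel Lucent; the frame layout, chain length, trust-on-first-use of the initial cookie and the one-frame loss window are assumptions made here.

```python
"""Hash-chain cookies for detecting spoofed frames.

Added example, not code from the patent or from Alcatel Lucent. It uses a
one-way hash chain (the abstract's "exemplary implementation"): the sender
reveals the chain backwards, one element per frame, and the receiver checks
that hashing the new cookie reproduces the previous one. Frame layout, the
chain length, the trust-on-first-use anchor and the loss window are
assumptions made for illustration.
"""
import hashlib
import os


def H(x):
    return hashlib.sha256(x).digest()


class ChainSender:
    def __init__(self, n, seed=None):
        # chain[0] = seed, chain[i] = H(chain[i-1]); chain[n] is sent first.
        chain = [seed or os.urandom(32)]
        for _ in range(n):
            chain.append(H(chain[-1]))
        self._chain = chain
        self._next = n

    def send(self, payload):
        if self._next < 0:
            raise RuntimeError("hash chain exhausted; start a new one")
        cookie = self._chain[self._next]
        self._next -= 1
        return (payload, cookie)


class ChainReceiver:
    def __init__(self, max_skip=1):
        self.anchor = None
        self.max_skip = max_skip  # lost frames tolerated before desync

    def accept(self, frame):
        _payload, cookie = frame
        if self.anchor is None:
            # First frame of the set: its cookie becomes the anchor.
            self.anchor = cookie
            return True
        h = cookie
        for _ in range(self.max_skip + 1):
            h = H(h)
            if h == self.anchor:
                self.anchor = cookie  # advance; the old cookie cannot be replayed
                return True
        return False


def demo():
    """Walk one frame set through the receiver; returns the accept decisions."""
    tx = ChainSender(n=4, seed=b"\x01" * 32)  # fixed seed for a reproducible run
    rx = ChainReceiver(max_skip=1)
    results = []
    f0 = tx.send(b"assoc")
    results.append(rx.accept(f0))          # True: anchor established
    f1 = tx.send(b"data-1")
    results.append(rx.accept(f1))          # True: H(cookie1) == anchor
    results.append(rx.accept(f1))          # False: replay of a consumed cookie
    results.append(rx.accept((b"deauth", os.urandom(32))))  # False: forged cookie
    f2 = tx.send(b"data-2")                # lost in transit, never delivered
    f3 = tx.send(b"data-3")
    results.append(rx.accept(f3))          # True: within the one-frame loss window
    results.append(rx.accept(f2))          # False: late delivery of an older cookie
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want stated: the initial cookie is accepted on trust here, so an attacker who can race the first frame of a set can plant their own chain (binding that anchor to the association handshake or an existing key closes this), and a cookie is only as good as its freshness, since an attacker who sees a frame before the legitimate receiver does can replay its cookie on a spoofed frame within that window. The loss window (`max_skip`) trades tolerance of dropped frames for a slightly larger replay surface.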
-
Patent number: 7647623
Abstract: A method and system for filtering malicious packets received at the edge of a service provider (SP) domain is provided. A protocol-aware border element identifies the protocol used by any ingress packet, and then determines which domain-specific information is used in the application payload of the packet to form the source identity. If this packet pretends to come from the SP domain, and no domain entity is allowed to roam, the packet is identified as illegitimate and is subjected to a given security policy. The border element also identifies as legitimate the SP domain entities that are allowed to roam, and legitimate sources outside said SP domain that customarily communicate with entities in the SP domain.
Type: Grant
Filed: October 17, 2005
Date of Patent: January 12, 2010
Assignee: Alcatel Lucent
Inventors: Jean-Marc Robert, Dmitri Vinokurov
-
Patent number: 7565426
Abstract: A system and method of tracing network flows in an autonomous communications system are described. The Autonomous System may be formed of multiple subgroups depending on size and application. Each subgroup contains multiple, interconnected routers which participate in transporting data flow across the Autonomous System (AS). A Director within the AS has a full and complete vision of the network topology. When it is desired to trace a particular flow because of an identified attack, selected routers in key locations, through which that particular flow travels, mark packets with labels which enable the tracing of the path. These labels permit the source of the attack, at least in so far as it travels through the AS, to be identified. If the number of entry (or key) points to the AS is larger than the number of available labels, the AS is divided into subgroups and the flow is traced from subgroup to subgroup.
Type: Grant
Filed: August 7, 2003
Date of Patent: July 21, 2009
Assignee: Alcatel Lucent
Inventors: Emanuele Jones, Jean-Marc Robert
-
Patent number: 7487541
Abstract: A method and system for tracing back single packets based on storing only one record per flow, 'FlowId', observed by a router on a given interface and in a given time window 'Time Period'. This record can be seen as a canonical representation for all packets seen during this window. A malicious packet may be traced back to its origin by identifying the port of arrival based on that packet's time of arrival X and the FlowId.
Type: Grant
Filed: December 10, 2003
Date of Patent: February 3, 2009
Assignee: Alcatel Lucent
Inventor: Jean-Marc Robert
-
Publication number: 20090013404
Abstract: When the processing resources of a host system are occupied beyond a trigger point by incoming requests, that host system issues a cool-it message that is broadcast throughout the network, eventually reaching edge routers that, in response to the message, throttle the traffic that they pass into the network. The throttling is applied in increasing amounts with increasing traffic volumes received at the edge routers. The cool-it messages are authenticated to ensure that they are not being used as instruments of a DoS attack. This mechanism also works to control legitimate network congestion, and it does not block users from a host system that is under attack.
Type: Application
Filed: July 5, 2007
Publication date: January 8, 2009
Applicant: ALCATEL LUCENT
Inventors: Stanley TaiHai Chow, Douglas Wiemer, Jean-Marc Robert
-
Patent number: 7464398
Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known to be legitimate, the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address is stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.
Type: Grant
Filed: May 19, 2003
Date of Patent: December 9, 2008
Assignee: Alcatel Lucent
Inventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
-
Patent number: 7415018
Abstract: The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly, the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow, at least within a particular domain, can be absolutely identified. This method of performing a traceback operation does not utilize additional resources as it relies on functionality which already exists in the system.
Type: Grant
Filed: September 17, 2003
Date of Patent: August 19, 2008
Assignee: Alcatel Lucent
Inventors: Emanuele Jones, Olivier Le Moigne, Jean-Marc Robert
-
Patent number: 7373663
Abstract: A mechanism for detecting denial of service attacks in a digital communications system is described. A probabilistically determined portion of input packets of a connection are processed using a hash function to determine whether the packets belong to the flow initiated by a TCP SYN packet. The hash function includes a secret key for additional security. The result of the hash function is added to a value which is dependent on the sequence number of a packet being processed.
Type: Grant
Filed: December 12, 2002
Date of Patent: May 13, 2008
Assignee: Alcatel Canada Inc.
Inventor: Jean-Marc Robert
-
Patent number: 7284272
Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.
Type: Grant
Filed: May 31, 2002
Date of Patent: October 16, 2007
Assignee: Alcatel Canada Inc.
Inventors: Brett Howard, Jean-Marc Robert, Paul Kierstead, Scott David D'Souza
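Both of the preceding abstracts (7373663 and 7284272) key the hash with a secret, and the reason matters: an unkeyed hash over the 4-tuple lets an attacker pick addresses and ports that collide into one bucket or steer clear of a watched one. The example below, added here and not taken from the patents or from Alcatel Canada, implements the SYN/FIN bucket statistics of 7284272 with HMAC-SHA256 as the keyed hash. The bucket count, the outstanding-SYN limit, the key and the sample traffic are assumptions; the flood is sized so that at least one bucket must exceed the limit by the pigeonhole principle, whatever the key.

```python
"""Keyed-hash bucketing of SYN and FIN packets to spot flooding.

Added example, not code from the patents or from Alcatel Canada. It hashes
(source IP, destination IP, source port, destination port) with a secret key
into a fixed number of buckets and keeps SYN and FIN statistics per bucket,
as the abstract describes. HMAC-SHA256 as the keyed hash, the bucket count,
the threshold and the sample traffic are assumptions made for illustration.
"""
import hashlib
import hmac
from collections import defaultdict

NUM_BUCKETS = 16
# Constructed key. Keeping it secret is what stops an attacker from choosing
# addresses that all land in one bucket or that dodge a watched one.
SECRET_KEY = b"per-device-secret-rotate-periodically"
OUTSTANDING_LIMIT = 3      # SYNs without a matching FIN tolerated per bucket


def bucket_of(src, dst, sport, dport, key=SECRET_KEY):
    """Keyed hash of the 4-tuple, reduced to a bucket index."""
    msg = f"{src}|{dst}|{sport}|{dport}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % NUM_BUCKETS


class SynFinTracker:
    def __init__(self, key=SECRET_KEY):
        self.key = key
        self.syn = defaultdict(int)
        self.fin = defaultdict(int)

    def observe(self, src, dst, sport, dport, flags):
        """Account one TCP packet; returns the bucket it was mapped to."""
        b = bucket_of(src, dst, sport, dport, self.key)
        if "S" in flags and "A" not in flags:
            self.syn[b] += 1            # connection request
        elif "F" in flags:
            self.fin[b] += 1            # orderly close on the same 4-tuple
        return b

    def outstanding(self, b):
        return self.syn[b] - self.fin[b]

    def outstanding_total(self):
        return sum(self.syn.values()) - sum(self.fin.values())

    def suspicious_buckets(self):
        """Buckets whose SYNs are not being matched by FINs."""
        return sorted(b for b in list(self.syn) if self.outstanding(b) > OUTSTANDING_LIMIT)


def run_scenario(flood):
    """Constructed traffic: six clean sessions, optionally a spoofed SYN flood."""
    t = SynFinTracker()
    for i in range(6):
        src = f"192.0.2.{i + 1}"
        t.observe(src, "198.51.100.10", 40000 + i, 443, "S")
        t.observe(src, "198.51.100.10", 40000 + i, 443, "FA")
    if flood:
        # 64 SYNs from spoofed sources that never complete, so no FIN follows.
        # 64 SYNs into 16 buckets guarantees some bucket holds at least 4.
        for i in range(64):
            t.observe(f"203.0.113.{i}", "198.51.100.10", 1024 + i, 443, "S")
    return t


if __name__ == "__main__":
    t = run_scenario(flood=True)
    print("outstanding:", t.outstanding_total(), "suspicious:", t.suspicious_buckets())
```

Because SYN and FIN of one connection hash to the same bucket, well-behaved traffic nets to zero per bucket and only unmatched SYNs accumulate. A deployable version would also count RST as a close, expire statistics per time window so a long-lived but legitimate backlog does not trip the limit, and rotate the key without losing the in-flight counts (keep both keys for one window).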
-
Publication number: 20070234054
Abstract: A system and method are provided for key-based network equipment remote access authentication. A remote client machine and a piece of network equipment perform client-server authentication while the network equipment employs an access validation server to perform access validation for key-based authentication.
Type: Application
Filed: March 31, 2006
Publication date: October 4, 2007
Inventors: Jean-Marc Robert, Koen Van De Weyer, Katrien Scharre
-
Publication number: 20070086338
Abstract: A method and system for filtering malicious packets received at the edge of a service provider (SP) domain is provided. A protocol-aware border element identifies the protocol used by any ingress packet, and then determines which domain-specific information is used in the application payload of the packet to form the source identity. If this packet pretends to come from the SP domain, and no domain entity is allowed to roam, the packet is identified as illegitimate and is subjected to a given security policy. The border element also identifies as legitimate the SP domain entities that are allowed to roam, and legitimate sources outside said SP domain that customarily communicate with entities in the SP domain.
Type: Application
Filed: October 17, 2005
Publication date: April 19, 2007
Applicant: ALCATEL
Inventors: Jean-Marc Robert, Dmitri Vinokurov
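The point of the border element in 7647623 and its application 20070086338 above is that the source identity is taken from the application payload, not from the IP header, so the check survives source-address spoofing and catches the opposite case too: a packet from outside whose application-layer identity claims to be inside the provider's domain. The following is an added illustration, not code from the patents or from Alcatel; it uses SIP as the application protocol and the From header as the domain-specific identity. The provider domain, the roaming and peer lists, the disposition labels and the sample messages are constructed.

```python
"""Protocol-aware filtering of ingress packets that claim a domain identity.

Added example, not code from the patents or from Alcatel. It takes SIP as
the application protocol and derives the source identity from the From
header, then applies the abstract's rule: a packet entering from outside
that claims to come from the provider's own domain is illegitimate unless
that entity is allowed to roam. The domain name, the roaming and peer
lists, the label names and the sample messages are constructed.
"""
import re

SP_DOMAIN = "sp.example"                      # the provider's own domain
ROAMING_ALLOWED = {"alice@sp.example"}        # SP entities allowed to roam
CUSTOMARY_PEERS = {"peer.example"}            # outside domains seen regularly

# Matches "From:" (or compact "f:"), optional display name, optional angle
# bracket, then user@domain of the SIP URI; stops at '>', ';' or a port ':'.
_FROM_RE = re.compile(
    r'^(?:From|f):\s*(?:"[^"]*"\s*)?<?sip:([^@>\s]+)@([^>;:\s]+)',
    re.IGNORECASE | re.MULTILINE,
)


def detect_protocol(payload):
    """Minimal protocol identification on the request line."""
    first = payload.split("\r\n", 1)[0]
    return "sip" if first.endswith("SIP/2.0") else "unknown"


def sip_source_identity(payload):
    """(user, domain) from the From header, or None if absent."""
    m = _FROM_RE.search(payload)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def classify_ingress(payload):
    """Disposition for one packet arriving on the outside interface."""
    if detect_protocol(payload) != "sip":
        return "no-identity"           # fall through to the default policy
    ident = sip_source_identity(payload)
    if ident is None:
        return "no-identity"
    user, domain = ident
    if domain == SP_DOMAIN:
        # Claims to be one of ours, yet arrived from outside.
        if f"{user}@{domain}" in ROAMING_ALLOWED:
            return "legitimate-roaming"
        return "spoofed-domain"        # subject to the security policy
    if domain in CUSTOMARY_PEERS:
        return "legitimate-external"
    return "unknown-external"


def sip_invite(from_user, from_domain):
    """Constructed SIP INVITE carrying only the headers this example reads."""
    return (
        "INVITE sip:bob@sp.example SIP/2.0\r\n"
        f'From: "{from_user}" <sip:{from_user}@{from_domain}>;tag=1928\r\n'
        "To: <sip:bob@sp.example>\r\n\r\n"
    )


if __name__ == "__main__":
    for user, dom in [("bob", "sp.example"), ("alice", "sp.example"),
                      ("carol", "peer.example"), ("dave", "other.example")]:
        print(f"{user}@{dom}: {classify_ingress(sip_invite(user, dom))}")
```

The roaming allow-list is the weak spot of this design: an attacker who learns which identities may roam can claim one of them, so in practice the border element pairs the identity check with the registration state or a cryptographic binding (for SIP, the authenticated registration or a signed identity header). The regex is deliberately strict about the URI shape; a production parser must handle the full header grammar, or the attacker will find the encoding the filter does not.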
-
Publication number: 20070079376
Abstract: Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detects a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or while the communication is active.
Type: Application
Filed: October 5, 2005
Publication date: April 5, 2007
Applicant: ALCATEL
Inventors: Jean-Marc Robert, Michel Barbeau
-
Publication number: 20070067845
Abstract: The invention is directed to providing threat and risk analysis for a network that has a high degree of inter-relationships and interdependencies among the assets comprising it, using a "cut set" enumeration method. The identified cut sets are used as the basis for the threat and risk analysis, since each cut set may affect the traffic between two dependent assets in the network, and thereby affect the security state of the dependent assets themselves. The affected security state may be confidentiality, integrity, availability, or another network or security relevant parameter.
Type: Application
Filed: September 22, 2005
Publication date: March 22, 2007
Applicant: ALCATEL
Inventors: Douglas Wiemer, Jean-Marc Robert, Bradley McFarlane, Christophe Gustave, Stanley Chow, Jian Tang
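A cut set in the sense of the abstract above is a set of intermediate assets whose loss or subversion severs the traffic between two dependent assets; the minimal ones (no proper subset is itself a cut) are what the analysis ranks, since a single-asset cut set is a single point of failure and an asset appearing in many cut sets is disproportionately exposed. The following is an added illustration, not code from the application or from Alcatel; the topology, the asset names and the exposure scoring are constructed, and the enumeration is brute force, which is fine for a segment but not for a whole network.

```python
"""Minimal cut set enumeration for threat and risk analysis.

Added example, not code from the patent application or from Alcatel. Assets
are nodes of an undirected connectivity graph; a cut set is a set of assets
whose loss disconnects two dependent assets, and only minimal ones are kept.
The topology, asset names and exposure scoring are constructed.
"""
from collections import Counter
from itertools import combinations

# Constructed topology: an application reaches its database through two
# switches, two routers and one firewall.
TOPOLOGY = {
    "app": {"sw1", "sw2"},
    "sw1": {"app", "r1"},
    "sw2": {"app", "r1", "r2"},
    "r1": {"sw1", "sw2", "fw"},
    "r2": {"sw2", "fw"},
    "fw": {"r1", "r2", "db"},
    "db": {"fw"},
}


def connected(graph, src, dst, removed=frozenset()):
    """Depth-first search that treats the assets in `removed` as gone."""
    if src in removed or dst in removed:
        return False
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def minimal_cut_sets(graph, src, dst):
    """Enumerate minimal asset cut sets between two dependent assets.

    Subsets are tried smallest first; any superset of a cut already found
    is skipped, so every cut returned is minimal. Exponential in the number
    of intermediate assets.
    """
    candidates = sorted(set(graph) - {src, dst})
    cuts = []
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            s = frozenset(combo)
            if any(c <= s for c in cuts):
                continue
            if not connected(graph, src, dst, s):
                cuts.append(s)
    return cuts


def single_points_of_failure(cuts):
    """Cut sets of size one: one asset whose loss breaks the dependency."""
    return sorted(next(iter(c)) for c in cuts if len(c) == 1)


def asset_exposure(cuts):
    """Number of minimal cut sets each asset belongs to; an input for ranking
    which assets' availability (or integrity, if they can be subverted to
    tamper with traffic) most affects the dependent pair."""
    return Counter(asset for c in cuts for asset in c)


if __name__ == "__main__":
    cuts = minimal_cut_sets(TOPOLOGY, "app", "db")
    print("minimal cut sets:", [sorted(c) for c in cuts])
    print("single points of failure:", single_points_of_failure(cuts))
    print("exposure:", dict(asset_exposure(cuts)))
```

On the constructed topology the enumeration yields {fw}, {r1, r2}, {r1, sw2} and {sw1, sw2}: the firewall is the single point of failure, and r1 and sw2 each sit in two cut sets, which is the kind of ranking the abstract feeds into the threat and risk analysis. Which security property a cut set threatens depends on what an attacker can do with the asset: taking it down is an availability risk, compromising it so that it can read or alter the traffic that crosses it is a confidentiality or integrity risk.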