Patents by Inventor Jia-Jyi Lian
Jia-Jyi Lian has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 10333986
  Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
  Type: Grant
  Filed: April 5, 2017
  Date of Patent: June 25, 2019
  Assignee: vArmour Networks, Inc.
  Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
- Patent number: 10158672
  Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
  Type: Grant
  Filed: September 1, 2016
  Date of Patent: December 18, 2018
  Assignee: vArmour Networks, Inc.
  Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
- Patent number: 10110636
  Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
  Type: Grant
  Filed: February 23, 2017
  Date of Patent: October 23, 2018
  Assignee: vArmour Networks, Inc.
  Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
- Patent number: 10084753
  Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
  Type: Grant
  Filed: November 3, 2016
  Date of Patent: September 25, 2018
  Assignee: vArmour Networks, Inc.
  Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
- Patent number: 10009381
  Abstract: Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.
  Type: Grant
  Filed: January 27, 2016
  Date of Patent: June 26, 2018
  Assignee: vArmour Networks, Inc.
  Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
- Publication number: 20170208100
  Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
  Type: Application
  Filed: April 5, 2017
  Publication date: July 20, 2017
  Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
- Publication number: 20170163688
  Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
  Type: Application
  Filed: February 23, 2017
  Publication date: June 8, 2017
  Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
- Patent number: 9621595
  Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
  Type: Grant
  Filed: May 10, 2016
  Date of Patent: April 11, 2017
  Assignee: vArmour Networks, Inc.
  Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
- Patent number: 9609026
  Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
  Type: Grant
  Filed: July 25, 2016
  Date of Patent: March 28, 2017
  Assignee: vArmour Networks, Inc.
  Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
- Publication number: 20170078247
  Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
  Type: Application
  Filed: November 3, 2016
  Publication date: March 16, 2017
  Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
- Publication number: 20170063933
  Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
  Type: Application
  Filed: September 1, 2016
  Publication date: March 2, 2017
  Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
- Publication number: 20170063791
  Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
  Type: Application
  Filed: July 25, 2016
  Publication date: March 2, 2017
  Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
- Publication number: 20170063795
  Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
  Type: Application
  Filed: May 10, 2016
  Publication date: March 2, 2017
  Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
- Patent number: 9525697
  Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
  Type: Grant
  Filed: April 2, 2015
  Date of Patent: December 20, 2016
  Assignee: vArmour Networks, Inc.
  Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
- Publication number: 20160323245
  Abstract: A network system includes a security gateway that receives information from a virtual machine after the virtual machine has migrated from a first network access device to a second network access device, where the information identifies the virtual machine as one associated with a privilege level. The security gateway determines that access to the virtual machine at the first network access device was permitted by the privilege level and assigns the virtual machine at the second network access device to the privilege level. The security gateway then applies a set of rules associated with the privilege level to communications between the network and the virtual machine at the second network access device.
  Type: Application
  Filed: July 13, 2016
  Publication date: November 3, 2016
  Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun, Hsisheng Wang
- Patent number: 9467476
  Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
  Type: Grant
  Filed: August 28, 2015
  Date of Patent: October 11, 2016
  Assignee: vArmour Networks, Inc.
  Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
- Publication number: 20160294858
  Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
  Type: Application
  Filed: April 2, 2015
  Publication date: October 6, 2016
  Inventors: Marc Woolward, Choung-Yaw Michael Shieh, Jia-Jyi Lian
- Publication number: 20160294875
  Abstract: Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.
  Type: Application
  Filed: January 27, 2016
  Publication date: October 6, 2016
  Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
- Patent number: 9407605
  Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
  Type: Grant
  Filed: March 31, 2014
  Date of Patent: August 2, 2016
  Assignee: Juniper Networks, Inc.
  Inventors: Yuming Mao, Roger Jia-Jyi Lian, Guangsong Huang, Lee Chik Cheung
- Patent number: 9380027
  Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
  Type: Grant
  Filed: March 30, 2015
  Date of Patent: June 28, 2016
  Assignee: vArmour Networks, Inc.
  Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward