Patents by Inventor Jia-Jyi Lian

Jia-Jyi Lian has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10333986
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: June 25, 2019
    Assignee: vArmour Networks, Inc.
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Patent number: 10158672
    Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.
    Type: Grant
    Filed: September 1, 2016
    Date of Patent: December 18, 2018
    Assignee: vArmour Networks, Inc.
    Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
  • Patent number: 10110636
    Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: October 23, 2018
    Assignee: vArmour Networks, Inc.
    Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
  • Patent number: 10084753
    Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: September 25, 2018
    Assignee: vArmour Networks, Inc.
    Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
  • Patent number: 10009381
    Abstract: Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: June 26, 2018
    Assignee: vArmour Networks, Inc.
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Publication number: 20170208100
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
    Type: Application
    Filed: April 5, 2017
    Publication date: July 20, 2017
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Publication number: 20170163688
    Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
    Type: Application
    Filed: February 23, 2017
    Publication date: June 8, 2017
    Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
  • Patent number: 9621595
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
    Type: Grant
    Filed: May 10, 2016
    Date of Patent: April 11, 2017
    Assignee: vArmour Networks, Inc.
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Patent number: 9609026
    Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
    Type: Grant
    Filed: July 25, 2016
    Date of Patent: March 28, 2017
    Assignee: vArmour Networks, Inc.
    Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
  • Publication number: 20170078247
    Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
    Type: Application
    Filed: November 3, 2016
    Publication date: March 16, 2017
    Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
  • Publication number: 20170063933
    Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.
    Type: Application
    Filed: September 1, 2016
    Publication date: March 2, 2017
    Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
  • Publication number: 20170063791
    Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
    Type: Application
    Filed: July 25, 2016
    Publication date: March 2, 2017
    Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
  • Publication number: 20170063795
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
    Type: Application
    Filed: May 10, 2016
    Publication date: March 2, 2017
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Patent number: 9525697
    Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
    Type: Grant
    Filed: April 2, 2015
    Date of Patent: December 20, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
  • Publication number: 20160323245
    Abstract: A network system includes a security gateway that receives information from a virtual machine after the virtual machine has migrated from a first network access device to a second network access device, where the information identifies the virtual machine as one associated with a privilege level. The security gateway determines that access to the virtual machine at the first network access device was permitted by the privilege level and assigns the virtual machine at the second network access device to the privilege level. The security gateway then applies a set of rules associated with the privilege level to communications between the network and the virtual machine at the second network access device.
    Type: Application
    Filed: July 13, 2016
    Publication date: November 3, 2016
    Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun, Hsisheng Wang
  • Patent number: 9467476
    Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: October 11, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
  • Publication number: 20160294858
    Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
    Type: Application
    Filed: April 2, 2015
    Publication date: October 6, 2016
    Inventors: Marc Woolward, Choung-Yaw Michael Shieh, Jia-Jyi Lian
  • Publication number: 20160294875
    Abstract: Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.
    Type: Application
    Filed: January 27, 2016
    Publication date: October 6, 2016
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Patent number: 9407605
    Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: August 2, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Yuming Mao, Roger Jia-Jyi Lian, Guangsong Huang, Lee Chik Cheung
  • Patent number: 9380027
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: June 28, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward