Patents by Inventor Kent K. Leung

Kent K. Leung has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11412000
    Abstract: Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced, transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent by the agents applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: August 9, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Michel Khouderchah, Jayaraman Iyer, Kent K. Leung, Jianxin Wang, Donovan O'Hara, Saman Taghavi Zargar, Subharthi Paul
  • Publication number: 20210218771
    Abstract: Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced, transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent by the agents applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.
    Type: Application
    Filed: January 14, 2020
    Publication date: July 15, 2021
    Inventors: Michel Khouderchah, Jayaraman Iyer, Kent K. Leung, Jianxin Wang, Donovan O'Hara, Saman Taghavi Zargar, Subharthi Paul
  • Patent number: 10721211
    Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.
    Type: Grant
    Filed: October 13, 2017
    Date of Patent: July 21, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kent K. Leung, Xun Wang, Andrew E. Ossipov, Zhijun Liu, Jonathan Augustine Kunder
  • Patent number: 10708178
    Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: July 7, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Reinaldo Penno, Carlos M. Pignataro, Paul Quinn, Hung The Chau, Chui-Tin Yen, Vivek Kansal, Jianxin Wang, Kent K. Leung
  • Patent number: 10588044
    Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In a more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.
    Type: Grant
    Filed: May 14, 2018
    Date of Patent: March 10, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Flemming S. Andreasen, Kent K. Leung, Michel Khouderchah, Jayaraman R. Iyer, Timothy P. Stammers
  • Patent number: 10455403
    Abstract: Embodiments are directed to a virtual mobility anchor network element to receive, from a packet gateway (PGW) node, a request for an internet protocol (IP) address for a mobile device, establish an IP address for the mobile device; and provide the IP address to the PGW node in response to the request for the IP address for the mobile device. The virtual mobility anchor network element is configured to receive IP traffic from a network location; determine a target destination for the IP traffic based on a destination IP address, the destination IP address comprising the second IP address; and forward the IP traffic to the PGW node associated with the destination IP address. The virtual mobility anchor network element is also configured to receive IP traffic from the PGW node; determine a target destination for the IP traffic; and route the IP traffic to the target destination.
    Type: Grant
    Filed: May 21, 2018
    Date of Patent: October 22, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Srinath Gundavelli, Vojislav Vucetic, Kent K. Leung
  • Publication number: 20190068490
    Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
    Type: Application
    Filed: October 25, 2018
    Publication date: February 28, 2019
    Inventors: Reinaldo Penno, Carlos M. Pignataro, Paul Quinn, Hung The Chau, Chui-Tin Yen, Vivek Kansal, Jianxin Wang, Kent K. Leung
  • Patent number: 10171350
    Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: January 1, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Reinaldo Penno, Carlos M. Pignataro, Paul Quinn, Hung The Chau, Chui-Tin Yen, Vivek Kansal, Jianxin Wang, Kent K. Leung
  • Patent number: 10110433
    Abstract: A method is provided in one example embodiment and includes communicating a message from a network element to a remote data plane element in order to request a data plane resource for hosting a session for a particular subscriber. The remote data plane element is designated to host a data plane function for a particular mobile network subscriber and the data plane resource comprises at least one of memory space and processor allocation. The method further includes discovering nodes capable of supporting the control plane functions; discovering nodes capable of supporting the data plane functions for the session; and performing a system-specific internal configuration to support separation of the data plane functions and the control plane functions.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: October 23, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Gary B. Mahaffey, Jayaraman R. Iyer, Michel Khouderchah, Kent K. Leung, Robert A. Mackie, Timothy P. Stammers, Hy Quoc Pham
  • Patent number: 10111060
    Abstract: A system is disclosed for measuring data utilization attributable to use by an application being executed on a mobile device. The system has a server operable to register the application and transmit information to establish a connection between the application and a proxy server. The system also has a proxy server operable to establish a first connection with the application, receive direction to establish a second connection with a target endpoint, establish the second connection between the proxy server and the target endpoint, pass data between the target endpoint and the application using the established connections, and measure the amount of data passed between the target endpoint and the application.
    Type: Grant
    Filed: June 12, 2013
    Date of Patent: October 23, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Kent K. Leung, Jayaraman R. Iyer, Flemming S. Andreasen
  • Patent number: 10084703
    Abstract: A method is provided in one example embodiment and includes receiving at a network element a packet including a Network Services Header (“NSH”), in which the NSH includes an Infrastructure (“I”) flag and a service path header comprising a Service Index (“SI”), and a Service Path ID (“SPI”) and determining whether the I flag is set to a first value. The method further includes, if the I flag is set to the first value, setting the I flag to a second value and forwarding the packet to the service function that corresponds to the SI for processing. The method still further includes, if the I flag is not set to the first value, decrementing the SI and making a forwarding decision based on a new value of the SI and the SPI.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: September 25, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Hendrikus G. P. Bosch, Kent K. Leung, Abhijit Patra
  • Publication number: 20180270646
    Abstract: Embodiments are directed to a virtual mobility anchor network element to receive, from a packet gateway (PGW) node, a request for an internet protocol (IP) address for a mobile device, establish an IP address for the mobile device; and provide the IP address to the PGW node in response to the request for the IP address for the mobile device. The virtual mobility anchor network element is configured to receive IP traffic from a network location; determine a target destination for the IP traffic based on a destination IP address, the destination IP address comprising the second IP address; and forward the IP traffic to the PGW node associated with the destination IP address. The virtual mobility anchor network element is also configured to receive IP traffic from the PGW node; determine a target destination for the IP traffic; and route the IP traffic to the target destination.
    Type: Application
    Filed: May 21, 2018
    Publication date: September 20, 2018
    Inventors: Srinath Gundavelli, Vojislav Vucetic, Kent K. Leung
  • Publication number: 20180262942
    Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In a more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.
    Type: Application
    Filed: May 14, 2018
    Publication date: September 13, 2018
    Inventors: Flemming S. Andreasen, Kent K. Leung, Michel Khouderchah, Jayaraman R. Iyer, Timothy P. Stammers
  • Patent number: 10063556
    Abstract: A method is provided and may include receiving a request for a network content delivery service from an access device; directing the access device to a network service provider for authentication for the network content delivery service; receiving a network authorization token from the access device, where the network authorization token is associated with the access device; obtaining a network access token from the network service provider; and binding the network access token to a content access token.
    Type: Grant
    Filed: August 4, 2016
    Date of Patent: August 28, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Kent K. Leung, Jayaraman R. Iyer, Bruce A. Thompson, Flemming S. Andreasen
  • Patent number: 10009751
    Abstract: Embodiments are directed to a virtual mobility anchor network element to receive, from a packet gateway (PGW) node, a request for an internet protocol (IP) address for a mobile device, establish an IP address for the mobile device; and provide the IP address to the PGW node in response to the request for the IP address for the mobile device. The virtual mobility anchor network element is configured to receive IP traffic from a network location; determine a target destination for the IP traffic based on a destination IP address, the destination IP address comprising the second IP address; and forward the IP traffic to the PGW node associated with the destination IP address. The virtual mobility anchor network element is also configured to receive IP traffic from the PGW node; determine a target destination for the IP traffic; and route the IP traffic to the target destination.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: June 26, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Srinath Gundavelli, Vojislav Vucetic, Kent K. Leung
  • Patent number: 9973961
    Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In a more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.
    Type: Grant
    Filed: April 10, 2015
    Date of Patent: May 15, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Flemming S. Andreasen, Kent K. Leung, Michel Khouderchah, Jayaraman R. Iyer, Timothy P. Stammers
  • Publication number: 20180041474
    Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.
    Type: Application
    Filed: October 13, 2017
    Publication date: February 8, 2018
    Inventors: Kent K. Leung, Xun Wang, Andrew E. Ossipov, Zhijun Liu, Jonathan Augustine Kunder
  • Patent number: 9854000
    Abstract: In one embodiment, a method includes identifying unusual behavior with respect to a handshake between a first endpoint and a second endpoint that are included in a network, and determining whether the unusual behavior with respect to the handshake indicates presence of malicious software. The method also includes identifying at least one of the first endpoint and the second endpoint as potentially being infected by the malicious software if it is determined that the unusual behavior with respect to the handshake indicates the presence of malicious software.
    Type: Grant
    Filed: November 6, 2014
    Date of Patent: December 26, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Daniel G. Wing, Flemming S. Andreasen, Kent K. Leung
  • Publication number: 20170317926
    Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
    Type: Application
    Filed: May 20, 2016
    Publication date: November 2, 2017
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Reinaldo Penno, Carlos M. Pignataro, Paul Quinn, Hung The Chau, Chui-Tin Yen, Vivek Kansal, Jianxin Wang, Kent K. Leung
  • Patent number: 9800549
    Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.
    Type: Grant
    Filed: February 11, 2015
    Date of Patent: October 24, 2017
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kent K. Leung, Xun Wang, Andrew E. Ossipov, Zhijun Liu, Jonathan Augustine Kunder