Patents by Inventor Mark Krischer
Mark Krischer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9755943
Abstract: In an example embodiment, there is described herein a location based detection technique that determines whether multiple requests from different addresses, such as a Layer 2 MAC (Media Access Control) address and/or layer 3 IP (Internet Protocol) address are being sent from a single device. In particular embodiments, if the device sends more than a predefined threshold number of requests, those requests can be ignored and/or denied.
Type: Grant
Filed: August 8, 2013
Date of Patent: September 5, 2017
Assignee: Cisco Technology, Inc.
Inventors: Mark Krischer, Tom Koenig, Nancy Cam-Winget
-
Patent number: 9264895
Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.
Type: Grant
Filed: August 12, 2013
Date of Patent: February 16, 2016
Assignee: Cisco Technology, Inc.
Inventors: Mark Krischer, Nancy Cam-Winget, Sheausong Yang, Ajit Sanzgiri, Timothy Olson, Pauline Shuen
-
Publication number: 20150042792
Abstract: In an example embodiment, there is described herein a location based detection technique that determines whether multiple requests from different addresses, such as a Layer 2 MAC (Media Access Control) address and/or layer 3 IP (Internet Protocol) address are being sent from a single device. In particular embodiments, if the device sends more than a predefined threshold number of requests, those requests can be ignored and/or denied.
Type: Application
Filed: August 8, 2013
Publication date: February 12, 2015
Applicant: Cisco Technology, Inc.
Inventors: Mark Krischer, Tom Koenig, Nancy Cam-Winget
-
Publication number: 20140237247
Abstract: System architecture and corresponding method for securing communication via a network (e.g. IEEE 802.11) is provided. In accordance with one embodiment, the present system and method protocol, may be suitably configured to achieve mutual authentication by using a shared secret to establish a tunnel used to protect weaker authentication methods (e.g. user names and passwords). The shared secret, referred to in this embodiment as the protected access credential may be advantageously used to mutually authenticate a server and a peer upon securing a tunnel for communication via a network. The present system and method disclosed and claimed herein, in one aspect thereof, comprises the steps of 1) providing a communication implementation between a first and a second party; 2) provisioning a secure credential between the first and the second party; and 3) establishing a secure tunnel between the first and the second party using the secure credential.
Type: Application
Filed: April 28, 2014
Publication date: August 21, 2014
Inventors: Nancy C. Winget, Hao Zhou, Mark Krischer, Joseph Salowey, Jeremy Stieglitz, Saar Gillai, Padmanabha Jakkahalli
-
Patent number: 8713626
Abstract: Methods and systems for use in a wireless client that includes one or more wireless network interfaces for communicating with at least one access point wherein the method enables the wireless client to validate the authenticity and integrity of received management frames. The method includes receiving a protected wireless network management frame from an access point verifying a message integrity check (MIC) appended to the protected wireless network management frame. One or more security policies are then conditionally applied based on a failure to verify the MIC.
Type: Grant
Filed: December 6, 2005
Date of Patent: April 29, 2014
Assignee: Cisco Technology, Inc.
Inventors: Nancy Cam-Winget, Mark Krischer, Robert B. O'Hara, Jr.
-
Patent number: 8627470
Abstract: In one embodiment, an apparatus includes an intrusion detection arrangement and a location identification arrangement. The intrusion detection arrangement determines when a client without authorization attempts to access a wireless network of which the intrusion detection arrangement is a part. The location identification arrangement identifies at least a first approximate physical location of the client without authorization when the client without authorization attempts to access the wireless network. The location identification arrangement is configured to communicate the first approximate physical location to a surveillance arrangement which monitors the first approximate physical location.
Type: Grant
Filed: November 13, 2007
Date of Patent: January 7, 2014
Assignee: Cisco Technology, Inc.
Inventors: Mark Krischer, Simon King
-
Publication number: 20130333012
Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.
Type: Application
Filed: August 12, 2013
Publication date: December 12, 2013
Applicant: Cisco Technology, Inc.
Inventors: Mark KRISCHER, Nancy CAM-WINGET, Sheausong YANG, Ajit SANZGIRI, Timothy OLSON, Pauline SHUEN
-
Patent number: 8533832
Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.
Type: Grant
Filed: April 25, 2012
Date of Patent: September 10, 2013
Assignee: Cisco Technology, Inc.
Inventors: Nancy Cam Winget, Mark Krischer, Sheausong Yang, Ajit Sanzgiri, Timothy Olson, Pauline Shuen
-
Patent number: 8254882
Abstract: In one embodiment, a method includes receiving security context information relevant to a connection between a wireless network infrastructure component and a wireless client, wherein the security context information comprises at least, an identification of the wireless client, and wherein the security context information identifies any security protocols associated with the connection; validating the connection based on the security context information; and transmitting the security context information to one or more detector wireless access points.
Type: Grant
Filed: January 29, 2007
Date of Patent: August 28, 2012
Assignee: Cisco Technology, Inc.
Inventors: Nancy Cam-Winget, Mark Krischer, Robert B. O'Hara, Jr.
-
Publication number: 20110113252
Abstract: In an example embodiment described herein is an apparatus comprising a transceiver configured to send and receive data, and logic coupled to the transceiver. The logic is configured to determine from a beacon received by the wireless transceiver whether an associated wireless device sending the beacon supports a protocol for advertising available services from the associated wireless device. The logic is configured to send a request for available services from the associated wireless device via the wireless transceiver responsive to determining the associated wireless device supports the protocol. The logic is configured to receive a response to the request via the wireless transceiver, the response comprising a signature. The logic is configured to validate the response by confirming the signature comprises network data cryptographically bound with service data.
Type: Application
Filed: November 6, 2009
Publication date: May 12, 2011
Inventors: Mark Krischer, James Edward Burns, Nancy Cam-Winget, Esteban Raul Torres
-
Patent number: 7882349
Abstract: Method for detecting an attack on a broadcast key shared between an access point and its wireless clients. Upon detection of the attack, actions are implemented to react to the attack as defined in one or more security policies. Detection of the attack is achieved by examining both a link message integrity check and an infrastructure management frame protection (IMFP) message integrity check contained in a broadcast management frame.
Type: Grant
Filed: December 6, 2005
Date of Patent: February 1, 2011
Assignee: Cisco Technology, Inc.
Inventors: Nancy Cam-Winget, Mark Krischer, Robert B. O'Hara, Jr.
-
Method and apparatus to provide data streaming over a network connection in a wireless MAC processor
Patent number: 7835371
Abstract: A method of wirelessly transmitting or receiving a packet of information, and an apparatus to wirelessly transmit or receive a packet of information. In the case of transmitting, the method includes streaming a data element, including at least some of the contents of the packet, over a network link during transmit time. In the case of receiving, the method includes streaming a data element, including at least some of the contents of the received packet, over a network link during receive time. The transmitting or receiving is by a station of a wireless network and the streaming is to or from the station from or to a network device coupled to the station by the network link.
Type: Grant
Filed: September 1, 2005
Date of Patent: November 16, 2010
Assignee: Cisco Technology, Inc.
Inventors: Mark Krischer, Philip J. Ryan, Michael J. Webb
-
Patent number: 7809354
Abstract: Methods, apparatuses and systems directed to detecting address spoofing in wireless networks by, after receiving a wireless management frame, transmitting verification messages to determine whether a given wireless node (e.g., a wireless access point, or wireless client) has legitimately lost its connection state.
Type: Grant
Filed: March 16, 2006
Date of Patent: October 5, 2010
Assignee: Cisco Technology, Inc.
Inventors: Patrice R. Calhoun, Nancy Cam-Winget, Mark Krischer, Robert B. O'Hara, Jr.
-
Patent number: 7788480
Abstract: A method and implementation is disclosed for secure communication between two or more parties. A secure tunnel is established between parties using an encryption algorithm. An authentication process is performed between parties over the secured tunnel. The provisioning of credentials is thereafter performed between parties.
Type: Grant
Filed: November 5, 2003
Date of Patent: August 31, 2010
Assignee: Cisco Technology, Inc.
Inventors: Nancy Cam Winget, Mark Krischer, Ilan Frenkel, Hao Zhou
-
Publication number: 20090327736
Abstract: Method for detecting an attack on a broadcast key shared between an access point and its wireless clients. Upon detection of the attack, actions are implemented to react to the attack as defined in one or more security policies. Detection of the attack is achieved by examining both a link message integrity check and an infrastructure management frame protection (IMFP) message integrity check contained in a broadcast management frame.
Type: Application
Filed: December 6, 2005
Publication date: December 31, 2009
Applicant: Cisco Technology, Inc.
Inventors: Nancy Cam-Winget, Mark Krischer, Robert B. O'Hara, JR.
-
Patent number: 7631347
Abstract: A system and method that supports disjoint authentication server farms and disjoint policy or authorization servers for multi-session establishment. The authentication server has global knowledge of authenticators for additional sessions for a supplicant and can split authentication requests as needed to different authentication servers. The split authentication and authorization requests can be aggregated should the other authentication and authorization servers have the capability to handle multiple requests. In the case of server farms, authentication and implied authorization requests can be split to facilitate load balancing.
Type: Grant
Filed: November 18, 2005
Date of Patent: December 8, 2009
Assignee: Cisco Technology, Inc.
Inventors: Nancy Cam-Winget, Mark Krischer, Jeremy Stieglitz
-
Publication number: 20090235077
Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.
Type: Application
Filed: April 27, 2009
Publication date: September 17, 2009
Inventors: Nancy Cam Winget, Mark Krischer, Sheausong Yang, Ajit Sanzgiri, Timothy Olson, Pauline Shuen
-
Patent number: 7562224
Abstract: A system and method that allows a device to complete a single complete authentication sequence to a AAA server resulting in as many secure sessions required for the different applications or subsystems determined by the client's identity and the AAA server's policy. As the device is authenticated, it is determined where there are other sessions for the device. The sessions are established by generating unique new keying material that is passed to each session. This can be accomplished by (a) the authenticator or AAA server issuing the keys and distributing them to both the supplicant and applications (via their authenticators); or (b) authenticator or the AAA server mutually generating the session unique keys with the supplicant that are then distributed to the applications (via their authenticators).
Type: Grant
Filed: April 4, 2005
Date of Patent: July 14, 2009
Assignee: Cisco Technology, Inc.
Inventors: Mark Krischer, Nancy Cam Winget
-
Patent number: 7548532
Abstract: A method of wirelessly transmitting or receiving a packet of information, and an apparatus to wirelessly transmit or receive a packet of information. In the case of transmitting, the method includes streaming a data element, including at least some of the contents of the packet, over a network link during transmit time, including encrypting the data element during the streaming in real time prior to the transfer over the network link. In the case of receiving, the method includes streaming a data element, including at least some of the contents of the received packet, over a network link during receive time, including decrypting the data element during the streaming in real time after to the transfer over the network link. The transmitting or receiving is by a station of a wireless network and the streaming is to or from the station from or to a network device coupled to the station by the network link.
Type: Grant
Filed: August 5, 2005
Date of Patent: June 16, 2009
Assignee: Cisco Technology, Inc.
Inventors: Mark Krischer, Philip J. Ryan, Michael J. Webb
-
Publication number: 20090125981
Abstract: In one embodiment, an apparatus includes an intrusion detection arrangement and a location identification arrangement. The intrusion detection arrangement determines when a client without authorization attempts to access a wireless network of which the intrusion detection arrangement is a part. The location identification arrangement identifies at least a first approximate physical location of the client without authorization when the client without authorization attempts to access the wireless network.
Type: Application
Filed: November 13, 2007
Publication date: May 14, 2009
Applicant: CISCO TECHNOLOGY, INC.
Inventors: Mark Krischer, Simon King