Patents by Inventor Paul Kierstead
Paul Kierstead has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 7464398Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.Type: GrantFiled: May 19, 2003Date of Patent: December 9, 2008Assignee: Alcatel LucentInventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
-
Patent number: 7457867Abstract: A modified security protocol for remotely managed computer-based communications devices is presented. The protocol is based on the Syslog Sign protocol but is altered to allow an entity that collects log events from and/or remotely manages the device to provide authenticated acknowledgement of event logs that have been successfully received. This is achieved through an Acknowledgement Block which is signed by the entity and made available to the device.Type: GrantFiled: October 15, 2003Date of Patent: November 25, 2008Assignee: Alcatel LucentInventors: Brett Howard, Paul Kierstead
-
Patent number: 7284272Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.Type: GrantFiled: May 31, 2002Date of Patent: October 16, 2007Assignee: Alcatel Canada Inc.Inventors: Brett Howard, Jean-Marc Robert, Paul Kierstead, Scott David D'Souza
-
Patent number: 7284269Abstract: A communications security system has been described. The security system in the form of a firewall is made up of a plurality of communicatively coupled sets of modules in a matrix configuration. The modules may be implemented in hardware and software in order to rely on the advantages of each technology. Data packets are typically coupled to an ingress side of the firewall where policy rules having the highest importance are checked first. The result is a high speed system having carrier class availability.Type: GrantFiled: May 29, 2002Date of Patent: October 16, 2007Assignee: Alcatel Canada Inc.Inventors: Bertrand Marquet, Scott David D'Souza, Paul Kierstead
-
Patent number: 7283461Abstract: Methods and apparatus for detecting denial of service attacks on a system in a communications network are provided. A frequency analysis is performed on certain types of packets that arrive with a periodic nature. A frequency power spectrum obtained through Fourier Transform reveals whether the power level of any particular frequency is greater than the average power spectrum. The detection of a higher than average power level is an indication that an attack is in progress.Type: GrantFiled: August 21, 2002Date of Patent: October 16, 2007Assignee: Alcatel Canada Inc.Inventors: Scott D'Souza, Paul Kierstead
-
Patent number: 7190671Abstract: Methods and apparatus for mitigating denial of service attacks in a communications network are described. Frequency domain techniques such as Fourier Transform are used to detect packet flooding in which a frequency spectrum reveals a periodic pattern to the attack packets. A pulse generator is used to create pulses having the frequency and phase of the periodic pattern. New packets arriving simultaneously with the created pulses are dropped from the system and packets which are not synchronized with the pulse generator are passed through the system normally.Type: GrantFiled: August 21, 2002Date of Patent: March 13, 2007Assignee: Alcatel Canada Inc.Inventors: Scott D'Souza, Paul Kierstead
-
Patent number: 7114182Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and Fin packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts are determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.Type: GrantFiled: May 31, 2002Date of Patent: September 26, 2006Assignee: Alcatel Canada Inc.Inventors: Jean-Marc Robert, Brett Howard, Paul Kierstead, Scott David D'Souza
-
Publication number: 20050086370Abstract: A modified security protocol for remotely managed computer-based communications devices is presented. The protocol is based on the Syslog Sign protocol but is altered to allow an entity that collects log events from and/or remotely manages the device to provide authenticated acknowledgement of event logs that have been successfully received. This is achieved through an Acknowledgement Block which is signed by the entity and made available to the device.Type: ApplicationFiled: October 15, 2003Publication date: April 21, 2005Applicant: AlcatelInventors: Brett Howard, Paul Kierstead
-
Publication number: 20040250123Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.Type: ApplicationFiled: May 19, 2003Publication date: December 9, 2004Applicant: AlcatelInventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
-
Publication number: 20040037326Abstract: Methods and apparatus for mitigating denial of service attacks in a communications network are described. Frequency domain techniques such as Fourier Transform are used to detect packet flooding in which a frequency spectrum reveals a periodic pattern to the attack packets. A pulse generator is used to create pulses having the frequency and phase of the periodic pattern. New packets arriving simultaneously with the created pulses are dropped from the system and packets which are not synchronized with the pulse generator are passed through the system normally.Type: ApplicationFiled: August 21, 2002Publication date: February 26, 2004Inventors: Scott D'Souza, Paul Kierstead
-
Publication number: 20040037229Abstract: Methods and apparatus for detecting denial of service attacks on a system in a communications network are provided. A frequency analysis is performed on certain types of packets that arrive with a periodic nature. A frequency power spectrum obtained through Fourier Transform reveals whether the power level of any particular frequency is greater than the average power spectrum. The detection of a higher than average power level is an indication that an attack is in progress.Type: ApplicationFiled: August 21, 2002Publication date: February 26, 2004Inventors: Scott D'Souza, Paul Kierstead
-
Publication number: 20030226035Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and Fin packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts are determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.Type: ApplicationFiled: May 31, 2002Publication date: December 4, 2003Inventors: Jean-Marc Robert, Brett Howard, Paul Kierstead, Scott David D'Souza
-
Publication number: 20030226034Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.Type: ApplicationFiled: May 31, 2002Publication date: December 4, 2003Inventors: Brett Howard, Jean-Marc Robert, Paul Kierstead, Scott David D'Souza
-
Publication number: 20030226027Abstract: A communications security system has been described. The security system in the form of a firewall is made up of a plurality of communicatively coupled sets of modules in a matrix configuration. The modules may be implemented in hardware and software in order to rely on the advantages of each technology. Data packets are typically coupled to an ingress side of the firewall where policy rules having the highest importance are checked first. The result is a high speed system having carrier class availability.Type: ApplicationFiled: May 29, 2002Publication date: December 4, 2003Inventors: Bertrand Marquet, Scott David D'Souza, Paul Kierstead
-
Patent number: 6529513Abstract: A method and system for providing routing information for use in virtual private networks is disclosed. The method supports a variety of different secure network topologies. According to the method a static map is generated including information on each static gateway and resources accessible therethrough. The map also contains security information for accessing and authenticating a gateway.Type: GrantFiled: February 4, 1999Date of Patent: March 4, 2003Assignee: Alcatel Canada Inc.Inventors: Brett Howard, Andrew Robison, Roy Pereira, Paul Kierstead, Gabor Solymar
-
Patent number: 6353886Abstract: A method and system for implementing network policy is described. The method involves storing policy data using certificates using a certificate database server. Upon retrieval, a policy is then validated as properly certified prior to use. When a policy is not validated, it indicates tampering or improper policy data entry. When policy data is successfully validated, the policy is implemented.Type: GrantFiled: November 24, 1998Date of Patent: March 5, 2002Assignee: Alcatel Canada Inc.Inventors: Brett Howard, Paul Kierstead, Gabor Solymar, Andrew Robison, Roy Pereira, Lucien Marcotte