Patents by Inventor Reiner Sailer

Reiner Sailer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10410127
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: October 23, 2017
    Date of Patent: September 10, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Patent number: 10375101
    Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of system calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: August 6, 2019
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
  • Patent number: 10242192
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: March 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Patent number: 9922287
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: March 20, 2018
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc PH. Stoecklin, Ting Wang, Andrew M. White
  • Publication number: 20180060745
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Application
    Filed: October 23, 2017
    Publication date: March 1, 2018
    Inventors: Mihai CHRISTODORESCU, Xin HU, Douglas L. SCHALES, Reiner SAILER, Marc PH. STOECKLIN, Ting WANG, Andrew M. WHITE
  • Patent number: 9854057
    Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.
    Type: Grant
    Filed: May 6, 2014
    Date of Patent: December 26, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Suresh N. Chari, Pau-Chen Cheng, Xin Hu, Lawrence Koved, Josyula R. Rao, Reiner Sailer, Douglas L. Schales, Kapil K. Singh, Marc P. Stoecklin
  • Patent number: 9836607
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: December 5, 2017
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Patent number: 9832217
    Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of system calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: November 28, 2017
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrios Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
  • Patent number: 9536092
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: January 3, 2017
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Publication number: 20160381008
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Application
    Filed: September 9, 2016
    Publication date: December 29, 2016
    Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Publication number: 20160381007
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Application
    Filed: September 9, 2016
    Publication date: December 29, 2016
    Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Publication number: 20160358083
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Application
    Filed: June 17, 2015
    Publication date: December 8, 2016
    Inventors: MIHAI CHRISTODORESCU, XIN HU, DOUGLAS L. SCHALES, REINER SAILER, MARC PH. STOECKLIN, TING WANG, ANDREW M. WHITE
  • Patent number: 9495420
    Abstract: A distributed feature collection and correlation engine is provided. Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs.
    Type: Grant
    Filed: May 22, 2013
    Date of Patent: November 15, 2016
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas Lee Schales, Reiner Sailer, Marc P. Stoecklin, Ting Wang
  • Patent number: 9489426
    Abstract: A distributed feature collection and correlation engine is provided. Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: November 8, 2016
    Assignee: International Business Machines Corporation
    Inventors: Mihai Christodorescu, Xin Hu, Douglas Lee Schales, Reiner Sailer, Marc P. Stoecklin, Ting Wang
  • Patent number: 9491078
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: November 8, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Publication number: 20160261624
    Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of system calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.
    Type: Application
    Filed: March 7, 2016
    Publication date: September 8, 2016
    Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
  • Publication number: 20160164862
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Application
    Filed: February 16, 2016
    Publication date: June 9, 2016
    Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Patent number: 9298922
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Grant
    Filed: July 10, 2008
    Date of Patent: March 29, 2016
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Kenneth Goldman, Trenton R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Patent number: 9251328
    Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.
    Type: Grant
    Filed: July 19, 2012
    Date of Patent: February 2, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mihai Christodorescu, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin, Ting Wang
  • Publication number: 20150326594
    Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.
    Type: Application
    Filed: May 6, 2014
    Publication date: November 12, 2015
    Applicant: International Business Machines Corporation
    Inventors: Suresh N. Chari, Pau-Chen Cheng, Xin Hu, Lawrence Koved, Josyula R. Rao, Reiner Sailer, Douglas L. Schales, Kapil K. Singh, Marc P. Stoecklin