Patents by Inventor Reiner Sailer
Reiner Sailer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10410127
Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
Type: Grant
Filed: October 23, 2017
Date of Patent: September 10, 2019
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
-
Patent number: 10375101
Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.
Type: Grant
Filed: March 7, 2016
Date of Patent: August 6, 2019
Assignee: International Business Machines Corporation
Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
-
Patent number: 10242192
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Grant
Filed: September 9, 2016
Date of Patent: March 26, 2019
Assignee: International Business Machines Corporation
Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Patent number: 9922287
Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
Type: Grant
Filed: June 17, 2015
Date of Patent: March 20, 2018
Assignee: International Business Machines Corporation
Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc PH. Stoecklin, Ting Wang, Andrew M. White
-
Publication number: 20180060745
Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
Type: Application
Filed: October 23, 2017
Publication date: March 1, 2018
Inventors: Mihai CHRISTODORESCU, Xin HU, Douglas L. SCHALES, Reiner SAILER, Marc PH. STOECKLIN, Ting WANG, Andrew M. WHITE
-
Patent number: 9854057
Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.
Type: Grant
Filed: May 6, 2014
Date of Patent: December 26, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Suresh N. Chari, Pau-Chen Cheng, Xin Hu, Lawrence Koved, Josyula R. Rao, Reiner Sailer, Douglas L. Schales, Kapil K. Singh, Marc P. Stoecklin
-
Patent number: 9836607
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Grant
Filed: September 9, 2016
Date of Patent: December 5, 2017
Assignee: International Business Machines Corporation
Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Patent number: 9832217
Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.
Type: Grant
Filed: September 30, 2014
Date of Patent: November 28, 2017
Assignee: International Business Machines Corporation
Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrios Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
-
Patent number: 9536092
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Grant
Filed: February 16, 2016
Date of Patent: January 3, 2017
Assignee: International Business Machines Corporation
Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Publication number: 20160381008
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Application
Filed: September 9, 2016
Publication date: December 29, 2016
Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Publication number: 20160381007
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Application
Filed: September 9, 2016
Publication date: December 29, 2016
Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Publication number: 20160358083
Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
Type: Application
Filed: June 17, 2015
Publication date: December 8, 2016
Inventors: MIHAI CHRISTODORESCU, XIN HU, DOUGLAS L. SCHALES, REINER SAILER, MARC PH. STOECKLIN, TING WANG, ANDREW M. WHITE
-
Patent number: 9495420
Abstract: A distributed feature collection and correlation engine is provided, Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs.
Type: Grant
Filed: May 22, 2013
Date of Patent: November 15, 2016
Assignee: International Business Machines Corporation
Inventors: Mihai Christodorescu, Xin Hu, Douglas Lee Schales, Reiner Sailer, Marc P. Stoecklin, Ting Wang
-
Patent number: 9489426
Abstract: A distributed feature collection and correlation engine is provided, Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs.
Type: Grant
Filed: August 15, 2013
Date of Patent: November 8, 2016
Assignee: International Business Machines Corporation
Inventors: Mihai Christodorescu, Xin Hu, Douglas Lee Schales, Reiner Sailer, Marc P. Stoecklin, Ting Wang
-
Patent number: 9491078
Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
Type: Grant
Filed: June 26, 2015
Date of Patent: November 8, 2016
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
-
Publication number: 20160261624
Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.
Type: Application
Filed: March 7, 2016
Publication date: September 8, 2016
Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
-
Publication number: 20160164862
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Application
Filed: February 16, 2016
Publication date: June 9, 2016
Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Patent number: 9298922
Abstract: A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Type: Grant
Filed: July 10, 2008
Date of Patent: March 29, 2016
Assignee: International Business Machines Corporation
Inventors: Stefan Berger, Kenneth Goldman, Trenton R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
-
Patent number: 9251328
Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.
Type: Grant
Filed: July 19, 2012
Date of Patent: February 2, 2016
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Mihai Christodorescu, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin, Ting Wang
-
Publication number: 20150326594
Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.
Type: Application
Filed: May 6, 2014
Publication date: November 12, 2015
Applicant: International Business Machines Corporation
Inventors: Suresh N. Chari, Pau-Chen Cheng, Xin Hu, Lawrence Koved, Josyula R. Rao, Reiner Sailer, Douglas L. Schales, Kapil K. Singh, Marc P. Stoecklin