Patents by Inventor Ronald Becker Williams
Ronald Becker Williams has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10839082
Abstract: A data model extends or supplements an entity/resource association to include a “quality” of that association, where the quality is defined by an ordered set of relative values/characteristics. In an example scenario, an entity/resource association is augmented to include a quality characteristic that is defined by a tuple that is preferably an ordered set of relative values. The number of values and their designations in the data model will depend on nature of the underlying entity/resource association. When entity/resource associations are annotated to include relative quality values in this manner, much more useful comparisons of apparently similar entity/resource associations may be carried out.
Type: Grant
Filed: January 6, 2014
Date of Patent: November 17, 2020
Assignee: International Business Machines Corporation
Inventor: Ronald Becker Williams
-
Patent number: 10680946
Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD. This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
Type: Grant
Filed: May 21, 2019
Date of Patent: June 9, 2020
Assignee: International Business Machines Corporation
Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
-
Publication number: 20190273681
Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD. This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
Type: Application
Filed: May 21, 2019
Publication date: September 5, 2019
Applicant: International Business Machines Corporation
Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
-
Patent number: 10298489
Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD. This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
Type: Grant
Filed: July 24, 2015
Date of Patent: May 21, 2019
Assignee: International Business Machines Corporation
Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
-
Patent number: 9961103
Abstract: A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session in initiation request message, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.
Type: Grant
Filed: October 28, 2014
Date of Patent: May 1, 2018
Assignee: International Business Machines Corporation
Inventors: Ronald Becker Williams, Paul Coccoli, John William Court, Gregory Lyle Galloway, Matthew Joseph Kubilus, Steven Ashley Mazur, Joseph Karl Vossen
-
Patent number: 9942273
Abstract: A method, apparatus and computer program product for automatically reconfiguring a policy of a multi-tenant service is disclosed. A first tenant specific policy for a first tenant of a plurality of tenants serviced by the multi-tenant service is provided. The multi-tenant service uses a second tenant specific policy different from the first tenant specific policy for a second tenant of the plurality of tenants. An event relevant to the first tenant specific policy is detected. The first tenant specific policy is reconfigured according to the detected event.
Type: Grant
Filed: December 9, 2015
Date of Patent: April 10, 2018
Assignee: International Business Machines Corporation
Inventors: Cheng-Ta Lee, Ronald Becker Williams
-
Publication number: 20170171245
Abstract: A method, apparatus and computer program product for automatically reconfiguring a policy of a multi-tenant service is disclosed. A first tenant specific policy for a first tenant of a plurality of tenants serviced by the multi-tenant service is provided. The multi-tenant service uses a second tenant specific policy different from the first tenant specific policy for a second tenant of the plurality of tenants. An event relevant to the first tenant specific policy is detected. The first tenant specific policy is reconfigured according to the detected event.
Type: Application
Filed: December 9, 2015
Publication date: June 15, 2017
Inventors: Cheng-Ta Lee, Ronald Becker Williams
-
Patent number: 9621592
Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
Type: Grant
Filed: June 25, 2015
Date of Patent: April 11, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
-
Patent number: 9609023
Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
Type: Grant
Filed: February 10, 2015
Date of Patent: March 28, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
-
Patent number: 9584477
Abstract: An SDN controller associated with a switch maintains unique tenant/port association data, and pushes to the switch per-tenant policies. A per-tenant information processing port (IPP) on the switch enables traffic sent to or from a tenant to be distinguished from that of another tenant, even with respect to packet processing devices (PPDs) that share a particular switch. With the described approach, the properties of a non-overlay SDN are leveraged to support multi-tenancy in an efficient manner, preferably by associating a specific tenant with a specific port (on the virtual switch) once, rather than continuously parsing tenant data from the information flow. The technique enables the application of tenant-specific policy to tenant-specific network flows in a multi-tenant network.
Type: Grant
Filed: February 26, 2015
Date of Patent: February 28, 2017
Assignee: International Business Machines Corporation
Inventors: Ronald Becker Williams, Cheng-Ta Lee
-
Publication number: 20170026283
Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD. This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
Type: Application
Filed: July 24, 2015
Publication date: January 26, 2017
Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
-
Publication number: 20160255051
Abstract: An SDN controller associated with a switch maintains unique tenant/port association data, and pushes to the switch per-tenant policies. A per-tenant information processing port (IPP) on the switch enables traffic sent to or from a tenant to be distinguished from that of another tenant, even with respect to packet processing devices (PPDs) that share a particular switch. With the described approach, the properties of a non-overlay SDN are leveraged to support multi-tenancy in an efficient manner, preferably by associating a specific tenant with a specific port (on the virtual switch) once, rather than continuously parsing tenant data from the information flow. The technique enables the application of tenant-specific policy to tenant-specific network flows in a multi-tenant network.
Type: Application
Filed: February 26, 2015
Publication date: September 1, 2016
Inventors: Ronald Becker Williams, Cheng-Ta Lee
-
Publication number: 20160234250
Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
Type: Application
Filed: February 10, 2015
Publication date: August 11, 2016
Inventors: Paul Anthony ASHLEY, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
-
Publication number: 20160234224
Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
Type: Application
Filed: June 25, 2015
Publication date: August 11, 2016
Inventors: Paul Anthony ASHLEY, Stefan BERGER, Tian Cheng LIU, He Yuan HUANG, Sreekanth Ramakrishna IYER, Ashish KUNDU, Nataraj NAGARATNAM, Dimitrios PENDARAKIS, Ronald Becker WILLIAMS
-
Publication number: 20160119374
Abstract: A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session in initiation request message, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.
Type: Application
Filed: October 28, 2014
Publication date: April 28, 2016
Inventors: Ronald Becker Williams, Paul Coccoli, John William Court, Gregory Lyle Galloway, Matthew Joseph Kubilus, Steven Ashley Mazur, Joseph Karl Vossen
-
Publication number: 20150193524
Abstract: A data model extends or supplements an entity/resource association to include a “quality” of that association, where the quality is defined by an ordered set of relative values/characteristics. In an example scenario, an entity/resource association is augmented to include a quality characteristic that is defined by a tuple that is preferably an ordered set of relative values. The number of values and their designations in the data model will depend on nature of the underlying entity/resource association. When entity/resource associations are annotated to include relative quality values in this manner, much more useful comparisons of apparently similar entity/resource associations may be carried out.
Type: Application
Filed: January 6, 2014
Publication date: July 9, 2015
Applicant: International Business Machines Corporation
Inventor: Ronald Becker Williams