Patents by Inventor Sheng-Tung Hsu
Sheng-Tung Hsu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20190230120Abstract: A computer network endpoint is secured to prevent information leak or other compromise by instantiating in memory first, second and third security zones. With respect to an authorized user, the first zone is readable and writable, the second zone is read-only, and the third zone is neither readable nor writable. System information (e.g., applications, libraries, policies, etc.) are deployed into the first zone from the second zone. When sensitive data is generated in the first zone, e.g., when a secure communication session is established using a cryptographic key, the sensitive data is transferred from the first zone to the third zone, wherein it is immune from information leak or other compromise. The sensitive information is transferable from the third zone to one or more external having a need to know that information. Because information does not pass directly from the first security zone to the external systems, the endpoint is secured against information leak or other attack.Type: ApplicationFiled: January 19, 2018Publication date: July 25, 2019Applicant: International Business Machines CorporationInventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Fadly Yahaya
-
Publication number: 20190116205Abstract: Establishing Transport Layer Security/Secure Sockets Layer (TLS/SSL) sessions with destination servers for Internet of Things (IoT) devices is provided. A request is sent to establish a TLS/SSL session with a target destination server in a set of destination servers using destination server information related to a particular IoT device in a plurality of IoT devices. A TLS/SSL session is established with the target destination server corresponding to the particular IoT device. TLS/SSL session credential information is received for the particular IoT device from the target destination server. The TLS/SSL session credential information for the particular IoT device is saved in a session credential information table. The TLS/SSL session is suspended with the target destination server corresponding to the particular IoT device.Type: ApplicationFiled: October 16, 2017Publication date: April 18, 2019Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Jia-Sian Jhang
-
Publication number: 20190109859Abstract: Selecting a receive side scaling (RSS) key is provided. It is determined whether a defined time interval expired. In response to determining that the defined time interval has expired, it is determined whether one or more keys in a set of randomly generated candidate RSS keys have a higher packet distribution score than an active RSS key. In response to determining that one or more keys in the set of randomly generated candidate RSS keys have a higher packet distribution score than the active RSS key, an RSS key having a highest packet distribution score is selected from the one or more keys in the set of randomly generated candidate RSS keys that have a higher packet distribution score than the active RSS key. The RSS key having the highest packet distribution score is used to distribute incoming network packets across a plurality of processors.Type: ApplicationFiled: November 14, 2017Publication date: April 11, 2019Inventors: Chih-Wen Chao, Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Ming-Pin Hsueh
-
Publication number: 20190109858Abstract: Selecting a receive side scaling (RSS) key is provided. It is determined whether a defined time interval expired. In response to determining that the defined time interval has expired, it is determined whether one or more keys in a set of randomly generated candidate RSS keys have a higher packet distribution score than an active RSS key. In response to determining that one or more keys in the set of randomly generated candidate RSS keys have a higher packet distribution score than the active RSS key, an RSS key having a highest packet distribution score is selected from the one or more keys in the set of randomly generated candidate RSS keys that have a higher packet distribution score than the active RSS key. The RSS key having the highest packet distribution score is used to distribute incoming network packets across a plurality of processors.Type: ApplicationFiled: October 11, 2017Publication date: April 11, 2019Inventors: Chih-Wen Chao, Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Ming-Pin Hsueh
-
Publication number: 20190104148Abstract: A method for preventing abnormal application activity is provided. Packets are retrieved from a packet buffer using packet location information corresponding to information associated with the abnormal application activity in a data processing system. The packets are analyzed to identify content of the network packets causing the abnormal application activity. Network packets containing the content causing the abnormal application activity in the data processing system are blocked.Type: ApplicationFiled: November 14, 2017Publication date: April 4, 2019Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Publication number: 20190104146Abstract: A system and computer program product for preventing abnormal application activity is provided. Packets are retrieved from a packet buffer using packet location information corresponding to information associated with the abnormal application activity in a data processing system. The packets are analyzed to identify content of the network packets causing the abnormal application activity. Network packets containing the content causing the abnormal application activity in the data processing system are blocked.Type: ApplicationFiled: October 3, 2017Publication date: April 4, 2019Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Patent number: 10250596Abstract: A method for monitoring encrypted communication sessions between computing devices includes intercepting messages of a handshaking procedure between a client and a server device, the handshaking procedure establishing an encrypted communication session between the client and server. The method further includes determining, from the messages, a session context for the encrypted session and an identifier associated with the session context. The method further includes storing the session context in a database indexed by the identifier. The method further includes intercepting, subsequent to the storing, second messages of a second handshaking procedure between the client and a second server device, the where second handshaking procedure resumes the encrypted communication session after an interruption.Type: GrantFiled: June 29, 2016Date of Patent: April 2, 2019Assignee: International Business Machines CorporationInventors: Sheng-Tung Hsu, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu, Rick M. F. Wu
-
Publication number: 20190098029Abstract: A system, method and computer program product for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.Type: ApplicationFiled: October 15, 2018Publication date: March 28, 2019Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Patent number: 10237284Abstract: A method for implementing an Internet of Things security appliance is presented. The method may include intercepting a data packet sent from a server to a client computing device. The method may include performing a security check on the data packet using security modules. The method may include determining the data packet is not malicious based on the security check. The method may include determining a shadow tester to test the data packet based on a type associated with the client computing device. The method may include creating a virtualization environment of the client computing device using the shadow tester. The method may include analyzing behaviors associated with the data packet within the virtualization environment using detection modules. The method may include determining the behaviors do not violate a behavior policy associated with the client computing device. The method may include transmitting the data packet to the client computing device.Type: GrantFiled: March 31, 2016Date of Patent: March 19, 2019Assignee: International Business Machines CorporationInventors: KuoChun Chen, Sheng-Tung Hsu, Jia-Sian Jhang, Chun-Shuo Lin
-
Publication number: 20190014132Abstract: A method for implementing an Internet of Things security appliance is presented. The method may include intercepting a data packet sent from a server to a client computing device. The method may include performing a security check on the data packet using security modules. The method may include determining the data packet is not malicious based on the security check. The method may include determining a shadow tester to test the data packet based on a type associated with the client computing device. The method may include creating a virtualization environment of the client computing device using the shadow tester. The method may include analyzing behaviors associated with the data packet within the virtualization environment using detection modules. The method may include determining the behaviors do not violate a behavior policy associated with the client computing device. The method may include transmitting the data packet to the client computing device.Type: ApplicationFiled: September 12, 2018Publication date: January 10, 2019Inventors: KuoChun Chen, Sheng-Tung Hsu, Jia-Sian Jhang, Chun-Shuo Lin
-
Patent number: 10178068Abstract: A method of translating network attributes of packets in a multi-tenant environment, and an appliance and a program product implementing the method. The method comprises the following steps: receiving a packet from a multi-tenant environment; referring to the information of tenants, translating a selected network attribute of the packet into a unique identity representing the packet in the multi-tenant environment; and forwarding the translated packet including the unique identity.Type: GrantFiled: October 6, 2017Date of Patent: January 8, 2019Assignee: International Business Machines CorporationInventors: Sheng-Tung Hsu, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
-
Patent number: 10116672Abstract: A method for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.Type: GrantFiled: November 14, 2017Date of Patent: October 30, 2018Assignee: International Business Machines CorporationInventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Patent number: 10116671Abstract: A system and computer program product for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.Type: GrantFiled: September 28, 2017Date of Patent: October 30, 2018Assignee: International Business Machines CorporationInventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Patent number: 10091167Abstract: A method of interpreting a rule and a rule-interpreting apparatus for rule-based security apparatus, and an apparatus implementing the method. The method comprises the following steps: designating a suspicious timeslot; if any packet does not present in the designated timeslot, capturing current incoming packets or capturing other incoming packets in the designated timeslot next time; automatically associating the packets in the designated timeslot to form at least one traffic flow corresponding to a connection or call; analyzing the at least one traffic flow to select at least one suspicious target traffic flow; and outputting the at least one selected suspicious target flow.Type: GrantFiled: May 18, 2017Date of Patent: October 2, 2018Assignee: International Business Machines CorporationInventors: Sheng-Tung Hsu, Chien Pang Lee, Pei-Chun Yao
-
Patent number: 9935981Abstract: Embodiments of the present invention provide systems and methods for exchanging information. Communications between an intrusion prevention system (IPS) and at least one end-point are facilitated by controlling network traffic flow in an IPS and the at least one end-point and formation of an information plane. The formed information plane allows attributes of the IPS and the at least one end-point to reside in the formed information plane. A network access policy (NAP) works in conjunction with an IPS and leverages created customized network objects (CNOs). Upon analyzing data packets, the data packets may or may not be forwarded to the IPS.Type: GrantFiled: September 18, 2015Date of Patent: April 3, 2018Assignee: International Business Machines CorporationInventors: Sheng-Tung Hsu, Cheng-Ta Lee, Joey H. Y. Tseng, Rick M. F. Wu
-
Patent number: 9906557Abstract: A mechanism is provided for generating a packet inspection policy for a policy enforcement point in a centralized management environment. Data of a network topology for the policy enforcement point corresponding to a network infrastructure is updated according to metadata of the policy enforcement point, the metadata including a capability of the policy enforcement point. The packet inspection policy for the policy enforcement point is generated according to the data of the network topology and the capability of the policy enforcement point. The packet inspection policy is then deployed to the policy enforcement point.Type: GrantFiled: June 19, 2015Date of Patent: February 27, 2018Assignee: International Business Machines CorporationInventors: Wei-Hsiang Hsiung, Sheng-Tung Hsu, Cheng-Ta Lee, Ming-Hsun Wu
-
Patent number: 9887962Abstract: A method of translating network attributes of packets in a multi-tenant environment, and an appliance and a program product implementing the method. The method comprises the following steps: receiving a packet from a multi-tenant environment; referring to the information of tenants, translating a selected network attribute of the packet into a unique identity representing the packet in the multi-tenant environment; and forwarding the translated packet including the unique identity.Type: GrantFiled: September 30, 2015Date of Patent: February 6, 2018Assignee: International Business Machines CorporationInventors: Sheng-Tung Hsu, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
-
Publication number: 20180034768Abstract: A method of translating network attributes of packets in a multi-tenant environment, and an appliance and a program product implementing the method. The method comprises the following steps: receiving a packet from a multi-tenant environment; referring to the information of tenants, translating a selected network attribute of the packet into a unique identity representing the packet in the multi-tenant environment; and forwarding the translated packet including the unique identity.Type: ApplicationFiled: October 6, 2017Publication date: February 1, 2018Inventors: Sheng-Tung Hsu, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
-
Publication number: 20180007038Abstract: A method for monitoring encrypted communication sessions between computing devices includes intercepting messages of a handshaking procedure between a client and a server device, the handshaking procedure establishing an encrypted communication session between the client and server. The method further includes determining, from the messages, a session context for the encrypted session and an identifier associated with the session context. The method further includes storing the session context in a database indexed by the identifier. The method further includes intercepting, subsequent to the storing, second messages of a second handshaking procedure between the client and a second server device, the where second handshaking procedure resumes the encrypted communication session after an interruption.Type: ApplicationFiled: June 29, 2016Publication date: January 4, 2018Inventors: Sheng-Tung Hsu, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu, Rick M.F. Wu
-
Publication number: 20170339108Abstract: A method of interpreting a rule and a rule-interpreting apparatus for rule-based security apparatus, and an apparatus implementing the method. The method comprises the following steps: designating a suspicious timeslot; if any packet does not present in the designated timeslot, capturing current incoming packets or capturing other incoming packets in the designated timeslot next time; automatically associating the packets in the designated timeslot to form at least one traffic flow corresponding to a connection or call; analyzing the at least one traffic flow to select at least one suspicious target traffic flow; and outputting the at least one selected suspicious target flow.Type: ApplicationFiled: May 18, 2017Publication date: November 23, 2017Inventors: Sheng-Tung Hsu, Chien Pang Lee, Pei-Chun Yao