Patents by Inventor Shidong Shan
Shidong Shan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11481508
  Abstract: A mechanism is provided for monitoring and controlling data access. Responsive to intercepting a response from a server to a request for information from a client device, a security system agent applies pattern matching using a predefined set of sensitive data pattern rules to identify at least one sensitive data access included in the response. Responsive to identifying at least one sensitive data access matching one or more of the predefined set of sensitive data pattern rules, the security system agent modifies the request from the client by marking the at least one sensitive data access as sensitive, thereby forming a modified request. The security system agent sends the modified request to the security system, thereby causing the security system to process the modified request without accessing the sensitive data associated with the at least one marked sensitive data access.
  Type: Grant
  Filed: December 15, 2020
  Date of Patent: October 25, 2022
  Assignee: International Business Machines Corporation
  Inventors: Tania Butovsky, Leonid Rodniansky, Mikhail Shpak, Richard Ory Jerrell, Peter Maniatis, Shidong Shan
- Publication number: 20220224722
  Abstract: A method, system, and computer program product for recommending an initial database security model. The method may include identifying a plurality of nodes connected to a security network. The method may also include analyzing security characteristics of each node of the plurality of nodes. The method may also include identifying, from the security characteristics, key factors for each node. The method may also include calculating similarities between each node of the plurality of nodes. The method may also include building a self-organized centerless network across the plurality of nodes by grouping nodes with high similarities based on the similarities between each node, where the self-organized centerless network is a centerless network without a central management server, and includes groups of nodes from the plurality of nodes. The method may also include generating federated security models for the groups of nodes.
  Type: Application
  Filed: January 14, 2021
  Publication date: July 14, 2022
  Inventors: Sheng Yan Sun, Shuo Li, Xiaobo Wang, Jun Wang, Hua Wang, Shidong Shan, Xing Xing Jing
- Publication number: 20220188437
  Abstract: A mechanism is provided for monitoring and controlling data access. Responsive to intercepting a response from a server to a request for information from a client device, a security system agent applies pattern matching using a predefined set of sensitive data pattern rules to identify at least one sensitive data access included in the response. Responsive to identifying at least one sensitive data access matching one or more of the predefined set of sensitive data pattern rules, the security system agent modifies the request from the client by marking the at least one sensitive data access as sensitive, thereby forming a modified request. The security system agent sends the modified request to the security system, thereby causing the security system to process the modified request without accessing the sensitive data associated with the at least one marked sensitive data access.
  Type: Application
  Filed: December 15, 2020
  Publication date: June 16, 2022
  Inventors: Tania Butovsky, Leonid Rodniansky, Mikhail Shpak, Richard Ory Jerrell, Peter Maniatis, Shidong Shan
- Patent number: 10397279
  Abstract: Data traffic is monitored on a network with data access elements thereof collected and compared to security rules. An audit data collection is sent to a repository responsive to data access elements matching a condition of the security rules, where security rules having the condition designate the audit data collection and repository. A tag to data traffic is applied responsive to the matching condition. Comparing of collected data access elements to the corresponding security rules having the matching condition is discontinued responsive to applying the tag. The tag indicates a repository and the data traffic includes a connection and session. An audit data collection is sent to the repository indicated by the tag for a data access responsive to the tag in the tagged data traffic. The method continues sending audit data for future data accesses in the tagged data traffic without comparing to the corresponding security rules again.
  Type: Grant
  Filed: December 20, 2017
  Date of Patent: August 27, 2019
  Assignee: International Business Machines Corporation
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Patent number: 10110637
  Abstract: Data traffic is monitored on a network with data access elements thereof collected and compared to security rules. An audit data collection is sent to a repository responsive to data access elements matching a condition of the security rules, where security rules having the condition designate the audit data collection and repository. A tag to data traffic is applied responsive to the matching condition. Comparing of collected data access elements to the corresponding security rules having the matching condition is discontinued responsive to applying the tag. The tag indicates a repository and the data traffic includes a connection and session. An audit data collection is sent to the repository indicated by the tag for a data access responsive to the tag in the tagged data traffic. The method continues sending audit data for future data accesses in the tagged data traffic without comparing to the corresponding security rules again.
  Type: Grant
  Filed: October 22, 2017
  Date of Patent: October 23, 2018
  Assignee: International Business Machines Corporation
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Publication number: 20180139243
  Abstract: Data traffic is monitored on a network with data access elements thereof collected and compared to security rules. An audit data collection is sent to a repository responsive to data access elements matching a condition of the security rules, where security rules having the condition designate the audit data collection and repository. A tag to data traffic is applied responsive to the matching condition. Comparing of collected data access elements to the corresponding security rules having the matching condition is discontinued responsive to applying the tag. The tag indicates a repository and the data traffic includes a connection and session. An audit data collection is sent to the repository indicated by the tag for a data access responsive to the tag in the tagged data traffic. The method continues sending audit data for future data accesses in the tagged data traffic without comparing to the corresponding security rules again.
  Type: Application
  Filed: December 20, 2017
  Publication date: May 17, 2018
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Patent number: 9973536
  Abstract: Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules. A first audit data collection is sent to a first repository in response to one or more data access elements of a first data access matching a first condition of one of the security rules. The one of the security rules having the first condition designates the first audit data collection and the first repository. A second audit data collection is sent to a second repository in response to one or more data access elements of a second data access matching a second condition of one of the security rules. The one of the security rules having the second condition designates the second audit data collection and the second repository.
  Type: Grant
  Filed: July 21, 2015
  Date of Patent: May 15, 2018
  Assignee: International Business Machines Corporation
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Publication number: 20180063196
  Abstract: Data traffic is monitored on a network with data access elements thereof collected and compared to security rules. An audit data collection is sent to a repository responsive to data access elements matching a condition of the security rules, where security rules having the condition designate the audit data collection and repository. A tag to data traffic is applied responsive to the matching condition. Comparing of collected data access elements to the corresponding security rules having the matching condition is discontinued responsive to applying the tag. The tag indicates a repository and the data traffic includes a connection and session. An audit data collection is sent to the repository indicated by the tag for a data access responsive to the tag in the tagged data traffic. The method continues sending audit data for future data accesses in the tagged data traffic without comparing to the corresponding security rules again.
  Type: Application
  Filed: October 22, 2017
  Publication date: March 1, 2018
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Publication number: 20150326616
  Abstract: Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules. A first audit data collection is sent to a first repository in response to one or more data access elements of a first data access matching a first condition of one of the security rules. The one of the security rules having the first condition designates the first audit data collection and the first repository. A second audit data collection is sent to a second repository in response to one or more data access elements of a second data access matching a second condition of one of the security rules. The one of the security rules having the second condition designates the second audit data collection and the second repository.
  Type: Application
  Filed: July 21, 2015
  Publication date: November 12, 2015
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Patent number: 9124619
  Abstract: Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules providing sets of predefined data access elements for identifying predefined data accesses. First audit data collections for data accesses are sent to a first repository. For a data access that matches one of the rules, a second audit data collection defined by the matching rule is sent to at least a second repository designated by the matching rule.
  Type: Grant
  Filed: December 8, 2012
  Date of Patent: September 1, 2015
  Assignee: International Business Machines Corporation
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Patent number: 9106682
  Abstract: Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules providing sets of predefined data access elements for identifying predefined data accesses. First audit data collections for data accesses are sent to a first repository. For a data access that matches one of the rules, a second audit data collection defined by the matching rule is sent to at least a second repository designated by the matching rule.
  Type: Grant
  Filed: July 8, 2013
  Date of Patent: August 11, 2015
  Assignee: International Business Machines Corporation
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Publication number: 20140165133
  Abstract: Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules providing sets of predefined data access elements for identifying predefined data accesses. First audit data collections for data accesses are sent to a first repository. For a data access that matches one of the rules, a second audit data collection defined by the matching rule is sent to at least a second repository designated by the matching rule.
  Type: Application
  Filed: July 8, 2013
  Publication date: June 12, 2014
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan
- Publication number: 20140165189
  Abstract: Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules providing sets of predefined data access elements for identifying predefined data accesses. First audit data collections for data accesses are sent to a first repository. For a data access that matches one of the rules, a second audit data collection defined by the matching rule is sent to at least a second repository designated by the matching rule.
  Type: Application
  Filed: December 8, 2012
  Publication date: June 12, 2014
  Applicant: International Business Machines Corporation
  Inventors: Sean C. Foley, Ury Segal, Shidong Shan