Patents by Inventor WEI-HSIANG HSIUNG
WEI-HSIANG HSIUNG has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20200153859Abstract: Preventing Transport Layer Security session man-in-the-middle attacks is provided. A first security digest generated by an endpoint device is compared with a second security digest received from a peer device. It is determined whether a match exists between the first security digest and the second security digest based on the comparison. In response to determining that a match does not exist between the first security digest and the second security digest, a man-in-the-middle attack is detected and a network connection for a Transport Layer Security session is terminated with the peer device.Type: ApplicationFiled: November 9, 2018Publication date: May 14, 2020Inventors: Wei-Hsiang Hsiung, Sheng-Tung Hsu, Kuo-Chun Chen, Chih-Hung Chou
-
Patent number: 10652224Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.Type: GrantFiled: December 5, 2017Date of Patent: May 12, 2020Assignee: International Business Machines CorporationInventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-ta Lee, Wei-Shiau Suen, Ming Hsun Wu
-
Publication number: 20200127829Abstract: A technique to secure a wireless communication link that is being shared among a wireless access point (AP), and each of a set of wireless clients (each a mobile station (STA)) that are coupled to the AP over the communication link. A typical implementation is a WPA2-PSK communication link. In this approach, and in lieu of a single secret key being shared by all AP-STA pairs, each AP-STA pair derives its own unique WLAN shared secret, preferably via a Diffie-Hellman (DH) key exchange. The WLAN shared secret is then used to generate WPA2-PSK keys, namely, pairwise master key (PMK) and pairwise transient key (PTK), that establish an 802.11 standards-compliant secure link.Type: ApplicationFiled: October 22, 2018Publication date: April 23, 2020Applicant: International Business Machines CorporationInventors: Chih-Wei Hsiao, Chih-Wen Chao, Wei-Hsiang Hsiung, Ya-Hsuan Tsai
-
Patent number: 10613857Abstract: A processor-implemented method for generating a test suite within a time requirement is provided. The processor-implemented method includes executing a rule selection operation to determine candidate test cases utilizing attributes corresponding to each of the candidate test cases to produce selected test cases. The processor-implemented method includes determining whether an estimated testing execution time of the selected test cases is equal to or less than the time requirement. The processor-implemented method includes generating the test suite based on the selected test cases when the estimated testing execution time is equal to or less than the time requirement.Type: GrantFiled: November 17, 2017Date of Patent: April 7, 2020Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Wei-Hsiang Hsiung, Jeff H C Kuo, Chien Pang Lee, John K C Lee
-
Patent number: 10613856Abstract: A processor-implemented method for generating a test suite within a time requirement is provided. The processor-implemented method includes executing a rule selection operation to determine candidate test cases utilizing attributes corresponding to each of the candidate test cases to produce selected test cases. The processor-implemented method includes determining whether an estimated testing execution time of the selected test cases is equal to or less than the time requirement. The processor-implemented method includes generating the test suite based on the selected test cases when the estimated testing execution time is equal to or less than the time requirement.Type: GrantFiled: August 24, 2017Date of Patent: April 7, 2020Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Wei-Hsiang Hsiung, Jeff H C Kuo, Chien Pang Lee, John K C Lee
-
Publication number: 20200100107Abstract: Securing public hotspot communications by: generating a public-private key pair, deriving an SSID using the generated public key, creating a network using the SSID, specifying a network security setting, and providing a Client the SSID and network security settings. Further, by: receiving a network connection request from the Client, establishing a connection with the Client, receiving a probe request from a network access point, sending an authentication message, receiving SSID configuration information from the network access point, associating the SSID network and the network access point, and receiving Client data.Type: ApplicationFiled: September 26, 2018Publication date: March 26, 2020Inventors: Chih-Wei Hsiao, Wei-Hsiang Hsiung, Chih-Wen Chao, Sheng Hao Wang
-
Patent number: 10587634Abstract: A system, method and computer program product for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.Type: GrantFiled: October 15, 2018Date of Patent: March 10, 2020Assignee: International Business Machines CorporationInventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Publication number: 20200036776Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.Type: ApplicationFiled: October 1, 2019Publication date: January 30, 2020Inventors: Chih-Wen Chao, Wei-Hsiang Hsiung, Kuo-Chun Chen, Ming-Pin Hsueh, Sheng-Tung Hsu
-
Patent number: 10547641Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives a session ID from the TLS server, the inspector generates and issues to the client a session ticket that includes the original session ID and other session context information. In this manner, the inspector converts the Session ID-based connection to a Session Ticket-based connection. The session ticket is encrypted by the inspector to secure the session information. When the TLS client presents the session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session ID from it directly. The inspector then uses the original session ID to resume the TLS session.Type: GrantFiled: June 1, 2017Date of Patent: January 28, 2020Assignee: International Business Machines CorporationInventors: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
-
Patent number: 10542041Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives the session ticket from the TLS server, and in lieu of caching it, the inspector generates and issues to the client a composited ticket that includes the original ticket and session context information that contains the session key. The composited ticket is encrypted by the inspector to secure the session information. When the TLS client presents the composited session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session context from it directly. The inspector then uses the original session ticket to resume the TLS session.Type: GrantFiled: June 1, 2017Date of Patent: January 21, 2020Assignee: International Business Machines CorporationInventors: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
-
Patent number: 10491625Abstract: A system and computer program product for preventing abnormal application activity is provided. Packets are retrieved from a packet buffer using packet location information corresponding to information associated with the abnormal application activity in a data processing system. The packets are analyzed to identify content of the network packets causing the abnormal application activity. Network packets containing the content causing the abnormal application activity in the data processing system are blocked.Type: GrantFiled: October 3, 2017Date of Patent: November 26, 2019Assignee: International Business Machines CorporationInventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Patent number: 10484420Abstract: A method for preventing abnormal application activity is provided. Packets are retrieved from a packet buffer using packet location information corresponding to information associated with the abnormal application activity in a data processing system. The packets are analyzed to identify content of the network packets causing the abnormal application activity. Network packets containing the content causing the abnormal application activity in the data processing system are blocked.Type: GrantFiled: November 14, 2017Date of Patent: November 19, 2019Assignee: International Business Machines CorporationInventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
-
Patent number: 10469569Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.Type: GrantFiled: March 22, 2018Date of Patent: November 5, 2019Assignee: International Business Machines CorporationInventors: Chih-Wen Chao, Wei-Hsiang Hsiung, Kuo-Chun Chen, Ming-Pin Hsueh, Sheng-Tung Hsu
-
Publication number: 20190327222Abstract: An embodiment of the invention may include a method, computer program product and system for secure authentication within a communication protocol session. The embodiment may include retrieving, by a client computer of the TLS session, a challenge string associated with the TLS session. The embodiment may include generating, by the client computer, a first digest based on the challenge string and authentication information of a user of the client computer. The embodiment may include sending, by the client computer, the first digest to a server of the TLS session. The retrieving, generating and sending, by the client computer, are carried out after the TLS session has been established between the client computer and the server.Type: ApplicationFiled: April 24, 2018Publication date: October 24, 2019Inventors: Sheng-Tung Hsu, Wei-Hsiang Hsiung, Kuo-Chun Chen, Wayne Chou
-
Publication number: 20190327266Abstract: A computer network endpoint is secured to prevent information leak or other compromise by instantiating in memory first, second and third security zones. With respect to an authorized user, the first zone is readable and writable, the second zone is read-only, and the third zone is neither readable nor writable. System information (e.g., applications, libraries, policies, etc.) are deployed into the first zone from the second zone. When sensitive data is generated in the first zone, e.g., when a secure communication session is established using a cryptographic key, the sensitive data is transferred from the first zone to the third zone, wherein it is immune from information leak or other compromise. The sensitive information is transferable from the third zone to one or more external having a need to know that information. Because information does not pass directly from the first security zone to the external systems, the endpoint is secured against information leak or other attack.Type: ApplicationFiled: June 29, 2019Publication date: October 24, 2019Applicant: International Business Machines CorporationInventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Fadly Yahaya
-
Patent number: 10454946Abstract: Selecting a receive side scaling (RSS) key is provided. It is determined whether a defined time interval expired. In response to determining that the defined time interval has expired, it is determined whether one or more keys in a set of randomly generated candidate RSS keys have a higher packet distribution score than an active RSS key. In response to determining that one or more keys in the set of randomly generated candidate RSS keys have a higher packet distribution score than the active RSS key, an RSS key having a highest packet distribution score is selected from the one or more keys in the set of randomly generated candidate RSS keys that have a higher packet distribution score than the active RSS key. The RSS key having the highest packet distribution score is used to distribute incoming network packets across a plurality of processors.Type: GrantFiled: November 14, 2017Date of Patent: October 22, 2019Assignee: International Business Machines CorporationInventors: Chih-Wen Chao, Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Ming-Pin Hsueh
-
Publication number: 20190297138Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.Type: ApplicationFiled: March 22, 2018Publication date: September 26, 2019Inventors: Chih-Wen Chao, Wei-Hsiang Hsiung, Kuo-Chun Chen, Ming-Pin Hsueh, Sheng-Tung Hsu
-
Patent number: 10419447Abstract: Selecting a receive side scaling (RSS) key is provided. It is determined whether a defined time interval expired. In response to determining that the defined time interval has expired, it is determined whether one or more keys in a set of randomly generated candidate RSS keys have a higher packet distribution score than an active RSS key. In response to determining that one or more keys in the set of randomly generated candidate RSS keys have a higher packet distribution score than the active RSS key, an RSS key having a highest packet distribution score is selected from the one or more keys in the set of randomly generated candidate RSS keys that have a higher packet distribution score than the active RSS key. The RSS key having the highest packet distribution score is used to distribute incoming network packets across a plurality of processors.Type: GrantFiled: October 11, 2017Date of Patent: September 17, 2019Assignee: International Business Machines CorporationInventors: Chih-Wen Chao, Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Ming-Pin Hsueh
-
Publication number: 20190230120Abstract: A computer network endpoint is secured to prevent information leak or other compromise by instantiating in memory first, second and third security zones. With respect to an authorized user, the first zone is readable and writable, the second zone is read-only, and the third zone is neither readable nor writable. System information (e.g., applications, libraries, policies, etc.) are deployed into the first zone from the second zone. When sensitive data is generated in the first zone, e.g., when a secure communication session is established using a cryptographic key, the sensitive data is transferred from the first zone to the third zone, wherein it is immune from information leak or other compromise. The sensitive information is transferable from the third zone to one or more external having a need to know that information. Because information does not pass directly from the first security zone to the external systems, the endpoint is secured against information leak or other attack.Type: ApplicationFiled: January 19, 2018Publication date: July 25, 2019Applicant: International Business Machines CorporationInventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Sheng-Tung Hsu, Fadly Yahaya
-
Publication number: 20190173863Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.Type: ApplicationFiled: December 5, 2017Publication date: June 6, 2019Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-ta Lee, Wei-Shiau Suen, Ming Hsun Wu